whats wrong with it

View previous topic View next topic Go down

whats wrong with it

Post by Danimal on 18th August 2009, 5:46 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:46:07 PM, on 8/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscsvc32.exe
C:\DOCUME~1\Daniel\LOCALS~1\Temp\b.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Protection System\psystem.exe
C:\WINDOWS\system32\net.exe
C:\WINDOWS\system32\net1.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Documents and Settings\Daniel\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe tapi.nfo beforeglav
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\system32\winupdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [Monopod] C:\DOCUME~1\Daniel\LOCALS~1\Temp\b.exe
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\Run: [Protection System] "C:\Program Files\Protection System\psystem.exe" -noscan
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - [You must be registered and logged in to see this link.]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: CinemaNow Service - CinemaNow, Inc. - C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9c6635fea52a) (gupdate1c9c6635fea52a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 6556 bytes

Danimal
Intermediate
Intermediate

Posts Posts : 109
Joined Joined : 2009-03-03
Gender Gender : Male
OS OS : PC Vista
Protection Protection : McAfee
Points Points : 29147
# Likes # Likes : 0

View user profile

Back to top Go down

Re: whats wrong with it

Post by Danimal on 18th August 2009, 6:52 am

just fyi I can't open any programs, hijack, combofix, malaware.

Danimal
Intermediate
Intermediate

Posts Posts : 109
Joined Joined : 2009-03-03
Gender Gender : Male
OS OS : PC Vista
Protection Protection : McAfee
Points Points : 29147
# Likes # Likes : 0

View user profile

Back to top Go down

Re: whats wrong with it

Post by Belahzur on 18th August 2009, 3:39 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe tapi.nfo beforeglav
    O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
    O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\system32\winupdate.exe
    O4 - HKCU\..\Run: [Protection System] "C:\Program Files\Protection System\psystem.exe" -noscan



  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245091
# Likes # Likes : 1

View user profile

Back to top Go down

Re: whats wrong with it

Post by Danimal on 19th August 2009, 3:46 am

yeah about hijack, i can't even open the program. It just won't load.

Danimal
Intermediate
Intermediate

Posts Posts : 109
Joined Joined : 2009-03-03
Gender Gender : Male
OS OS : PC Vista
Protection Protection : McAfee
Points Points : 29147
# Likes # Likes : 0

View user profile

Back to top Go down

Re: whats wrong with it

Post by Danimal on 19th August 2009, 4:19 am

nevermind, i just renamed my hijackthis file to scanner.exe

Danimal
Intermediate
Intermediate

Posts Posts : 109
Joined Joined : 2009-03-03
Gender Gender : Male
OS OS : PC Vista
Protection Protection : McAfee
Points Points : 29147
# Likes # Likes : 0

View user profile

Back to top Go down

Re: whats wrong with it

Post by Danimal on 19th August 2009, 5:13 am

well, now my combofix doesnt work. Neither does malware or HJT. I keep getting errors that Running this program is impossible etc etc from Window Anti Virus Pros. I dont even have Window Anti Virus Pro. So frustrated Sad tearing

Danimal
Intermediate
Intermediate

Posts Posts : 109
Joined Joined : 2009-03-03
Gender Gender : Male
OS OS : PC Vista
Protection Protection : McAfee
Points Points : 29147
# Likes # Likes : 0

View user profile

Back to top Go down

Re: whats wrong with it

Post by Danimal on 19th August 2009, 7:14 am

my HJI works when I downloaded the fixtm regedit key. However, I always have to disable the anti virus protection under the task manager. ONce i disable it, it comes back on again and again, repetitively. I always get popups from seciruty center alert , advance virus remover, bunch of red x's. Anyway, here is my log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:10:02 AM, on 8/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\winupdate.exe
C:\Program Files\AdvancedVirusRemover\PAVRM.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\svchast.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscsvc32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe
C:\Documents and Settings\Daniel\Desktop\winlogon.exe\winlogon.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe tapi.nfo beforeglav
O2 - BHO: ICQSys (IE PlugIn) - {76DC0B63-1533-4ba9-8BE8-D59EB676FA02} - C:\WINDOWS\system32\dddesot.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\system32\winupdate.exe
O4 - HKLM\..\Run: [PC Antispyware 2010] "C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe" /hide
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [Monopod] C:\DOCUME~1\Daniel\LOCALS~1\Temp\b.exe
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\Run: [Protection System] "C:\Program Files\Protection System\psystem.exe" -noscan
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKCU\..\Run: [Advanced Virus Remover] C:\Program Files\AdvancedVirusRemover\PAVRM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - [You must be registered and logged in to see this link.]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: AntipyProex (AntipPro2009_100) - Unknown owner - C:\WINDOWS\svchast.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: CinemaNow Service - CinemaNow, Inc. - C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9c6635fea52a) (gupdate1c9c6635fea52a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 6390 bytes


PS i tried to remove O2 - BHO: ICQSys (IE PlugIn) - {76DC0B63-1533-4ba9-8BE8-D59EB676FA02} - C:\WINDOWS\system32\dddesot.dll because i know that's a bad file but everytime i do it, my computer either restarts or it freezes Sad tearing

Danimal
Intermediate
Intermediate

Posts Posts : 109
Joined Joined : 2009-03-03
Gender Gender : Male
OS OS : PC Vista
Protection Protection : McAfee
Points Points : 29147
# Likes # Likes : 0

View user profile

Back to top Go down

Re: whats wrong with it

Post by Belahzur on 19th August 2009, 6:51 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245091
# Likes # Likes : 1

View user profile

Back to top Go down

Re: whats wrong with it

Post by Danimal on 19th August 2009, 8:38 pm

I get an error saying "You cannot rename Combofix as Combo-Fix

Please use another name, preferably made up of alphanumerical characters."

what should i do Sad tearing

Danimal
Intermediate
Intermediate

Posts Posts : 109
Joined Joined : 2009-03-03
Gender Gender : Male
OS OS : PC Vista
Protection Protection : McAfee
Points Points : 29147
# Likes # Likes : 0

View user profile

Back to top Go down

Re: whats wrong with it

Post by Danimal on 19th August 2009, 8:47 pm

nvm,

Danimal
Intermediate
Intermediate

Posts Posts : 109
Joined Joined : 2009-03-03
Gender Gender : Male
OS OS : PC Vista
Protection Protection : McAfee
Points Points : 29147
# Likes # Likes : 0

View user profile

Back to top Go down

Re: whats wrong with it

Post by Belahzur on 19th August 2009, 8:53 pm

Did Combofix run okay?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245091
# Likes # Likes : 1

View user profile

Back to top Go down

Re: whats wrong with it

Post by Danimal on 19th August 2009, 9:07 pm

yup, it ran. I just had to delete the old combofix files. Here is the log.

ComboFix 09-08-18.04 - Daniel 08/19/2009 13:51.12.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1622 [GMT -7:00]
Running from: c:\documents and settings\Daniel\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Daniel\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk
c:\documents and settings\Daniel\Application Data\Microsoft\Internet Explorer\Quick Launch\PC_Antispyware2010.lnk
c:\documents and settings\Daniel\Start Menu\Programs\PC_Antispyware2010
c:\documents and settings\Daniel\Start Menu\Programs\PC_Antispyware2010\PC_Antispyware2010.lnk
c:\documents and settings\Daniel\Start Menu\Programs\PC_Antispyware2010\Uninstall.lnk
c:\program files\AdvancedVirusRemover
c:\program files\AdvancedVirusRemover\PAVRM.exe
c:\program files\PC_Antispyware2010
c:\program files\PC_Antispyware2010\AVEngn.dll
c:\program files\PC_Antispyware2010\data\daily.cvd
c:\program files\PC_Antispyware2010\htmlayout.dll
c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcm80.dll
c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcp80.dll
c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcr80.dll
c:\program files\PC_Antispyware2010\PC_Antispyware2010.cfg
c:\program files\PC_Antispyware2010\PC_Antispyware2010.exe
c:\program files\PC_Antispyware2010\pthreadVC2.dll
c:\program files\PC_Antispyware2010\Uninstall.exe
c:\program files\PC_Antispyware2010\wscui.cpl
c:\program files\Windows Antivirus Pro
c:\program files\Windows Antivirus Pro\msvcm80.dll
c:\program files\Windows Antivirus Pro\msvcp80.dll
c:\program files\Windows Antivirus Pro\msvcr80.dll
c:\program files\Windows Antivirus Pro\tmp\dbsinit.exe
c:\program files\Windows Antivirus Pro\tmp\images\i1.gif
c:\program files\Windows Antivirus Pro\tmp\images\i2.gif
c:\program files\Windows Antivirus Pro\tmp\images\i3.gif
c:\program files\Windows Antivirus Pro\tmp\images\j1.gif
c:\program files\Windows Antivirus Pro\tmp\images\j2.gif
c:\program files\Windows Antivirus Pro\tmp\images\j3.gif
c:\program files\Windows Antivirus Pro\tmp\images\jj1.gif
c:\program files\Windows Antivirus Pro\tmp\images\jj2.gif
c:\program files\Windows Antivirus Pro\tmp\images\jj3.gif
c:\program files\Windows Antivirus Pro\tmp\images\l1.gif
c:\program files\Windows Antivirus Pro\tmp\images\l2.gif
c:\program files\Windows Antivirus Pro\tmp\images\l3.gif
c:\program files\Windows Antivirus Pro\tmp\images\pix.gif
c:\program files\Windows Antivirus Pro\tmp\images\t1.gif
c:\program files\Windows Antivirus Pro\tmp\images\t2.gif
c:\program files\Windows Antivirus Pro\tmp\images\up1.gif
c:\program files\Windows Antivirus Pro\tmp\images\up2.gif
c:\program files\Windows Antivirus Pro\tmp\images\w1.gif
c:\program files\Windows Antivirus Pro\tmp\images\w11.gif
c:\program files\Windows Antivirus Pro\tmp\images\w2.gif
c:\program files\Windows Antivirus Pro\tmp\images\w3.gif
c:\program files\Windows Antivirus Pro\tmp\images\w3.jpg
c:\program files\Windows Antivirus Pro\tmp\images\wt1.gif
c:\program files\Windows Antivirus Pro\tmp\images\wt2.gif
c:\program files\Windows Antivirus Pro\tmp\images\wt3.gif
c:\program files\Windows Antivirus Pro\tmp\wispex.html
c:\program files\Windows Antivirus Pro\Windows Antivirus Pro.exe
c:\windows\braviax.exe
c:\windows\cru629.dat
c:\windows\msa.exe
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\run.log
c:\windows\svchast.exe
c:\windows\system32\_scui.cpl
c:\windows\system32\bennuar.old
c:\windows\system32\bincd32.dat
c:\windows\system32\braviax.exe
c:\windows\system32\critical_warning.html
c:\windows\system32\cru629.dat
c:\windows\system32\dddesot.dll
c:\windows\system32\desot.exe
c:\windows\system32\dllcache\figaro.sys
c:\windows\system32\drivers\UACsowlmeieda.sys
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\msxml71.dll
c:\windows\system32\resdll.dll
c:\windows\system32\sonhelp.htm
c:\windows\system32\sysnet.dat
c:\windows\system32\tapi.nfo
c:\windows\system32\UACgdfltnhrga.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\UACkajdanfetv.dll
c:\windows\system32\UAClmylcmedvn.dll
c:\windows\system32\UACxmxomvmcal.dll
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe
c:\windows\system32\wisdstr.exe
c:\windows\system32\wispex.html
c:\windows\system32\wscsvc32.exe
C:\yihw.exe

c:\windows\system32\drivers\beep.sys . . . is infected!!

Infected copy of c:\windows\system32\mspmsnsv.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mspmsnsv.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_AntipPro2009_100
-------\Service_AntipPro2009_100


((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))
.

2009-08-19 06:57 . 2009-08-19 06:57 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-19 03:47 . 2009-08-19 03:47 16998 ----a-w- c:\documents and settings\All Users\Application Data\higax.pif
2009-08-19 03:47 . 2009-08-19 03:47 16458 ----a-w- c:\documents and settings\Daniel\Local Settings\Application Data\avysocaru.dat
2009-08-19 03:47 . 2009-08-19 03:47 15394 ----a-w- c:\windows\system32\lola.vbs
2009-08-19 03:47 . 2009-08-19 03:47 14832 ----a-w- c:\windows\kobo.dat
2009-08-19 03:47 . 2009-08-19 03:47 12034 ----a-w- c:\documents and settings\Daniel\Local Settings\Application Data\fopijalu.vbs
2009-08-19 03:47 . 2009-08-19 03:47 11618 ----a-w- c:\windows\ibacysid.sys
2009-08-19 03:47 . 2009-08-19 03:47 11072 ----a-w- c:\documents and settings\Daniel\Local Settings\Application Data\ojajacuhy.exe
2009-08-19 03:47 . 2009-08-19 03:47 10777 ----a-w- c:\documents and settings\All Users\Application Data\sidojonyc.com
2009-08-19 03:42 . 2009-08-18 14:36 142848 ----a-w- c:\windows\msb.exe
2009-08-18 06:42 . 2009-08-18 06:42 18409 ----a-w- c:\windows\system32\taresedu.bat
2009-08-18 06:42 . 2009-08-18 06:42 15866 ----a-w- c:\windows\iwudelomoh.bin
2009-08-18 06:42 . 2009-08-18 06:42 15673 ----a-w- c:\documents and settings\Daniel\Application Data\kabe.pif
2009-08-18 06:42 . 2009-08-18 06:42 12387 ----a-w- c:\windows\omyradeku.reg
2009-08-18 06:42 . 2009-08-18 06:42 10969 ----a-w- c:\documents and settings\Daniel\Local Settings\Application Data\vufuwos.dll
2009-08-18 06:42 . 2009-08-18 06:42 10410 ----a-w- c:\windows\ybobo.reg
2009-08-18 06:42 . 2009-08-18 06:42 10112 ----a-w- c:\windows\piburigi.scr
2009-08-18 06:29 . 2009-08-19 06:06 27136 -c--a-w- c:\windows\system32\dllcache\beep.sys
2009-08-18 05:40 . 2009-08-19 04:47 31232 ----a-w- c:\windows\system32\wingenocx.dll
2009-08-18 05:22 . 2009-08-18 05:22 20480 ----a-w- C:\kvhwftjn.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-19 05:52 . 2009-07-18 06:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-19 04:47 . 2008-06-01 21:45 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-19 03:47 . 2009-08-19 03:47 14452 ----a-w- c:\documents and settings\All Users\Application Data\wimifu.dat
2009-08-18 06:42 . 2009-08-18 06:42 17794 ----a-w- c:\program files\Common Files\ihywycaxe.inf
2009-08-18 05:01 . 2008-01-13 05:10 -------- d-----w- c:\program files\Warcraft III
2009-08-18 02:15 . 2008-06-01 21:45 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-18 02:15 . 2008-06-01 21:45 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-18 02:15 . 2007-12-18 07:43 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-12 21:45 . 2007-12-21 19:12 -------- d-----w- c:\program files\Steam
2009-08-10 07:25 . 2009-01-21 01:42 1924440 ----a-w- c:\documents and settings\Daniel\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2009-08-06 02:19 . 2009-07-07 00:35 189480 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-08-06 02:19 . 2009-07-07 00:35 137544 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-08-05 02:32 . 2008-01-13 05:12 78777 ----a-w- c:\windows\War3Unin.dat
2009-08-04 04:05 . 2007-12-18 07:07 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-04 04:04 . 2009-03-31 00:53 -------- d-----w- c:\documents and settings\Daniel\Application Data\My Games
2009-08-03 20:36 . 2009-07-18 06:07 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 20:36 . 2009-07-18 06:07 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-19 19:45 . 2009-06-26 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-07-18 06:13 . 2009-07-18 06:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-18 06:13 . 2009-07-18 06:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-16 06:50 . 2009-07-16 06:50 139152 ----a-w- c:\documents and settings\Daniel\Application Data\PnkBstrK.sys
2009-07-16 06:50 . 2009-07-16 06:50 139152 ----a-w- c:\documents and settings\Daniel\Application Data\PnkBstrK.sys
2009-07-16 06:50 . 2009-07-16 06:50 794408 ----a-w- c:\windows\system32\pbsvc.exe
2009-07-16 06:50 . 2009-07-07 00:35 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-07-16 01:19 . 2009-03-13 04:57 7 ----a-w- c:\windows\sbacknt.bin
2009-07-12 22:12 . 2009-07-12 22:11 -------- d-----w- c:\program files\AIM6
2009-07-12 22:11 . 2007-12-21 21:46 -------- d-----w- c:\program files\Common Files\AOL
2009-07-12 00:20 . 2009-07-12 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-07-11 01:50 . 2008-01-13 23:01 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-26 17:50 . 2009-06-26 17:50 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-21 15:46 . 2007-12-18 07:31 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-06-14 23:07 . 2009-07-19 19:45 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-10 13:03 . 2009-05-01 05:02 1580550 ----a-w- c:\windows\system32\nvdata.bin
2009-06-10 13:03 . 2009-05-01 05:02 1310720 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-06-10 13:03 . 2009-02-18 21:44 671744 ----a-w- c:\windows\system32\nvcuvid.dll
2009-06-10 13:03 . 2009-01-15 15:19 9998336 ----a-w- c:\windows\system32\nvoglnt.dll
2009-06-10 13:03 . 2009-01-15 15:19 815104 ----a-w- c:\windows\system32\nvapi.dll
2009-06-10 13:03 . 2009-01-15 15:19 1720320 ----a-w- c:\windows\system32\nvcuda.dll
2009-06-10 13:03 . 2009-01-15 15:19 151552 ----a-w- c:\windows\system32\nvcodins.dll
2009-06-10 13:03 . 2009-01-15 15:19 151552 ----a-w- c:\windows\system32\nvcod.dll
2009-06-10 13:03 . 2007-12-18 07:08 457248 ----a-w- c:\windows\system32\nvudisp.exe
2009-06-10 13:03 . 2007-12-18 07:07 8087712 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-06-10 13:03 . 2007-12-18 07:07 5908608 ----a-w- c:\windows\system32\nv4_disp.dll
2009-02-07 02:14 . 2009-02-07 02:14 3143 ----a-w- c:\program files\images.jpeg
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

Danimal
Intermediate
Intermediate

Posts Posts : 109
Joined Joined : 2009-03-03
Gender Gender : Male
OS OS : PC Vista
Protection Protection : McAfee
Points Points : 29147
# Likes # Likes : 0

View user profile

Back to top Go down

Re: whats wrong with it

Post by Danimal on 19th August 2009, 9:07 pm

------- Sigcheck -------

[-] 2005-03-02 18:19 577024 1800F293BCCC8EDE8A70E12B88D80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2007-03-08 15:48 578048 7AA4F6C00405DFC4B70ED4214E7D687B c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\$NtServicePackUninstall$\user32.dll
[7] 2004-09-01 09:00 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\$NtUninstallKB890859$\user32.dll
[-] 2005-03-02 18:09 577024 DE2DB164BBB35DB061AF0997E4499054 c:\windows\$NtUninstallKB925902$\user32.dll
[7] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\ServicePackFiles\i386\user32.dll
[-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\system32\user32.dll

[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\explorer.exe
[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2004-09-01 09:00 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtUninstallKB938828$\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe

[-] 2005-06-11 00:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\$NtServicePackUninstall$\spoolsv.exe
[7] 2004-09-01 09:00 57856 7435B108B935E42EA92CA94F59C8E717 c:\windows\$NtUninstallKB896423$\spoolsv.exe
[7] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\system32\spoolsv.exe

[-] 2004-09-01 09:00 215552 A77219A971029DC2FB683E8513713803 c:\windows\$NtServicePackUninstall$\termsrv.dll
[7] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2004-09-01 09:00 215552 A77219A971029DC2FB683E8513713803 c:\windows\system32\termsrv.dll

[-] 2009-08-19 06:06 27136 C0BE6C19AF0966A1AFAB667C16005EBA c:\windows\system32\dllcache\beep.sys

[-] 2005-07-08 16:28 249344 1418A3A6E76E5A2E3F5E43866E793A8B c:\windows\$hf_mig$\KB893756\SP2QFE\tapisrv.dll
[-] 2005-07-08 16:27 249344 FB78839B36025AA286A51289ED28B73E c:\windows\$NtServicePackUninstall$\tapisrv.dll
[7] 2004-09-01 09:00 246272 EB4A4187D74A8EFDCBEA3EA2CB1BDFBD c:\windows\$NtUninstallKB893756$\tapisrv.dll
[7] 2008-04-14 00:12 249856 3CB78C17BB664637787C9A1C98F79C38 c:\windows\ServicePackFiles\i386\tapisrv.dll
[-] 2005-07-08 16:27 249344 FB78839B36025AA286A51289ED28B73E c:\windows\system32\tapisrv.dll

[-] 2005-08-22 18:24 197632 3516D8A18B36784B1005B950B84232E1 c:\windows\$hf_mig$\KB905414\SP2QFE\netman.dll
[-] 2005-08-22 18:29 197632 36739B39267914BA69AD0610A0299732 c:\windows\$NtServicePackUninstall$\netman.dll
[7] 2004-09-01 09:00 198144 DAB9E6C7105D2EF49876FE92C524F565 c:\windows\$NtUninstallKB905414$\netman.dll
[7] 2008-04-14 00:12 198144 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE c:\windows\ServicePackFiles\i386\netman.dll
[-] 2005-08-22 18:29 197632 36739B39267914BA69AD0610A0299732 c:\windows\system32\netman.dll

[-] 2006-12-19 21:50 135168 53D9184A21C5CBF600D918E51EF3A7E5 c:\windows\$hf_mig$\KB928255\SP2QFE\shsvcs.dll
[-] 2006-12-19 21:52 134656 6815DEF9B810AEFAC107EEAF72DA6F82 c:\windows\$NtServicePackUninstall$\shsvcs.dll
[7] 2004-09-01 09:00 134656 E7518DC542D3EBDCB80EDD98462C7821 c:\windows\$NtUninstallKB928255$\shsvcs.dll
[7] 2008-04-14 00:12 135168 1926899BF9FFE2602B63074971700412 c:\windows\ServicePackFiles\i386\shsvcs.dll
[-] 2006-12-19 21:52 134656 6815DEF9B810AEFAC107EEAF72DA6F82 c:\windows\system32\shsvcs.dll

c:\windows\system32\drivers\beep.sys ... is missing !!
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-04-29 3338240]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-02-06 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-11-02 167936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-16 153136]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-18 02:15 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Daniel^Start Menu^Programs^Startup^DesktopVideoPlayer.LNK]
path=c:\documents and settings\Daniel\Start Menu\Programs\Startup\DesktopVideoPlayer.LNK
backup=c:\windows\pss\DesktopVideoPlayer.LNKStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Daniel^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\Daniel\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"rpcapd"=3 (0x3)
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Steam\\steamapps\\buttche3k007\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Warcraft III\\war3.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Steam\\steamapps\\buttche3k007\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"c:\\Documents and Settings\\Daniel\\Application Data\\Macromedia\\Flash Player\\[You must be registered and logged in to see this link.]
"c:\\Program Files\\CinemaNow\\CinemaNow Media Manager\\CinemaNowShell.exe"=
"c:\\Documents and Settings\\Daniel\\Desktop\\LC\\pickup.listchecker.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Documents and Settings\\Daniel\\My Documents\\Downloads\\YuLeech-RunesofMagic2_0_1_1821-en.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\steamapps\\buttche3k007\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\azndumpling1086@aol.com\\day of defeat\\hl.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\empire total war\\Empire.exe"=
"c:\\Program Files\\Steam\\steamapps\\buttche3k007\\smashball\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\buttche3k007\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\america's army 3\\Binaries\\AA3Game.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Steam\\steamapps\\azndumpling1086@aol.com\\counter-strike\\hl.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/1/2008 2:45 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/1/2008 2:45 PM 108552]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [9/11/2007 1:45 AM 124832]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/15/2008 1:23 PM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/15/2008 1:23 PM 297752]
R2 CinemaNow Service;CinemaNow Service;c:\program files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [1/30/2009 7:14 PM 125304]
S2 gupdate1c9c6635fea52a;Google Update Service (gupdate1c9c6635fea52a);c:\program files\Google\Update\GoogleUpdate.exe [4/26/2009 4:34 AM 133104]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 1:22 PM 34064]
.
Contents of the 'Scheduled Tasks' folder

2009-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-26 11:34]

2009-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-26 11:34]

2009-08-19 c:\windows\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
- c:\windows\msb.exe [2009-08-19 14:36]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Protection System - c:\program files\Protection System\psystem.exe
HKLM-Run-PC Antispyware 2010 - c:\program files\PC_Antispyware2010\PC_Antispyware2010.exe


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: cinemanow.com
FF - ProfilePath - c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\3wr807un.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\3wr807un.default\extensions\{3112ca9c-de6d-4884-a869-9855de680400}\plugins\npCinemaNowPlugin.dll
FF - plugin: c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\3wr807un.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\3wr807un.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-08-19 14:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1060284298-507921405-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:84,17,10,a6,1a,91,59,de,05,47,ad,f5,09,7c,bc,e9,85,39,77,8f,44,8f,a0,
2b,9a,90,1b,83,b5,2d,46,f7,c8,38,a7,be,bb,a0,d1,8a,71,03,12,c6,b7,1d,c0,43,\
"??"=hex:9a,c3,59,50,72,6a,1a,2f,b3,4d,bb,af,4d,6f,c4,86

[HKEY_USERS\S-1-5-21-1060284298-507921405-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:f3,b4,a5,20,23,1b,8a,66,38,a5,dc,a4,c1,ef,b4,c9,39,71,2c,e5,81,
83,27,db,5f,2e,62,6c,6a,48,04,c9,6b,72,ba,69,ea,2e,3a,0f,5e,49,fd,4f,ef,5e,\
"rkeysecu"=hex:ea,13,f9,d7,77,1f,03,70,cc,fd,10,91,ca,1b,a5,43
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2924)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-19 14:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-19 21:05
ComboFix2.txt 2009-07-18 23:40

Pre-Run: 138,254,159,872 bytes free
Post-Run: 138,167,812,096 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
405 --- E O F --- 2009-08-19 14:39

Danimal
Intermediate
Intermediate

Posts Posts : 109
Joined Joined : 2009-03-03
Gender Gender : Male
OS OS : PC Vista
Protection Protection : McAfee
Points Points : 29147
# Likes # Likes : 0

View user profile

Back to top Go down

Re: whats wrong with it

Post by Belahzur on 20th August 2009, 12:23 am

I suggest you copy these instructions into a notepad file, because we need to use safe mode and you won't have internet access to read from here.

Download [You must be registered and logged in to see this link.] and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245091
# Likes # Likes : 1

View user profile

Back to top Go down

Re: whats wrong with it

Post by Danimal on 20th August 2009, 2:54 am

SDFix: Version 1.240
Run by Daniel on Wed 08/19/2009 at 07:36 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Infected beep.sys Found!

beep.sys File Locations:

"C:\WINDOWS\system32\dllcache\beep.sys" 27136 08/18/2009 11:06 PM

Infected File Listed Below:

C:\WINDOWS\system32\dllcache\beep.sys

File copied to Backups Folder
Attempting to replace beep.sys with original version


Original beep.sys Restored

"C:\WINDOWS\system32\dllcache\beep.sys" 4224 08/07/2008 03:27 PM
"C:\WINDOWS\system32\drivers\beep.sys" 4224 08/07/2008 03:27 PM



Checking Files :

Trojan Files Found:

C:\DOCUME~1\DANIEL\COOKIES\ESAS.BIN - Deleted
C:\DOCUME~1\DANIEL\COOKIES\TOCOBU~1.DL - Deleted
C:\DOCUME~1\DANIEL\COOKIES\ECAV._SY - Deleted
C:\DOCUME~1\DANIEL\COOKIES\OZUCU.LIB - Deleted
C:\DOCUME~1\DANIEL\COOKIES\YLUVUJI.PIF - Deleted
C:\DOCUME~1\DANIEL\COOKIES\GYXY.REG - Deleted
C:\DOCUME~1\DANIEL\COOKIES\IMUCUN~1.SYS - Deleted
C:\Program Files\Common Files\wicymy._sy - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-08-19 19:48:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:c5,6c,df,38,4b,3a,fb,e8,07,14,a3,1d,e2,3d,ea,94,f9,97,d7,68,d1,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,d5,07,00,69,c2,42,24,33,15,6a,6e,d0,73,31,d3,98,ab,..
"khjeh"=hex:cb,00,0c,5c,c5,c9,6a,b4,61,8b,2b,42,23,50,ba,da,ed,39,e0,33,27,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:5d,d1,ef,37,b1,bf,0a,f9,0b,29,09,1c,4c,79,67,ba,17,c5,23,14,f2,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ovfsthbftirxercrnseomtidbluqxdnftobiri]
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=str(2):"\systemroot\system32\drivers\ovfsthuwtidxwevxtevwcirpdxymepmxuucbvs.sys"
"inst"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ovfsthbftirxercrnseomtidbluqxdnftobiri\main]
"ver"="sni060409"
"cid"="01"
"bid"="1019188780-1060284298-507921405-725345543"
"aid"="998"
"sid"="3"
"feed"=hex:22,64,78,36,3c,2e,3b,29,39,3b,3b,3a,04,4f,01,0c,09,65
"cmddelay"=dword:00007081
"logoffset"=dword:0001cfcb

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ovfsthbftirxercrnseomtidbluqxdnftobiri\modules]
"ovfsth.sys"="\systemroot\system32\drivers\ovfsthuwtidxwevxtevwcirpdxymepmxuucbvs.sys"
"ovfsth.dll"="\systemroot\system32\ovfsthkpjuyjhfuchtrsktkrnhilmonugogkqy.dll"
"ovfsthlog.dat"="\systemroot\system32\ovfsthlpkntqhcbwtoslvhfoeflmufthhonxpd.dat"
"ovfsthwi.dll"="\systemroot\system32\ovfsthhcipfaqxguepuctqoxyfwofnbpapvnqy.dll"
"ovfsthff.dll"="\systemroot\system32\ovfsthinbjutmbesyrljwxkxfpppwwcideofem.dll"
"ovfsth.dat"="\systemroot\system32\ovfsthowyrwapvlsdkowvboamcbfwjrelruxog.dat"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:c5,6c,df,38,4b,3a,fb,e8,07,14,a3,1d,e2,3d,ea,94,f9,97,d7,68,d1,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,d5,07,00,69,c2,42,24,33,15,6a,6e,d0,73,31,d3,98,ab,..
"khjeh"=hex:cb,00,0c,5c,c5,c9,6a,b4,61,8b,2b,42,23,50,ba,da,ed,39,e0,33,27,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:5d,d1,ef,37,b1,bf,0a,f9,0b,29,09,1c,4c,79,67,ba,17,c5,23,14,f2,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:c5,6c,df,38,4b,3a,fb,e8,07,14,a3,1d,e2,3d,ea,94,f9,97,d7,68,d1,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,d5,07,00,69,c2,42,24,33,15,6a,6e,d0,73,31,d3,98,ab,..
"khjeh"=hex:cb,00,0c,5c,c5,c9,6a,b4,61,8b,2b,42,23,50,ba,da,ed,39,e0,33,27,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:5d,d1,ef,37,b1,bf,0a,f9,0b,29,09,1c,4c,79,67,ba,17,c5,23,14,f2,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"="C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe:*:Enabled:LaunchPad"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Steam\\steamapps\\buttche3k007\\counter-strike source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\buttche3k007\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Warcraft III\\war3.exe"="C:\\Program Files\\Warcraft III\\war3.exe:*:Enabled:Warcraft III"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"="C:\\Program Files\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\\Program Files\\Steam\\steamapps\\buttche3k007\\team fortress 2\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\buttche3k007\\team fortress 2\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"="C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe:*:Enabled:Age of Empires III - The WarChiefs"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"="C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe:*:Enabled:World in Conflict"
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"="C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe:*:Enabled:World in Conflict - Online Only"
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"="C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe:*:Enabled:World in Conflict - Dedicated Server"
"C:\\Documents and Settings\\Daniel\\Application Data\\Macromedia\\Flash Player\\[You must be registered and logged in to see this link.] and Settings\\Daniel\\Application Data\\Macromedia\\Flash Player\\[You must be registered and logged in to see this link.] add-in for Adobe Flash Player"
"C:\\Program Files\\CinemaNow\\CinemaNow Media Manager\\CinemaNowShell.exe"="C:\\Program Files\\CinemaNow\\CinemaNow Media Manager\\CinemaNowShell.exe:*:Enabled:CinemaNow Media Manager"
"C:\\Documents and Settings\\Daniel\\Desktop\\LC\\pickup.listchecker.exe"="C:\\Documents and Settings\\Daniel\\Desktop\\LC\\pickup.listchecker.exe:*:Enabled:pickup.listchecker"
"C:\\Program Files\\Steam\\Steam.exe"="C:\\Program Files\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx"
"C:\\Documents and Settings\\Daniel\\My Documents\\Downloads\\YuLeech-RunesofMagic2_0_1_1821-en.exe"="C:\\Documents and Settings\\Daniel\\My Documents\\Downloads\\YuLeech-RunesofMagic2_0_1_1821-en.exe:*:Enabled:FOG Downloader"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Steam\\steamapps\\buttche3k007\\day of defeat source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\buttche3k007\\day of defeat source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\steamapps\\azndumpling1086@aol.com\\day of defeat\\hl.exe"="C:\\Program Files\\Steam\\steamapps\\azndumpling1086@aol.com\\day of defeat\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Electronic Arts\\EADM\\Core.exe"="C:\\Program Files\\Electronic Arts\\EADM\\Core.exe:*:Enabled:EA Download Manager"
"C:\\Program Files\\Steam\\steamapps\\common\\empire total war\\Empire.exe"="C:\\Program Files\\Steam\\steamapps\\common\\empire total war\\Empire.exe:*:Enabled:Empire: Total War"
"C:\\Program Files\\Steam\\steamapps\\buttche3k007\\smashball\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\buttche3k007\\smashball\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\steamapps\\buttche3k007\\age of chivalry\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\buttche3k007\\age of chivalry\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\steamapps\\common\\america's army 3\\Binaries\\AA3Game.exe"="C:\\Program Files\\Steam\\steamapps\\common\\america's army 3\\Binaries\\AA3Game.exe:*:Enabled:America's Army 3"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\\Program Files\\Steam\\steamapps\\azndumpling1086@aol.com\\counter-strike\\hl.exe"="C:\\Program Files\\Steam\\steamapps\\azndumpling1086@aol.com\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 21 Dec 2007 4 ..SHR --- "C:\WINOS.SYS"
Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 26 Jan 2009 2,144,088 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Fri 26 Sep 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 7 Jun 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 24 Mar 2009 67,498,308 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c076c7f7f61c324386e46ae674c42632\BIT1.tmp"
Thu 12 Mar 2009 1,301 ...HR --- "C:\Documents and Settings\Daniel\Application Data\SecuROM\UserData\securom_v7_01.bak"

Finished!

Danimal
Intermediate
Intermediate

Posts Posts : 109
Joined Joined : 2009-03-03
Gender Gender : Male
OS OS : PC Vista
Protection Protection : McAfee
Points Points : 29147
# Likes # Likes : 0

View user profile

Back to top Go down

Re: whats wrong with it

Post by Belahzur on 20th August 2009, 7:01 pm

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tools works in safe mode.
You can also try renaming it since some malware blocks GMER.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245091
# Likes # Likes : 1

View user profile

Back to top Go down

Re: whats wrong with it

Post by Danimal on 21st August 2009, 2:07 pm

GMER 1.0.15.15077 [11bixzy1.exe] - [You must be registered and logged in to see this link.]
Rootkit scan 2009-08-21 07:07:21
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT spov.sys ZwCreateKey [0xB7EA80E0]
SSDT spov.sys ZwEnumerateKey [0xB7EC6CA2]
SSDT spov.sys ZwEnumerateValueKey [0xB7EC7030]
SSDT spov.sys ZwOpenKey [0xB7EA80C0]
SSDT spov.sys ZwQueryKey [0xB7EC7108]
SSDT spov.sys ZwQueryValueKey [0xB7EC6F88]
SSDT spov.sys ZwSetValueKey [0xB7EC719A]

INT 0x62 ? 8A79FBF8
INT 0x63 ? 8A5FAF00
INT 0x73 ? 8A79FBF8
INT 0x73 ? 8A79FBF8
INT 0x73 ? 8A79FBF8
INT 0x73 ? 8A79FBF8
INT 0x73 ? 8A5FAF00
INT 0x73 ? 8A79FBF8
INT 0x82 ? 8A79FBF8
INT 0x83 ? 8A5FAF00
INT 0x94 ? 8A5FAF00
INT 0xB4 ? 8A5FAF00
INT 0xB4 ? 8A5FAF00
INT 0xB4 ? 8A5FAF00
INT 0xB4 ? 8A5FAF00

---- Kernel code sections - GMER 1.0.15 ----

? spov.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B6E988AC 5 Bytes JMP 8A5FA4E0
.text a07do4kt.SYS B6DD4386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text a07do4kt.SYS B6DD43AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text a07do4kt.SYS B6DD43C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text a07do4kt.SYS B6DD43C9 1 Byte [2E]
.text a07do4kt.SYS B6DD43C9 11 Bytes [2E, 00, 00, 00, 5C, 02, 00, ...] {ADD CS:[EAX], AL; ADD [EDX+EAX+0x0], BL; ADD [EAX], AL; ADD [EAX], AL}
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7EA9040] spov.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B7EA913C] spov.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B7EA90BE] spov.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B7EA97FC] spov.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B7EA96D2] spov.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B7EB9048] spov.sys
IAT \SystemRoot\System32\Drivers\a07do4kt.SYS[HAL.dll!KfAcquireSpinLock] 4B8BDF8B
IAT \SystemRoot\System32\Drivers\a07do4kt.SYS[HAL.dll!READ_PORT_UCHAR] 8D3F0304
IAT \SystemRoot\System32\Drivers\a07do4kt.SYS[HAL.dll!KeGetCurrentIrql] CB033043
IAT \SystemRoot\System32\Drivers\a07do4kt.SYS[HAL.dll!KfRaiseIrql] 0673C13B
IAT \SystemRoot\System32\Drivers\a07do4kt.SYS[HAL.dll!KfLowerIrql] C13B0003
IAT \SystemRoot\System32\Drivers\a07do4kt.SYS[HAL.dll!HalGetInterruptVector] 8366FA72
IAT \SystemRoot\System32\Drivers\a07do4kt.SYS[HAL.dll!HalTranslateBusAddress] 75000E7B
IAT \SystemRoot\System32\Drivers\a07do4kt.SYS[HAL.dll!KeStallExecutionProcessor] 0B7D80E3
IAT \SystemRoot\System32\Drivers\a07do4kt.SYS[HAL.dll!KfReleaseSpinLock] 307B8D00
IAT \SystemRoot\System32\Drivers\a07do4kt.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 00AA840F
IAT \SystemRoot\System32\Drivers\a07do4kt.SYS[HAL.dll!READ_PORT_USHORT] 83660000
IAT \SystemRoot\System32\Drivers\a07do4kt.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 6A000E7A
IAT \SystemRoot\System32\Drivers\a07do4kt.SYS[HAL.dll!WRITE_PORT_UCHAR] C6647400
IAT \SystemRoot\System32\Drivers\a07do4kt.SYS[WMILIB.SYS!WmiSystemControl] 4F8B0200
IAT \SystemRoot\System32\Drivers\a07do4kt.SYS[WMILIB.SYS!WmiCompleteRequest] 968D5140

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A79E1F8
Device \FileSystem\Fastfat \FatCdrom 89A5C500
Device \FileSystem\Udfs \UdfsCdRom 8A312500
Device \FileSystem\Udfs \UdfsDisk 8A312500

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Danimal
Intermediate
Intermediate

Posts Posts : 109
Joined Joined : 2009-03-03
Gender Gender : Male
OS OS : PC Vista
Protection Protection : McAfee
Points Points : 29147
# Likes # Likes : 0

View user profile

Back to top Go down

Re: whats wrong with it

Post by Danimal on 21st August 2009, 2:08 pm

Device \Driver\usbuhci \Device\USBPDO-0 8A5F41F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A8131F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A8131F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A8131F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A8131F8
Device \Driver\usbuhci \Device\USBPDO-1 8A5F41F8
Device \Driver\usbuhci \Device\USBPDO-2 8A5F41F8
Device \Driver\usbehci \Device\USBPDO-3 8A5FF1F8
Device \Driver\usbuhci \Device\USBPDO-4 8A5F41F8

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBPDO-5 8A5F41F8
Device \Driver\PCI_PNP4742 \Device\00000049 spov.sys
Device \Driver\usbuhci \Device\USBPDO-6 8A5F41F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A7A01F8
Device \Driver\usbehci \Device\USBPDO-7 8A5FF1F8
Device \Driver\Cdrom \Device\CdRom0 8A5FE1F8
Device \Driver\Cdrom \Device\CdRom1 8A5FE1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A278500
Device \Driver\NetBT \Device\NetbiosSmb 8A278500
Device \Driver\NetBT \Device\NetBT_Tcpip_{CD6FF56B-5065-4043-BB0D-4995520082D8} 8A278500

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBFDO-0 8A5F41F8
Device \Driver\usbuhci \Device\USBFDO-1 8A5F41F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89B68500
Device \Driver\usbuhci \Device\USBFDO-2 8A5F41F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89B68500
Device \Driver\usbehci \Device\USBFDO-3 8A5FF1F8
Device \Driver\usbuhci \Device\USBFDO-4 8A5F41F8
Device \Driver\Ftdisk \Device\FtControl 8A7A01F8
Device \Driver\usbuhci \Device\USBFDO-5 8A5F41F8
Device \Driver\usbuhci \Device\USBFDO-6 8A5F41F8
Device \Driver\usbehci \Device\USBFDO-7 8A5FF1F8
Device \Driver\sptd \Device\3690444742 spov.sys
Device \Driver\a07do4kt \Device\Scsi\a07do4kt1Port6Path0Target0Lun0 8A6061F8
Device \Driver\a07do4kt \Device\Scsi\a07do4kt1 8A6061F8
Device \FileSystem\Fastfat \Fat 89A5C500

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 8A34B1F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC5 0x6C 0xDF 0x38 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xCB 0x00 0x0C 0x5C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x5D 0xD1 0xEF 0x37 ...
Reg HKLM\SYSTEM\ControlSet003\Services\ovfsthbftirxercrnseomtidbluqxdnftobiri@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\ovfsthbftirxercrnseomtidbluqxdnftobiri@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\ovfsthbftirxercrnseomtidbluqxdnftobiri@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\ovfsthbftirxercrnseomtidbluqxdnftobiri@imagepath \systemroot\system32\drivers\ovfsthuwtidxwevxtevwcirpdxymepmxuucbvs.sys
Reg HKLM\SYSTEM\ControlSet003\Services\ovfsthbftirxercrnseomtidbluqxdnftobiri@inst 0
Reg HKLM\SYSTEM\ControlSet003\Services\ovfsthbftirxercrnseomtidbluqxdnftobiri\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\ovfsthbftirxercrnseomtidbluqxdnftobiri\main@ver sni060409
Reg HKLM\SYSTEM\ControlSet003\Services\ovfsthbftirxercrnseomtidbluqxdnftobiri\main@cid 01
Reg HKLM\SYSTEM\ControlSet003\Services\ovfsthbftirxercrnseomtidbluqxdnftobiri\main@bid 1019188780-1060284298-507921405-725345543
Reg HKLM\SYSTEM\ControlSet003\Services\ovfsthbftirxercrnseomtidbluqxdnftobiri\main@aid 998
Reg HKLM\SYSTEM\ControlSet003\Services\ovfsthbftirxercrnseomtidbluqxdnftobiri\main@sid 3
Reg HKLM\SYSTEM\ControlSet003\Services\ovfsthbftirxercrnseomtidbluqxdnftobiri\main@feed 0x22 0x64 0x78 0x36 ...
Reg HKLM\SYSTEM\ControlSet003\Services\ovfsthbftirxercrnseomtidbluqxdnftobiri\main@cmddelay 28801
Reg HKLM\SYSTEM\ControlSet003\Services\ovfsthbftirxercrnseomtidbluqxdnftobiri\main@logoffset 118731
Reg HKLM\SYSTEM\ControlSet003\Services\ovfsthbftirxercrnseomtidbluqxdnftobiri\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\ovfsthbftirxercrnseomtidbluqxdnftobiri\main\ff (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\ovfsthbftirxercrnseomtidbluqxdnftobiri\main\ff@extension \\?\C:\Program Files\Mozilla Firefox\extensions\{27CAC14D-C61C-4A2A-95E6-7015D83145D0}
Reg HKLM\SYSTEM\ControlSet003\Services\ovfsthbftirxercrnseomtidbluqxdnftobiri\main\ff@version 1
Reg HKLM\SYSTEM\ControlSet003\Services\ovfsthbftirxercrnseomtidbluqxdnftobiri\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\ovfsthbftirxercrnseomtidbluqxdnftobiri\main\injector@iexplore.exe ovfsthwi.dll
Reg HKLM\SYSTEM\ControlSet003\Services\ovfsthbftirxercrnseomtidbluqxdnftobiri\main\injector@explorer.exe ovfsthff.dll
Reg HKLM\SYSTEM\ControlSet003\Services\ovfsthbftirxercrnseomtidbluqxdnftobiri\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\ovfsthbftirxercrnseomtidbluqxdnftobiri\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\ovfsthbftirxercrnseomtidbluqxdnftobiri\modules@ovfsth.sys \systemroot\system32\drivers\ovfsthuwtidxwevxtevwcirpdxymepmxuucbvs.sys
Reg HKLM\SYSTEM\ControlSet003\Services\ovfsthbftirxercrnseomtidbluqxdnftobiri\modules@ovfsth.dll \systemroot\system32\ovfsthkpjuyjhfuchtrsktkrnhilmonugogkqy.dll
Reg HKLM\SYSTEM\ControlSet003\Services\ovfsthbftirxercrnseomtidbluqxdnftobiri\modules@ovfsthlog.dat \systemroot\system32\ovfsthlpkntqhcbwtoslvhfoeflmufthhonxpd.dat
Reg HKLM\SYSTEM\ControlSet003\Services\ovfsthbftirxercrnseomtidbluqxdnftobiri\modules@ovfsthwi.dll \systemroot\system32\ovfsthhcipfaqxguepuctqoxyfwofnbpapvnqy.dll
Reg HKLM\SYSTEM\ControlSet003\Services\ovfsthbftirxercrnseomtidbluqxdnftobiri\modules@ovfsthff.dll \systemroot\system32\ovfsthinbjutmbesyrljwxkxfpppwwcideofem.dll
Reg HKLM\SYSTEM\ControlSet003\Services\ovfsthbftirxercrnseomtidbluqxdnftobiri\modules@ovfsth.dat \systemroot\system32\ovfsthowyrwapvlsdkowvboamcbfwjrelruxog.dat
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC5 0x6C 0xDF 0x38 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xCB 0x00 0x0C 0x5C ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x5D 0xD1 0xEF 0x37 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC5 0x6C 0xDF 0x38 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xCB 0x00 0x0C 0x5C ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x5D 0xD1 0xEF 0x37 ...

---- EOF - GMER 1.0.15 ----

Danimal
Intermediate
Intermediate

Posts Posts : 109
Joined Joined : 2009-03-03
Gender Gender : Male
OS OS : PC Vista
Protection Protection : McAfee
Points Points : 29147
# Likes # Likes : 0

View user profile

Back to top Go down

Re: whats wrong with it

Post by Belahzur on 21st August 2009, 2:12 pm

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.]

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+CCrying


Registry keys to delete:
HKLM\SYSTEM\ControlSet003\Services\ovfsthbftirxercrnseomtidbluqxdnftobiri

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avengerís actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245091
# Likes # Likes : 1

View user profile

Back to top Go down

Re: whats wrong with it

Post by Danimal on 21st August 2009, 2:52 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Registry key "HKLM\SYSTEM\ControlSet003\Services\ovfsthbftirxercrnseomtidbluqxdnftobiri" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Danimal
Intermediate
Intermediate

Posts Posts : 109
Joined Joined : 2009-03-03
Gender Gender : Male
OS OS : PC Vista
Protection Protection : McAfee
Points Points : 29147
# Likes # Likes : 0

View user profile

Back to top Go down

Re: whats wrong with it

Post by Origin on 21st August 2009, 3:36 pm

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31503
# Likes # Likes : 0

View user profile

Back to top Go down

Re: whats wrong with it

Post by Danimal on 22nd August 2009, 2:43 am

Malwarebytes' Anti-Malware 1.40
Database version: 2675
Windows 5.1.2600 Service Pack 3

8/21/2009 7:41:57 PM
mbam-log-2009-08-21 (19-41-57).txt

Scan type: Quick Scan
Objects scanned: 96767
Time elapsed: 2 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 37

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\tbsb00583.tbsb00583toolbar (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Windows antiVirus pro (Rogue.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Internet Explorer\LiveInfoPro (Adware.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Internet Explorer\LiveInfoPro\affid.dat (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\basis.xml (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\bg.jpg (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\icons.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\icons.bmp_16.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\icons.bmp_24.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\icons.bmp_32.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\info.txt (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\liveinfo_logo.gif (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\liveinfo_logo2.gif (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\liveinfo_logo3.gif (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\liveinfo_logo4.gif (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\liveinfo_logo5.gif (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\mini_logo.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\radio2.html (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\radio3.html (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\script.html (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\standart_icons.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\tbhelper.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\tbs_include_script_000666.js (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\tbs_include_script_001203.js (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\tbs_include_script_001359.js (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\tbs_include_script_007269.js (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\tbs_include_script_013174.js (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\tbs_include_script_015435.js (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\tbs_include_script_016286.js (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\tbs_include_script_021605.js (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\tbs_include_script_023250.js (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\tbs_include_script_026591.js (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\tbs_include_script_028434.js (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\tbs_include_script_031265.js (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\toolbar_v0.9.5_w-jsinside-affid-1002.crc (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\uninstall.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\version.txt (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\your_logo.png (Adware.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\onhelp.htm (Rogue.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

Danimal
Intermediate
Intermediate

Posts Posts : 109
Joined Joined : 2009-03-03
Gender Gender : Male
OS OS : PC Vista
Protection Protection : McAfee
Points Points : 29147
# Likes # Likes : 0

View user profile

Back to top Go down

Re: whats wrong with it

Post by Origin on 22nd August 2009, 5:21 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31503
# Likes # Likes : 0

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum