Malware Win32.Agent.pz--Urgent Help
Page 1 of 4
uvita (Intermediate)
OS : Windows Vista with Media Edition
Posts : 163
Rubies : 4340
Likes : 0
I ran my antivirus and could not find this virus, but when I ran Spybot it tells me that my computer has two entries of Win32.Agent.pz in my registry, which is a malware... Please help me completely remove it from my system.
uvita (Intermediate)
OS : Windows Vista with Media Edition
Posts : 163
Rubies : 4340
Likes : 0
I ran Malwarebytes and this is the logfile
Malwarebytes' Anti-Malware 1.41
Database version: 2814
Windows 5.1.2600 Service Pack 3
9/16/2009 9:48:01 PM
mbam-log-2009-09-16 (21-47-48).txt
Scan type: Quick Scan
Objects scanned: 102075
Time elapsed: 7 minute(s), 52 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\Deepa\Application Data\wiaserva.log (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\wtl32locale.dll (Trojan.Agent) -> No action taken.
uvita (Intermediate)
OS : Windows Vista with Media Edition
Posts : 163
Rubies : 4340
Likes : 0
I removed the selected items and restarted my computer, and afterwards ran Malwarebytes again; this is the logfile
Malwarebytes' Anti-Malware 1.41
Database version: 2814
Windows 5.1.2600 Service Pack 3
9/16/2009 10:07:29 PM
mbam-log-2009-09-16 (22-07-29).txt
Scan type: Quick Scan
Objects scanned: 102148
Time elapsed: 10 minute(s), 26 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Does the above mean it's gone? Please help.
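As an added example (not code from this thread or from Malwarebytes), a small Python parser for the Malwarebytes' Anti-Malware 1.41 log format posted above: it extracts each detection with its category and action, flags entries the scan only reported ("No action taken") rather than removed, checks that the summary counts match the detail lines, and reports whether anything from the first scan reappears in the follow-up scan. The embedded sample logs are constructed, abbreviated copies of the two logs in this post.

```python
import re
from dataclasses import dataclass, field

# Section names used by Malwarebytes' Anti-Malware 1.41 logs, both as summary
# lines ("Registry Keys Infected: 4") and as detail headers ("Registry Keys Infected:").
SECTIONS = (
    "Memory Processes Infected", "Memory Modules Infected", "Registry Keys Infected",
    "Registry Values Infected", "Registry Data Items Infected", "Folders Infected",
    "Files Infected",
)
SUMMARY_RE = re.compile(r"^(?P<name>.+ Infected): (?P<n>\d+)$")
# Detail line layout: "<item> (<category>) -> <action>."
DETAIL_RE = re.compile(r"^(?P<item>.+?) \((?P<category>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class Detection:
    section: str
    item: str
    category: str
    action: str


@dataclass
class MbamLog:
    counts: dict = field(default_factory=dict)      # summary counts per section
    detections: list = field(default_factory=list)  # parsed detail lines


def parse_mbam_log(text: str) -> MbamLog:
    """Parse the summary counts and per-section detail lines of an MBAM 1.41 log."""
    log = MbamLog()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m and m.group("name") in SECTIONS:
            log.counts[m.group("name")] = int(m.group("n"))
            continue
        if line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]  # entering a detail section
            continue
        if section is None or line == "(No malicious items detected)":
            continue
        m = DETAIL_RE.match(line)
        if m:
            log.detections.append(Detection(section, m.group("item"),
                                            m.group("category"), m.group("action")))
    return log


def unresolved(log: MbamLog) -> list:
    """Detections the scan only reported ("No action taken"): still present on the system."""
    return [d for d in log.detections if d.action.lower().startswith("no action taken")]


def count_mismatches(log: MbamLog) -> list:
    """Sections whose summary count disagrees with the detail lines (truncated or edited paste)."""
    per_section = {s: 0 for s in SECTIONS}
    for d in log.detections:
        per_section[d.section] += 1
    return [s for s in SECTIONS if log.counts.get(s, 0) != per_section[s]]


def still_present(before: MbamLog, after: MbamLog) -> list:
    """Items flagged in the first scan that the follow-up scan reports again."""
    after_items = {(d.section, d.item) for d in after.detections}
    return sorted((d.section, d.item) for d in before.detections
                  if (d.section, d.item) in after_items)


def looks_clean(log: MbamLog) -> bool:
    """True when every summary count is zero and no detail line was parsed."""
    return not log.detections and all(v == 0 for v in log.counts.values())


# Constructed sample input: abbreviated copies of the two logs posted in this thread.
FIRST_SCAN = r"""
Malwarebytes' Anti-Malware 1.41
Registry Keys Infected: 4
Files Infected: 2
Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
Files Infected:
C:\Documents and Settings\Deepa\Application Data\wiaserva.log (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\wtl32locale.dll (Trojan.Agent) -> No action taken.
"""
SECOND_SCAN = r"""
Malwarebytes' Anti-Malware 1.41
Registry Keys Infected: 0
Files Infected: 0
Registry Keys Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
"""

if __name__ == "__main__":
    first, second = parse_mbam_log(FIRST_SCAN), parse_mbam_log(SECOND_SCAN)
    print(f"first scan: {len(first.detections)} detections, {len(unresolved(first))} not acted on")
    print(f"count mismatches in first scan: {count_mismatches(first)}")
    print(f"still present after removal: {still_present(first, second)}")
    print(f"second scan looks clean: {looks_clean(second)}")
```

A clean follow-up quick scan only says this tool's current database no longer sees those items; the "No action taken" entries in the first log are the ones that had to be selected and removed before the rescan.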
Dr Jay (Head Admin)
Power of Youth!
OS : Windows 10 Home & Pro, Android, Linux
Arch. : x64 (64-bit)
Anti-Malware : Bitdefender Total Security
Posts : 15175
Rubies : 289559
Likes : 160
Hi
Please download ComboFix
by sUBs
Link 1: Forospyware.com or Link 2: BleepingComputer.com
Please save the file to your Desktop, but rename it first:


Important information about ComboFix
Before the download:
- Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
- It is important to rename ComboFix before the download.
- Please do not rename ComboFix to other names, but only the one indicated.
After the download:
- Close any open browsers.
- Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
- If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
Running ComboFix:
- Double click on svchost.exe & follow the prompts.
- It will attempt to install the Recovery Console:


- When ComboFix finishes, it will produce a report for you.
- Please post the "C:\Combo-Fix.txt" in your next reply.
Troubleshooting ComboFix
Safe Mode:
If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.
(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")
Re-downloading:
If this doesn't work either, try the same method (above method), but try to download it again, except name ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.
Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
uvita (Intermediate)
OS : Windows Vista with Media Edition
Posts : 163
Rubies : 4340
Likes : 0
ok
uvita (Intermediate)
OS : Windows Vista with Media Edition
Posts : 163
Rubies : 4340
Likes : 0
Here is the ComboFix log txt
ComboFix 09-09-16.02 - Deepa 09/16/2009 23:10.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.420 [GMT -5:00]
Running from: c:\documents and settings\Deepa\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\desktop.ini
c:\recycler\S-1-5-21-2000478354-1935655697-839522115-500
c:\recycler\S-1-5-21-2823752601-3194716430-1139259701-500
c:\recycler\S-1-5-21-3368456305-730258004-1853410020-500
c:\windows\Installer\26f6e34.msi
c:\windows\Installer\c8a98a.msi
c:\windows\Installer\e99165.msi
c:\windows\kb913800.exe
c:\windows\UA000106.DLL
c:\windows\system32\grpconv.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\grpconv.exe
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe
.
((((((((((((((((((((((((( Files Created from 2009-08-17 to 2009-09-17 )))))))))))))))))))))))))))))))
.
2009-09-17 04:25 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-09-17 04:25 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-17 04:25 . 2008-04-14 00:12 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
2009-09-17 04:25 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-09-17 03:17 . 2009-09-17 03:18 5154304 ----a-w- C:\WindowsDefender.msi
2009-09-17 02:37 . 2009-09-17 03:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-17 02:26 . 2009-09-17 02:26 4045528 ----a-w- C:\mbam-setup.exe
2009-09-15 03:17 . 2008-10-16 19:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-09-15 03:17 . 2008-10-16 19:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-09-14 14:03 . 2009-09-14 14:03 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-14 14:03 . 2009-09-14 14:03 4938616 ----a-w- C:\Silverlight.exe
2009-09-12 00:45 . 2009-09-12 00:45 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-09-09 16:00 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-07 01:02 . 2009-09-07 01:02 -------- d-----w- c:\documents and settings\Deepa\Application Data\Xilisoft Corporation
2009-09-07 01:02 . 2009-09-07 01:02 -------- d-----w- c:\program files\Xilisoft
2009-09-06 02:06 . 2009-09-06 02:06 -------- d-----w- c:\documents and settings\All Users\Application Data\InterVideo
2009-09-06 02:05 . 2008-04-02 02:40 209040 ----a-w- c:\windows\system32\IVIresizeW7.dll
2009-09-06 02:05 . 2008-04-02 02:40 192656 ----a-w- c:\windows\system32\IVIresizePX.dll
2009-09-06 02:05 . 2008-04-02 02:40 196752 ----a-w- c:\windows\system32\IVIresizeP6.dll
2009-09-06 02:05 . 2008-04-02 02:40 196752 ----a-w- c:\windows\system32\IVIresizeM6.dll
2009-09-06 02:05 . 2008-04-02 02:40 204944 ----a-w- c:\windows\system32\IVIresizeA6.dll
2009-09-06 02:05 . 2008-04-02 02:40 24720 ----a-w- c:\windows\system32\IVIresize.dll
2009-09-06 02:04 . 2009-09-06 02:04 -------- d-----w- c:\program files\Windows Media Components
2009-09-06 02:02 . 2009-09-06 02:04 -------- d-----w- c:\program files\Common Files\Ulead Systems
2009-08-31 17:03 . 2009-08-31 17:03 -------- d-----w- c:\documents and settings\Deepa\Application Data\webex
2009-08-31 17:02 . 2009-08-31 17:02 -------- d-----w- c:\windows\Sun
2009-08-20 02:32 . 2009-08-20 02:32 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-08-20 02:32 . 2009-08-20 02:32 -------- d-----w- c:\program files\Java
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-17 03:06 . 2008-07-07 02:47 -------- d-----w- c:\documents and settings\Deepa\Application Data\uTorrent
2009-09-17 02:37 . 2008-07-30 05:09 7168 --sha-w- c:\program files\Thumbs.db
2009-09-17 01:56 . 2007-09-27 01:09 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-17 00:34 . 2008-11-28 04:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-16 01:19 . 2007-07-01 22:29 -------- d-----w- c:\program files\Kundli
2009-09-13 03:06 . 2008-02-07 22:12 -------- d-----w- c:\program files\downloads
2009-09-07 05:05 . 2008-03-22 18:19 -------- d-----w- c:\program files\Common Files\Real
2009-09-07 01:02 . 2008-07-07 03:54 67224 ----a-w- c:\documents and settings\Deepa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-06 14:01 . 2009-01-30 22:30 -------- d-----w- c:\documents and settings\Deepa\Application Data\Ulead Systems
2009-09-06 02:08 . 2009-01-30 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2009-09-06 02:05 . 2006-06-20 09:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-06 02:02 . 2009-04-19 21:30 -------- d-----w- c:\program files\Corel
2009-08-31 20:24 . 2009-03-01 19:13 952 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-08-12 19:45 . 2009-08-12 19:44 -------- d-----w- c:\program files\Ultra RM Converter
2009-08-10 04:51 . 2009-05-07 18:22 -------- d-----w- c:\program files\Replay Video Capture
2009-08-05 15:00 . 2009-04-30 00:31 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 09:01 . 2006-06-20 09:03 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-22 19:39 . 2009-07-22 19:39 -------- d-----w- c:\program files\MSECache
2009-07-21 01:45 . 2008-02-07 22:34 -------- d-----w- c:\program files\multimedia
2009-07-17 19:01 . 2006-06-20 09:02 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2006-06-20 09:03 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-06 23:56 . 2006-07-12 00:35 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-07-01 17:09 . 2009-07-01 17:09 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-07-01 17:09 . 2009-07-01 17:09 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-06-26 16:50 . 2006-06-20 09:03 666624 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2006-06-20 09:02 81920 ----a-w- c:\windows\system32\ieencode.dll
2008-07-30 00:48 . 2008-07-29 23:36 88 --sh--r- c:\windows\system32\96BED014D3.sys
2009-02-26 05:35 . 2008-07-29 23:36 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-27 7561216]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Corel File Shell Monitor"="c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2008-08-08 16712]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"UVS12 Preload"="c:\program files\Corel\Corel VideoStudio 12\uvPL.exe" [2008-06-09 397456]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-07 198160]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-04 16206848]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
2Wire Wireless Client Manager.lnk - c:\program files\2Wire Wireless\Client Manager\CMTWO.EXE [2008-1-2 323584]
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2006-6-20 589824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"RTHDCPL"=RTHDCPL.EXE
"farstone"=
"nwiz"=nwiz.exe /install
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" --logon
"googletalk"=c:\program files\Google\Google Talk\googletalk.exe /autostart
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\installs\\utorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2/27/2006 2:00 AM 34880]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2/20/2006 3:01 AM 29056]
R1 NEOFLTR_600_12507;Juniper Networks TDI Filter Driver (NEOFLTR_600_12507);c:\windows\system32\drivers\NEOFLTR_600_12507.sys [12/27/2007 10:23 PM 64160]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/29/2009 7:31 PM 108289]
S3 PhnxVcd;PhnxVcd;c:\windows\system32\drivers\phnxvcd.sys [6/20/2006 6:59 AM 45056]
S4 Bscrr_lmn;Bscrr_lmn;c:\windows\system32\drivers\AegisP.sys [6/20/2006 4:56 AM 20747]
.
Contents of the 'Scheduled Tasks' folder
2008-02-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]
2009-09-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-28 13:47]
2009-07-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3394046492-3908304094-923156054-1011Core.job
- c:\documents and settings\Deepa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-13 14:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.averatec.com/
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Deepa\Application Data\Mozilla\Firefox\Profiles\42cws0hp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\Deepa\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Power2GoExpress - c:\program files\CyberLink\Power2Go\Power2GoExpress.exe
HKLM-Run-PRISMSVR.EXE - c:\windows\system32\PRISMSVR.EXE
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
AddRemove-Bytescout SWF To Video Scout (demo)_is1 - c:\program files\Bytescout SWF To Video Scout\unins000.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-16 23:26
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-09-17 23:37
ComboFix-quarantined-files.txt 2009-09-17 04:37
Pre-Run: 48,597,307,392 bytes free
Post-Run: 48,390,602,752 bytes free
176 --- E O F --- 2009-09-15 06:47
- uvitaIntermediate
-
OS : Windows Vista with Media Edition
Posts : 163
Rubies : 4340
Likes : 0
What do I do now... Can I turn my antivirus and Spybot on?
- Dr JayHead Admin
-
Power of Youth!
OS : Windows 10 Home & Pro, Android, Linux
Arch. : x64 (64-bit)
Anti-Malware : Bitdefender Total Security
Posts : 15175
Rubies : 289559
Likes : 160
Hi
I see you are running a P2P application. I suggest reading the following, and then deciding whether you want to keep it or not: http://www.helpmyos.com/learn-security-f40/p2p-programs-t1102.htm
==
Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Please post the log in your next reply.
- uvitaIntermediate
-
OS : Windows Vista with Media Edition
Posts : 163
Rubies : 4340
Likes : 0
Hi,
Here is the Malwarebytes log txt:
Malwarebytes' Anti-Malware 1.41
Database version: 2814
Windows 5.1.2600 Service Pack 3
9/17/2009 12:27:23 AM
mbam-log-2009-09-17 (00-27-23).txt
Scan type: Quick Scan
Objects scanned: 101391
Time elapsed: 6 minute(s), 46 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
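The Malwarebytes logs posted in this thread all share one fixed layout: a header, a block of per-section counts, then the sections themselves with one line per item, each ending in the disposition the scan applied. The parser below is an added example written for this page, not code from Malwarebytes, the forum or anyone in the thread; the two log texts inside it are constructed, with placeholder paths and GUIDs. It pulls out the header metadata, the counts and the listed items, checks that the counts agree with the listing, and separates items the scan only reported ("No action taken") from those it actually removed, which is the check a helper makes before deciding whether a rescan is still needed.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and triage what it lists.
Added example for this thread, not Malwarebytes' or the forum's code; the two
logs below are constructed, with placeholder paths and GUIDs."""
import re
from dataclasses import dataclass, field

# Constructed log: one registry item only reported, one file actually removed.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 2814
Windows 5.1.2600 Service Pack 3
9/16/2009 9:48:01 PM
Scan type: Quick Scan
Objects scanned: 102075
Time elapsed: 7 minute(s), 52 second(s)
Memory Processes Infected: 0
Registry Keys Infected: 1
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{00000000-0000-0000-0000-000000000000} (Backdoor.Bot) -> No action taken.
Files Infected:
C:\Program Files (x86)\Example\placeholder.dll (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Constructed log with nothing found, the shape of a follow-up rescan.
CLEAN_LOG = r"""
Malwarebytes' Anti-Malware 1.41
Scan type: Quick Scan
Registry Keys Infected: 0
Files Infected: 0
Registry Keys Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
"""

COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# Greedy path so a folder like "Program Files (x86)" is not mistaken for the threat name.
ITEM_RE = re.compile(r"^(?P<path>.+) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")
META_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")

@dataclass
class Detection:
    section: str  # e.g. "Registry Keys Infected"
    path: str     # registry key or file path as MBAM printed it
    threat: str   # detection name from the parentheses, e.g. "Trojan.Agent"
    action: str   # disposition after "->"

@dataclass
class MbamReport:
    meta: dict = field(default_factory=dict)    # header "Key: value" pairs
    counts: dict = field(default_factory=dict)  # summary count per section
    detections: list = field(default_factory=list)

    def pending(self):
        """Items the scan listed but did not remove (user pressed Scan, not Remove)."""
        return [d for d in self.detections if d.action.startswith("No action taken")]

    def is_clean(self):
        return not self.detections and all(c == 0 for c in self.counts.values())

    def count_mismatches(self):
        """Sections whose summary count disagrees with the items actually listed."""
        seen = {}
        for d in self.detections:
            seen[d.section] = seen.get(d.section, 0) + 1
        return {s: (n, seen.get(s, 0)) for s, n in self.counts.items() if n != seen.get(s, 0)}

def parse_mbam_log(text):
    report, section = MbamReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m["section"]          # a listing block starts here
        elif m := COUNT_RE.match(line):
            report.counts[m["section"]] = int(m["count"])
        elif section is None:
            if m := META_RE.match(line):    # header metadata; other header lines are ignored
                report.meta[m["key"]] = m["value"]
        elif m := ITEM_RE.match(line):      # "(No malicious items detected)" does not match
            report.detections.append(Detection(section, m["path"], m["threat"], m["action"]))
    return report

def triage(text):
    """The verdict a helper wants before asking for a rescan."""
    r = parse_mbam_log(text)
    return {
        "clean": r.is_clean(),
        "pending": [f"{d.section}: {d.path} ({d.threat})" for d in r.pending()],
        "removed": len(r.detections) - len(r.pending()),
        "count_mismatches": r.count_mismatches(),
    }

if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("clean", CLEAN_LOG)):
        print(name, triage(log))
```

The item regex keeps the path greedy on purpose: the threat name is the last parenthesised token before "->", so a path containing its own parentheses still parses. A log whose summary counts do not match its listing (truncated paste, or a log edited by hand) shows up in `count_mismatches` rather than silently reading as clean.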
- Dr JayHead Admin
-
Power of Youth!
OS : Windows 10 Home & Pro, Android, Linux
Arch. : x64 (64-bit)
Anti-Malware : Bitdefender Total Security
Posts : 15175
Rubies : 289559
Likes : 160
Hi
Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
- Tick the box next to YES, I accept the Terms of Use
- Click Start
- When asked, allow the ActiveX control to install
- Click Start
- Make sure that the options Remove found threats and Scan unwanted applications are both checked
- Click Scan (This scan can take several hours, so please be patient)
- Once the scan is completed, you may close the window
- Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
- Copy and paste that log as a reply to this topic
==
Download Security Check by screen317 from here or here.
- Save it to your Desktop.
- Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
- A Notepad document should open automatically called checkup.txt; please post the contents of that document.
==
Please post the results of the ESET scan and the Checkup log in your next reply.