Antivirus System Pro is here ..... what next?


Re: Antivirus System Pro is here ..... what next?

Post by yeknom-ecaps on 16th November 2009, 1:53 am

Here is what I created:

C:\Combo-Fix\CFScript.txt (copied this from Notepad's "Save As" field)

Dragged the CFScript.txt shortcut onto the Combo-Fix icon; Combo-Fix started, then I get:

CFScript Name Error box
Were you trying to run CFScript?
The name CFScript appears to be incorrectly spelt

The name looks right to me.

Any idea?

yeknom-ecaps, Novice (Posts: 39, Joined: 2009-07-03, OS: xp, Points: 27277, Likes: 0)


Re: Antivirus System Pro is here ..... what next?

Post by Dr Jay on 16th November 2009, 1:58 am

Delete your copy of ComboFix; grab a fresh copy, except before you download it, rename it to blackpudding.bat


Navigate to Start --> Run, and enter the following command exactly as shown:

"%userprofile%\desktop\blackpudding.bat" /killall

See if ComboFix will run now.


Dr. Jay (DJ)



Dr Jay, Head Administrator (Posts: 14309, Joined: 2009-09-06, Gender: Male, OS: Windows 10 Home & Pro, Arch.: x64 (64-bit), Protection: Bitdefender Total Security, Points: 302970, Likes: 10)


Re: Antivirus System Pro is here ..... what next?

Post by yeknom-ecaps on 16th November 2009, 2:37 am

Used "%userprofile%\desktop\blackpudding.bat" /killall from the Run box.

ComboFix 09-11-16.03 - Tom 11/15/2009 21:25.4.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.521 [GMT -5:00]
Running from: c:\documents and settings\Tom\desktop\blackpudding.bat
Command switches used :: /killall
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ctfmon .exe

.
((((((((((((((((((((((((( Files Created from 2009-10-16 to 2009-11-16 )))))))))))))))))))))))))))))))
.

2009-11-15 16:35 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-15 16:35 . 2009-11-15 16:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-15 16:35 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-15 06:26 . 2009-11-16 02:13 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\exmgci
2009-11-15 06:26 . 2009-11-16 02:13 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\chtapt
2009-11-15 05:28 . 2009-11-16 02:13 -------- d-----w- c:\documents and settings\Tom\Application Data\bbabbc
2009-11-15 05:28 . 2009-11-16 02:13 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\jedynw
2009-11-15 05:12 . 2009-11-16 02:13 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\jfkkwd
2009-11-15 04:56 . 2009-11-15 04:56 389120 ----a-w- c:\windows\system32\CF7635.exe
2009-11-15 04:56 . 2009-11-15 04:54 389120 ----a-w- c:\windows\system32\CF7325.exe
2009-11-15 04:20 . 2009-11-16 02:13 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\tcmnep
2009-11-15 04:04 . 2009-11-16 02:13 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\kyvpip
2009-11-15 03:51 . 2009-11-16 02:13 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\lcfvua
2009-11-15 03:50 . 2009-11-16 02:13 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\xdlotm
2009-11-07 20:48 . 2009-11-14 19:23 79488 ----a-w- c:\documents and settings\Tom\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-10-21 00:43 . 2009-10-21 00:43 17632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\WSCUpdate.dll
2009-10-21 00:43 . 2009-10-21 00:43 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-15 17:12 . 2009-08-25 19:01 -------- d-----w- c:\program files\QuickTime
2009-11-15 07:58 . 2008-03-09 03:35 -------- d-----w- c:\program files\VisualTaskTips
2009-11-15 07:45 . 2009-08-25 19:03 -------- d-----w- c:\program files\iTunes
2009-11-15 07:45 . 2008-03-10 04:21 -------- d-----w- c:\program files\IconLock
2009-10-09 23:34 . 2009-10-09 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-10-09 23:34 . 2009-10-09 23:34 -------- d-----w- c:\documents and settings\Tom\Application Data\Office Genuine Advantage
2009-10-01 01:55 . 2008-06-22 04:10 -------- d-----w- c:\program files\Windows Live
2009-10-01 01:48 . 2008-11-15 21:07 27152 ----a-w- c:\documents and settings\Tom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-29 21:29 . 2009-09-29 21:29 -------- d-----w- c:\program files\Google
2009-09-24 23:44 . 2009-09-24 23:44 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-09-24 23:42 . 2009-09-24 23:42 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-09-24 23:41 . 2008-03-10 03:41 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-24 23:41 . 2009-09-24 23:41 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-09-24 23:37 . 2009-09-24 23:37 -------- d-----w- c:\windows\Fonts\Fonts
2009-09-24 23:35 . 2009-09-24 23:35 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-09-24 23:35 . 2009-09-24 23:35 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-09-24 23:35 . 2009-09-24 23:35 116472 ------w- c:\windows\system32\pxcpyi64.exe
2009-09-24 23:35 . 2009-09-24 23:35 129784 ------w- c:\windows\system32\pxafs.dll
2009-09-24 23:35 . 2009-09-24 23:35 43528 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-09-24 23:35 . 2009-09-24 23:35 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-09-11 14:18 . 2004-08-03 23:56 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-03 23:56 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-08-03 23:56 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-03 23:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-03 23:56 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2004-08-03 23:56 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 18:57 . 2009-08-25 18:57 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-08-20 19:09 . 2009-08-20 19:09 1193832 ----a-w- c:\windows\system32\FM20.DLL
.

------- Sigcheck -------

[-] 2005-01-28 17:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
[-] 2005-01-28 17:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\system32\MsPMSNSv.dll
[-] 2005-01-28 17:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\system32\dllcache\mspmsnsv.dll
[-] 2004-08-03 23:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll
.
((((((((((((((((((((((((((((( SnapShot_2009-11-15_06.42.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-16 02:30 . 2009-11-16 02:30 16384 c:\windows\temp\Perflib_Perfdata_65c.dat
- 2009-11-15 02:00 . 2009-11-15 02:00 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-15 02:00 . 2009-11-15 18:34 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-09 03:19 . 2009-11-15 18:34 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-03-09 03:19 . 2009-11-15 02:00 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-11-15 18:34 . 2009-11-15 18:34 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-03-09 03:19 . 2009-11-15 02:00 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StatBar"="c:\program files\Globe Software\StatBar\StatBar.exe" [2003-07-25 335872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-05-09 86016]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-10-21 520024]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-05-09 1519616]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-10 16126464]

c:\documents and settings\Tom\Start Menu\Programs\Startup\
3DO Registration.lnk - c:\program files\3DO\Heroes3\Register\Remind32.exe [2008-9-26 67584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-3-15 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
taskmanager.lnk - c:\windows\system32\taskmgr.exe [2004-8-3 135680]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/21/2009 6:18 AM 64160]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 11:03 AM 169312]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/3/2009 2:59 PM 108289]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [3/7/2009 1:35 AM 54752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 4:34 PM 1028432]
R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [12/31/2008 1:12 PM 693512]
R3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;c:\windows\system32\drivers\m4301A.sys [12/21/2004 3:16 PM 141990]
R3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;c:\windows\system32\drivers\rt2500usb.sys [3/16/2008 11:02 AM 79616]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 9:48 PM 704864]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [12/31/2008 1:12 PM 910600]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-08-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 00:43]

2009-10-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-11-15 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2009-11-15 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-07-03 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Search Current News - [You must be registered and logged in to see this link.] files\powershell-xp3\search5.htm
IE: Search Encyclopedia - [You must be registered and logged in to see this link.] files\powershell-xp3\search4.htm
IE: Search for Images - [You must be registered and logged in to see this link.] files\powershell-xp3\search3.htm
IE: Search Newsgroups - [You must be registered and logged in to see this link.] files\powershell-xp3\search2.htm
IE: Search the Web - [You must be registered and logged in to see this link.] files\powershell-xp3\search.htm
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-VisualTaskTips - c:\program files\VisualTaskTips\VisualTaskTips.exe
HKCU-Run-MSMSGS - c:\program files\Messenger\msmsgs.exe
HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-11-15 21:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1380)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\WgaTray.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\FolderSize\FolderSizeSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2009-11-15 21:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-16 02:34
ComboFix2.txt 2009-11-15 06:47
ComboFix3.txt 2009-07-03 19:39
ComboFix4.txt 2009-07-03 19:07

Pre-Run: 39,132,659,712 bytes free
Post-Run: 39,190,134,784 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - B3D553E588CE60326D4BAB0FF5658A69

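As an added example (not part of this thread and not ComboFix's own tooling), here is a small Python triage script that reads lines shaped like the log above and flags the patterns a helper checks by eye: six-letter lowercase folders created under Application Data (exmgci, bbabbc and the others), an executable with a space before its extension (ctfmon .exe, qttask .exe), a Sigcheck entry marked `[-]` (the mspmsnsv.dll mismatch), and a Run entry marked `[X]` whose target no longer exists. The sample lines are constructed to mirror the pasted log; the function names, regexes and the six-letter heuristic are assumptions of this example.

```python
"""Triage helper for ComboFix-style log lines.

Added example: not part of the forum thread and not ComboFix's own code.
It re-implements, as regex heuristics, the review a helper does by eye on
the log above. Function names and heuristics are assumptions.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample lines shaped like the log sections pasted in the thread
# ("Other Deletions", "Files Created", "Sigcheck", "Reg Loading Points").
SAMPLE_LOG = r"""
c:\windows\system32\ctfmon .exe
2009-11-15 06:26 . 2009-11-16 02:13 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\exmgci
2009-11-15 05:28 . 2009-11-16 02:13 -------- d-----w- c:\documents and settings\Tom\Application Data\bbabbc
2009-11-15 16:35 . 2009-11-15 16:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-15 16:35 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
[-] 2005-01-28 17:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\system32\mspmsnsv.dll
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"""

# "Files Created" / "Find3M" entry: created . modified size attrs path
FILE_ENTRY = re.compile(
    r'^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. '
    r'(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) '
    r'(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$')
# Sigcheck entry: [-] means the file did not pass the signature/catalog check
SIGCHECK_ENTRY = re.compile(r'^\[(?P<status>[-+])\] .* \. \. (?P<path>[A-Za-z]:\\.+)$')
# Run-key entry: "name"="command" [date size]  or  [X] when the target is missing
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)" \[(?P<info>[^\]]*)\]$')
# Heuristic (assumption): a freshly created data folder whose name is six
# lowercase letters, like the ones ComboFix removed in this thread.
RANDOM_DIR = re.compile(r'\\Application Data\\[a-z]{6}$')
# A space between the file name and its extension ("ctfmon .exe")
SPACED_EXT = re.compile(r'\S \.(?:exe|dll|sys|scr|com)\b', re.IGNORECASE)
BARE_PATH = re.compile(r'^[A-Za-z]:\\')

Finding = Tuple[str, str]  # (reason, path or command)


def triage(log_text: str) -> List[Finding]:
    """Return (reason, path) pairs for every line that matches a heuristic."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_ENTRY.match(line)
        if m:
            path = m.group('path')
            # attrs start with 'd' for directories in this log format
            if m.group('attrs').startswith('d') and RANDOM_DIR.search(path):
                findings.append(('random-name data folder', path))
            if SPACED_EXT.search(path):
                findings.append(('space before extension', path))
            continue
        m = SIGCHECK_ENTRY.match(line)
        if m:
            if m.group('status') == '-':
                findings.append(('sigcheck failed', m.group('path')))
            continue
        m = RUN_ENTRY.match(line)
        if m:
            cmd = m.group('cmd')
            if m.group('info') == 'X':
                findings.append(('autorun target missing', cmd))
            if SPACED_EXT.search(cmd):
                findings.append(('space before extension', cmd))
            continue
        # Bare path lines, e.g. the "Other Deletions" list
        if BARE_PATH.match(line) and SPACED_EXT.search(line):
            findings.append(('space before extension', line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per reason, for a quick overview of the log."""
    return dict(Counter(reason for reason, _ in findings))


if __name__ == '__main__':
    for reason, item in triage(SAMPLE_LOG):
        print(f'{reason:26} {item}')
    print(summarize(triage(SAMPLE_LOG)))
```

The script only flags lines for review; it does not decide what is malicious. The six-letter rule is deliberately narrow (lowercase only, so a folder such as `Google` is not caught) and will still mis-fire on a legitimate folder with such a name, which is why each finding carries its reason and path rather than a verdict.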

Re: Antivirus System Pro is here ..... what next?

Post by Dr Jay on 16th November 2009, 2:53 am

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with ComboFix running.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    killall::

    Folder::
    c:\documents and settings\Tom\Local Settings\Application Data\exmgci
    c:\documents and settings\Tom\Local Settings\Application Data\chtapt
    c:\documents and settings\Tom\Application Data\bbabbc
    c:\documents and settings\Tom\Local Settings\Application Data\jedynw
    c:\documents and settings\Tom\Local Settings\Application Data\jfkkwd
    c:\documents and settings\Tom\Local Settings\Application Data\kyvpip
    c:\documents and settings\Tom\Local Settings\Application Data\tcmnep
    c:\documents and settings\Tom\Local Settings\Application Data\lcfvua
    c:\documents and settings\Tom\Local Settings\Application Data\xdlotm

    File::
    c:\windows\system32\nerocheck.exe
    C:\penmrdya.exe
    C:\aywdthl.exe

    FCopy::
    c:\windows\system32\dllcache\mspmsnsv.dll | c:\windows\system32\mspmsnsv.dll

    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "teinonvy"=-

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "immkiguk"=-
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into blackpudding.bat
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


Dr. Jay (DJ)




Re: Antivirus System Pro is here ..... what next?

Post by yeknom-ecaps on 16th November 2009, 3:41 am

Here is the run with CFScript.txt:

ComboFix 09-11-16.03 - Tom 11/15/2009 22:29.5.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.587 [GMT -5:00]
Running from: c:\documents and settings\Tom\Desktop\commy.exe
Command switches used :: c:\documents and settings\Tom\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"C:\aywdthl.exe"
"C:\penmrdya.exe"
"c:\windows\system32\nerocheck.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Tom\Application Data\bbabbc
c:\documents and settings\Tom\Local Settings\Application Data\chtapt
c:\documents and settings\Tom\Local Settings\Application Data\exmgci
c:\documents and settings\Tom\Local Settings\Application Data\jedynw
c:\documents and settings\Tom\Local Settings\Application Data\jfkkwd
c:\documents and settings\Tom\Local Settings\Application Data\kyvpip
c:\documents and settings\Tom\Local Settings\Application Data\lcfvua
c:\documents and settings\Tom\Local Settings\Application Data\tcmnep
c:\documents and settings\Tom\Local Settings\Application Data\xdlotm

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\mspmsnsv.dll --> c:\windows\system32\mspmsnsv.dll
.
((((((((((((((((((((((((( Files Created from 2009-10-16 to 2009-11-16 )))))))))))))))))))))))))))))))
.

2009-11-15 16:35 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-15 16:35 . 2009-11-15 16:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-15 16:35 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-15 04:56 . 2009-11-15 04:56 389120 ----a-w- c:\windows\system32\CF7635.exe
2009-11-15 04:56 . 2009-11-15 04:54 389120 ----a-w- c:\windows\system32\CF7325.exe
2009-11-07 20:48 . 2009-11-14 19:23 79488 ----a-w- c:\documents and settings\Tom\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-10-21 00:43 . 2009-10-21 00:43 17632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\WSCUpdate.dll
2009-10-21 00:43 . 2009-10-21 00:43 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-15 17:12 . 2009-08-25 19:01 -------- d-----w- c:\program files\QuickTime
2009-11-15 07:58 . 2008-03-09 03:35 -------- d-----w- c:\program files\VisualTaskTips
2009-11-15 07:45 . 2009-08-25 19:03 -------- d-----w- c:\program files\iTunes
2009-11-15 07:45 . 2008-03-10 04:21 -------- d-----w- c:\program files\IconLock
2009-10-09 23:34 . 2009-10-09 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-10-09 23:34 . 2009-10-09 23:34 -------- d-----w- c:\documents and settings\Tom\Application Data\Office Genuine Advantage
2009-10-01 01:55 . 2008-06-22 04:10 -------- d-----w- c:\program files\Windows Live
2009-10-01 01:48 . 2008-11-15 21:07 27152 ----a-w- c:\documents and settings\Tom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-29 21:29 . 2009-09-29 21:29 -------- d-----w- c:\program files\Google
2009-09-24 23:44 . 2009-09-24 23:44 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-09-24 23:42 . 2009-09-24 23:42 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-09-24 23:41 . 2008-03-10 03:41 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-24 23:41 . 2009-09-24 23:41 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-09-24 23:37 . 2009-09-24 23:37 -------- d-----w- c:\windows\Fonts\Fonts
2009-09-24 23:35 . 2009-09-24 23:35 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-09-24 23:35 . 2009-09-24 23:35 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-09-24 23:35 . 2009-09-24 23:35 116472 ------w- c:\windows\system32\pxcpyi64.exe
2009-09-24 23:35 . 2009-09-24 23:35 129784 ------w- c:\windows\system32\pxafs.dll
2009-09-24 23:35 . 2009-09-24 23:35 43528 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-09-24 23:35 . 2009-09-24 23:35 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-09-11 14:18 . 2004-08-03 23:56 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-03 23:56 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-08-03 23:56 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-03 23:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-03 23:56 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2004-08-03 23:56 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 18:57 . 2009-08-25 18:57 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-08-20 19:09 . 2009-08-20 19:09 1193832 ----a-w- c:\windows\system32\FM20.DLL
.

------- Sigcheck -------

[-] 2005-01-28 17:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
[-] 2005-01-28 17:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\system32\mspmsnsv.dll
[-] 2005-01-28 17:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\system32\dllcache\mspmsnsv.dll
[-] 2004-08-03 23:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll
.
((((((((((((((((((((((((((((( SnapShot_2009-11-15_06.42.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-16 03:33 . 2009-11-16 03:33 16384 c:\windows\temp\Perflib_Perfdata_720.dat
+ 2009-11-15 02:00 . 2009-11-15 18:34 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-15 02:00 . 2009-11-15 02:00 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-09 03:19 . 2009-11-15 18:34 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-03-09 03:19 . 2009-11-15 02:00 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StatBar"="c:\program files\Globe Software\StatBar\StatBar.exe" [2003-07-25 335872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-05-09 86016]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-10-21 520024]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-05-09 1519616]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-10 16126464]

c:\documents and settings\Tom\Start Menu\Programs\Startup\
3DO Registration.lnk - c:\program files\3DO\Heroes3\Register\Remind32.exe [2008-9-26 67584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-3-15 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
taskmanager.lnk - c:\windows\system32\taskmgr.exe [2004-8-3 135680]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/21/2009 6:18 AM 64160]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 11:03 AM 169312]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/3/2009 2:59 PM 108289]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [3/7/2009 1:35 AM 54752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 4:34 PM 1028432]
R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [12/31/2008 1:12 PM 693512]
R3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;c:\windows\system32\drivers\m4301A.sys [12/21/2004 3:16 PM 141990]
R3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;c:\windows\system32\drivers\rt2500usb.sys [3/16/2008 11:02 AM 79616]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 9:48 PM 704864]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [12/31/2008 1:12 PM 910600]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-08-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 00:43]

2009-10-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-11-16 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2009-11-16 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-07-03 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Search Current News - [You must be registered and logged in to see this link.] files\powershell-xp3\search5.htm
IE: Search Encyclopedia - [You must be registered and logged in to see this link.] files\powershell-xp3\search4.htm
IE: Search for Images - [You must be registered and logged in to see this link.] files\powershell-xp3\search3.htm
IE: Search Newsgroups - [You must be registered and logged in to see this link.] files\powershell-xp3\search2.htm
IE: Search the Web - [You must be registered and logged in to see this link.] files\powershell-xp3\search.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-11-15 22:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3620)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\WgaTray.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\FolderSize\FolderSizeSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-11-15 22:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-16 03:37
ComboFix2.txt 2009-11-16 02:34
ComboFix3.txt 2009-11-15 06:47
ComboFix4.txt 2009-07-03 19:39
ComboFix5.txt 2009-11-16 03:28

Pre-Run: 39,204,679,680 bytes free
Post-Run: 39,166,255,104 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 4BEE7F5901BF12F5BDB7579607B83DA3


Re: Antivirus System Pro is here ..... what next?

Post by Dr Jay on 16th November 2009, 3:46 am

Please download Malwarebytes Anti-Malware from [You must be registered and logged in to see this link.].

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Dr. Jay (DJ)




Re: Antivirus System Pro is here ..... what next?

Post by yeknom-ecaps on 16th November 2009, 4:23 am

Malwarebytes' Anti-Malware 1.41
Database version: 3175
Windows 5.1.2600 Service Pack 3

11/15/2009 11:22:42 PM
mbam-log-2009-11-15 (23-22-42).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 176530
Time elapsed: 33 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: Antivirus System Pro is here ..... what next?

Post by Dr Jay on 16th November 2009, 6:04 am

Download Security Check by screen317 from [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Dr. Jay (DJ)


