unknown virus or trojan


unknown virus or trojan

Post by evildarc0 on 26th November 2009, 11:38 am

I don't know what it is, but it won't even let me use malware to check it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:36:53 AM, on 11/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\MPC\jetty\DMWebSrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\MPC\system_monitor\agent\smaagent.exe
C:\MPC\java\bin\java.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
O2 - BHO: C:\WINDOWS\system32\vnn35x2.dll - {B45A4B16-23F2-41AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\vnn35x2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\MICHAE~1\ntuser.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\win16.exe
O4 - HKUS\S-1-5-18\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\ntuser.dll,_IWMPEvents@0 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\ntuser.dll,_IWMPEvents@0 (User 'Default user')
O4 - S-1-5-18 Startup: scandisk.dll (User 'SYSTEM')
O4 - S-1-5-18 Startup: scandisk.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: scandisk.dll (User 'Default user')
O4 - .DEFAULT Startup: scandisk.lnk = ? (User 'Default user')
O4 - Startup: scandisk.dll
O4 - Startup: scandisk.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{56918B8D-53F7-4352-8568-6C47CAD3B1C0}: NameServer = 83.149.115.182
O20 - AppInit_DLLs: C:\WINDOWS\system32\rdolib.dll,gigiweme.dll
O20 - Winlogon Notify: __c00802C - C:\WINDOWS\system32\__c00802C.dat
O22 - SharedTaskScheduler: jkshf8a3rudbfa873fudfhbdugf87whjdb - {B45A4B16-23F2-41AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\vnn35x2.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: MPC Desktop System Manager Web Server (DMWebSrv) - Unknown owner - C:\MPC\jetty\DMWebSrv.exe
O23 - Service: Google Update Service (gupdate1c9c5ad7a6cebe4) (gupdate1c9c5ad7a6cebe4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MPC Desktop System Manager Agent (SMAgent) - SyAM Software, Inc. - C:\MPC\system_monitor\agent\smaagent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6035 bytes

evildarc0
Novice

Posts : 12
Joined : 2009-11-26
OS : xp
Points : 25848
Likes : 0
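As an added triage example (not code posted in the thread), the heuristics below run over a constructed sample of O2/O4/O17/O20 lines modelled on the HijackThis log above and flag the patterns a responder would look at first: unnamed BHOs, rundll32 entries loading DLLs from user-writable paths, random-looking Run value names, a static NameServer, a populated AppInit_DLLs, and the same Run value planted across several hives. The path hints and the "random name" threshold are my assumptions, not HijackThis rules.

```python
import re
from dataclasses import dataclass

# Constructed sample (not a complete log): O2/O4/O17/O20 lines modelled on the
# HijackThis output posted in the thread. Nothing here is fetched or executed.
SAMPLE_HJT_LOG = r"""
O2 - BHO: C:\WINDOWS\system32\vnn35x2.dll - {B45A4B16-23F2-41AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\vnn35x2.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\MICHAE~1\ntuser.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\win16.exe
O4 - HKUS\S-1-5-18\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\ntuser.dll,_IWMPEvents@0 (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\..\{56918B8D-53F7-4352-8568-6C47CAD3B1C0}: NameServer = 83.149.115.182
O20 - AppInit_DLLs: C:\WINDOWS\system32\rdolib.dll,gigiweme.dll
O20 - Winlogon Notify: __c00802C - C:\WINDOWS\system32\__c00802C.dat
"""

# Lower-case path fragments that mark user-writable locations (my assumption);
# DOCUME~1 and LOCALS~1 are the 8.3 short names that appear in the posted log.
USER_WRITABLE_HINTS = ("\\docume~1\\", "\\documents and settings\\", "\\locals~1\\", "\\temp\\")

RUN_RE = re.compile(r"O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)")
BHO_RE = re.compile(r"O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)")
DNS_RE = re.compile(r"O17 - .*NameServer = (?P<servers>.+)")
APPINIT_RE = re.compile(r"O20 - AppInit_DLLs: (?P<dlls>\S.*)")
NOTIFY_RE = re.compile(r"O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)")


@dataclass
class Finding:
    section: str  # HijackThis section tag (O2, O4, O17, O20)
    reason: str   # why a responder should look at it
    detail: str   # the offending line, or a summary for cross-line findings


def looks_random(name: str) -> bool:
    """Heuristic (my threshold): a long single token mixing letters and digits,
    like the 'asg984jgkfmgasi8ug98jgkfgfb' Run value in the posted log."""
    return (len(name) >= 16 and " " not in name
            and re.search(r"[A-Za-z]", name) is not None
            and re.search(r"\d", name) is not None)


def check_line(line: str):
    """Yield per-line findings; ordinary vendor entries should produce none."""
    m = BHO_RE.match(line)
    if m and m.group("name").lower() == m.group("path").lower():
        yield Finding("O2", "BHO registered without a product name", line)
    m = RUN_RE.match(line)
    if m:
        name, cmd = m.group("name"), m.group("cmd").lower()
        if looks_random(name):
            yield Finding("O4", "random-looking Run value name", line)
        in_user_path = any(h in cmd for h in USER_WRITABLE_HINTS)
        if "rundll32" in cmd and in_user_path:
            yield Finding("O4", "rundll32 loading a DLL from a user-writable path", line)
        elif in_user_path:
            yield Finding("O4", "autostart executable in a user-writable path", line)
    m = DNS_RE.match(line)
    if m:
        yield Finding("O17", f"static DNS server {m.group('servers')} set on an interface; "
                             "confirm it is the expected resolver", line)
    if APPINIT_RE.match(line):
        yield Finding("O20", "AppInit_DLLs populated (loaded into every process that loads user32)", line)
    m = NOTIFY_RE.match(line)
    if m and not m.group("path").lower().endswith(".dll"):
        yield Finding("O20", "Winlogon Notify handler is not a .dll", line)


def check_shared_run_names(lines):
    """Cross-line check: the same Run value name planted in several hives with
    differing commands (HKLM, HKCU and the SYSTEM profile in the posted log)."""
    by_name = {}
    for line in lines:
        m = RUN_RE.match(line)
        if m:
            by_name.setdefault(m.group("name"), []).append((m.group("hive"), m.group("cmd")))
    for name, entries in by_name.items():
        hives = sorted({h for h, _ in entries})
        if len(hives) >= 3 and len({c for _, c in entries}) >= 2:
            yield Finding("O4", f"value '{name}' planted in {len(hives)} hives with differing commands",
                          ", ".join(hives))


def triage(log_text: str):
    """Run every check over a HijackThis-style log and return the findings in log order."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    findings = []
    for line in lines:
        findings.extend(check_line(line))
    findings.extend(check_shared_run_names(lines))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.detail}")
```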

Re: unknown virus or trojan

Post by Belahzur on 26th November 2009, 9:14 pm

Your system is severely infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since it will be like searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL the problems this malware has already caused.

In light of this, it would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is that when a system is so terribly infected and we try to clean it up manually, the damage that is already present may interfere with our removal attempts.

Actually, this doesn't surprise me at all...
I notice that you never scanned with an Antivirus before starting this thread - because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: [You must be registered and logged in to see this link.]
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it finds.
Then reboot.
After the reboot, open Avira and select "Reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply.
Then we'll start from there, because otherwise it really makes no sense for us to clean this up manually when no Antivirus scanner is present, which should be able to deal with most of it and prevent further reinfection.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245079
Likes : 1

Re: unknown virus or trojan

Post by evildarc0 on 27th November 2009, 5:29 am

Lies!! ;) I swear I did. The virus or w/e I had before closed the anti-malware thingy while I was scanning, and I couldn't open it afterwards.
Anyway, here's the stuff you asked for.


Avira AntiVir Personal
Report file date: Thursday, November 26, 2009 21:28

Scanning for 1395187 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : 4338459-0001

Version information:
BUILD.DAT : 9.0.0.415 21609 Bytes 11/8/2009 10:00:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 10/13/2009 18:26:33
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 17:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 18:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 17:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 14:35:52
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 12:09:52
VBASE002.VDF : 7.10.1.1 2048 Bytes 11/19/2009 12:09:52
VBASE003.VDF : 7.10.1.2 2048 Bytes 11/19/2009 12:09:53
VBASE004.VDF : 7.10.1.3 2048 Bytes 11/19/2009 12:09:53
VBASE005.VDF : 7.10.1.4 2048 Bytes 11/19/2009 12:09:53
VBASE006.VDF : 7.10.1.5 2048 Bytes 11/19/2009 12:09:53
VBASE007.VDF : 7.10.1.6 2048 Bytes 11/19/2009 12:09:53
VBASE008.VDF : 7.10.1.7 2048 Bytes 11/19/2009 12:09:54
VBASE009.VDF : 7.10.1.8 2048 Bytes 11/19/2009 12:09:54
VBASE010.VDF : 7.10.1.9 2048 Bytes 11/19/2009 12:09:54
VBASE011.VDF : 7.10.1.10 2048 Bytes 11/19/2009 12:09:54
VBASE012.VDF : 7.10.1.11 2048 Bytes 11/19/2009 12:09:54
VBASE013.VDF : 7.10.1.79 209920 Bytes 11/25/2009 12:09:55
VBASE014.VDF : 7.10.1.80 2048 Bytes 11/25/2009 12:09:55
VBASE015.VDF : 7.10.1.81 2048 Bytes 11/25/2009 12:09:56
VBASE016.VDF : 7.10.1.82 2048 Bytes 11/25/2009 12:09:56
VBASE017.VDF : 7.10.1.83 2048 Bytes 11/25/2009 12:09:56
VBASE018.VDF : 7.10.1.84 2048 Bytes 11/25/2009 12:09:56
VBASE019.VDF : 7.10.1.85 2048 Bytes 11/25/2009 12:09:56
VBASE020.VDF : 7.10.1.86 2048 Bytes 11/25/2009 12:09:57
VBASE021.VDF : 7.10.1.87 2048 Bytes 11/25/2009 12:09:57
VBASE022.VDF : 7.10.1.88 2048 Bytes 11/25/2009 12:09:57
VBASE023.VDF : 7.10.1.89 2048 Bytes 11/25/2009 12:09:57
VBASE024.VDF : 7.10.1.90 2048 Bytes 11/25/2009 12:09:57
VBASE025.VDF : 7.10.1.91 2048 Bytes 11/25/2009 12:09:58
VBASE026.VDF : 7.10.1.92 2048 Bytes 11/25/2009 12:09:58
VBASE027.VDF : 7.10.1.93 2048 Bytes 11/25/2009 12:09:58
VBASE028.VDF : 7.10.1.94 2048 Bytes 11/25/2009 12:09:59
VBASE029.VDF : 7.10.1.95 2048 Bytes 11/25/2009 12:09:59
VBASE030.VDF : 7.10.1.96 2048 Bytes 11/25/2009 12:09:59
VBASE031.VDF : 7.10.1.107 29184 Bytes 11/26/2009 12:09:59
Engineversion : 8.2.1.78
AEVDF.DLL : 8.1.1.2 106867 Bytes 11/8/2009 14:38:52
AESCRIPT.DLL : 8.1.2.45 586108 Bytes 11/26/2009 12:10:04
AESCN.DLL : 8.1.2.5 127346 Bytes 11/8/2009 14:38:46
AESBX.DLL : 8.1.1.1 246132 Bytes 11/8/2009 14:38:44
AERDL.DLL : 8.1.3.2 479604 Bytes 11/8/2009 14:38:42
AEPACK.DLL : 8.2.0.3 422261 Bytes 11/8/2009 14:38:40
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 11/8/2009 14:38:38
AEHEUR.DLL : 8.1.0.180 2093432 Bytes 11/26/2009 12:10:03
AEHELP.DLL : 8.1.7.5 237942 Bytes 11/26/2009 12:10:01
AEGEN.DLL : 8.1.1.78 364917 Bytes 11/26/2009 12:10:00
AEEMU.DLL : 8.1.1.0 393587 Bytes 11/8/2009 14:38:26
AECORE.DLL : 8.1.8.2 184694 Bytes 11/8/2009 14:38:24
AEBB.DLL : 8.1.0.3 53618 Bytes 11/8/2009 14:38:20
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 15:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 8/26/2009 22:14:02
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 21:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 17:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 22:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 17:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 22:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 15:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 17:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 22:39:58
RCTEXT.DLL : 9.0.73.0 86785 Bytes 10/13/2009 19:25:47

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Thursday, November 26, 2009 21:28

Starting search for hidden objects.
'55004' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'ViewpointService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'smaagent.exe' - '1' Module(s) have been scanned
Scan process 'java.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'DMWebSrv.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'MOM.exe' - '1' Module(s) have been scanned
Scan process 'MSASCui.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'MsMpEng.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
40 processes with 40 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '52' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.


End of the scan: Thursday, November 26, 2009 22:23
Used time: 55:14 Minute(s)

The scan has been done completely.

11301 Scanned directories
456507 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
1 Files cannot be scanned
456506 Files not concerned
3077 Archives were scanned
1 Warnings
1 Notes
55004 Objects were scanned with rootkit scan
0 hidden objects were found


Re: unknown virus or trojan

Post by Belahzur on 27th November 2009, 10:21 am

Did you update Avira? Weird that it hasn't found anything when it should be finding plenty of things.





Re: unknown virus or trojan

Post by evildarc0 on 27th November 2009, 10:36 am

I ran Avira and it was stopped like every minute by w/e the virus was. I had to manually click the "don't allow access" button or it would've shut it down and I wouldn't have been able to use it. So after sitting there for close to an hour I think it finished; I deleted all the files it found. Then I used ComboFix because the other thing didn't really work. After that it seemed to fix most of the problems. I quickly downloaded MBAM and scanned, then deleted w/e it found. Restarted the comp. (This was before I got your post.) Afterwards I ran Avira and posted what you asked me. Everything seemed fine after that, although I am constantly scanning to see if anything comes back.


Re: unknown virus or trojan

Post by Belahzur on 27th November 2009, 10:41 am

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:
    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.





Re: unknown virus or trojan

Post by evildarc0 on 27th November 2009, 10:44 am

I don't think I fully understand. You want me to run it again and post the log?


Re: unknown virus or trojan

Post by Belahzur on 27th November 2009, 11:20 am

Avira? No, I want you to run Combofix, if it will work.





Re: unknown virus or trojan

Post by evildarc0 on 27th November 2009, 11:26 am

Not sure my previous posts were read correctly. As of now everything seems fine on my comp. after I ran ComboFix.

After I did the ComboFix run is when I posted the Avira log that you requested.

My question is: would you like me to run ...combofix.... again to make sure everything is clear, and post the ComboFix log after I have run it?


Re: unknown virus or trojan

Post by Belahzur on 27th November 2009, 11:39 am

Oh, can you post the Combofix log you already have, then?





Re: unknown virus or trojan

Post by evildarc0 on 27th November 2009, 11:53 am

Unfortunately, after running a scan with Avira, all of a sudden Anti-Virus System Pro came up and did its thing... eh... what should I do?


Re: unknown virus or trojan

Post by Belahzur on 27th November 2009, 11:15 pm

Re-run Combofix.





Re: unknown virus or trojan

Post by evildarc0 on 30th November 2009, 5:50 am

Does it save itself somewhere, or do I have to wait till it's finished to see the log?


Re: unknown virus or trojan

Post by evildarc0 on 30th November 2009, 6:52 am

ComboFix 09-11-29.03 - Michaella Franklin 11/29/2009 23:35.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2658 [GMT -7:00]
Running from: c:\documents and settings\Michaella Franklin\Desktop\Combo-Fix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-30 )))))))))))))))))))))))))))))))
.

2009-11-30 05:45 . 2009-11-30 05:45 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-29 22:24 . 2009-11-29 22:24 -------- d-----w- C:\Sun
2009-11-29 08:43 . 2009-11-29 09:33 63 ----a-w- c:\documents and settings\Michaella Franklin\jagex_runescape_preferences2.dat
2009-11-27 11:40 . 2009-11-27 12:58 -------- d-----w- c:\documents and settings\Michaella Franklin\Local Settings\Application Data\fciylx
2009-11-26 14:14 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-26 14:14 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-26 12:08 . 2009-07-28 22:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-26 12:08 . 2009-03-30 16:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-11-26 12:08 . 2009-02-13 18:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-11-26 12:08 . 2009-02-13 18:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-11-26 12:08 . 2009-11-26 12:08 -------- d-----w- c:\program files\Avira
2009-11-26 12:08 . 2009-11-26 12:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-11-26 11:02 . 2009-11-26 11:02 12288 ----a-w- C:\jpvedf.exe
2009-11-26 10:19 . 2009-11-26 10:19 -------- d-----w- c:\program files\ESET
2009-11-25 01:40 . 2009-11-25 01:40 -------- d-sh--w- c:\documents and settings\Michaella Franklin\PrivacIE
2009-11-25 01:01 . 2009-11-25 01:01 -------- d-----w- c:\program files\iPod
2009-11-25 01:00 . 2009-11-25 01:01 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-25 00:58 . 2009-11-25 00:59 -------- d-----w- c:\program files\QuickTime
2009-11-25 00:52 . 2009-11-25 00:52 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-24 07:02 . 2009-11-24 07:02 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2009-11-24 06:24 . 2009-11-24 06:24 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-24 06:24 . 2009-11-24 06:24 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-11-23 07:08 . 2009-11-26 00:01 -------- d-----w- c:\program files\World of Warcraft Public Test
2009-11-23 04:22 . 2009-11-23 04:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-11-23 04:21 . 2009-11-23 04:21 -------- d-sh--w- c:\documents and settings\Michaella Franklin\IETldCache
2009-11-23 04:16 . 2009-11-23 04:17 -------- dc-h--w- c:\windows\ie8
2009-11-23 04:13 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-11-23 04:13 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-14 16:07 . 2009-11-14 16:07 -------- d-----w- c:\documents and settings\Michaella Franklin\Local Settings\Application Data\Ascaron Entertainment
2009-11-14 08:57 . 2009-11-14 08:57 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-11-14 08:57 . 2009-11-14 08:57 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-11-14 07:11 . 2009-11-14 07:11 -------- d-----w- c:\program files\cdv Software Entertainment USA
2009-11-14 07:11 . 2009-11-14 07:11 -------- d-----w- c:\windows\system32\AGEIA
2009-11-14 07:11 . 2009-11-15 07:10 -------- d-----w- c:\program files\AGEIA Technologies
2009-11-10 04:49 . 2009-11-10 20:31 75269 ----a-w- c:\windows\War3Unin.dat
2009-11-09 03:52 . 2009-11-09 03:52 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-09 03:42 . 2009-11-09 03:52 -------- d-----w- c:\program files\PC Inspector File Recovery
2009-11-09 03:03 . 2009-11-09 03:03 -------- d-----w- c:\program files\Guild Wars
2009-11-09 02:59 . 2009-11-09 02:59 -------- d-----w- c:\program files\Ventrilo
2009-11-09 02:59 . 2009-11-09 05:43 -------- d-----w- c:\documents and settings\Michaella Franklin\Application Data\Bioshock
2009-11-09 02:59 . 2009-11-09 02:59 -------- d-----w- c:\documents and settings\Michaella Franklin\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-30 06:31 . 2009-09-01 04:59 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-30 06:09 . 2007-11-16 01:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-30 06:09 . 2008-12-02 09:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-29 09:32 . 2009-07-15 00:38 38 ----a-w- c:\documents and settings\Michaella Franklin\jagex_runescape_preferences.dat
2009-11-26 14:14 . 2009-05-18 20:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-25 01:10 . 2007-04-04 00:36 -------- d-----w- c:\documents and settings\Michaella Franklin\Application Data\Apple Computer
2009-11-25 01:01 . 2007-06-04 01:42 -------- d-----w- c:\program files\iTunes
2009-11-25 01:01 . 2007-06-30 01:58 -------- d-----w- c:\program files\Common Files\Apple
2009-11-23 07:33 . 2007-03-22 03:45 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-11-22 08:31 . 2007-06-04 18:30 -------- d-----w- c:\program files\Warcraft III
2009-11-15 21:09 . 2007-03-22 21:12 70288 ----a-w- c:\documents and settings\Michaella Franklin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-11 10:06 . 2007-03-21 19:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-10 05:21 . 2007-06-04 18:35 2829 ----a-w- c:\windows\War3Unin.pif
2009-11-10 05:21 . 2007-06-04 18:35 139264 ----a-w- c:\windows\War3Unin.exe
2009-11-09 03:42 . 2007-03-21 18:58 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-09 02:59 . 2008-01-16 22:17 -------- d-----w- c:\program files\MaNGOS WoW Server
2009-11-08 03:10 . 2009-01-26 23:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-11-06 00:16 . 2009-06-09 20:11 -------- d-----w- c:\program files\ATI
2009-11-03 03:42 . 2009-10-04 22:18 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-31 09:05 . 2007-03-21 19:13 -------- d-----w- c:\program files\Microsoft Works
2009-10-26 01:45 . 2008-01-10 01:46 -------- d--ha-w- c:\documents and settings\All Users\Application Data\GTek
2009-10-26 00:23 . 2007-03-09 04:55 -------- d-----w- c:\documents and settings\Michaella Franklin\Application Data\U3
2009-10-07 23:43 . 2009-07-24 00:30 2318 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-09-11 14:18 . 2008-08-17 01:33 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 1980-01-01 00:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2008-12-02 10:28 . 2008-12-02 10:28 812344 ----a-w- c:\program files\HJTInstall.exe
2008-10-27 17:37 . 2008-10-27 17:37 699488 ----a-w- c:\program files\JUN2007_d3dx10_34_x86.cab
2008-10-27 17:36 . 2008-10-27 17:36 526160 ----a-w- c:\program files\DXSETUP.exe
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 09:19 . 2007-11-07 09:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 13:07 . 2008-07-29 13:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 13:07 . 2008-07-29 13:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2009-11-30 04:55 . 2009-11-30 04:55 16384 c:\windows\Temp\Perflib_Perfdata_9f0.dat
+ 2009-11-30 04:55 . 2009-11-30 04:55 16384 c:\windows\Temp\Perflib_Perfdata_640.dat
+ 2009-11-26 12:08 . 2009-05-11 16:12 28520 c:\windows\system32\drivers\ssmdrv.sys
+ 2007-03-22 03:36 . 2009-11-30 04:54 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-03-22 03:36 . 2009-11-26 08:31 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-03-22 03:36 . 2009-11-30 04:54 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-03-22 03:36 . 2009-11-26 08:31 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-03-22 03:38 . 2007-03-21 19:52 32768 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
+ 2007-03-22 03:38 . 2009-11-26 11:04 32768 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
- 2009-11-24 06:24 . 2009-11-26 08:31 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-11-24 06:24 . 2009-11-30 04:54 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2007-03-22 03:36 . 2009-11-26 08:31 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2007-03-22 03:36 . 2009-11-30 04:54 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-07-15 00:38 . 2009-11-29 08:42 49152 c:\windows\.jagex_cache_32\runescape\jagmisc.dll
- 2009-07-15 00:38 . 2009-07-15 00:44 49152 c:\windows\.jagex_cache_32\runescape\jagmisc.dll
+ 2009-07-15 00:38 . 2009-11-29 08:42 81920 c:\windows\.jagex_cache_32\runescape\jaggl.dll
- 2009-07-15 00:38 . 2009-07-15 00:44 81920 c:\windows\.jagex_cache_32\runescape\jaggl.dll
+ 2009-11-26 11:15 . 2009-11-26 11:20 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{F821022E-DA7C-11DE-ACF4-0019D113E325}.dat
+ 2009-11-26 11:03 . 2009-11-26 11:03 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{591CEBDA-DA7B-11DE-ACF4-0019D113E325}.dat
+ 2009-11-26 11:15 . 2009-11-26 11:15 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{F821022F-DA7C-11DE-ACF4-0019D113E325}.dat
+ 2009-11-26 11:03 . 2009-11-26 11:03 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{591CEBDB-DA7B-11DE-ACF4-0019D113E325}.dat
+ 2008-07-29 15:05 . 2008-07-29 15:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 10:54 . 2008-07-29 10:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2009-11-27 04:13 . 2009-11-27 04:13 195584 c:\windows\Installer\1f5effc.msi
+ 2009-11-26 12:06 . 2009-11-26 12:06 228352 c:\windows\Installer\13266b.msi
+ 2008-07-29 15:05 . 2008-07-29 15:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
+ 2009-11-30 05:47 . 2009-11-30 05:47 3940352 c:\windows\Installer\2e709b.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe MSRun" [X]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

c:\documents and settings\Michaella Franklin\Start Menu\Programs\Startup\
SDK Tray Menu.lnk - c:\sun\SDK\jdk\bin\javaw.exe [2009-11-29 139264]

[HKLM\~\startupfolder\C:^Documents and Settings^Michaella Franklin^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
path=c:\documents and settings\Michaella Franklin\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
backup=c:\windows\pss\Stardock ObjectDock.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 stmtpm;STM TPM Service;c:\windows\system32\drivers\stm_tpm.sys [5/19/2006 4:41 AM 21504]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/26/2009 5:08 AM 108289]
R2 caniodrvr;caniodrvr;c:\mpc\system_monitor\agent\drivers\Caniodrvr.sys [8/24/2005 12:47 PM 4096]
R2 SMAgent;MPC Desktop System Manager Agent;c:\mpc\system_monitor\agent\smaagent.exe DML 0 --> c:\mpc\system_monitor\agent\smaagent.exe DML 0 [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/3/2009 11:19 PM 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
R3 IAMTXP;Driver for Intel(R) Active Management Technology - KCS;c:\windows\system32\drivers\IAMTXP.sys [10/18/2006 4:13 PM 47496]
S2 DMWebSrv;MPC Desktop System Manager Web Server;c:\mpc\jetty\DMWebSrv.exe -s c:\mpc\jetty\DMWebSrv.conf --> c:\mpc\jetty\DMWebSrv.exe -s c:\mpc\jetty\DMWebSrv.conf [?]
S2 gupdate1c9c5ad7a6cebe4;Google Update Service (gupdate1c9c5ad7a6cebe4);c:\program files\Google\Update\GoogleUpdate.exe [4/25/2009 6:55 AM 133104]
S3 hitmanpro3;Hitman Pro 3 Support Driver; [x]
S3 maxidemo;Maxi_Vista_Demo_Driver; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBAMSWISSARMY
*Deregistered* - MBAMSwissArmy
.
Contents of the 'Scheduled Tasks' folder

2009-11-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-11-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-25 13:55]

2009-11-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-25 13:55]

2009-11-30 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
TCP: {56918B8D-53F7-4352-8568-6C47CAD3B1C0} = 83.149.115.182
FF - ProfilePath - c:\documents and settings\Michaella Franklin\Application Data\Mozilla\Firefox\Profiles\ll6pcbxu.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\Michaella Franklin\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-11-29 23:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AE2F369]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9f11852
\Driver\iaStor -> iaStor.sys @ 0xb9e47b58
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel(R) PRO/1000 PM Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb9d59bb0
PacketIndicateHandler -> NDIS.sys @ 0xb9d66a21
SendHandler -> NDIS.sys @ 0xb9d4487b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f0,82,9d,3d,42,ee,80,48,ad,80,d5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f0,82,9d,3d,42,ee,80,48,ad,80,d5,\

[HKEY_USERS\S-1-5-21-456631245-283180312-2691934696-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:37,24,4d,93,ce,59,0d,dd,c9,44,c8,9c,1e,24,db,8a,d4,71,eb,db,e2,35,e5,
8f,5b,24,5a,cf,39,e5,21,ef,6c,fd,48,83,a1,87,38,fb,4d,a8,09,7b,d5,99,bf,49,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-456631245-283180312-2691934696-1004\Software\SecuROM\License information*]
"datasecu"=hex:ea,0a,25,d0,d8,66,a0,9c,f2,ab,03,4c,9a,09,9f,e3,f9,f8,6e,e4,21,
57,e5,ba,bf,c5,e7,8e,c0,a1,13,3c,0d,d8,5b,b4,de,d0,86,cf,1b,8b,6e,63,cd,b8,\
"rkeysecu"=hex:b2,ce,31,15,b2,ac,40,2e,d7,2e,22,89,fe,50,38,18
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(752)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(4012)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\progra~1\COMMON~1\Stardock\MCPCore.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-29 23:50
ComboFix-quarantined-files.txt 2009-11-30 06:50
ComboFix2.txt 2009-11-26 13:57
ComboFix3.txt 2009-11-26 09:10

Pre-Run: 35,802,759,168 bytes free
Post-Run: 35,881,578,496 bytes free

- - End Of File - - 9AD994B02CFB8938F4D2238409BADF42


Re: unknown virus or trojan

Post by Belahzur on 30th November 2009, 8:09 pm

Hello.


  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    C:\jpvedf.exe

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride =
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


Please PM me if I fail to respond within 24hrs.



Re: unknown virus or trojan

Post by evildarc0 on 1st December 2009, 12:21 am

ComboFix 09-11-30.02 - Michaella Franklin 11/30/2009 17:07.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2839 [GMT -7:00]
Running from: c:\documents and settings\Michaella Franklin\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Michaella Franklin\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"C:\jpvedf.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\jpvedf.exe

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\drivers\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2009-11-01 to 2009-12-01 )))))))))))))))))))))))))))))))
.

2009-11-30 05:45 . 2009-11-30 05:45 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-29 22:24 . 2009-11-29 22:24 -------- d-----w- C:\Sun
2009-11-29 08:43 . 2009-11-29 09:33 63 ----a-w- c:\documents and settings\Michaella Franklin\jagex_runescape_preferences2.dat
2009-11-27 11:40 . 2009-11-27 12:58 -------- d-----w- c:\documents and settings\Michaella Franklin\Local Settings\Application Data\fciylx
2009-11-26 14:14 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-26 14:14 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-26 12:08 . 2009-07-28 22:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-26 12:08 . 2009-03-30 16:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-11-26 12:08 . 2009-02-13 18:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-11-26 12:08 . 2009-02-13 18:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-11-26 12:08 . 2009-11-26 12:08 -------- d-----w- c:\program files\Avira
2009-11-26 12:08 . 2009-11-26 12:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-11-26 10:19 . 2009-11-26 10:19 -------- d-----w- c:\program files\ESET
2009-11-25 01:40 . 2009-11-25 01:40 -------- d-sh--w- c:\documents and settings\Michaella Franklin\PrivacIE
2009-11-25 01:01 . 2009-11-25 01:01 -------- d-----w- c:\program files\iPod
2009-11-25 01:00 . 2009-11-25 01:01 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-25 00:58 . 2009-11-25 00:59 -------- d-----w- c:\program files\QuickTime
2009-11-25 00:52 . 2009-11-25 00:52 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-24 07:02 . 2009-11-24 07:02 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2009-11-24 06:24 . 2009-11-24 06:24 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-24 06:24 . 2009-11-24 06:24 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-11-23 07:08 . 2009-11-26 00:01 -------- d-----w- c:\program files\World of Warcraft Public Test
2009-11-23 04:22 . 2009-11-23 04:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-11-23 04:21 . 2009-11-23 04:21 -------- d-sh--w- c:\documents and settings\Michaella Franklin\IETldCache
2009-11-23 04:16 . 2009-11-23 04:17 -------- dc-h--w- c:\windows\ie8
2009-11-23 04:13 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-11-23 04:13 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-14 16:07 . 2009-11-14 16:07 -------- d-----w- c:\documents and settings\Michaella Franklin\Local Settings\Application Data\Ascaron Entertainment
2009-11-14 08:57 . 2009-11-14 08:57 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-11-14 08:57 . 2009-11-14 08:57 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-11-14 07:11 . 2009-11-14 07:11 -------- d-----w- c:\program files\cdv Software Entertainment USA
2009-11-14 07:11 . 2009-11-14 07:11 -------- d-----w- c:\windows\system32\AGEIA
2009-11-14 07:11 . 2009-11-15 07:10 -------- d-----w- c:\program files\AGEIA Technologies
2009-11-10 04:49 . 2009-11-10 20:31 75269 ----a-w- c:\windows\War3Unin.dat
2009-11-09 03:52 . 2009-11-09 03:52 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-09 03:42 . 2009-11-09 03:52 -------- d-----w- c:\program files\PC Inspector File Recovery
2009-11-09 03:03 . 2009-11-09 03:03 -------- d-----w- c:\program files\Guild Wars
2009-11-09 02:59 . 2009-11-09 02:59 -------- d-----w- c:\program files\Ventrilo
2009-11-09 02:59 . 2009-11-09 05:43 -------- d-----w- c:\documents and settings\Michaella Franklin\Application Data\Bioshock
2009-11-09 02:59 . 2009-11-09 02:59 -------- d-----w- c:\documents and settings\Michaella Franklin\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-30 06:31 . 2009-09-01 04:59 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-30 06:09 . 2007-11-16 01:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-30 06:09 . 2008-12-02 09:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-29 09:32 . 2009-07-15 00:38 38 ----a-w- c:\documents and settings\Michaella Franklin\jagex_runescape_preferences.dat
2009-11-26 14:14 . 2009-05-18 20:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-25 01:10 . 2007-04-04 00:36 -------- d-----w- c:\documents and settings\Michaella Franklin\Application Data\Apple Computer
2009-11-25 01:01 . 2007-06-04 01:42 -------- d-----w- c:\program files\iTunes
2009-11-25 01:01 . 2007-06-30 01:58 -------- d-----w- c:\program files\Common Files\Apple
2009-11-23 07:33 . 2007-03-22 03:45 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-11-22 08:31 . 2007-06-04 18:30 -------- d-----w- c:\program files\Warcraft III
2009-11-15 21:09 . 2007-03-22 21:12 70288 ----a-w- c:\documents and settings\Michaella Franklin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-11 10:06 . 2007-03-21 19:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-10 05:21 . 2007-06-04 18:35 2829 ----a-w- c:\windows\War3Unin.pif
2009-11-10 05:21 . 2007-06-04 18:35 139264 ----a-w- c:\windows\War3Unin.exe
2009-11-09 03:42 . 2007-03-21 18:58 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-09 02:59 . 2008-01-16 22:17 -------- d-----w- c:\program files\MaNGOS WoW Server
2009-11-08 03:10 . 2009-01-26 23:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-11-06 00:16 . 2009-06-09 20:11 -------- d-----w- c:\program files\ATI
2009-11-03 03:42 . 2009-10-04 22:18 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-31 09:05 . 2007-03-21 19:13 -------- d-----w- c:\program files\Microsoft Works
2009-10-26 01:45 . 2008-01-10 01:46 -------- d--ha-w- c:\documents and settings\All Users\Application Data\GTek
2009-10-26 00:23 . 2007-03-09 04:55 -------- d-----w- c:\documents and settings\Michaella Franklin\Application Data\U3
2009-10-07 23:43 . 2009-07-24 00:30 2318 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-09-11 14:18 . 2008-08-17 01:33 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 1980-01-01 00:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2008-12-02 10:28 . 2008-12-02 10:28 812344 ----a-w- c:\program files\HJTInstall.exe
2008-10-27 17:37 . 2008-10-27 17:37 699488 ----a-w- c:\program files\JUN2007_d3dx10_34_x86.cab
2008-10-27 17:36 . 2008-10-27 17:36 526160 ----a-w- c:\program files\DXSETUP.exe
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 09:19 . 2007-11-07 09:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 13:07 . 2008-07-29 13:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 13:07 . 2008-07-29 13:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2009-12-01 00:06 . 2009-12-01 00:06 16384 c:\windows\Temp\Perflib_Perfdata_a8.dat
+ 2009-12-01 00:06 . 2009-12-01 00:06 16384 c:\windows\Temp\Perflib_Perfdata_978.dat
+ 2009-11-26 12:08 . 2009-05-11 16:12 28520 c:\windows\system32\drivers\ssmdrv.sys
+ 2008-08-17 01:33 . 2008-04-14 06:10 96512 c:\windows\system32\dllcache\atapi.sys
- 2007-03-22 03:36 . 2009-11-26 08:31 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-03-22 03:36 . 2009-11-30 04:54 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-03-22 03:36 . 2009-11-26 08:31 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-03-22 03:36 . 2009-11-30 04:54 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-03-22 03:38 . 2007-03-21 19:52 32768 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
+ 2007-03-22 03:38 . 2009-11-26 11:04 32768 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
+ 2009-11-24 06:24 . 2009-11-30 04:54 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-11-24 06:24 . 2009-11-26 08:31 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2007-03-22 03:36 . 2009-11-30 04:54 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-03-22 03:36 . 2009-11-26 08:31 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-07-15 00:38 . 2009-11-29 08:42 49152 c:\windows\.jagex_cache_32\runescape\jagmisc.dll
- 2009-07-15 00:38 . 2009-07-15 00:44 49152 c:\windows\.jagex_cache_32\runescape\jagmisc.dll
- 2009-07-15 00:38 . 2009-07-15 00:44 81920 c:\windows\.jagex_cache_32\runescape\jaggl.dll
+ 2009-07-15 00:38 . 2009-11-29 08:42 81920 c:\windows\.jagex_cache_32\runescape\jaggl.dll
+ 2009-11-26 11:15 . 2009-11-26 11:20 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{F821022E-DA7C-11DE-ACF4-0019D113E325}.dat
+ 2009-11-26 11:03 . 2009-11-26 11:03 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{591CEBDA-DA7B-11DE-ACF4-0019D113E325}.dat
+ 2009-11-26 11:15 . 2009-11-26 11:15 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{F821022F-DA7C-11DE-ACF4-0019D113E325}.dat
+ 2009-11-26 11:03 . 2009-11-26 11:03 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{591CEBDB-DA7B-11DE-ACF4-0019D113E325}.dat
+ 2008-07-29 15:05 . 2008-07-29 15:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 10:54 . 2008-07-29 10:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2009-11-27 04:13 . 2009-11-27 04:13 195584 c:\windows\Installer\1f5effc.msi
+ 2009-11-26 12:06 . 2009-11-26 12:06 228352 c:\windows\Installer\13266b.msi
+ 2008-07-29 15:05 . 2008-07-29 15:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
+ 2009-11-30 05:47 . 2009-11-30 05:47 3940352 c:\windows\Installer\2e709b.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe MSRun" [X]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

c:\documents and settings\Michaella Franklin\Start Menu\Programs\Startup\
SDK Tray Menu.lnk - c:\sun\SDK\jdk\bin\javaw.exe [2009-11-29 139264]

[HKLM\~\startupfolder\C:^Documents and Settings^Michaella Franklin^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
path=c:\documents and settings\Michaella Franklin\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
backup=c:\windows\pss\Stardock ObjectDock.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 stmtpm;STM TPM Service;c:\windows\system32\drivers\stm_tpm.sys [5/19/2006 4:41 AM 21504]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/26/2009 5:08 AM 108289]
R2 caniodrvr;caniodrvr;c:\mpc\system_monitor\agent\drivers\Caniodrvr.sys [8/24/2005 12:47 PM 4096]
R2 SMAgent;MPC Desktop System Manager Agent;c:\mpc\system_monitor\agent\smaagent.exe DML 0 --> c:\mpc\system_monitor\agent\smaagent.exe DML 0 [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/3/2009 11:19 PM 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
R3 IAMTXP;Driver for Intel(R) Active Management Technology - KCS;c:\windows\system32\drivers\IAMTXP.sys [10/18/2006 4:13 PM 47496]
S2 DMWebSrv;MPC Desktop System Manager Web Server;c:\mpc\jetty\DMWebSrv.exe -s c:\mpc\jetty\DMWebSrv.conf --> c:\mpc\jetty\DMWebSrv.exe -s c:\mpc\jetty\DMWebSrv.conf [?]
S2 gupdate1c9c5ad7a6cebe4;Google Update Service (gupdate1c9c5ad7a6cebe4);c:\program files\Google\Update\GoogleUpdate.exe [4/25/2009 6:55 AM 133104]
S3 hitmanpro3;Hitman Pro 3 Support Driver; [x]
S3 maxidemo;Maxi_Vista_Demo_Driver; [x]
.
Contents of the 'Scheduled Tasks' folder

2009-11-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-12-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-25 13:55]

2009-11-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-25 13:55]

2009-12-01 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
TCP: {56918B8D-53F7-4352-8568-6C47CAD3B1C0} = 83.149.115.182
FF - ProfilePath - c:\documents and settings\Michaella Franklin\Application Data\Mozilla\Firefox\Profiles\ll6pcbxu.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\Michaella Franklin\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-11-30 17:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f0,82,9d,3d,42,ee,80,48,ad,80,d5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f0,82,9d,3d,42,ee,80,48,ad,80,d5,\

[HKEY_USERS\S-1-5-21-456631245-283180312-2691934696-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:37,24,4d,93,ce,59,0d,dd,c9,44,c8,9c,1e,24,db,8a,d4,71,eb,db,e2,35,e5,
8f,5b,24,5a,cf,39,e5,21,ef,6c,fd,48,83,a1,87,38,fb,4d,a8,09,7b,d5,99,bf,49,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-456631245-283180312-2691934696-1004\Software\SecuROM\License information*]
"datasecu"=hex:ea,0a,25,d0,d8,66,a0,9c,f2,ab,03,4c,9a,09,9f,e3,f9,f8,6e,e4,21,
57,e5,ba,bf,c5,e7,8e,c0,a1,13,3c,0d,d8,5b,b4,de,d0,86,cf,1b,8b,6e,63,cd,b8,\
"rkeysecu"=hex:b2,ce,31,15,b2,ac,40,2e,d7,2e,22,89,fe,50,38,18
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-11-30 17:18
ComboFix-quarantined-files.txt 2009-12-01 00:18
ComboFix2.txt 2009-11-30 06:50
ComboFix3.txt 2009-11-26 13:57
ComboFix4.txt 2009-11-26 09:10

Pre-Run: 35,737,939,968 bytes free
Post-Run: 35,796,713,472 bytes free

- - End Of File - - D5AAEA7FB4652DBF7E345A466E433500

evildarc0
Novice

Posts : 12
Joined : 2009-11-26
OS : xp
Points : 25848
Likes : 0

Re: unknown virus or trojan

Post by Belahzur on 1st December 2009, 1:44 am

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double-click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245079
Likes : 1

Re: unknown virus or trojan

Post by evildarc0 on 1st December 2009, 5:12 am

Malwarebytes' Anti-Malware 1.41
Database version: 3265
Windows 5.1.2600 Service Pack 3

11/30/2009 10:12:05 PM
mbam-log-2009-11-30 (22-12-05).txt

Scan type: Quick Scan
Objects scanned: 122856
Time elapsed: 5 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{56918b8d-53f7-4352-8568-6c47cad3b1c0}\NameServer (Trojan.DNSChanger) -> Data: 83.149.115.182 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{56918b8d-53f7-4352-8568-6c47cad3b1c0}\NameServer (Trojan.DNSChanger) -> Data: 83.149.115.182 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{56918b8d-53f7-4352-8568-6c47cad3b1c0}\NameServer (Trojan.DNSChanger) -> Data: 83.149.115.182 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

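All three MBAM hits above are one indicator: the NameServer value of the TCP/IP interface was pointed at an attacker-chosen resolver (the same 83.149.115.182 that ComboFix listed under "TCP:"), and the rogue value sat in the ControlSet002 and ControlSet003 copies as well as CurrentControlSet. As an added example that is not part of this thread or of any tool named in it, the PowerShell below enumerates those per-interface resolver values across every control set and flags any that are not on an allowlist; the allowlist addresses are constructed placeholders to replace with your own.

```powershell
# Added example, not code from the thread or from any tool named in it.
# Enumerates the per-interface DNS resolver values that Trojan.DNSChanger
# overwrote in this case and flags any resolver not on an allowlist.
function Get-InterfaceDnsServers {
    param(
        # Resolvers you expect to see; the default is a constructed placeholder.
        [string[]]$Allowed = @('192.168.1.1')
    )
    # The MBAM log shows the rogue value in ControlSet002/003 as well as in
    # CurrentControlSet, so walk every control set rather than only the live one.
    $controlSets = @(Get-ChildItem 'HKLM:\SYSTEM' |
        Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
        ForEach-Object { $_.PSChildName }) + 'CurrentControlSet'

    foreach ($cs in $controlSets) {
        $base = "HKLM:\SYSTEM\$cs\Services\Tcpip\Parameters\Interfaces"
        if (-not (Test-Path $base)) { continue }
        foreach ($iface in Get-ChildItem $base) {
            $props = Get-ItemProperty -Path $iface.PSPath
            # NameServer holds statically configured resolvers, DhcpNameServer the
            # DHCP-assigned ones; either can be repointed, so report both.
            foreach ($valueName in 'NameServer', 'DhcpNameServer') {
                $raw = $props.$valueName
                if ([string]::IsNullOrEmpty($raw)) { continue }
                # Windows stores multiple resolvers separated by spaces or commas.
                foreach ($server in ($raw -split '[ ,]+' | Where-Object { $_ })) {
                    New-Object PSObject -Property @{
                        ControlSet = $cs
                        Interface  = $iface.PSChildName
                        Value      = $valueName
                        Resolver   = $server
                        Expected   = [bool]($Allowed -contains $server)
                    }
                }
            }
        }
    }
}

# Usage: show only resolvers that are not on the allowlist (constructed values).
Get-InterfaceDnsServers -Allowed '192.168.1.1', '8.8.8.8' |
    Where-Object { -not $_.Expected } |
    Format-Table ControlSet, Interface, Value, Resolver -AutoSize
```

The MBAM entries were the interface-level values; the key one level up (Tcpip\Parameters) also carries a machine-wide NameServer value that is worth reading the same way.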

Re: unknown virus or trojan

Post by Belahzur on 1st December 2009, 10:08 pm

How is the machine now?





Re: unknown virus or trojan

Post by evildarc0 on 1st December 2009, 10:35 pm

Well, it's running fine now, but every now and then I get a random web page opening. Other than that, I think it's good.


Re: unknown virus or trojan

Post by Belahzur on 1st December 2009, 11:24 pm

Post a new Hijack This log.





Re: unknown virus or trojan

Post by evildarc0 on 2nd December 2009, 1:59 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:57 PM, on 12/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Sun\SDK\jdk\bin\javaw.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\MPC\jetty\DMWebSrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\MPC\system_monitor\agent\smaagent.exe
C:\WINDOWS\system32\svchost.exe
C:\MPC\java\bin\java.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - Startup: SDK Tray Menu.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: MPC Desktop System Manager Web Server (DMWebSrv) - Unknown owner - C:\MPC\jetty\DMWebSrv.exe
O23 - Service: Google Update Service (gupdate1c9c5ad7a6cebe4) (gupdate1c9c5ad7a6cebe4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MPC Desktop System Manager Agent (SMAgent) - SyAM Software, Inc. - C:\MPC\system_monitor\agent\smaagent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5224 bytes


Re: unknown virus or trojan

Post by Belahzur on 2nd December 2009, 8:50 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)

  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double-click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.




