
Solved Ebay login malware

Discussion in 'Malware and Virus Removal Archive' started by jform, 2010/03/20.

  1. 2010/03/21
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    The file is safe. Don't scan it. Run it.
     
  2. 2010/03/21
    jform

    jform Inactive Thread Starter

    Joined:
    2010/03/20
    Messages:
    41
    Likes Received:
    0
    I tried, it won't run. Do I need to turn off AVG and Spybot first?
     


  4. 2010/03/21
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please do.
     
  5. 2010/03/21
    jform

    jform Inactive Thread Starter

    Joined:
    2010/03/20
    Messages:
    41
    Likes Received:
    0
    SystemScan - www.suspectfile.com - ver. 3.6.7 (code: holifay & bReAkdOWn)

    Running on: Windows XP HOME Edition, Service Pack 3 (2600.5.1)
    System directory: C:\WINDOWS
    SystemScan file: C:\Documents and Settings\John\Desktop\sys17312\sys17312.exe
    Running in: User mode
    Date: 3/21/2010
    Time: 9:26:42 PM

    Output limited to:
    -PC accounts

    ===================== ACCOUNTS ON THIS PC =====================


    Users on this computer:
    Is Admin? | Username
    ------------------
    Yes | Administrator
    | ASPNET
    | Guest (Disabled)
    | HelpAssistant (Disabled)
    Yes | John
    | SUPPORT_388945a0 (Disabled)

    ### users folders

    17/06/2008 16:58:27 (DIR) 0 byte 642 days old -- All Users
    25/06/2009 18:42:28 (DIR) 0 byte 269 days old -- LocalService
    20/03/2010 11:07:02 (DIR) 0 byte 1 days old -- HelpAssistant
    20/03/2010 15:55:35 (DIR) 0 byte 1 days old -- Default User
    21/03/2010 01:02:25 (DIR) 0 byte 0 days old -- NetworkService
    21/03/2010 14:32:40 (DIR) 0 byte 0 days old -- John
    09/03/2010 18:37:31 (DIR) 0 byte 12 days old -- Administrator

    ### startup files in users folders

    C:\documents and settings\Administrator\Start Menu\Programs\Startup\desktop.ini
    C:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    C:\documents and settings\All Users\Start Menu\Programs\Startup\desktop.ini
    C:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk.disabled
    C:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    C:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
    C:\documents and settings\All Users\Start Menu\Programs\Startup\Philips GoGear VIBE Device Manager.lnk.disabled
    C:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    C:\documents and settings\Default User\Start Menu\Programs\Startup\desktop.ini
    C:\documents and settings\HelpAssistant\Start Menu\Programs\Startup\desktop.ini
    C:\documents and settings\John\Start Menu\Programs\Startup\desktop.ini

    ==========================================
    Scan completed in 0 minutes
    End of report


    ~~~~~~~~~~~~~~~~~~~~~-----CREDITS-----~~~~~~~~~~~~~~~~~~~~~
    SystemScan uses some freeware tools that remain property of their authors:

    * SteelWerX Registry Console Tool, Who Am I (Bobby Flekman: www.xs4all.nl/~fstaal01) --> "Registry scan ", "PC accounts "
    * dumphive (Markus Stephany)--> "Registry scan "
    * Listdlls (M.Russinovich, B.Cogswell: www.sysinternals.com) --> "Loaded modules "
    * Catchme & MBR Rootkit detector (gmer: www.gmer.net) --> "Hidden objects ", "Alternate Data Streams" & "Master Boot Record "
    ---> NOTE: SystemScan integrates "The Avenger" from Swandog46 (http://swandog46.geekstogo.com) to allow you to remove malwares found in this log

    Thanks to all of them for their hard work
     
  6. 2010/03/21
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Very good :)

    Go Start>Control Panel
    Double click on User Accounts.
    Click Change an account in the Pick a task list box.
    Click on HelpAssistant account.
    Click Delete the account (do NOT save any user files, if asked).

    Let me know, if successful.
     
  7. 2010/03/21
    jform

    jform Inactive Thread Starter

    Joined:
    2010/03/20
    Messages:
    41
    Likes Received:
    0
    Did as you said. HelpAssistant account does not show. Just my account (Computer administrator, password protected) and Guest (Guest account is off).
     
  8. 2010/03/21
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Delete the HelpAsst_mebroot_fix.exe you have on your desktop.
    Get a fresh copy....

    Download and save HelpAsst_mebroot_fix.exe to your desktop.
    • Close all open programs.
    • Double click HelpAsst_mebroot_fix.exe to run it.
    • Pay attention to the running tool.
    • If the tool detects an MBR infection, please allow it to run mbr -f and shut down your computer. To do so, type Y and press Enter.
    • After restart, wait 5 minutes, then go Start>Run, copy and paste the following command in the run box then hit Enter:

      • helpasst -mbrt
    • When it completes, a log will open.
    • Please post the contents of that log.

    =============================================================

    Please download Profiles by noahdfear.

    * Save it to your desktop.
    * Double-click profiles.exe and post its log when you reply.
     
  9. 2010/03/21
    jform

    jform Inactive Thread Starter

    Joined:
    2010/03/20
    Messages:
    41
    Likes Received:
    0
    I deleted the old, installed and ran the new. Said the MBR was OK. I shut the machine down and will restart in 5 min.
     
  10. 2010/03/21
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Ok....
     
  11. 2010/03/21
    jform

    jform Inactive Thread Starter

    Joined:
    2010/03/20
    Messages:
    41
    Likes Received:
    0
    C:\Documents and Settings\John\Desktop\HelpAsst_mebroot_fix.exe
    Sun 03/21/2010 at 22:14:28.25

    HelpAssistant account was found to be Inactive


    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll not found

    ~~ Checking firewall ports ~~

    HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

    HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list


    HelpAssistant profile not found in registry

    ~~ Checking mbr ~~

    user & kernel MBR OK

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Status check on Sun 03/21/2010 at 22:29:13.90

    Full Name Remote Desktop Help Assistant Account
    Account active No
    Local Group Memberships

    ~~ Checking mbr ~~

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
    kernel: MBR read successfully
    user & kernel MBR OK
    copy of MBR has been found in sector 0x0950A600
    malicious code @ sector 0x0950A603 !
    PE file found in sector at 0x0950A619 !

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll not found


    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
    ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

    ~~ Checking profile list ~~

    No HelpAssistant profile in List

    ~~ Checking for HelpAssistant directories ~~

    HelpAssistant

    ~~ Checking firewall ports ~~

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


    ~~ EOF ~~
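
An added triage helper (example code, not part of this thread or of the HelpAsst_mebroot_fix tool) that reads a log like the one above and lists what still needs attention; it assumes the tool keeps the section names and wording shown in that log, and the sample input is constructed to mirror it.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the wording and "~~ ... ~~" section layout mirror the
# HelpAsst_mebroot_fix log posted above, trimmed to the lines the parser uses.
SAMPLE_LOG = r"""
HelpAssistant account was found to be Inactive
Account active No
~~ Checking for termsrv32.dll ~~
termsrv32.dll not found
~~ Checking firewall ports ~~
HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
HelpAssistant profile not found in registry
~~ Checking mbr ~~
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
user & kernel MBR OK
copy of MBR has been found in sector 0x0950A600
malicious code @ sector 0x0950A603 !
PE file found in sector at 0x0950A619 !
~~ Checking profile list ~~
No HelpAssistant profile in List
~~ Checking for HelpAssistant directories ~~
HelpAssistant
~~ EOF ~~
"""

HEADER = re.compile(r"^~~\s*(.+?)\s*~~$")                       # "~~ Checking mbr ~~"
FOUND_TO_BE = re.compile(r"^HelpAssistant account was found to be (\w+)", re.I)
NET_USER = re.compile(r"^Account active\s+(Yes|No)$", re.I)      # "net user" style status line


@dataclass
class Triage:
    account_active: Optional[bool] = None      # None: the log never reported it
    termsrv32_present: bool = False            # a termsrv32.dll was reported
    open_ports: List[str] = field(default_factory=list)   # entries under GloballyOpenPorts
    profile_in_list: bool = False              # HelpAssistant still in ProfileList
    mbr_ok: bool = False                       # "user & kernel MBR OK" seen
    mbr_alerts: List[str] = field(default_factory=list)   # detector lines ending in "!"
    helpassistant_dirs: List[str] = field(default_factory=list)

    def issues(self) -> List[str]:
        """Residual indicators a helper would still act on (above: the leftover folder)."""
        checks = [
            (self.account_active, "HelpAssistant account is active"),
            (self.termsrv32_present, "termsrv32.dll is present"),
            (self.open_ports, "globally open firewall ports: " + ", ".join(self.open_ports)),
            (self.profile_in_list, "HelpAssistant still registered in ProfileList"),
            (not self.mbr_ok, "log never reports 'user & kernel MBR OK'"),
            (self.mbr_alerts, "MBR scan alerts: " + "; ".join(self.mbr_alerts)),
            (self.helpassistant_dirs, "HelpAssistant directories on disk: " + ", ".join(self.helpassistant_dirs)),
        ]
        return [msg for cond, msg in checks if cond]


def parse_helpasst_log(text: str) -> Triage:
    t = Triage()
    section = "account"                        # lines before the first ~~ header
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            section = m.group(1).lower()
            continue
        low = line.lower()
        # Lines the tool emits in more than one part of the log
        m = FOUND_TO_BE.match(line) or NET_USER.match(line)
        if m:
            t.account_active = m.group(1).lower() in ("active", "yes")
        elif "helpassistant profile" in low:
            t.profile_in_list = "not found" not in low and not low.startswith("no ")
        # Section-specific lines
        elif "termsrv32" in section:
            if "termsrv32.dll" in low and "not found" not in low:
                t.termsrv32_present = True
        elif "firewall" in section:
            if not line.lstrip("[").upper().startswith("HKLM"):
                t.open_ports.append(line)      # an entry beneath a GloballyOpenPorts key
        elif "mbr" in section:
            if "mbr ok" in low:
                t.mbr_ok = True
            elif line.endswith("!"):
                t.mbr_alerts.append(line)
        elif "directories" in section:
            t.helpassistant_dirs.append(line)  # profile folder still on disk
    return t


if __name__ == "__main__":
    for issue in parse_helpasst_log(SAMPLE_LOG).issues():
        print("-", issue)
```

On the sample it reports only the leftover profile folder and the detector's two "!" lines, matching what the thread goes on to clean up.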
     
  12. 2010/03/21
    jform

    jform Inactive Thread Starter

    Joined:
    2010/03/20
    Messages:
    41
    Likes Received:
    0
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
    DefaultUserProfile REG_SZ Default User
    AllUsersProfile REG_SZ All Users

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
    ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1390067357-1220945662-682003330-1004
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\John

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1390067357-1220945662-682003330-500
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Administrator

    SystemRoot REG_SZ C:\WINDOWS
     
  13. 2010/03/21
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    That looks good :)

    Please re-run Combofix and post a fresh log.
     
  14. 2010/03/21
    jform

    jform Inactive Thread Starter

    Joined:
    2010/03/20
    Messages:
    41
    Likes Received:
    0
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
    DefaultUserProfile REG_SZ Default User
    AllUsersProfile REG_SZ All Users

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
    ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1390067357-1220945662-682003330-1004
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\John

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1390067357-1220945662-682003330-500
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Administrator

    SystemRoot REG_SZ C:\WINDOWS
     
  15. 2010/03/21
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    No, Combofix (reply #10).
     
  16. 2010/03/21
    jform

    jform Inactive Thread Starter

    Joined:
    2010/03/20
    Messages:
    41
    Likes Received:
    0
    ComboFix 10-03-21.02 - John 03/21/2010 22:40:44.5.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.572 [GMT -4:00]
    Running from: c:\documents and settings\John\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((( Files Created from 2010-02-22 to 2010-03-22 )))))))))))))))))))))))))))))))
    .

    2010-03-20 20:04 . 2010-03-20 20:04 -------- d-----w- c:\program files\Trend Micro
    2010-03-13 13:36 . 2010-03-13 13:36 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
    2010-03-13 13:36 . 2010-03-13 13:36 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
    2010-03-13 13:36 . 2010-03-13 13:36 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
    2010-03-13 13:35 . 2010-03-13 13:35 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-03-13 13:30 . 2010-03-09 04:28 1658136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
    2010-03-13 13:30 . 2010-03-09 04:28 1007896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
    2010-03-13 13:30 . 2010-03-09 04:28 800536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
    2010-03-13 13:30 . 2010-03-09 04:28 613656 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
    2010-03-11 02:22 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
    2010-03-09 22:54 . 2010-03-09 04:28 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
    2010-03-09 22:54 . 2010-03-09 04:28 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
    2010-03-09 22:44 . 2010-03-10 03:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-03-09 22:44 . 2010-03-10 01:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-03-09 22:34 . 2010-03-09 22:34 -------- d-----w- c:\program files\CCleaner
    2010-03-09 22:32 . 2010-03-09 22:32 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2010-03-09 04:29 . 2010-03-09 22:51 -------- d-----w- C:\$AVG
    2010-03-09 04:28 . 2010-03-13 13:35 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-03-09 04:28 . 2010-03-13 13:32 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-03-09 04:28 . 2010-03-13 13:35 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-03-09 04:28 . 2010-03-21 22:30 -------- d-----w- c:\windows\system32\drivers\Avg
    2010-03-09 04:28 . 2010-03-09 04:29 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
    2010-03-09 04:28 . 2010-03-09 04:28 -------- d-----w- c:\program files\AVG
    2010-03-09 04:28 . 2010-03-09 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2010-03-02 20:57 . 2010-03-02 20:57 -------- d-----w- c:\program files\Common Files\PC Tools
    2010-03-02 17:31 . 2010-03-02 17:31 -------- d-----w- c:\documents and settings\John\Application Data\Malwarebytes
    2010-03-02 17:15 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-02 17:15 . 2010-03-02 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-03-02 17:15 . 2010-03-02 17:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-03-02 17:15 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-01 02:55 . 2010-03-01 02:55 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
    2010-03-01 02:55 . 2010-03-01 02:55 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
    2010-03-01 02:55 . 2010-03-01 02:55 -------- d-----w- c:\documents and settings\HelpAssistant\Shared
    2010-03-01 02:55 . 2010-03-01 02:55 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
    2010-03-01 02:06 . 2010-03-01 02:06 -------- d-----w- c:\documents and settings\HelpAssistant\LocalLow
    2010-03-01 01:42 . 2010-03-01 01:42 -------- d-----w- c:\documents and settings\HelpAssistant\IETldCache
    2010-03-01 01:42 . 2010-03-01 01:42 -------- d-----w- c:\documents and settings\HelpAssistant\IECompatCache
    2010-03-01 01:42 . 2008-12-13 17:37 61224 ----a-w- c:\documents and settings\HelpAssistant\GoToAssistDownloadHelper.exe
    2010-02-28 13:27 . 2010-03-09 22:52 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\jmkolb
    2010-02-24 18:14 . 2010-02-24 18:14 -------- d-----w- c:\program files\Garmin
    2010-02-24 18:14 . 2010-02-24 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\GARMIN
    2010-02-24 17:10 . 2010-02-24 17:50 -------- d-----w- c:\documents and settings\John\Application Data\Download Manager
    2010-02-24 15:15 . 2010-02-24 18:13 -------- d-----w- c:\documents and settings\John\Application Data\GARMIN

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-13 19:37 . 2005-10-27 18:49 -------- d-----w- c:\program files\Yahoo!
    2010-03-13 19:32 . 2009-11-13 12:52 -------- d-----w- c:\program files\Microsoft
    2010-03-13 19:29 . 2007-09-16 22:07 -------- d-----w- c:\program files\LEGO Company
    2010-03-03 00:38 . 2009-03-12 16:01 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-03-02 20:33 . 2005-10-19 16:58 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2010-03-02 20:33 . 2005-10-19 16:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2010-03-02 17:50 . 2008-10-30 13:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2010-02-27 12:02 . 2009-03-12 21:08 -------- d-----w- c:\documents and settings\John\Application Data\PlayFirst
    2010-02-22 19:35 . 2006-10-08 19:52 -------- d-----w- c:\documents and settings\John\Application Data\U3
    2010-02-06 13:52 . 2010-02-06 13:52 50354 ----a-w- c:\documents and settings\John\Application Data\Facebook\uninstall.exe
    2010-02-06 13:52 . 2010-02-06 13:52 -------- d-----w- c:\documents and settings\John\Application Data\Facebook
    2010-02-05 21:36 . 2010-02-05 21:36 -------- d-----w- c:\program files\Nick Jr. Arcade
    2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\John\Application Data\Facebook\axfbootloader.dll
    2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\John\Application Data\Facebook\npfbplugin_1_0_1.dll
    2009-12-31 16:50 . 2001-08-18 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-26 16:12 . 2009-12-26 16:12 28696928 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\UPCInstaller.exe
    2009-12-26 16:12 . 2009-12-26 16:12 6106960 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\TagPlugin.exe
    2005-12-05 23:28 . 2005-12-05 23:28 3673932 ------w- c:\program files\Dec2005_MDX1_x86_Archive.cab
    2005-12-05 23:28 . 2005-12-05 23:28 1358864 ------w- c:\program files\Dec2005_d3dx9_28_x64.cab
    2005-12-05 23:28 . 2005-12-05 23:28 86925 ------w- c:\program files\Oct2005_xinput_x64.cab
    2005-12-05 23:28 . 2005-12-05 23:28 46247 ------w- c:\program files\Oct2005_xinput_x86.cab
    2005-12-05 23:28 . 2005-12-05 23:28 41888 ------w- c:\program files\dxdllreg_x86.cab
    2005-12-05 23:28 . 2005-12-05 23:28 916806 ------w- c:\program files\Dec2005_MDX1_x86.cab
    2005-12-05 23:27 . 2005-12-05 23:27 1080344 ------w- c:\program files\Dec2005_d3dx9_28_x86.cab
    .

    ((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2001-09-04 19:31 . 2001-09-04 19:31 655360 c:\program files\Adaptec\Easy CD Creator 5\DirectCD\bak\DirectCD.exe

    2001-08-17 04:41 . 2001-08-17 04:41 28738 c:\program files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe

    2006-01-01 14:40 . 2006-01-01 14:40 180269 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

    2007-07-17 00:43 . 2007-07-17 00:43 68856 c:\program files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe

    2005-02-17 03:11 . 2005-02-17 03:11 49152 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe

    2005-01-12 18:54 . 2005-01-12 18:54 241664 c:\program files\HP\hpcoretech\bak\hpcmpmgr.exe

    2007-03-14 23:05 . 2007-03-14 23:05 257088 c:\program files\iTunes\bak\iTunesHelper.exe

    2007-10-16 00:31 . 2007-09-25 05:11 132496 c:\program files\Java\jre1.6.0_03\bin\bak\jusched.exe

    2007-10-20 12:55 . 2006-04-03 00:07 389120 c:\program files\Linksys EasyLink Advisor\bak\LinksysAgent.exe

    2001-10-06 00:34 . 2001-10-06 00:34 24576 c:\program files\Microsoft Works\bak\wkfud.exe

    2001-08-23 21:52 . 2001-08-23 21:52 331830 c:\program files\Microsoft Works\bak\WksSb.exe

    2007-02-16 14:54 . 2007-02-16 14:54 282624 c:\program files\QuickTime\bak\qttask.exe

    2005-10-19 22:24 . 2004-01-05 07:27 176128 c:\windows\system32\spool\drivers\w32x86\3\bak\hpztsb09.exe

    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C} "= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829} "= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "EasyLinkAdvisor "= "c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [N/A]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Shockwave Updater "= "c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150600.exe" [2009-06-05 468408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QBCD Autorun "= "D:\autorun.exe" [N/A]
    "ArcSoft Connection Service "= "c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    HP Digital Imaging Monitor.lnk.disabled [2005-10-19 1808]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]
    Philips GoGear VIBE Device Manager.lnk.disabled [2009-9-10 835]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5} "= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-03-13 13:35 12464 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
    2007-08-31 19:01 1037736 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    c:\program files\iTunes\iTunesHelper.exe [N/A]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    c:\program files\Common Files\Real\Update_OB\realsched.exe [N/A]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "DW6 "= "c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe "
    "MsnMsgr "= "c:\program files\MSN Messenger\MsnMsgr.Exe" /background
    "swg "=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Monitor "= "c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\WINDOWS\\system32\\mshta.exe "=
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe "=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe "=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/9/2010 12:28 AM 216200]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/9/2010 12:28 AM 242696]
    R2 ACEDRV09;ACEDRV09;c:\windows\system32\drivers\ACEDRV09.sys [8/15/2007 10:41 AM 110304]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/13/2010 9:34 AM 308064]
    R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [3/2/2010 4:57 PM 583640]
    S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [12/26/2009 12:14 PM 18560]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [11/30/2008 5:25 PM 18688]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [11/30/2008 5:25 PM 8320]
    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [11/30/2008 5:25 PM 23680]
    .
    Contents of the 'Scheduled Tasks' folder

    2008-09-20 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
    - c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-08-31 19:01]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://www.yahoo.com
    mWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
    Trusted Zone: turbotax.com
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-21 22:51
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3960)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-03-21 22:57:51
    ComboFix-quarantined-files.txt 2010-03-22 02:57
    ComboFix2.txt 2010-03-21 23:06
    ComboFix3.txt 2010-03-21 20:40
    ComboFix4.txt 2010-03-21 13:11
    ComboFix5.txt 2010-03-22 02:39

    Pre-Run: 41,866,842,112 bytes free
    Post-Run: 41,820,450,816 bytes free

    Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
    - - End Of File - - 08ED912319A0508D00B8CB49BBC121D7
     
  17. 2010/03/21
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download OTM

    • Save it to your desktop.
    • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes
    
    :Services
    
    :Reg
    
    :Files
    c:\documents and settings\HelpAssistant
          
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [Reboot]
    
    • Return to OTM, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM and reboot your PC.

    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.
     
  18. 2010/03/21
    jform

    jform Inactive Thread Starter

    Joined:
    2010/03/20
    Messages:
    41
    Likes Received:
    0
  19. 2010/03/21
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Looks good :)

    Just to confirm, give me a fresh Combofix log, please.
     
  20. 2010/03/22
    jform

    jform Inactive Thread Starter

    Joined:
    2010/03/20
    Messages:
    41
    Likes Received:
    0
    ComboFix 10-03-22.02 - John 03/22/2010 18:19:39.6.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.528 [GMT -4:00]
    Running from: c:\documents and settings\John\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((( Files Created from 2010-02-22 to 2010-03-22 )))))))))))))))))))))))))))))))
    .

    2010-03-22 03:19 . 2010-03-22 03:19 -------- d-----w- C:\_OTM
    2010-03-20 20:04 . 2010-03-20 20:04 -------- d-----w- c:\program files\Trend Micro
    2010-03-13 13:36 . 2010-03-13 13:36 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
    2010-03-13 13:36 . 2010-03-13 13:36 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
    2010-03-13 13:36 . 2010-03-13 13:36 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
    2010-03-13 13:35 . 2010-03-13 13:35 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-03-13 13:30 . 2010-03-09 04:28 1658136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
    2010-03-13 13:30 . 2010-03-09 04:28 1007896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
    2010-03-13 13:30 . 2010-03-09 04:28 800536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
    2010-03-13 13:30 . 2010-03-09 04:28 613656 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
    2010-03-11 02:22 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
    2010-03-09 22:54 . 2010-03-09 04:28 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
    2010-03-09 22:54 . 2010-03-09 04:28 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
    2010-03-09 22:44 . 2010-03-10 03:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-03-09 22:44 . 2010-03-10 01:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-03-09 22:34 . 2010-03-09 22:34 -------- d-----w- c:\program files\CCleaner
    2010-03-09 22:32 . 2010-03-09 22:32 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2010-03-09 04:29 . 2010-03-09 22:51 -------- d-----w- C:\$AVG
    2010-03-09 04:28 . 2010-03-13 13:35 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-03-09 04:28 . 2010-03-13 13:32 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-03-09 04:28 . 2010-03-13 13:35 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-03-09 04:28 . 2010-03-22 14:50 -------- d-----w- c:\windows\system32\drivers\Avg
    2010-03-09 04:28 . 2010-03-09 04:29 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
    2010-03-09 04:28 . 2010-03-09 04:28 -------- d-----w- c:\program files\AVG
    2010-03-09 04:28 . 2010-03-09 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2010-03-02 20:57 . 2010-03-02 20:57 -------- d-----w- c:\program files\Common Files\PC Tools
    2010-03-02 17:31 . 2010-03-02 17:31 -------- d-----w- c:\documents and settings\John\Application Data\Malwarebytes
    2010-03-02 17:15 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-02 17:15 . 2010-03-02 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-03-02 17:15 . 2010-03-02 17:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-03-02 17:15 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-02-28 13:27 . 2010-03-09 22:52 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\jmkolb
    2010-02-24 18:14 . 2010-02-24 18:14 -------- d-----w- c:\program files\Garmin
    2010-02-24 18:14 . 2010-02-24 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\GARMIN
    2010-02-24 17:10 . 2010-02-24 17:50 -------- d-----w- c:\documents and settings\John\Application Data\Download Manager
    2010-02-24 15:15 . 2010-02-24 18:13 -------- d-----w- c:\documents and settings\John\Application Data\GARMIN

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-13 19:37 . 2005-10-27 18:49 -------- d-----w- c:\program files\Yahoo!
    2010-03-13 19:32 . 2009-11-13 12:52 -------- d-----w- c:\program files\Microsoft
    2010-03-13 19:29 . 2007-09-16 22:07 -------- d-----w- c:\program files\LEGO Company
    2010-03-03 00:38 . 2009-03-12 16:01 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-03-02 20:33 . 2005-10-19 16:58 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2010-03-02 20:33 . 2005-10-19 16:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2010-03-02 17:50 . 2008-10-30 13:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2010-02-27 12:02 . 2009-03-12 21:08 -------- d-----w- c:\documents and settings\John\Application Data\PlayFirst
    2010-02-22 19:35 . 2006-10-08 19:52 -------- d-----w- c:\documents and settings\John\Application Data\U3
    2010-02-06 13:52 . 2010-02-06 13:52 50354 ----a-w- c:\documents and settings\John\Application Data\Facebook\uninstall.exe
    2010-02-06 13:52 . 2010-02-06 13:52 -------- d-----w- c:\documents and settings\John\Application Data\Facebook
    2010-02-05 21:36 . 2010-02-05 21:36 -------- d-----w- c:\program files\Nick Jr. Arcade
    2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\John\Application Data\Facebook\axfbootloader.dll
    2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\John\Application Data\Facebook\npfbplugin_1_0_1.dll
    2009-12-31 16:50 . 2001-08-18 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-26 16:12 . 2009-12-26 16:12 28696928 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\UPCInstaller.exe
    2009-12-26 16:12 . 2009-12-26 16:12 6106960 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\TagPlugin.exe
    2005-12-05 23:28 . 2005-12-05 23:28 3673932 ------w- c:\program files\Dec2005_MDX1_x86_Archive.cab
    2005-12-05 23:28 . 2005-12-05 23:28 1358864 ------w- c:\program files\Dec2005_d3dx9_28_x64.cab
    2005-12-05 23:28 . 2005-12-05 23:28 86925 ------w- c:\program files\Oct2005_xinput_x64.cab
    2005-12-05 23:28 . 2005-12-05 23:28 46247 ------w- c:\program files\Oct2005_xinput_x86.cab
    2005-12-05 23:28 . 2005-12-05 23:28 41888 ------w- c:\program files\dxdllreg_x86.cab
    2005-12-05 23:28 . 2005-12-05 23:28 916806 ------w- c:\program files\Dec2005_MDX1_x86.cab
    2005-12-05 23:27 . 2005-12-05 23:27 1080344 ------w- c:\program files\Dec2005_d3dx9_28_x86.cab
    .

    ((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2001-09-04 19:31 . 2001-09-04 19:31 655360 c:\program files\Adaptec\Easy CD Creator 5\DirectCD\bak\DirectCD.exe

    2001-08-17 04:41 . 2001-08-17 04:41 28738 c:\program files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe

    2006-01-01 14:40 . 2006-01-01 14:40 180269 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

    2007-07-17 00:43 . 2007-07-17 00:43 68856 c:\program files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe

    2005-02-17 03:11 . 2005-02-17 03:11 49152 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe

    2005-01-12 18:54 . 2005-01-12 18:54 241664 c:\program files\HP\hpcoretech\bak\hpcmpmgr.exe

    2007-03-14 23:05 . 2007-03-14 23:05 257088 c:\program files\iTunes\bak\iTunesHelper.exe

    2007-10-16 00:31 . 2007-09-25 05:11 132496 c:\program files\Java\jre1.6.0_03\bin\bak\jusched.exe

    2007-10-20 12:55 . 2006-04-03 00:07 389120 c:\program files\Linksys EasyLink Advisor\bak\LinksysAgent.exe

    2001-10-06 00:34 . 2001-10-06 00:34 24576 c:\program files\Microsoft Works\bak\wkfud.exe

    2001-08-23 21:52 . 2001-08-23 21:52 331830 c:\program files\Microsoft Works\bak\WksSb.exe

    2007-02-16 14:54 . 2007-02-16 14:54 282624 c:\program files\QuickTime\bak\qttask.exe

    2005-10-19 22:24 . 2004-01-05 07:27 176128 c:\windows\system32\spool\drivers\w32x86\3\bak\hpztsb09.exe

    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C} "= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829} "= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "EasyLinkAdvisor "= "c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [N/A]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Shockwave Updater "= "c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150600.exe" [2009-06-05 468408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QBCD Autorun "= "D:\autorun.exe" [N/A]
    "ArcSoft Connection Service "= "c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    HP Digital Imaging Monitor.lnk.disabled [2005-10-19 1808]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]
    Philips GoGear VIBE Device Manager.lnk.disabled [2009-9-10 835]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5} "= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-03-13 13:35 12464 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
    2007-08-31 19:01 1037736 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    c:\program files\iTunes\iTunesHelper.exe [N/A]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    c:\program files\Common Files\Real\Update_OB\realsched.exe [N/A]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "DW6 "= "c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe "
    "MsnMsgr "= "c:\program files\MSN Messenger\MsnMsgr.Exe" /background
    "swg "=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Monitor "= "c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\WINDOWS\\system32\\mshta.exe "=
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe "=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe "=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/9/2010 12:28 AM 216200]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/9/2010 12:28 AM 242696]
    R2 ACEDRV09;ACEDRV09;c:\windows\system32\drivers\ACEDRV09.sys [8/15/2007 10:41 AM 110304]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/13/2010 9:34 AM 308064]
    R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [3/2/2010 4:57 PM 583640]
    S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [12/26/2009 12:14 PM 18560]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [11/30/2008 5:25 PM 18688]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [11/30/2008 5:25 PM 8320]
    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [11/30/2008 5:25 PM 23680]
    .
    Contents of the 'Scheduled Tasks' folder

    2008-09-20 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
    - c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-08-31 19:01]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://www.yahoo.com
    mWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
    Trusted Zone: turbotax.com
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-22 18:29
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2236)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-03-22 18:35:28
    ComboFix-quarantined-files.txt 2010-03-22 22:35
    ComboFix2.txt 2010-03-22 02:57
    ComboFix3.txt 2010-03-21 23:06
    ComboFix4.txt 2010-03-21 20:40
    ComboFix5.txt 2010-03-22 22:18

    Pre-Run: 41,901,461,504 bytes free
    Post-Run: 41,889,124,352 bytes free

    Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
    - - End Of File - - 68F77716F7FF3350ACBFE3460830FDAB
     
  21. 2010/03/22
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Looking good :)

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start> "Start search"]
    Type in:
    Combofix /Uninstall
Note the space between "Combofix" and "/Uninstall".
    Click OK (Vista users - press Enter).
    Restart computer.

    ===============================================================

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

    Post fresh HijackThis log as well.
     
