Thread ID: 97556 2009-02-19 22:32:00 Virus Removal Help Blam (54) Press F1
Post ID Timestamp Content User
Disabled System Restore already; 1st thing I did.
Renamed gmer, still won't.

I managed to run ComboFix, and it removed some stuff. Here are the ComboFix and catchme logs:

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

-------------------------------------------------------------------------------

ComboFix 09-02-18.01 - 12189 2009-02-20 20:59:30.1 - NTFSx86 MINIMAL
Microsoft® Windows Vista™ Business 6.0.6000.0.1252.1.1033.18.2039.1689 [GMT 13:00]
Running from: F:\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Windows\Start Menu\Programs\coolplay
c:\programdata\Microsoft\Windows\Start Menu\Programs\coolplay\Uninstall.lnk
c:\windows\system32\nvaux32.dll

.
((((((((((((((((((((((((( Files Created from 2009-01-20 to 2009-02-20 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-20 06:54 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-20 00:33 --------- d-----w c:\program files\MBAM
2009-02-19 23:00 --------- d-----w c:\programdata\Lavasoft
2009-02-19 22:59 --------- d-----w c:\program files\Lavasoft
2009-02-19 22:31 --------- d-----w c:\programdata\ESET
2009-02-19 22:31 --------- d-----w c:\program files\ESET
2009-02-19 20:35 --------- d-----w c:\programdata\STOPzilla!
2009-02-19 19:41 --------- d-----w c:\program files\PowerMenu
2009-02-19 10:27 --------- d-----w c:\program files\Folder Marker
2009-02-19 09:42 --------- d-----w c:\programdata\SITEguard
2009-02-19 09:26 --------- d-----w c:\program files\Common Files\iS3
2009-02-19 09:09 96,520 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-19 09:09 67,080 ----a-w c:\windows\system32\drivers\avgwfpx.sys
2009-02-19 09:08 --------- d-----w c:\programdata\avg8
2009-02-19 09:08 --------- d-----w c:\program files\AVG
2009-02-19 07:18 --------- d-----w c:\program files\Windows Live
2009-02-19 07:18 --------- d-----w c:\program files\Sandboxie
2009-02-19 07:03 --------- d---a-w c:\programdata\TEMP
2009-02-19 07:03 --------- d-----w c:\program files\Trojan Remover
2009-02-19 06:53 --------- d-----w c:\programdata\NBC Direct
2009-02-17 22:53 --------- d-----w c:\programdata\Simply Super Software
2009-02-16 04:42 --------- d-----w c:\program files\KeePass Password Safe
2009-02-15 19:33 --------- d-----w c:\program files\Opera
2009-02-15 06:24 --------- d-----w c:\programdata\Spybot - Search & Destroy
2009-02-15 06:08 --------- d-----w c:\programdata\Microsoft Help
2009-02-14 06:53 --------- d-----w c:\program files\Mozilla Thunderbird
2009-02-14 04:53 --------- d-----w c:\program files\LANcet Chat
2009-02-12 05:12 --------- d-----w c:\program files\HandBrake
2009-02-10 06:26 --------- d-----w c:\program files\Insofta Cover Commander
2009-02-09 05:18 --------- d--h--w c:\program files\PMM
2009-02-07 06:26 --------- d-----w c:\programdata\Stardock
2009-02-07 06:25 --------- d-----w c:\program files\Stardock
2009-02-07 06:10 --------- d-----w c:\program files\7-Zip
2009-02-07 05:05 --------- d-----w c:\program files\Executor
2009-02-07 01:02 --------- d-----w c:\programdata\GRETECH
2009-02-07 01:01 --------- d-----w c:\program files\GRETECH
2009-02-06 09:20 --------- d-----w c:\program files\Raxco
2009-02-06 07:25 --------- d-----w c:\program files\FileASSASSIN
2009-02-06 06:45 --------- d-----w c:\program files\VideoLAN
2009-02-05 04:40 32,256 ----a-w c:\windows\hh.exe
2009-02-04 04:15 --------- d-----w c:\program files\Install Creator
2009-02-03 07:28 --------- d-----w c:\program files\Replay AV 8
2009-02-03 06:35 --------- d-----w c:\program files\CCleaner
2009-02-03 05:29 --------- d-----w c:\program files\Windows Mail
2009-02-03 05:29 --------- d-----w c:\program files\Windows Journal
2009-02-03 05:29 --------- d-----w c:\program files\Protector Suite QL
2009-02-03 05:29 --------- d-----w c:\program files\Opus Pro 6
2009-02-03 05:29 --------- d-----w c:\program files\ltmoh
2009-02-03 05:29 --------- d-----w c:\program files\Java
2009-02-03 05:29 --------- d-----w c:\program files\IrfanView
2009-02-03 05:29 --------- d-----w c:\program files\GetASFStream
2009-02-03 05:29 --------- d-----w c:\program files\DataStudio
2009-02-03 05:29 --------- d-----w c:\program files\Common Files\Java
2009-02-03 05:29 --------- d-----w c:\program files\Autograph 3.20
2009-02-03 05:29 --------- d-----w c:\program files\Apoint2K
2009-02-03 02:09 --------- d-----w c:\programdata\Malwarebytes
2009-02-02 10:09 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-02 10:08 --------- d-----w c:\program files\YouSendIt
2009-02-02 10:07 --------- d-----w c:\program files\WinPcap
2009-02-02 10:06 --------- d-----w c:\program files\Replay Converter 3
2009-02-02 10:05 757,760 ----a-w c:\windows\iun6002.exe
2009-02-02 07:59 40,448 ----a-w C:\asyoclq.exe
2009-02-02 07:45 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-02-02 07:44 --------- d-----w c:\program files\Common Files\Adobe
2009-02-02 07:42 --------- d-----w c:\program files\COMODO
2009-02-02 06:47 --------- d-----w c:\program files\Microsoft Games
2009-02-02 06:04 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-02 06:04 --------- d-----w c:\program files\Microsoft
2009-02-02 06:03 --------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2009-02-02 05:52 --------- d-----w c:\program files\Windows Live SkyDrive
2009-02-02 05:44 --------- d-----w c:\program files\Common Files\Windows Live
2009-02-01 09:09 --------- d-----w c:\program files\Alwil Software
2009-02-01 08:58 --------- d-----w c:\program files\NCH Swift Sound
2009-01-30 07:23 --------- d-----w c:\program files\Windows Sidebar
2009-01-30 06:37 110,080 ----a-w c:\windows\system32\drivers\mrxdav.sys
2009-01-30 06:32 803,328 ----a-w c:\windows\system32\drivers\tcpip.sys
2009-01-30 06:32 216,632 ----a-w c:\windows\system32\drivers\netio.sys
2009-01-30 06:30 54,784 ----a-w c:\windows\system32\drivers\i8042prt.sys
2009-01-30 06:30 495,160 ----a-w c:\windows\system32\drivers\Wdf01000.sys
2009-01-30 06:30 35,384 ----a-w c:\windows\system32\drivers\WdfLdr.sys
2009-01-30 06:30 35,384 ----a-w c:\windows\system32\drivers\kbdclass.sys
2009-01-30 06:30 34,360 ----a-w c:\windows\system32\drivers\mouclass.sys
2009-01-30 06:30 19,968 ----a-w c:\windows\system32\drivers\sermouse.sys
2009-01-30 06:30 15,872 ----a-w c:\windows\system32\drivers\mouhid.sys
2009-01-30 06:30 15,872 ----a-w c:\windows\system32\drivers\kbdhid.sys
2009-01-30 06:28 290,304 ----a-w c:\windows\system32\drivers\srv.sys
2009-01-30 06:27 113,664 ----a-w c:\windows\system32\drivers\rmcast.sys
2009-01-30 06:25 84,992 ----a-w c:\windows\system32\drivers\srvnet.sys
2009-01-30 06:25 58,368 ----a-w c:\windows\system32\drivers\mrxsmb20.sys
2009-01-30 06:25 130,048 ----a-w c:\windows\system32\drivers\srv2.sys
2009-01-30 06:25 101,888 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2009-01-30 06:21 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2009-01-29 20:43 0 --sha-r c:\windows\system32\drivers\1179_TOSHIBA_PORTEGE M500_SYSTEM_PPM51A-02900L.MRK
2008-12-04 09:55 307,560 ----a-w c:\windows\WLXPGSS.SCR
2008-04-15 02:49 174 --sha-w c:\program files\desktop.ini
2007-11-21 07:10 952 --sha-w c:\windows\System32\KGyGaAvL.sys
.

------- Sigcheck -------

2007-11-22 10:39 2940928 31b652c4437a533ea15bb8b056126940 c:\windows\explorer.exe
2006-11-02 22:45 2940928 22060fc0968f5b5087935aee4e874864 c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe
2007-11-22 10:39 2940928 31b652c4437a533ea15bb8b056126940 c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16549_none_4fac29707cae347a\explorer.exe
2007-11-22 10:39 2940928 423a900489e2af66e6a12952bbaaf72e c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20668_none_501f261995dcf2cf\explorer.exe

2006-11-02 22:45 26112 f131d8ba54efcb2a0079205726c38753 c:\windows\System32\ctfmon.exe
2006-11-02 22:45 26112 f131d8ba54efcb2a0079205726c38753 c:\windows\winsxs\x86_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_6.0.6000.16386_none_9af9cad793a67953\ctfmon.exe

2006-11-02 22:45 142336 61a46d6c23b712d3a02519a64c09aac1 c:\windows\System32\spoolsv.exe
2006-11-02 22:45 142336 61a46d6c23b712d3a02519a64c09aac1 c:\windows\winsxs\x86_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.0.6000.16386_none_d414e125c49db442\spoolsv.exe

2006-11-02 22:45 41984 994b96ad5c8768aa3be450efdd4047e3 c:\windows\System32\userinit.exe
2006-11-02 22:45 41984 994b96ad5c8768aa3be450efdd4047e3 c:\windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6000.16386_none_d9f1f819d4c4e737\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2006-12-04 14:03 2854912 --a------ c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2006-12-04 14:03 2854912 --a------ c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Executor"="c:\program files\Executor\executor.exe" [2008-05-19 1070080]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-02 3882312]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-03 219136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2006-09-11 200704]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-19 1177368]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Wrapper"="runonce" [X]
"GrpConv"="grpconv -o" [X]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Windows Live Messenger .lnk - c:\program files\Windows Live\Messenger\msnmsgr.exe [2009-02-06 3882312]

c:\users\12189\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\
Aero_Shake_1.3.exe [2008-11-13 206065]
Rainmeter.lnk - d:\program files\Rainmeter\Rainmeter.exe [2006-01-22 139264]
rules.ini [2009-02-16 47]

c:\users\12189\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\resources
belvedere.ico [2008-02-01 370070]
belvederename.png [2008-02-01 158723]
both.png [2008-02-01 45885]

c:\users\12189\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\resources(78)
belvederename.png [2008-02-01 158723]
both.png [2008-02-01 45885]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-12-04 13:50 90112 c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-643970264-1529554251-782984527-11869\Scripts\Logon\0\0]
"Script"=\\sweden\netlogon\settime.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-643970264-1529554251-782984527-11869\Scripts\Logon\0\1]
"Script"=\\sweden\NETLOGON\IEPrint2.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-643970264-1529554251-782984527-11869\Scripts\Logon\1\0]
"Script"=08student.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-643970264-1529554251-782984527-11869\Scripts\Logon\1\1]
"Script"=pushprinterconnections.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00TCrdMain]
--a------ 2007-08-03 23:32 714080 c:\program files\TOSHIBA\FlashCards\TCrdMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HSON]
--a------ 2006-12-07 16:49 55416 c:\program files\TOSHIBA\TBS\HSON.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
--a------ 2006-12-04 13:29 49168 c:\program files\Protector Suite QL\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a------ 2007-06-15 21:01 448080 c:\program files\TOSHIBA\SmoothView\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2007-11-17 14:36 1006264 c:\program files\Windows Defender\MSASCui.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{DA806815-2928-4C36-BEDB-185A3F2779BE}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{964B2A7A-27A3-4779-BC64-6E411BA91393}"= UDP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{1252A1A8-CE52-48C4-A7D0-4359BAD1791F}"= TCP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{06186416-4128-4A4F-9B13-C348D1DF15AA}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
"TCP Query User{F38FBD7C-DFBA-43A6-9F5D-06C70A72FE03}d:\\downloads\\hijackthis.exe"= UDP:d:\downloads\hijackthis.exe:HijackThis
"UDP Query User{FDAA9839-379F-4604-AB70-27F366DD5CEE}d:\\downloads\\hijackthis.exe"= TCP:d:\downloads\hijackthis.exe:HijackThis
"TCP Query User{E1D1C8CE-1FC2-40C8-8EB6-A50EDC029943}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{4C2CB304-4C26-445A-A6FB-77AF31AAFF4B}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{B76E8212-85DA-4CA1-9AA7-24666D758A7D}c:\\windows\\system32\\wercon.exe"= UDP:c:\windows\system32\wercon.exe:Problem Reports and Solutions
"UDP Query User{6045692D-344D-416C-9885-50E0E10B85EA}c:\\windows\\system32\\wercon.exe"= TCP:c:\windows\system32\wercon.exe:Problem Reports and Solutions
"TCP Query User{AF9DF791-E0C1-4101-A398-528EEB012B43}c:\\program files\\microsoft office\\office12\\winword.exe"= UDP:c:\program files\microsoft office\office12\winword.exe:Microsoft Office Word
"UDP Query User{64C63C64-D3BA-4FC7-BFB6-6C585F77270E}c:\\program files\\microsoft office\\office12\\winword.exe"= TCP:c:\program files\microsoft office\office12\winword.exe:Microsoft Office Word
"TCP Query User{ACA167D6-2E61-43B1-AEDE-6825C016BACC}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{D02EE336-D962-48DA-BBEE-491033D1DCE6}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{A9CF5304-625B-4590-8D7B-2789E5B9E679}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{29F1651F-E076-47A8-9B2F-4848B7D51CE2}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"TCP Query User{C170B9D3-BCDE-4DF8-88C1-951419E55099}c:\\program files\\lancet chat\\lchat.exe"= UDP:c:\program files\lancet chat\lchat.exe:?hat for local networks
"UDP Query User{3D68C2C5-FEC5-42DC-B97F-FC1D23359D51}c:\\program files\\lancet chat\\lchat.exe"= TCP:c:\program files\lancet chat\lchat.exe:?hat for local networks
"TCP Query User{43A81BDF-76BA-47D3-BB8E-DAA29F1A5D46}c:\\program files\\lancet chat\\lancetchat.exe"= UDP:c:\program files\lancet chat\lancetchat.exe:?hat for local networks
"UDP Query User{A7D2BCE4-6533-4C33-B6F0-BC542D28EBE5}c:\\program files\\lancet chat\\lancetchat.exe"= TCP:c:\program files\lancet chat\lancetchat.exe:?hat for local networks
"{2BC73476-A4E8-4E58-8ADC-26202819FDFD}"= UDP:F:\uTorrent.exe:µTorrent (TCP-In)
"{20A43B7F-A336-4AB0-A5AE-A396339C8C39}"= TCP:F:\uTorrent.exe:µTorrent (UDP-In)
"{44A14EB1-8796-4534-990D-BB9CBFB82619}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{A08BEF6C-2474-450F-BF8F-4359A7E235B8}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Windows\\system32\\wininit.exe"= c:\windows\system32\wininit.exe:*:enabled:@shell32.dll,-1

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\System32\drivers\thpdrv.sys [2006-10-31 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\System32\drivers\Thpevm.sys [2006-10-20 6528]
R0 WsFsF;WsFsF;c:\windows\System32\drivers\wsfsfwlh.sys [2007-05-08 31744]
R2 KbdFIOControl;KbdFIOControl;c:\windows\System32\drivers\KbdF.sys [2007-11-18 7168]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [2009-02-19 96520]
S1 epfwtdir;epfwtdir;c:\windows\System32\drivers\epfwtdir.sys [2008-07-01 34312]
S1 wscam6300;wscam6300;c:\windows\System32\drivers\wscam6300.sys [2007-05-08 33024]
S1 wstdi;wstdi;c:\windows\System32\drivers\wstdiwlh.sys [2007-05-08 35328]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-19 902424]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-19 282904]
S2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-07-01 468224]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2007-11-18 600912]
S2 WebsenseDesktopClient;Websense Desktop Client;c:\program files\PMM\WDC.exe --> c:\program files\PMM\WDC.exe [?]
S3 AvgWfpX;AVG8 Firewall Driver x86;c:\windows\System32\drivers\avgwfpx.sys [2009-02-19 67080]
S3 netr73;TL-WN321G Wireless USB Adapter Driver for Vista;c:\windows\System32\drivers\netr73.sys [2009-02-13 329728]
S3 NJXUVCN;NJXUVCN;c:\users\12189\AppData\Local\Temp\NJXUVCN.exe --> c:\users\12189\AppData\Local\Temp\NJXUVCN.exe [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\System32\drivers\npf.sys [2007-01-26 42000]
S3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [2009-01-06 103936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
rsmsvcs REG_MULTI_SZ ntmssvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{960ca98b-f417-11dd-9ec4-001c7e33551d}]
\shell\AutoRun\command - F:\2u.com
\shell\explore\Command - F:\2u.com
\shell\open\Command - F:\2u.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{960ca98f-f417-11dd-9ec4-001c7e33551d}]
\shell\AutoRun\command - G:\2u.com
\shell\explore\Command - G:\2u.com
\shell\open\Command - G:\2u.com
.
Contents of the 'Scheduled Tasks' folder

2009-02-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-643970264-1529554251-782984527-11869.job
- c:\users\12189\AppData\Local\Google\Update\GoogleUpdate.exe [2009-02-02 20:10]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
HKLM-RunOnce-<NO NAME> - (no file)
MSConfigStartUp-WsUiMgr - c:\program files\PMM\WsUIMgr.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://pressf1.pcworld.co.nz/forumdisplay.php?f=4
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\12189\AppData\Roaming\Mozilla\Firefox\Profiles\7un6b0k7.default\
FF - prefs.js: browser.startup.homepage - hxxp://pressf1.pcworld.co.nz/forumdisplay.php?f=4
FF - component: c:\users\12189\AppData\Roaming\Mozilla\Firefox\Profiles\7un6b0k7.default\extensions\glasser@sixxgate.com\components\dwmxpcom.dll
FF - component: c:\users\12189\AppData\Roaming\Mozilla\Firefox\Profiles\7un6b0k7.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\12189\AppData\Local\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-20 21:08:10
Windows 6.0.6000 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(436)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll

- - - - - - - > 'Explorer.exe'(820)
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infra.dll
c:\windows\system32\igfxsrvc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\System32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2009-02-20 21:10:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-20 08:10:49

Pre-Run: The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 29,022,646,272 bytes free

312 --- E O F --- 2009-02-02 07:16:12
Blam (54)
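The log in the post above carries three indicator types that a triage pass would pull out before anyone starts deleting files: a service (NJXUVCN) whose image path is a user Temp directory and which ComboFix reports with "[?]" rather than a date and size, MountPoints2 entries under HKCU that run F:\2u.com and G:\2u.com when a removable volume is opened, and EnableLUA set to 0 under the system policies key. The following script is an added example, not code from ComboFix or from anyone in the thread: a small line-oriented parser for those three sections, run over a constructed excerpt modelled on the posted log (whitespace repaired). The Finding class, the regexes, and the Temp-directory markers are this example's own assumptions about ComboFix's output format.

```python
"""Triage a ComboFix log for three indicator types seen in the posted log.

Added example; not ComboFix code. The regexes encode assumptions about
ComboFix's line format: service lines look like
  S3 name;display name;image path [--> resolved path] [date size | ?]
and registry sections start with a [HKEY_...] or [HKLM\...] key line.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines modelled on the ComboFix log in the post above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"DisableCAD"= 1 (0x1)

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\System32\drivers\thpdrv.sys [2006-10-31 16384]
S2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-07-01 468224]
S2 WebsenseDesktopClient;Websense Desktop Client;c:\program files\PMM\WDC.exe --> c:\program files\PMM\WDC.exe [?]
S3 NJXUVCN;NJXUVCN;c:\users\12189\AppData\Local\Temp\NJXUVCN.exe --> c:\users\12189\AppData\Local\Temp\NJXUVCN.exe [?]
S3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [2009-01-06 103936]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{960ca98b-f417-11dd-9ec4-001c7e33551d}]
\shell\AutoRun\command - F:\2u.com
\shell\explore\Command - F:\2u.com
\shell\open\Command - F:\2u.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{960ca98f-f417-11dd-9ec4-001c7e33551d}]
\shell\AutoRun\command - G:\2u.com
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # "service", "autorun" or "policy"
    detail: str  # the line or value that was matched
    reason: str  # why it was flagged


# Directories from which no legitimate service image should be loaded
# (lower-case, compared against the lower-cased image path).
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

SERVICE_RE = re.compile(
    r"^([RS]\d)\s+([^;]+);([^;]*);(?P<path>.+?)"   # state, name, display name, image path
    r"(?:\s+-->\s+(?P<resolved>.+?))?"             # optional "--> resolved path"
    r"\s+\[(?P<meta>[^\]]*)\]$"                    # "[date size]", or "[?]" when unreadable
)
KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$", re.IGNORECASE)
AUTORUN_RE = re.compile(
    r"^\\shell\\(?P<verb>\w+)\\command\s+-\s+(?P<target>.+)$", re.IGNORECASE
)
POLICY_RE = re.compile(r'^"EnableLUA"\s*=\s*(?P<value>\d+)')


def triage(log_text: str) -> list[Finding]:
    """Walk the log once, tracking the current registry key, and collect findings."""
    findings: list[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key").lower()
            continue

        svc = SERVICE_RE.match(line)
        if svc:
            lowered = svc.group("path").lower()
            # ComboFix prints "[?]" instead of a date/size when it cannot read the image.
            if svc.group("meta").strip() == "?":
                findings.append(Finding("service", line, "image file unreadable or missing ([?])"))
            if any(marker in lowered for marker in TEMP_MARKERS):
                findings.append(Finding("service", line, "service image lives under a Temp directory"))
            continue

        if "mountpoints2" in current_key:
            autorun = AUTORUN_RE.match(line)
            if autorun:
                findings.append(Finding(
                    "autorun",
                    f"{autorun.group('verb')} -> {autorun.group('target')}",
                    "per-volume shell command cached in MountPoints2 (autorun.inf residue)",
                ))
            continue

        if current_key.endswith("\\policies\\system"):
            policy = POLICY_RE.match(line)
            if policy and policy.group("value") == "0":
                findings.append(Finding("policy", line, "UAC disabled (EnableLUA=0)"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.kind}] {finding.reason}: {finding.detail}")
```

The script only reads the log; it does not touch the registry. Note that the MountPoints2 values are per-user cache entries keyed by volume GUID: removing them from HKCU clears what Explorer remembers, but the autorun.inf and 2u.com that seeded them live on the removable drives (F: and G: here) and need cleaning there, or the entries come back the next time the drive is plugged in.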
749455 2009-02-20 08:27:00 You can always try using ComboFix (www.bleepingcomputer.com) -- Been using it quite a bit - it's amazing the crap (infections) it will pull out that many of the others turn turtle on.

Biggest thing - let it do its job, even if it looks like it's stalled, or not working; it actually is - stopping it or getting impatient can have negative effects.

And it now does work on Vista.

EDITED:

SNAP - I see you ran it while I was posting :D -- Can't be bothered looking back through the post - have you run Spyware Terminator?? Either Y or N, make sure you go to Settings, Scan Settings, and tick the two unticked boxes.
wainuitech (129)
749456 2009-02-20 08:29:00 Get rid of McAfee and AVG, if NOD is running OK.

I don't know what to do with ComboFix logs (that's if you have to do anything).
Speedy Gonzales (78)
749457 2009-02-20 08:31:00 It IS! AVG and McAfee were already uninstalled... don't know what ComboFix was complaining about... Blam (54)
749458 2009-02-20 08:42:00 Should have guessed it had some sort of P2P program on it :ban

Find this file then delete it

NJXUVCN.exe

And delete it

Or use CCleaner and run it; delete asyoclq.exe as well (in Safe Mode).
Speedy Gonzales (78)
749459 2009-02-20 09:18:00 Deleted, now what? Blam (54)
749460 2009-02-20 09:37:00 Is it any better when you boot into Vista? I guess not.

Find this file, right mouse / Properties; what's it say?

c:\windows\iun6002.exe, a file with this name spies on you.
Speedy Gonzales (78)
749461 2009-02-20 09:40:00 Nope:( Blam (54)
749462 2009-02-20 09:53:00 If you didn't delete this file (or if you did), restore it: iun6002.exe

Then go into its properties
Speedy Gonzales (78)
749463 2009-02-20 09:57:00 Nope. It's deleted. Why would you want it back anyway? Blam (54)