#1
New Member
Join Date: Jan 2009
Posts: 20
Hey again guys.
So this time, the computer gods have bestowed yet another plague upon my computer, but this time it's even more annoying than the last. This time there is a red circle with a white X in the menu at the bottom right, and every 2 seconds it gives me a pop-up that says: "Your computer is infected! Windows has detected spyware infection!" etc. etc. and asks me to buy their antivirus software. To get rid of this, I have tried to run antivirus stuff, but Windows keeps telling me that "Windows cannot access the specified device, path or file" for almost any EXE that I try to run. The only things I have gotten to work are AVG 8.5 (which finds nothing in a scan), Chrome, Firefox, and IE. If I boot into safe mode, the computer goes to a blue screen. A System Restore point didn't do anything, and Avast, MWB, HJT, McAfee, MS Office, and all games are all blocked with the above-mentioned Windows error. halp. ~LPM
__________________
Gimme an L Gimme a P Gimme an M What's that spell?
#2
Moderator
Join Date: Sep 2005
Location: Near Joliet Illinois
Age: 39
Posts: 3,671
Please download and run ComboFix from here: http://www.bleepingcomputer.com/comb...o-use-combofix
Please follow the directions carefully, and then post the log that it displays at the end back here along with a HijackThis log.
__________________
Motherboard - Gigabyte GA-EP45-UD3R CPU - E8400 Memory - 2GB Corsair XMS2 (2x 1gb) Graphics - ATI HD3870 Hard Drives - 250GB Seagate DVD Drive - Lite-On DVD Burner - Lite-On Power Supply - Rosewill RP600V2-S-SL 600W 22" Acer widescreen AL2216WBD
#3
New Member
Join Date: Jan 2009
Posts: 20
Part 1
Code:
ComboFix 09-10-10.02 - Mark 10/10/2009 18:51.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2419 [GMT -7:00]
Running from: e:\downloads\ComboFix.exe
AV: avast! antivirus 4.8.1356 [VPS 091010-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Mark\Application Data\iniasd.txt
c:\documents and settings\Mark\Application Data\lizkavd.exe
c:\documents and settings\Mark\Application Data\seres.exe
c:\documents and settings\Mark\Application Data\svcst.exe
c:\program files\INSTALL.LOG
C:\test.txt
c:\windows\Install.txt
c:\windows\Installer\a8ff33e.msi
c:\windows\Installer\a8ff33f.msp
c:\windows\Installer\a8ff340.msp
c:\windows\Installer\a8ff341.msp
c:\windows\Installer\a8ff342.msp
c:\windows\Installer\a8ff343.msp
c:\windows\Installer\a8ff344.msp
c:\windows\Installer\a8ff345.msp
c:\windows\Installer\a8ff346.msp
c:\windows\Installer\a8ff347.msp
c:\windows\Installer\a8ff348.msp
c:\windows\Installer\f0fadad.msi
c:\windows\Installer\f0fadb3.msi
c:\windows\Installer\f0fadba.msi
c:\windows\Installer\f0fadd3.msi
c:\windows\Installer\f0fadda.msi
c:\windows\Installer\f0fade0.msi
c:\windows\Installer\f0fade6.msi
c:\windows\Installer\f0fade7.msi
c:\windows\kb913800.exe
c:\windows\run.log
c:\windows\system32\6to4v32.dll
c:\windows\system32\abaHknmp.ini
c:\windows\system32\abaHknmp.ini2
c:\windows\system32\certstore.dat
c:\windows\system32\FInstall.sys
c:\windows\system32\Iasv32.dll
c:\windows\system32\Install.txt
c:\windows\system32\isasdk.sys
c:\windows\system32temp#01.exe
c:\windows\Tasks\atldudbs.job
c:\windows\win32k.sys
E:\install.exe
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
-------\Legacy_ISASDK
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_6to4
-------\Service_isasdk
((((((((((((((((((((((((( Files Created from 2009-09-11 to 2009-10-11 )))))))))))))))))))))))))))))))
.
2009-10-11 01:57 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-10 20:35 . 2009-09-15 10:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-10-10 20:35 . 2009-09-15 10:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-10-10 20:35 . 2009-09-15 10:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-10-10 20:35 . 2009-09-15 10:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-10-10 20:35 . 2009-09-15 10:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-10-10 20:35 . 2009-09-15 10:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-10-10 20:35 . 2009-09-15 10:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-10-10 20:35 . 2009-09-15 10:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-10-10 20:34 . 2009-09-15 10:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-10-10 20:34 . 2009-10-10 20:34 -------- d-----w- c:\program files\Alwil Software
2009-10-10 20:16 . 2009-10-11 00:13 -------- d-----w- c:\program files\Common Files\PC Tools
2009-10-10 20:16 . 2009-10-11 00:13 -------- d-----w- c:\program files\Spyware Doctor
2009-10-10 19:57 . 2009-10-10 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-10 19:56 . 2009-10-11 01:55 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-10 19:56 . 2009-10-10 19:56 -------- d-----w- c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com
2009-10-10 19:50 . 2009-10-11 01:40 93136 --sh--w- c:\windows\system32\TerNb.exe
2009-10-10 18:36 . 2009-10-10 18:36 89552 --sh--w- c:\windows\system32\TerNa.exe
2009-10-10 18:34 . 2009-10-10 18:34 -------- d-----w- C:\movies
2009-10-09 00:39 . 2009-10-09 00:39 -------- d-----w- c:\documents and settings\Mark\workspace
2009-10-08 01:41 . 2009-10-08 01:55 -------- d-----w- c:\documents and settings\Mark\bluej
2009-10-08 01:23 . 2009-10-08 01:23 -------- d-----w- C:\BlueJ
2009-09-29 03:58 . 2009-09-29 03:58 -------- d-----w- C:\EAGLE_EYE_D1_AC
2009-09-25 04:41 . 2009-09-25 04:41 -------- d-----w- c:\program files\DownloadToolz
2009-09-23 21:35 . 2009-09-23 21:35 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BE672698-4DAC-4C83-9056-C07C3170F628}
2009-09-23 01:21 . 2009-09-23 03:07 -------- d-----w- c:\program files\llsumo
2009-09-20 06:30 . 2009-09-20 06:30 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS
2009-09-12 16:15 . 2009-09-12 16:15 -------- d-----w- c:\program files\Nobilis
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-11 01:43 . 2008-05-06 00:04 -------- d-----w- c:\documents and settings\Mark\Application Data\uTorrent
2009-10-11 01:37 . 2007-12-23 05:03 -------- d-----w- c:\documents and settings\Mark\Application Data\Skype
2009-10-11 00:56 . 2007-12-23 05:04 -------- d-----w- c:\documents and settings\Mark\Application Data\skypePM
2009-10-11 00:14 . 2008-08-25 02:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-10 19:56 . 2007-12-23 22:59 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-10 18:38 . 2007-12-25 01:23 -------- d-----w- c:\program files\LogMeIn
2009-10-08 01:33 . 2008-09-21 04:46 -------- d-----w- c:\program files\Sun
2009-10-08 01:33 . 2008-09-21 04:46 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-08 01:30 . 2006-07-01 02:04 -------- d-----w- c:\program files\Java
2009-10-02 03:12 . 2007-12-25 01:24 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2009-10-02 03:12 . 2007-12-25 01:24 28984 ----a-w- c:\windows\system32\LMIport.dll
2009-10-02 03:12 . 2007-12-25 01:23 87352 ----a-w- c:\windows\system32\LMIinit.dll
2009-09-25 22:53 . 2008-03-27 05:41 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-23 05:24 . 2009-05-14 06:03 47 ----a-w- c:\windows\popcinfot.dat
2009-09-22 05:59 . 2006-07-01 02:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-22 05:47 . 2008-02-23 02:07 45 -c--a-w- c:\windows\popcinfo.dat
2009-09-19 03:27 . 2008-02-23 01:37 -------- d-----w- c:\program files\PopCap Games
2009-09-08 04:09 . 2008-01-08 06:21 139072 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-09-08 04:06 . 2008-01-08 06:20 189672 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-09-08 02:37 . 2007-11-16 02:46 11552 ----a-w- c:\windows\system32\lmimirr2.dll
2009-09-08 02:37 . 2007-11-16 02:46 25248 ----a-w- c:\windows\system32\lmimirr.dll
2009-09-04 06:59 . 2008-03-21 18:20 -------- d-----w- c:\documents and settings\Mark\Application Data\McAfee
2009-09-04 06:59 . 2006-07-01 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-31 01:51 . 2007-12-23 06:15 -------- d-----w- c:\program files\Logitech
2009-08-26 22:12 . 2008-03-09 03:36 98528 -c--a-w- c:\windows\War3Unin.dat
2009-08-25 22:03 . 2007-12-23 21:21 48576 -c--a-w- c:\documents and settings\Mark\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-25 06:25 . 2008-01-17 02:21 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-08-25 06:25 . 2008-01-17 02:21 -------- d-----w- c:\program files\Microsoft Works
2009-08-23 22:15 . 2009-08-23 22:15 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{761863BE-97F1-4682-A796-73F6F162ED8A}
2009-08-23 17:56 . 2009-08-23 08:14 -------- d-----w- c:\documents and settings\Mark\Application Data\Winamp
2009-08-20 16:54 . 2009-05-21 21:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-20 16:54 . 2009-05-21 21:23 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-20 16:54 . 2008-03-21 22:08 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-20 01:27 . 2009-08-20 01:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2009-08-14 02:11 . 2009-08-13 22:48 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2009-08-14 00:50 . 2009-08-14 00:50 -------- d-----w- c:\program files\Trend Micro
2009-08-13 23:58 . 2009-07-05 00:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-07 02:24 . 2005-08-16 09:40 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 02:24 . 2005-08-16 09:40 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 02:24 . 2007-07-31 03:19 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 02:24 . 2005-08-16 09:40 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 02:24 . 2005-08-16 09:40 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 02:24 . 2005-08-16 09:18 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 02:23 . 2005-08-16 09:40 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 02:23 . 2009-08-14 02:32 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 02:23 . 2009-08-14 02:32 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 02:23 . 2005-08-16 09:40 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2005-08-16 09:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 20:36 . 2009-07-05 00:42 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 20:36 . 2009-07-05 00:42 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-27 19:32 . 2007-12-24 21:30 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-07-19 03:01 . 2008-01-08 06:20 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-07-19 02:12 . 2008-01-08 06:21 139152 -c--a-w- c:\documents and settings\Mark\Application Data\PnkBstrK.sys
2009-07-19 02:11 . 2008-05-11 06:18 794408 ----a-w- c:\windows\system32\pbsvc.exe
2009-07-17 19:01 . 2005-08-16 09:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2005-08-16 09:19 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2003-12-18 19:33 . 2008-02-15 07:36 20102 -c--a-w- c:\program files\Readme.txt
2003-09-03 15:46 . 2008-02-15 07:36 10960 -c--a-w- c:\program files\EULA.txt
2008-07-18 07:17 . 2007-12-23 04:05 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-07-18 07:17 . 2007-12-23 04:05 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-07-18 07:17 . 2007-12-23 04:05 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-07-18 07:17 . 2007-12-23 04:05 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-07-18 07:17 . 2007-12-23 04:05 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-14 68856]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-12-12 21686568]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DAEMON Tools Lite"="e:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-01-29 270128]
"Steam"="e:\program files\steam\steam.exe" [2009-06-13 1217784]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"CurseClient"="e:\program files\Curse\CurseClient.exe" [2009-08-01 1935360]
"Leaf"="e:\program files\Leaf Networks\Leaf\bin\Leaf.exe" [2009-06-19 554368]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-15 1998576]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-13 1117184]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 98304]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2007-11-20 731136]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"wcmdmgr"="c:\windows\wt\updater\wcmdmgrl.exe" [2002-09-27 20480]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"RivaTuner"="e:\program files\RivaTuner v2.22\RivaTuner.exe" [2008-12-29 2732032]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-26 177472]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-06 2023704]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-08 149280]
"TerNa"="c:\windows\system32\TerNa.exe" [2009-10-10 89552]
"TerNb"="c:\windows\system32\ternb.exe" [2009-10-11 93136]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-22 339968]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2008-9-3 114688]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 16:54 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-02 03:12 87352 ----a-w- c:\windows\system32\LMIinit.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"e:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"e:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"e:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"e:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"e:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander - Forged Alliance\\bin\\ForgedAlliance.exe"=
"e:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"e:\\Program Files\\Curse\\CurseClient.exe"=
"e:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"e:\\Program Files\\Steam\\steamapps\\common\\tom clany's hawx\\HAWX.exe"=
"e:\\Program Files\\Steam\\steamapps\\common\\tom clany's hawx\\HAWX_dx10.exe"=
"e:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=
"e:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"e:\\Program Files\\Leaf Networks\\Leaf\\bin\\Leaf.exe"=
"c:\\Program Files\\Valve\\Garry's Mod\\hl2.exe"=
"c:\\Program Files\\Valve\\Garry's Mod\\srcds.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\Stardock Games\\Demigod Demo\\bin\\Demigod.exe"=
"e:\\Program Files\\EA Games\\Battlefield 2\\BF2.exe"=
"e:\\Program Files\\Stardock Games\\Demigod\\bin\\Demigod.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
#4
New Member
Join Date: Jan 2009
Posts: 20
Part 2
Code:
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [10/10/2009 1:35 PM 114768]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/21/2009 2:23 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/21/2009 2:23 PM 108552]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/10/2009 1:35 PM 20560]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/21/2009 2:23 PM 297752]
R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [8/16/2005 2:18 AM 14336]
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [8/10/2004 3:00 AM 94208]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/3/2007 4:09 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [12/24/2007 6:24 PM 47640]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/27/2008 8:23 PM 24652]
R2 WUSB300NSvc;WUSB300NSvc;c:\program files\Linksys\WUSB300N\WLService.exe [12/22/2007 5:54 PM 53307]
R3 FwHookDrv;FwHookDrv;c:\windows\system32\drivers\FwHookDrv.sys [9/6/2006 1:58 PM 6016]
R3 leafnets;Leaf Networks Adapter;c:\windows\system32\drivers\leafnets.sys [5/2/2007 4:48 PM 55296]
R3 WPRO_40_1123;WinPcap Packet Driver (WPRO_40_1123);c:\windows\system32\drivers\WPRO_40_1123.sys --> c:\windows\system32\drivers\WPRO_40_1123.sys [?]
S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys --> c:\windows\system32\DRIVERS\ntcdrdrv.sys [?]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys --> c:\windows\system32\drivers\PCTCore.sys [?]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe --> c:\program files\Spyware Doctor\pctsAuxs.exe [?]
S3 QCPro;Logitech QuickCam Pro USB(PID_D001);c:\windows\system32\drivers\p35u.sys [12/22/2007 11:16 PM 116448]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - 6TO4
*NewlyCreated* - BTWSRV
*NewlyCreated* - ISASDK
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder
2009-10-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
2009-10-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1159565619-2269191428-3719403665-1005Core.job
- c:\documents and settings\Mark\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-21 22:05]
2009-10-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1159565619-2269191428-3719403665-1005UA.job
- c:\documents and settings\Mark\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-21 22:05]
2009-09-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-23 20:32]
2009-10-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-23 20:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.battlefieldheroes.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: {B0984220-A0C1-4D0F-9F14-92C3529D25B0} = 68.94.156.1,68.94.157.1
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.21.0.cab
FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\tlm69meq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\tlm69meq.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\Mark\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: e:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
- - - - ORPHANS REMOVED - - - -
BHO-{35B8892A-2419-4823-98B4-9FDF6E1954AA} - c:\windows\system32\pmnkHaba.dll
HKCU-Run-WebCamRT.exe - (no file)
AddRemove-wcmdmgr.exe - c:\windows\wt\updater\wcmdmgr.exe
AddRemove-wtdmmp - c:\windows\wt\updater\wcmdmgr.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-10 19:02
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\docume~1\Mark\LOCALS~1\Temp\etilqs_2lqQMUWTXU6xPjz 0 bytes
c:\docume~1\Mark\LOCALS~1\Temp\etilqs_4DkF8V7h5QOEL6Z 0 bytes
c:\docume~1\Mark\LOCALS~1\Temp\etilqs_b6JGgbTnRaJeNMA 0 bytes
c:\docume~1\Mark\LOCALS~1\Temp\etilqs_VvN8gFTTM4GQYbg 0 bytes
c:\docume~1\Mark\LOCALS~1\Temp\etilqs_wuGevKyVh0BlUja 0 bytes
c:\windows\system32\WPRO_40_1123woem.tmp 100880 bytes executable
c:\windows\system32\FInstall.sys 8 bytes
scan completed successfully
hidden files: 7
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1159565619-2269191428-3719403665-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:91,2c,c9,87,44,3c,30,44,9e,4e,9a,2b,89,1c,44,52,d1,0a,74,7b,41,24,3b,
ff,98,ae,00,f4,93,71,59,c0,83,68,98,8b,ec,78,a8,6b,3d,e1,b2,87,a4,17,66,df,\
"??"=hex:09,1b,14,d2,0b,b4,a6,3c,a9,7f,96,ba,87,22,40,47
[HKEY_USERS\S-1-5-21-1159565619-2269191428-3719403665-1005\Software\SecuROM\License information*]
"datasecu"=hex:90,22,f9,ce,6f,dc,c3,d1,32,32,54,96,5e,57,62,a7,8b,34,aa,9f,93,
db,72,30,1a,8a,e8,34,72,b7,25,a2,a9,7a,3c,c9,fe,17,b0,31,1b,8f,46,01,e6,f3,\
"rkeysecu"=hex:8e,da,ba,c2,e5,3a,ae,eb,94,e9,a7,28,a5,9f,13,7f
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1104)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
- - - - - - - > 'explorer.exe'(3460)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\McAfee\MBK\MBackMonitor.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\McAfee\VirusScan\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Linksys\WUSB300N\WUSB300N.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\system32\wmdtc.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\lsm32.sys
.
**************************************************************************
.
Completion time: 2009-10-11 19:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-11 02:11
Pre-Run: 36,256,550,912 bytes free
Post-Run: 40,103,493,632 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer
Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
457 --- E O F --- 2009-09-25 22:51
HJT and all other previously mentioned programs are still locked out, same access error.
__________________
Gimme an L Gimme a P Gimme an M Whats that spell? |
#5
Moderator
Join Date: Sep 2005
Location: Near Joliet Illinois
Age: 39
Posts: 3,671
Can you run them in safe mode now since running combofix or have you not tried?
I'm still going through your combofix log.
__________________
Motherboard - Gigabyte GA-EP45-UD3R CPU - E8400 Memory - 2GB Corsair XMS2 (2x 1gb) Graphics - ATI HD3870 Hard Drives - 250GB Seagate DVD Drive - Lite-On DVD Burner - Lite-On Power Supply - Rosewill RP600V2-S-SL 600W 22" Acer widescreen AL2216WBD
#6
New Member
Join Date: Jan 2009
Posts: 20
Well, I guess this is technically an improvement...
I can get into safe mode now, but all the programs that were blocked are still blocked in safe mode. Also, I don't know if this is relevant, but I get the "Microsoft Just-In-Time Debugger" window coming up every 30 seconds or so, sometimes several times in quick succession.
__________________
Gimme an L Gimme a P Gimme an M Whats that spell?
#7
Moderator
Join Date: Sep 2005
Location: Near Joliet Illinois
Age: 39
Posts: 3,671
Just-In-Time Debugger is associated with Visual Studio or Visual Basic; do you have those installed?

Also, in your log I noticed you are using 4 different virus scanners. You should only have 1 installed at a time or you will have issues; they don't play well together. Please decide which one you want to use and uninstall all others.

Also, I'm suspecting you are infected with some new malware that doesn't have database definitions against it yet. It is these 2 items; I have found nothing online about them. According to these dates, this infection was just today or yesterday depending on where you live. If you don't know these processes then you may be able to go into safe mode and delete these items.

Code:
2009-10-10 19:50 . 2009-10-11 01:40 93136 --sh--w- c:\windows\system32\TerNb.exe
2009-10-10 18:36 . 2009-10-10 18:36 89552 --sh--w- c:\windows\system32\TerNa.exe
__________________
Motherboard - Gigabyte GA-EP45-UD3R CPU - E8400 Memory - 2GB Corsair XMS2 (2x 1gb) Graphics - ATI HD3870 Hard Drives - 250GB Seagate DVD Drive - Lite-On DVD Burner - Lite-On Power Supply - Rosewill RP600V2-S-SL 600W 22" Acer widescreen AL2216WBD
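The moderator's reasoning in the post above (a fresh creation date, hidden+system attributes, an unknown .exe in system32) can be turned into a small triage filter over ComboFix-style "files created" entries. This is an added example, not code from the thread or from ComboFix; the sample entries are constructed from the two paths quoted in the post plus a made-up benign one, and the reading of the attribute letters 's' and 'h' as system and hidden is an assumption.

```python
import re
from datetime import datetime, timedelta

# One entry of a ComboFix "files created" section as it appears in the post:
# created stamp, ".", modified stamp, size, attribute flags, path.
ENTRY_RE = re.compile(
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# Constructed sample: the two entries quoted in post #7 plus a made-up benign one.
SAMPLE_LOG = """\
2009-10-10 19:50 . 2009-10-11 01:40 93136 --sh--w- c:\\windows\\system32\\TerNb.exe
2009-10-10 18:36 . 2009-10-10 18:36 89552 --sh--w- c:\\windows\\system32\\TerNa.exe
2009-09-25 22:51 . 2009-09-25 22:51 12345 ----a-w- c:\\program files\\example\\helper.exe
"""
# Completion time of the ComboFix run, taken from the log earlier in the thread.
SCAN_TIME = datetime(2009, 10, 11, 19, 11)

def parse_entries(text):
    """Parse entries in the format above; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["created"] = datetime.strptime(e["created"], "%Y-%m-%d %H:%M")
        e["size"] = int(e["size"])
        entries.append(e)
    return entries

def suspicious_entries(entries, scan_time=SCAN_TIME, max_age_days=2):
    """The moderator's heuristic: an .exe created in system32 within the last
    couple of days that carries both the 's' and 'h' flags (assumed here to
    mean system and hidden) deserves a closer look, e.g. a multi-engine scan."""
    hits = []
    for e in entries:
        path = e["path"].lower()
        recent = scan_time - e["created"] <= timedelta(days=max_age_days)
        hidden_system = "s" in e["attrs"] and "h" in e["attrs"]
        if recent and hidden_system and "\\windows\\system32\\" in path \
                and path.endswith(".exe"):
            hits.append(e["path"])
    return hits

def flag_sample():
    return suspicious_entries(parse_entries(SAMPLE_LOG))
```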
#8
New Member
Join Date: Jan 2009
Posts: 20
I googled TerNa.exe and TerNb.exe. Came up with one site that had the names, said it was some program that fiddled with the registry, and that the first time/place it was seen was today in the US. So it looks like you were right, it must be something really new.
Also, I don't think I have Visual Studio or Visual Basic. The Add or Remove Programs list agrees with me.

Edit (to avoid double posting): Tried to go into safe mode to delete the files and I got a blue screen. Is it maybe safe to delete those files from normal mode?
__________________
Gimme an L Gimme a P Gimme an M Whats that spell?
Last edited by LPM; 10-11-2009 at 05:52 AM.
#9
Moderator
Join Date: Sep 2005
Location: Near Joliet Illinois
Age: 39
Posts: 3,671
If it's an active process then it won't be able to be deleted. You can try doing it in regular mode.
Go to this website and upload both of those files and see what results you get back: http://virusscan.jotti.org/en
__________________
Motherboard - Gigabyte GA-EP45-UD3R CPU - E8400 Memory - 2GB Corsair XMS2 (2x 1gb) Graphics - ATI HD3870 Hard Drives - 250GB Seagate DVD Drive - Lite-On DVD Burner - Lite-On Power Supply - Rosewill RP600V2-S-SL 600W 22" Acer widescreen AL2216WBD
#10
New Member
Join Date: Sep 2009
Posts: 3
Hey dude,
try to scan with NETPROTECTOR ANTIVIRUS. It's really rocking; to know about it pls visit www.indiaantivirus.com. I suggest purchase, it's really effective.