please review my log files

G

gib65

Member
Hello,

I just recent got rid of a virus on my computer (XP AntiVirus 2011). I have some log files that I'd like someone to take a look at just to be sure everything is in working order on my computer (much appreciated).

First, I ran rkill and got this log:


This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 08/31/2011 at 14:54:32.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\Program Files\TELUS\TELUS security services\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe
C:\Documents and Settings\Gibran\Local Settings\Application Data\oqm.exe


Rkill completed on 08/31/2011 at 14:55:09.


Then I ran MBAM (freshly installed and updated):


Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7622

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/31/2011 3:33:28 PM
mbam-log-2011-08-31 (15-33-28).txt

Scan type: Quick scan
Objects scanned: 179339
Time elapsed: 33 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3580706929 (Trojan.FakeAlert) -> Value: 3580706929 -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Gibran\Local Settings\Application Data\oqm.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Gibran\Local Settings\Application Data\oqm.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Gibran\Local Settings\Application Data\oqm.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Gibran\local settings\Temp\0.7291486900603643.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
c:\documents and settings\Gibran\local settings\application data\oqm.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


Third, I ran HijackThis (freshly installed):

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:46:20 PM, on 8/31/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TELUS\TELUS security services\Fws.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TELUS\TELUS security services\rps.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TELUS\TELUS security services\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\System32\bcmntray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\TELUS\TELUS security advisor\Tsa.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Sun\SDK\jdk\bin\javaw.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\TELUS\TELUS security services\RpsSecurityAwareR.exe
C:\Program Files\TELUS\TELUS security advisor\ServicepointService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\TELUS\TELUS security advisor\TsaComHandler.exe
C:\Program Files\HPQ\Shared\hpqwmi.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\bcmntray
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Tsa.exe] "C:\Program Files\TELUS\TELUS security advisor\Tsa.exe" /AUTORUN
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SDK Tray Menu.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1305730721625
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe
O23 - Service: TELUS security services (Radialpoint Security Services) - TELUS - C:\Program Files\TELUS\TELUS security services\RpsSecurityAwareR.exe
O23 - Service: RadialpointIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\TELUS\TELUS security services\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe
O23 - Service: TELUS security services Firewall (RP_FWS) - TELUS - C:\Program Files\TELUS\TELUS security services\Fws.exe
O23 - Service: ServicepointService - Radialpoint Inc. - C:\Program Files\TELUS\TELUS security advisor\ServicepointService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 7960 bytes


And finally, I ran combofix:


ComboFix 11-08-31.04 - Gibran 08/31/2011 15:55:39.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.280 [GMT -6:00]
Running from: c:\documents and settings\Gibran\Desktop\ComboFix.exe
AV: TELUS security services Anti-Virus *Disabled/Updated* {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: TELUS security services Firewall *Disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\aepg.exe
c:\documents and settings\All Users\Application Data\fopq.exe
c:\documents and settings\All Users\Application Data\ixde.exe
c:\documents and settings\All Users\Application Data\wbep.exe
c:\documents and settings\Gibran\Local Settings\Application Data\ddtv.exe
c:\documents and settings\Gibran\Local Settings\Application Data\ebha.exe
c:\documents and settings\Gibran\Local Settings\Application Data\ghen.exe
c:\documents and settings\Gibran\Local Settings\Application Data\pxxx.exe
c:\documents and settings\Gibran\Templates\gcak.exe
c:\documents and settings\Gibran\Templates\moev.exe
c:\documents and settings\Gibran\Templates\shhw.exe
c:\documents and settings\Gibran\Templates\vkod.exe
c:\program files\messenger\msmsgsin.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-31 )))))))))))))))))))))))))))))))
.
.
2011-08-31 21:44 . 2011-08-31 21:44 388096 ----a-r- c:\documents and settings\Gibran\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-08-31 21:44 . 2011-08-31 21:44 -------- d-----w- c:\program files\Trend Micro
2011-08-31 20:57 . 2011-07-07 01:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-31 20:57 . 2011-08-31 20:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-31 20:57 . 2011-07-07 01:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-31 19:54 . 2011-08-31 19:54 -------- d-----w- c:\documents and settings\Administrator
2011-08-31 17:18 . 2011-08-31 17:18 -------- d-----w- c:\windows\Sun
2011-08-29 22:35 . 2011-08-29 22:35 -------- d-----w- C:\Sun
2011-08-29 22:31 . 2011-08-29 22:32 130284263 ----a-w- C:\java_ee_sdk-5_01-windows.exe
2011-08-29 22:19 . 2011-08-29 22:19 -------- d-----w- c:\program files\Common Files\Java
2011-08-29 22:19 . 2011-08-29 22:18 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-08-29 22:19 . 2011-08-29 22:18 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-29 22:18 . 2011-08-29 22:18 -------- d-----w- c:\program files\Java
2011-08-29 22:15 . 2011-08-29 22:15 16561952 ------w- C:\jre-6u23-windows-i586.exe
2011-08-14 15:39 . 2011-08-14 15:39 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-08-14 15:39 . 2011-08-14 15:39 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-08-10 22:49 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 22:48 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-03 04:25 . 2011-08-03 04:25 -------- d-----w- C:\temp2
2011-08-03 04:14 . 2011-08-03 04:14 65536 ----a-r- c:\documents and settings\Gibran\Application Data\Microsoft\Installer\{CA8B0FB9-69D0-4B50-8342-7CF0C96F10E6}\NewShortcut3_CA8B0FB969D04B5083427CF0C96F10E6.exe
2011-08-03 04:14 . 2011-08-03 04:14 65536 ----a-r- c:\documents and settings\Gibran\Application Data\Microsoft\Installer\{CA8B0FB9-69D0-4B50-8342-7CF0C96F10E6}\NewShortcut2_CA8B0FB969D04B5083427CF0C96F10E6.exe
2011-08-03 04:14 . 2011-08-03 04:25 -------- d-----w- C:\kiosk
2011-08-03 04:14 . 2011-08-03 04:14 -------- d-----w- c:\program files\WorksImaging
2011-08-03 04:14 . 2011-08-03 04:14 -------- d-----w- c:\documents and settings\Gibran\Application Data\WorksImaging
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-11 02:58 . 2011-05-19 07:08 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2003-03-31 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2003-03-31 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2011-05-18 02:37 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2003-03-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2003-03-31 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2003-03-31 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2003-03-31 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-08-14 15:39 . 2011-05-30 19:45 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\System32\bcmntray" [X]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 794624]
"Tsa.exe"="c:\program files\TELUS\TELUS security advisor\Tsa.exe" [2010-12-16 4318520]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-11-05 233534]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"VX3000"="c:\windows\vVX3000.exe" [2009-06-26 757248]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
.
c:\documents and settings\Gibran\Start Menu\Programs\Startup\
SDK Tray Menu.lnk - c:\sun\SDK\jdk\bin\javaw.exe [2011-8-29 53346]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-17 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Radialpoint Security Services]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ServicepointService]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TELUS\\TELUS security advisor\\ServicepointService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [5/18/2011 10:15 AM 25608]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 12:25 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [5/4/2011 11:54 AM 116608]
R2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\TELUS\TELUS security services\AVG\Identity Protection\agent\bin\AVGIDSAgent.exe [5/18/2011 10:15 AM 5832712]
R2 ServicepointService;ServicepointService;c:\program files\TELUS\TELUS security advisor\ServicepointService.exe [5/18/2011 10:33 AM 689464]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [5/17/2011 11:27 PM 192896]
R3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\TELUS\TELUS security services\AVG\Identity Protection\agent\drivers\AVGIDSDriver.sys [5/18/2011 10:15 AM 122376]
R3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\TELUS\TELUS security services\AVG\Identity Protection\agent\drivers\AVGIDSfilter.sys [5/18/2011 10:15 AM 30216]
R3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\TELUS\TELUS security services\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys [5/18/2011 10:15 AM 25736]
S2 Radialpoint Security Services;TELUS security services;c:\program files\TELUS\TELUS security services\RpsSecurityAwareR.exe [6/2/2010 7:05 PM 166944]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [8/31/2011 2:57 PM 41272]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 05B11D46
*NewlyCreated* - 294F02E1
*NewlyCreated* - 4151BE2F
*Deregistered* - 05b11d46
*Deregistered* - 294f02e1
*Deregistered* - 4151be2f
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan sysagent
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]
.
2011-08-31 c:\windows\Tasks\User_Feed_Synchronization-{47AF1DB4-F34E-44D0-9B1A-9E304025B0C2}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
2011-08-31 c:\windows\Tasks\Windows Codec Update Service.job
- c:\program files\Essentials Codec Pack\WECPUpdate.exe [2011-02-27 10:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.154.132.68 75.154.132.100
FF - ProfilePath - c:\documents and settings\Gibran\Application Data\Mozilla\Firefox\Profiles\qp5g9faa.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-31 16:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????4?5?6?0??p???? ?,?B?????????????hLC? ??????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1164)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2011-08-31 16:11:09
ComboFix-quarantined-files.txt 2011-08-31 22:11
.
Pre-Run: 59,774,619,648 bytes free
Post-Run: 62,820,503,552 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - E5B069B2C112120641FA447A71D3F576


Does everything look kosher?
 
Last edited by a moderator:
I'm at work right now and won't get home until later but wont have time to thoroughly go through the logs until tomorrow afternoon sometime. I will reply back then. Just dont want to leave you hanging.
 
Ok, unless you are still having issues, it seems you are clean. I would though download and run tdsskiller to make sure.

Please download and run TDSSkiller

When the program opens, click on the start scan button.

TDSSKiller will now scan your computer for the TDSS infection. When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen similar to the one below.

infection-found.jpg


To remove the infection simply click on the Continue button and TDSSKiller will attempt to clean the infection.

When it has finished cleaning the infection you will see a report stating whether or not it was successful as shown below.

scan-completed.jpg


If the log says will be cured after reboot, please reboot the system by pressing the reboot now button.

After running there will be a log that will be located at the root of your c:\ drive labeled tdsskiller with a series of numbers after it. Please open the log and copy and paste it back here.
 
My computer is telling me that access is denied for downloading that file. In fact, my anti-virus is telling me it is a trojan virus:

Virus detected, restart required
Trojan.Generic.6496406
 
Downloading the rkill file you got that message? Download the file from an uninfected computer and transfer using a cd or usb flash drive. Make sure the flash drive isn't infected before copying to it.
 
You must log in or register to reply here.
Back
Top