Trojan Horse Generic17.something

Lizzie

New Member
Hellos,

I hope this is in the right place, sort of new here as you can tell. :)

Anyway I basically downloaded a game which had this hiding in it and I can't seem to get rid of it even though I have run just about every virus scanner there is. They all come up with nothing.

It also seems to create new .tmp files in the temp folder every few minutes, with the AVG shield coming up with an alert about it every ten minutes or so.

AVG online shield comes up with this:

file name: street-info.net/load/mix3.exe
threat name: trojan horse generic17.BPQL
process name: c:\windows\system32.svchost.exe

Here is the HijackThis log, because I am having problems with malware.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:10:22, on 5/12/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

--
End of file - 5099 bytes


I also tried restoring the laptop to a previous state but that didn't work either.

So in desperate need of help. :confused:

Thanks in advance, and so sorry if it's in the wrong place again.
 
I don't see anything going on in the log; however, you must have some hidden infections. Please do the following. If you haven't downloaded and run Malwarebytes, please do so now.

Please download Malwarebytes' Anti-Malware from here or here and save it to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version. Please keep updating until it says you have the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • A log will be saved automatically which you can access by clicking on the Logs tab within Malwarebytes' Anti-Malware

Download and Run ComboFix
If you already have ComboFix, please delete this copy and download it again, as it's being updated regularly.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes named findstr, find, sed or swreg; ComboFix should then continue.
If that happened we want to know, and also what process you had to end.

In your next reply please post:
  • The Malwarebytes log
  • The ComboFix log
  • A fresh HiJackThis log
  • An update on how your computer is running
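A reviewer reading a HijackThis log like the one above applies a few mechanical checks before concluding that nothing is visible: orphaned BHOs, Run entries with bare filenames or temp-directory paths, AppInit DLLs, and services with no company name or a system binary name outside the Windows directory. The script below is an added example, not code from this thread or from HijackThis; its sample lines are modelled on the log above, and the two entries noted as constructed are made up so that the checks have something to hit.

```python
import re
from dataclasses import dataclass

# Sample in HijackThis v2 line format, modelled on the log in this thread. The
# HKCU "updater" entry and the "Host Helper" service are constructed to show hits.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKCU\..\Run: [updater] C:\Users\Liz\AppData\Local\Temp\sample_dropper.exe
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Host Helper (hosthlp) - Unknown owner - C:\Windows\Temp\svchost.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - (?P<vendor>.+?) - (?P<path>.+)$")
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")
# Core Windows binaries that only belong under the Windows directory.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}


@dataclass
class Finding:
    kind: str
    reason: str
    line: str


def cmd_path(cmd: str) -> str:
    """Executable path from an O4 command. HijackThis prints unquoted paths with
    spaces as-is, so cut unquoted commands at the first switch or ' (User ' suffix."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    for sep in (" /", " (User "):
        idx = cmd.find(sep)
        if idx != -1:
            cmd = cmd[:idx]
    return cmd.strip()


def in_temp_dir(path: str) -> bool:
    return any(m in path.lower() for m in TEMP_MARKERS)


def masquerades_as_system(path: str) -> bool:
    """A system binary name (svchost.exe, ...) living outside the Windows directory."""
    p = path.lower().replace("/", "\\")
    base = p.rsplit("\\", 1)[-1]
    under_windows = p.startswith("c:\\windows\\") and not in_temp_dir(p)
    return base in SYSTEM_NAMES and not under_windows


def triage(log_text: str) -> list:
    """Return the entries a reviewer would look at twice, each with the reason."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "O2" and body.endswith("(no file)"):
            findings.append(Finding(kind, "orphaned BHO (CLSID registered, DLL gone); harmless, fix to tidy", line))
        elif kind == "O4" and (o4 := O4_RE.match(body)):
            path = cmd_path(o4.group("cmd"))
            if "\\" not in path:
                findings.append(Finding(kind, "bare filename resolved via PATH search; confirm which file runs", line))
            if in_temp_dir(path):
                findings.append(Finding(kind, "autorun from a temp directory", line))
        elif kind == "O20" and body.startswith("AppInit_DLLs:"):
            dll = body[len("AppInit_DLLs:"):].strip()
            if dll:
                findings.append(Finding(kind, f"{dll} loads into every process that maps user32.dll; verify publisher", line))
        elif kind == "O23" and (svc := O23_RE.match(body)):
            path = svc.group("path")
            if svc.group("vendor") == "Unknown owner":
                findings.append(Finding(kind, "service binary carries no company name", line))
            if in_temp_dir(path):
                findings.append(Finding(kind, "service running from a temp directory", line))
            if masquerades_as_system(path):
                findings.append(Finding(kind, "system binary name outside the Windows directory", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.reason}\n    {f.line}")
```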
 
Hellos,

I tried running combofix but it keeps telling me that it cannot create certain files and to close everything and to reboot. Tried to rename it and stick it in a different folder but the same thing comes up.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:10:22, on 5/12/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

--
End of file - 5099 bytes

Malware log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4093

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

5/13/2010 09:47:51
mbam-log-2010-05-13 (09-47-51).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 194873
Time elapsed: 40 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

And the problem is still happening annoyingly, creating files in the tmp folder and then AVG coming up with an alert about the trojan horse. I'll post the combofix, hopefully, if it starts working.

Thanks again. :)
 
Finally got the ComboFix log to work (had to add it here because it wouldn't let me edit the other one). Also I haven't received any notifications of the trojan horse yet (since I ran ComboFix).

Log:

ComboFix 10-05-12.03 - Liz 05/13/2010 10:21:35.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3070.2049 [GMT 4:00]
Running from: c:\users\Liz\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\system

Infected copy of c:\windows\system32\drivers\tdx.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-13 to 2010-05-13 )))))))))))))))))))))))))))))))
.

2010-05-13 06:16 . 2010-05-13 06:16 -------- d-----w- C:\32788R22FWJFW
2010-05-12 17:40 . 2010-05-12 17:40 74240 ----a-w- c:\windows\system32\drivers\butsergo.sys
2010-05-12 17:26 . 2010-05-12 17:40 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-12 15:57 . 2010-05-12 15:57 388096 ----a-r- c:\users\Liz\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-12 15:54 . 2010-04-29 11:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-12 15:54 . 2010-05-12 15:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-12 15:54 . 2010-04-29 11:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-12 15:12 . 2010-05-12 16:04 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-12 15:12 . 2010-05-12 15:12 -------- d-----w- c:\programdata\Hitman Pro
2010-05-12 15:12 . 2010-05-12 15:12 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-05-12 15:10 . 2010-05-12 15:10 -------- d-----w- c:\program files\Trend Micro
2010-05-12 10:51 . 2010-05-12 11:47 -------- d-----w- c:\program files\Trojan Remover
2010-05-12 10:51 . 2010-05-12 10:51 -------- d-----w- c:\users\Liz\AppData\Roaming\Simply Super Software
2010-05-12 10:51 . 2010-05-12 10:51 -------- d-----w- c:\programdata\Simply Super Software
2010-05-12 09:17 . 2010-05-12 13:03 -------- d-----w- c:\users\Liz\AppData\Roaming\VendelGAMES
2010-05-10 11:24 . 2010-05-10 11:24 -------- d-----w- c:\users\Liz\AppData\Roaming\Magic3
2010-05-10 11:24 . 2010-05-10 11:24 -------- d-----w- c:\programdata\AlawarWrapper
2010-05-09 16:54 . 2010-05-12 12:05 -------- d-----w- c:\program files\AnvSoft
2010-05-08 09:53 . 2010-05-12 12:05 -------- d-----w- c:\users\Liz\AppData\Roaming\Jetdogs Studios
2010-05-03 17:12 . 2010-05-03 17:12 -------- d-----w- c:\users\Liz\AppData\Roaming\Gogii
2010-04-30 13:10 . 2010-04-30 13:10 -------- d-----w- c:\users\Liz\AppData\Roaming\skypePM
2010-04-30 13:06 . 2010-05-10 17:12 -------- d-----w- c:\users\Liz\AppData\Roaming\Skype
2010-04-30 13:05 . 2010-05-12 12:44 -------- d-----r- c:\program files\Skype
2010-04-30 13:05 . 2010-04-30 13:05 -------- d-----w- c:\program files\Common Files\Skype
2010-04-30 13:05 . 2010-04-30 13:05 -------- d-----w- c:\programdata\Skype
2010-04-30 07:36 . 2009-10-10 02:57 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2010-04-30 07:36 . 2009-10-10 02:31 84992 ----a-w- c:\windows\system32\drivers\sdbus.sys
2010-04-30 06:53 . 2010-04-30 06:53 -------- d-----w- c:\program files\DIFX
2010-04-30 06:38 . 2009-07-24 06:49 114688 ----a-w- c:\windows\system32\RicohMediadriverVer.dll
2010-04-30 06:37 . 2009-06-25 12:25 38400 ----a-w- c:\windows\system32\drivers\rixdptsk.sys
2010-04-30 06:37 . 2009-06-25 12:58 48128 ----a-w- c:\windows\system32\drivers\rimmptsk.sys
2010-04-30 06:37 . 2009-06-25 12:10 44544 ----a-w- c:\windows\system32\drivers\rimsptsk.sys
2010-04-30 06:37 . 2007-07-25 08:48 172032 ----a-w- c:\windows\system32\rixdicon.dll
2010-04-30 06:37 . 2004-09-03 23:00 90112 ----a-w- c:\windows\system32\snymsico.dll
2010-04-28 14:36 . 2010-04-28 14:37 -------- d-----w- c:\program files\QuickTime
2010-04-28 05:34 . 2009-09-26 05:58 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2010-04-28 05:34 . 2009-12-11 07:44 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2010-04-28 05:34 . 2009-12-11 07:38 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2010-04-27 10:29 . 2010-04-27 10:29 -------- d-----w- C:\$AVG
2010-04-26 09:58 . 2010-04-26 09:58 -------- d-----w- c:\program files\AC3Filter
2010-04-25 11:21 . 2010-04-25 11:21 242696 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2010-04-25 11:20 . 2010-04-25 11:20 1689952 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-04-25 08:16 . 2010-04-25 08:16 -------- d-----w- c:\users\Liz\AppData\Roaming\AVG9
2010-04-25 08:06 . 2010-04-25 08:06 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-25 08:06 . 2010-04-25 08:06 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-04-25 08:06 . 2010-04-25 11:21 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-25 08:05 . 2010-04-25 08:05 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-25 08:05 . 2010-05-13 05:05 -------- d-----w- c:\windows\system32\drivers\Avg
2010-04-25 08:05 . 2010-04-25 08:05 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-25 08:05 . 2010-04-25 08:05 25096 ----a-w- c:\windows\system32\drivers\AVGIDSwx.sys
2010-04-25 08:05 . 2010-04-25 08:05 24856 ----a-w- c:\windows\system32\drivers\avgfwd6x.sys
2010-04-25 08:05 . 2010-04-25 08:05 -------- d-----w- c:\program files\AVG
2010-04-25 08:05 . 2010-04-25 08:05 -------- d-----w- c:\programdata\avg9
2010-04-25 07:20 . 2010-04-25 07:20 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-25 07:18 . 2010-04-25 08:22 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-25 06:41 . 2010-04-25 06:41 -------- d-----w- c:\users\Liz\AppData\Roaming\Malwarebytes
2010-04-25 06:41 . 2010-04-25 06:41 -------- d-----w- c:\programdata\Malwarebytes
2010-04-25 06:01 . 2010-04-25 06:01 -------- d-----w- c:\users\Liz\AppData\Roaming\Tific
2010-04-19 08:48 . 2010-04-19 08:48 -------- d-----w- c:\programdata\Fugazo
2010-04-19 08:48 . 2010-05-12 12:05 -------- d-----w- c:\windows\Cooking Academy 2 World Cuisine
2010-04-19 07:55 . 2010-04-19 07:55 -------- d-----w- c:\users\Liz\AppData\Roaming\ShinyTales
2010-04-17 07:21 . 2010-04-17 07:21 56766 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-04-17 07:21 . 2010-04-17 07:21 54128 ----a-w- c:\programdata\DivX\Converter\Uninstaller.exe
2010-04-17 07:20 . 2010-04-17 07:20 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-04-17 07:20 . 2010-04-17 07:20 754984 ----a-w- c:\programdata\DivX\Setup\Resource.dll
2010-04-17 07:20 . 2010-04-17 07:14 1180952 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-04-17 07:20 . 2010-02-22 07:39 530625 ----a-w- c:\programdata\DivX\DivX7\DivX Plus DirectShow Filters\DivXDSFiltersUninstall.exe
2010-04-17 07:20 . 2010-02-22 07:39 530625 ----a-w- c:\programdata\DivX\DivX7\DivX Converter\DivXConverterUninstall.exe
2010-04-17 07:20 . 2010-04-17 07:20 56978 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
2010-04-17 07:20 . 2010-04-17 07:20 57679 ----a-w- c:\programdata\DivX\Player\Uninstaller.exe
2010-04-17 07:20 . 2010-04-17 07:20 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
2010-04-17 07:14 . 2010-04-17 07:20 144696 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-04-17 07:14 . 2010-04-17 07:21 -------- d-----w- c:\programdata\DivX
2010-04-15 11:39 . 2010-05-12 13:06 -------- d-----w- c:\programdata\PlayFirst
2010-04-15 11:39 . 2010-05-12 13:06 -------- d-----w- c:\users\Liz\AppData\Roaming\PlayFirst
2010-04-14 05:33 . 2010-02-27 12:07 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 05:33 . 2010-02-27 12:07 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 05:33 . 2010-03-08 21:33 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 05:33 . 2010-02-27 07:32 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 05:33 . 2010-02-27 07:32 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 05:33 . 2010-02-27 07:32 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 05:31 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 05:31 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll
2010-04-13 17:18 . 2010-04-13 17:18 -------- d-----w- c:\windows\system32\Wat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-12 17:06 . 2010-03-12 13:43 -------- d-----w- c:\users\Liz\AppData\Roaming\vlc
2010-05-12 12:05 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-05-12 11:03 . 2010-02-19 09:12 -------- d-----w- c:\users\Liz\AppData\Roaming\BitComet
2010-05-08 06:07 . 2010-02-19 16:32 -------- d-----w- c:\users\Liz\AppData\Roaming\SanDisk
2010-05-08 05:56 . 2010-02-19 09:10 -------- d-----w- c:\program files\BitComet
2010-04-30 13:10 . 2010-04-30 13:10 56 ---ha-w- c:\programdata\ezsidmv.dat
2010-04-30 06:37 . 2010-02-19 16:47 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-29 12:19 . 2010-04-17 07:19 -------- d-----w- c:\users\Liz\AppData\Roaming\DivX
2010-04-28 14:36 . 2010-02-27 11:58 -------- d-----w- c:\programdata\Apple Computer
2010-04-25 08:22 . 2010-02-19 08:48 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-25 07:59 . 2010-02-19 08:23 -------- d-----w- c:\program files\Symantec
2010-04-17 07:21 . 2010-02-22 07:39 -------- d-----w- c:\program files\DivX
2010-04-14 17:37 . 2010-02-19 10:03 -------- d-----w- c:\programdata\Microsoft Help
2010-03-30 10:45 . 2010-03-30 10:45 -------- d-----w- c:\users\Liz\AppData\Roaming\Top Evidence
2010-03-30 10:45 . 2010-03-30 10:45 -------- d-----w- c:\programdata\Top Evidence
2010-03-17 16:35 . 2010-03-17 16:35 -------- d-----w- c:\program files\Sector69
2010-03-14 09:36 . 2010-03-14 08:53 -------- d-----w- c:\program files\Guild Wars
2010-03-14 09:27 . 2010-03-14 09:27 -------- d-----w- c:\programdata\Media Center Programs
2010-03-10 07:58 . 2010-03-10 07:58 4096 ----a-w- c:\windows\d3dx.dat
2010-03-08 17:59 . 2010-03-08 17:59 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-02-24 06:16 . 2010-02-19 07:54 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 07:56 . 2010-03-31 05:52 977920 ----a-w- c:\windows\system32\wininet.dll
2010-02-21 12:02 . 2010-02-19 08:06 108824 ----a-w- c:\users\Liz\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-19 19:27 . 2010-02-19 19:27 720384 ----a-w- c:\windows\system32\DivX.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2010-02-19 19:27 . 2010-02-19 19:27 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2010-02-19 19:27 . 2010-02-19 19:27 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2010-02-19 19:27 . 2010-02-19 19:27 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2010-02-19 08:59 . 2010-02-19 08:59 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1045800]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-14 4874240]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 08:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 00:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 03:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-04-12 22:46 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 11:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 17:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

R1 MpKsld0d73b90;MpKsld0d73b90;c:\windows\system32\MpEngineStore\MpKsld0d73b90.sys [x]
R1 qrijsijx;qrijsijx;c:\windows\system32\drivers\qrijsijx.sys [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-13 1343400]
S0 AVGIDSErHrw7x;AVG9IDSErHr;c:\windows\System32\Drivers\AVGIDSwx.sys [2010-04-25 25096]
S0 AvgRkx86;avgrkx86.sys;c:\windows\System32\Drivers\avgrkx86.sys [2010-04-25 52872]
S1 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwd6x.sys [2010-04-25 24856]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2010-04-25 216200]
S1 AvgTdiX;AVG Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2010-04-25 242896]
S2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-04-25 308064]
S2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [2010-04-25 2325816]
S2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe AVGIDSAgent [x]
S3 AVGIDSDriverw7x;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSDriver.sys [2010-04-25 122376]
S3 AVGIDSFilterw7x;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSFilter.sys [2010-04-25 30216]
S3 AVGIDSShimw7x;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys [2010-04-25 20488]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-03-01 139776]

.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Liz\AppData\Roaming\Mozilla\Firefox\Profiles\a0823n6d.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeBridge - (no file)
MSConfigStartUp-SansaDispatch - c:\users\Liz\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-05-13 10:29:39
ComboFix-quarantined-files.txt 2010-05-13 06:29

Pre-Run: 129,895,485,440 bytes free
Post-Run: 129,900,421,120 bytes free

- - End Of File - - 4F212FB4F48D29672B6A9A9E4398E5DA
 
It's been a few days; how has your system been running? Having any more signs of infection?
 