Tech Support Team
#1, troy021079 (Newcomer), 19th September 2009, 05:40 AM
Do I have a virus?

Hi guys,

I think I may have gotten a virus when I tried to download a file on a website, and now my anti-spyware is not working (Spybot, Windows Defender). I have uninstalled Windows Defender because I kept getting a message saying it failed to launch or something along those lines. When I try to use Spybot I get this message: "Unable to execute file: C:\program files\spybot - search & destroy\spybotSD.exe Create process failed; code 5, Access is denied."

I tried uninstalling Spybot but still get the same thing??? I used Spybot two days ago and it was fine; as soon as I tried to download that file it came up with error messages. So I'm guessing it's a virus?? What can I do?

Edit: I'm in the process of doing the malware removal that is on here step by step; however, when I went to save the log from SUPERAntiSpyware I get this message: "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item." It says the same with Spybot.

Thanks

Troy

Last edited by troy021079; 19th September 2009 at 02:59 PM.
#2, troy021079 (Newcomer), 20th September 2009, 05:25 AM
Can anyone help with this?? I can't open any programs on my C drive; it's being blocked!!!

Won't let me run any spyware or anti-virus.

The only program I could get to run was SUPERAntiSpyware. Malwarebytes starts to scan and about 4 seconds in it just closes; it's the same with HijackThis, it scans but then just closes with no log. I have tried uninstalling and re-installing but it won't let me do it.

All I have is the log from SUPERAntiSpyware so I will post it up. My normal anti-virus (AVG) won't let me scan; this virus has really taken hold.

I hope that all I do is copy and paste??

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/19/2009 at 11:33 PM

Application Version : 4.29.1002

Core Rules Database Version : 3404
Trace Rules Database Version: 1978

Scan type : Complete Scan
Total Scan Time : 01:52:27

Memory items scanned : 612
Memory threats detected : 1
Registry items scanned : 6673
Registry threats detected : 2
File items scanned : 114080
File threats detected : 88

Trojan.Downloader-Gen/A
C:\DOCUME~1\TROY\LOCALS~1\TEMP\A.EXE
C:\DOCUME~1\TROY\LOCALS~1\TEMP\A.EXE
[PopRock] C:\DOCUME~1\TROY\LOCALS~1\TEMP\A.EXE
C:\DOCUMENTS AND SETTINGS\TROY\LOCAL SETTINGS\TEMP\A.EXE
C:\WINDOWS\Prefetch\A.EXE-115DC037.pf

InstaFinderK BHO
HKU\S-1-5-21-1718582468-3621032229-1909646053-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4E7BD74F-2B8D-469E-90F0-F66AB581A933}

Adware.Tracking Cookie

Last edited by troy021079; 20th September 2009 at 10:13 AM. Reason: more info.
#3, troy021079 (Newcomer), 20th September 2009, 11:53 AM
OK, so I did some research and it turns out I'm not the only person with this problem. Someone suggested trying ComboFix, so I did, and it seems to have worked: I can now run Spybot etc., but AVG is still not scanning??

Anyway, I will post up the log from ComboFix.

Thanks in advance for any help.

ComboFix 09-09-18.02 - troy 09/20/2009 20:42.5.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.277 [GMT 9.5:30]
Running from: D:\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\CrucialSoft Ltd
C:\HijackThis.exe
C:\kmd.exe
c:\recycler\S-1-5-21-1718582468-3621032229-1909646053-1006
c:\recycler\S-1-5-21-2365902819-649269002-3657925374-500
c:\windows\Alcmtr.exe
c:\windows\Fonts\acrsec.fon
c:\windows\Installer\140be.msi
c:\windows\Installer\1bb0e84.msi
c:\windows\Installer\23b522.msi
c:\windows\Installer\88e310.msi
c:\windows\Installer\98a95.msi
c:\windows\Installer\b22513.msi
c:\windows\Installer\c66110.msi
c:\windows\Installer\ed5d1c.msi
c:\windows\system32\autorun.ini
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\lowsec
c:\windows\system32\muzapp.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-09-11 95536]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Google Update"="c:\documents and settings\troy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-05 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-13 68856]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-25 1414144]
"SpybotSD TeaTimer"="d:\spybot - search & destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-20 2007832]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"MAAgent"="c:\program files\MarkAny\ContentSafer\MAAgent.exe" [2007-12-17 62176]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-12 45056]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-02-23 126976]
"tsnpstd3"="c:\windows\tsnpstd3.exe" [2005-12-20 94208]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-18 827392]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-08 61952]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2005-09-22 14854144]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-03 435096]

c:\documents and settings\Guest\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "D:\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 05:51 548352 ----a-w- D:\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 07:28 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^troy^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\troy\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Camfrog\\Camfrog Video Chat\\Camfrog Video Chat.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R0 m5287;m5287;c:\windows\system32\drivers\m5287.sys [2/6/2005 12:30 AM 85888]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/22/2008 10:06 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/22/2008 10:06 PM 108552]
R1 SASDIFSV;SASDIFSV;D:\sasdifsv.sys [9/15/2009 11:42 AM 9968]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/22/2008 10:05 PM 297752]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [12/22/2008 10:05 PM 908056]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [6/20/2009 9:29 PM 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [6/20/2009 9:29 PM 8320]
S3 SASENUM;SASENUM;D:\SASENUM.SYS [9/15/2009 11:42 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 02:04]

2009-09-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1718582468-3621032229-1909646053-1005Core.job
- c:\documents and settings\troy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-05 10:31]

2009-09-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1718582468-3621032229-1909646053-1005UA.job
- c:\documents and settings\troy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-05 10:31]

2009-09-20 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 07:34]

2009-09-18 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 07:34]

2009-09-18 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]

2009-09-20 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]

2009-09-18 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]

2009-08-15 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]

2009-09-20 c:\windows\Tasks\User_Feed_Synchronization-{7AA78D0F-E102-404A-B320-D46A29487517}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 19:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
Trusted Zone: windowsupdate.com
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - d:\31802d5a1a42e3e786de\HijackThis.exe
AddRemove-{93a8ff8c-72a0-4f68-b89c-987ba3662012} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe



************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-09-20 21:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************************************
.
************************************************************************
.
Completion time: 2009-09-20 21:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-20 11:43

Pre-Run: 20,887,470,080 bytes free
Post-Run: 24,738,766,848 bytes free

297 --- E O F --- 2009-09-17 15:40
#4, wladicus (TST Expert), 22nd January 2012, 07:46 PM
Quote:
Originally Posted by tultdashCaush
mnbvcxz0030
Your contribution does not appear to be helpful.
#5, evilfantasy (Security Team), 23rd January 2012, 04:02 PM
Quote:
Originally Posted by wladicus
Your contribution does not appear to be helpful.
It was just a now banned member using signature spam.
#6, wladicus (TST Expert), 23rd January 2012, 04:14 PM
Quote:
Originally Posted by evilfantasy
It was just a now banned member using signature spam.
Good Work!
#7, evilfantasy (Security Team), 23rd January 2012, 04:21 PM
Thanks...