
Attack of false virus infection warnings, popups, basically disabled Please Help

Discussion in 'Virus & Other Malware Removal' started by yettz, Apr 28, 2010.

  1. yettz

    yettz Thread Starter

    Joined:
    May 6, 2007
    Messages:
    60
    I am unable to run any programs, including HJT, so can't get a security log.
    The screen gets multiple fake security alert windows, saying it is infected and do I want to activate my antivirus software, and then unwanted websites start popping up. Any program that I try to run shuts down right away, or doesn't respond, and then I get another warning that the program file is infected.

    I think I got malwarebytes to scan, but it said only one item was found, and then it froze and I couldn't do any more with it.
    Never had a problem like this before on this computer, but it is dead in the water now and we're a bit frantic. Any help would be Very Much appreciated!
     
  2. yettz

    yettz Thread Starter

    Joined:
    May 6, 2007
    Messages:
    60
    Here is the HJT log. I ran it in safe mode. Any ideas where to start? I'm at a loss...

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:31:17 AM, on 4/28/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Safe mode

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Documents and Settings\Matt\Desktop\Torrents\Clone CD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Gigaware\Gigaware Optical Mouse Driver\4.06\MOUSE32A.EXE
    O4 - HKLM\..\Run: [AMD_Display] C:\Program Files\AMD\AMD Power Monitor\AMD_PwrMon.exe
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
    O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MICROS~1\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

    --
    End of file - 6824 bytes
     
  3. yettz

    yettz Thread Starter

    Joined:
    May 6, 2007
    Messages:
    60
    Bump --- I still need help, please ----- any suggestions?
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,452
    First Name:
    Derek
    Delete any existing version of ComboFix you have sitting on your desktop
    Please read and follow all these instructions very carefully

    Download ComboFix from Here to your Desktop.

    **Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer**
    --------------------------------------------------------------------
    1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus and anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results" or stop combofix running at all
    • Click on THIS LINK to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
    • Remember to re-enable the protection again after combofix has finished
    --------------------------------------------------------------------
    2. Close any open browsers and any other programs you might have running
    Double click on combofix.exe & follow the prompts.
    If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
    Please select yes & let it download the files it needs to do this
    When finished, it will produce a report for you.
    Please post the "C:\ComboFix.txt" for further review


    ****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns

    Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

    Run it in safe mode
     
  5. yettz

    yettz Thread Starter

    Joined:
    May 6, 2007
    Messages:
    60
    Thank you SO much for responding!!

    I downloaded Combofix in Normal mode, then ran it in Safe mode. Since there was no Internet connection, the recovery console did not install.

    Here is the log -------------

    ComboFix 10-04-29.01 - Administrator 04/29/2010 16:32:19.1.2 - x86 MINIMAL
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.712 [GMT -6:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Marcus\Local Settings\Application Data\kjqqkarew
    c:\documents and settings\Marcus\Local Settings\Application Data\kjqqkarew\vbsgntatssd.exe
    c:\documents and settings\Matt\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
    c:\program files\INSTALL.LOG

    .
    ((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-29 )))))))))))))))))))))))))))))))
    .

    2010-04-28 15:31 . 2010-04-28 15:31 -------- d-----w- c:\program files\Trend Micro
    2010-04-28 15:27 . 2010-04-28 15:27 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
    2010-04-28 15:06 . 2010-04-28 15:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-04-28 15:06 . 2010-04-28 15:06 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2010-04-27 06:46 . 2010-04-27 06:46 -------- d-----w- c:\documents and settings\Marcus\Application Data\Malwarebytes
    2010-04-27 06:23 . 2010-04-27 06:23 -------- d-----w- c:\documents and settings\Matt\Application Data\Malwarebytes
    2010-04-27 06:22 . 2010-03-30 06:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-27 06:22 . 2010-04-27 06:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-27 06:22 . 2010-04-27 06:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-04-27 06:22 . 2010-03-30 06:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-21 22:45 . 2010-04-21 22:45 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
    2010-04-21 22:37 . 2010-02-11 03:20 593920 ------w- c:\windows\system32\ati2sgag.exe
    2010-04-21 21:44 . 2010-04-23 03:09 -------- d-----w- c:\program files\ATI
    2010-04-15 05:36 . 2008-04-14 00:11 32768 -c--a-w- c:\windows\system32\dllcache\ativtmxx.dll
    2010-04-15 05:36 . 2008-04-14 00:11 32768 ----a-w- c:\windows\system32\ativtmxx.dll
    2010-04-11 06:01 . 2010-04-11 06:01 -------- d-----w- c:\program files\The Graveyard Trial
    2010-04-05 21:38 . 2010-04-05 21:38 -------- d-----w- c:\program files\Microsoft SQL Server
    2010-04-05 21:37 . 2010-04-12 02:30 -------- d-----w- C:\344689bbb6e4300b2bafef27f4
    2010-04-05 21:33 . 2010-04-05 21:33 -------- d-----w- c:\program files\Park Sidekick
    2010-04-01 23:40 . 2009-11-03 15:51 421888 ----a-w- c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\2engp2mn.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
    2010-04-01 23:40 . 2008-12-04 07:25 120832 ----a-w- c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\2engp2mn.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
    2010-04-01 23:40 . 2007-12-30 11:01 172032 ----a-w- c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\2engp2mn.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\puttygen.exe
    2010-04-01 23:40 . 2007-12-30 11:01 307200 ----a-w- c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\2engp2mn.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\psftp.exe
    2010-04-01 23:40 . 2007-12-30 11:01 90112 ----a-w- c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\2engp2mn.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-29 22:24 . 2006-09-11 04:54 -------- d-----w- c:\program files\BOINC
    2010-04-29 20:58 . 2008-04-08 21:19 -------- d-----w- c:\documents and settings\Marcus\Application Data\OpenOffice.org2
    2010-04-27 06:50 . 2008-06-09 19:00 -------- d-----w- c:\documents and settings\Marcus\Application Data\mIRC
    2010-04-24 14:48 . 2009-06-12 05:04 1324 ----a-w- c:\documents and settings\Marcus\Local Settings\Application Data\d3d9caps.tmp
    2010-04-24 04:34 . 2006-08-09 03:51 1324 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-04-21 22:39 . 2009-06-29 22:25 -------- d-----w- c:\program files\ATI Technologies
    2010-04-16 01:24 . 2006-08-09 03:31 1100 ----a-w- c:\windows\system32\d3d8caps.dat
    2010-04-15 06:48 . 2007-12-29 00:23 -------- d-----w- c:\program files\Steam
    2010-04-15 05:48 . 2009-12-12 20:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-04-15 04:07 . 2008-08-14 17:25 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
    2010-04-15 04:02 . 2006-08-09 17:24 -------- d-----w- c:\program files\Warcraft III
    2010-04-01 22:02 . 2010-03-12 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Soulseek
    2010-03-29 04:28 . 2010-03-29 04:28 -------- d-----w- c:\documents and settings\Marcus\Application Data\vlc
    2010-03-29 02:13 . 2010-03-29 02:13 -------- d-----w- c:\documents and settings\Marcus\Application Data\.BitTornado
    2010-03-12 02:13 . 2010-03-12 02:13 -------- d-----w- c:\program files\SoulseekNS
    2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
    2010-02-25 06:24 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-02-24 16:16 . 2009-10-03 07:44 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
    2010-02-16 14:08 . 2004-08-04 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-02-12 04:33 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
    2010-02-11 12:02 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
    2010-02-11 07:38 . 2007-11-02 05:52 3565056 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
    2010-02-11 05:17 . 2010-02-11 05:17 11845632 ----a-w- c:\windows\system32\atioglxx.dll
    2010-02-11 05:07 . 2010-02-11 05:07 307200 ----a-w- c:\windows\system32\atiiiexx.dll
    2010-02-11 04:46 . 2010-02-11 04:46 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
    2010-02-11 04:45 . 2010-02-11 04:45 325120 ----a-w- c:\windows\system32\ati2dvag.dll
    2010-02-11 04:37 . 2010-02-11 04:37 290816 ----a-w- c:\windows\system32\atiok3x2.dll
    2010-02-11 04:36 . 2010-02-11 04:36 204800 ----a-w- c:\windows\system32\atipdlxx.dll
    2010-02-11 04:35 . 2010-02-11 04:35 155648 ----a-w- c:\windows\system32\Oemdspif.dll
    2010-02-11 04:35 . 2010-02-11 04:35 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
    2010-02-11 04:35 . 2010-02-11 04:35 43520 ----a-w- c:\windows\system32\ati2edxx.dll
    2010-02-11 04:35 . 2010-02-11 04:35 155648 ----a-w- c:\windows\system32\ati2evxx.dll
    2010-02-11 04:33 . 2010-02-11 04:33 602112 ----a-w- c:\windows\system32\ati2evxx.exe
    2010-02-11 04:32 . 2010-02-11 04:32 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
    2010-02-11 04:25 . 2010-02-11 04:25 3818144 ----a-w- c:\windows\system32\ati3duag.dll
    2010-02-11 04:23 . 2010-02-11 04:23 45056 ----a-w- c:\windows\system32\aticalrt.dll
    2010-02-11 04:22 . 2010-02-11 04:22 45056 ----a-w- c:\windows\system32\aticalcl.dll
    2010-02-11 04:21 . 2010-02-11 04:21 3227648 ----a-w- c:\windows\system32\aticaldd.dll
    2010-02-11 04:19 . 2010-02-11 04:19 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
    2010-02-11 04:12 . 2010-02-11 04:12 2670592 ----a-w- c:\windows\system32\ativvaxx.dll
    2010-02-11 04:12 . 2010-02-11 04:12 887724 ----a-w- c:\windows\system32\ativva6x.dat
    2010-02-11 04:12 . 2010-02-11 04:12 3107788 ----a-w- c:\windows\system32\ativva5x.dat
    2010-02-11 03:59 . 2010-02-11 03:59 49664 ----a-w- c:\windows\system32\amdpcom32.dll
    2010-02-11 03:55 . 2010-02-11 03:55 475136 ----a-w- c:\windows\system32\atikvmag.dll
    2010-02-11 03:54 . 2010-02-11 03:54 126976 ----a-w- c:\windows\system32\atiadlxx.dll
    2010-02-11 03:53 . 2010-02-11 03:53 17408 ----a-w- c:\windows\system32\atitvo32.dll
    2010-02-11 03:47 . 2010-02-11 03:47 626688 ----a-w- c:\windows\system32\ati2cqag.dll
    2010-02-07 19:12 . 2010-02-07 19:12 50354 ----a-w- c:\documents and settings\Matt\Application Data\Facebook\uninstall.exe
    2010-02-02 00:57 . 2009-07-24 16:55 56484 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\Matt\Application Data\Facebook\axfbootloader.dll
    2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\Matt\Application Data\Facebook\npfbplugin_1_0_1.dll
    2006-08-14 20:45 . 2006-08-14 20:45 0 ----a-w- c:\program files\itouch_config_crash_info.txt
    2003-12-18 17:33 . 2007-05-19 02:56 20102 ----a-w- c:\program files\Readme.txt
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2003-12-01 892928]
    "CloneCDTray"="c:\documents and settings\Matt\Desktop\Torrents\Clone CD\CloneCDTray.exe" [2006-09-28 57344]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
    "ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2006-02-02 45056]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
    "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
    "LWBMOUSE"="c:\program files\Gigaware\Gigaware Optical Mouse Driver\4.06\MOUSE32A.EXE" [2001-11-09 356352]
    "AMD_Display"="c:\program files\AMD\AMD Power Monitor\AMD_PwrMon.exe" [2006-10-02 1355776]
    "C-Media Mixer"="Mixer.exe" [2002-10-16 1818624]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]
    "RTHDCPL"="RTHDCPL.EXE" [2008-12-09 18063872]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

    c:\documents and settings\Marcus\Start Menu\Programs\Startup\
    OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]

    c:\documents and settings\Matt\Start Menu\Programs\Startup\
    GridRepublic Desktop.lnk - c:\program files\BOINC\GridRepublic.exe [2006-8-7 1990656]
    ImpulseNow.lnk - c:\program files\Stardock\Impulse\Now\ImpulseNow.exe [2009-6-26 464176]
    MultiRes.lnk - c:\program files\MultiRes\MultiRes.exe [2006-9-12 54784]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
    Wireless Configuration Utility HW.51.lnk - c:\program files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe [2004-12-14 454656]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-08-21 20:47 11952 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
    "c:\\Program Files\\Winamp\\winamp.exe"=
    "c:\\Program Files\\SlurpySoft\\Wulfram\\wulfram2.exe"=
    "c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Last.fm\\LastFM.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\edible_weasel\\counter-strike source\\hl2.exe"=
    "c:\\Program Files\\Starcraft\\StarCraft.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\peggle deluxe\\Peggle.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\peggle extreme\\PeggleExtreme.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\world of goo\\WorldOfGoo.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\Demigod\\bin\\Demigod.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForever.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForeverLauncher.exe"=
    "c:\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

    R0 AmdAcpi;AmdAcpi Bus Filter Driver;c:\windows\system32\drivers\amdacpi.sys [5/20/2007 11:57 PM 14336]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    R3 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\AmdTools.sys [11/20/2006 12:31 AM 33792]
    S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/4/2007 3:33 PM 685816]
    S1 atitray;atitray;\??\c:\program files\Radeon Omega Drivers\v3.8.360\ATI Tray Tools\atitray.sys --> c:\program files\Radeon Omega Drivers\v3.8.360\ATI Tray Tools\atitray.sys [?]
    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/12/2009 2:16 PM 335240]
    S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/12/2009 2:16 PM 108552]
    S1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [8/20/2009 8:53 AM 13696]
    S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [6/12/2009 2:16 PM 908056]
    S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/12/2009 2:16 PM 297752]
    S3 jgameenp;jgameenp;\??\c:\docume~1\Matt\LOCALS~1\Temp\jgameenp.sys --> c:\docume~1\Matt\LOCALS~1\Temp\jgameenp.sys [?]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 3:10 PM 32512]
    S3 NTPASp50;NTPASp50 NDIS Protocol Driver;c:\windows\system32\drivers\NtpaSp50.sys [6/19/2009 3:13 PM 17536]
    S3 XDva016;XDva016;\??\c:\windows\system32\XDva016.sys --> c:\windows\system32\XDva016.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-22 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

    2010-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-879983540-839522115-1004Core.job
    - c:\documents and settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-13 09:04]

    2010-04-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-879983540-839522115-1004UA.job
    - c:\documents and settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-13 09:04]

    2010-04-29 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\sekmf6rv.default\
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-Soulseek - c:\documents and settings\Matt\Desktop\Music\!Programs\SLSK\uninstall.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-29 16:44
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(216)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2010-04-29 16:47:06
    ComboFix-quarantined-files.txt 2010-04-29 22:47

    Pre-Run: 30,805,520,384 bytes free
    Post-Run: 36,129,361,920 bytes free

    - - End Of File - - 70CF2917864C588BC73D433674BD657D
     
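The HijackThis log in post 2 and the ComboFix log in post 5 both list autorun and driver entries by image path, and the items ComboFix deleted sat under a random-named folder in a profile's Application Data. The Python below is an added example, not part of this thread, of HijackThis or of ComboFix: it parses HJT O4 lines and ComboFix service/driver lines and flags entries that run from a Temp folder, from a random-looking folder under Application Data, or that ComboFix tagged [?]. The 8.3 short-name table, the vowel-ratio heuristic and the constructed kjqqkarew O4 line are this example's own assumptions.

```python
"""Triage autorun/driver entries from HijackThis and ComboFix logs.

Added example (not code from the thread, HijackThis or ComboFix). The path
heuristics below are assumptions of this example, not rules either tool uses.
"""
import re
from typing import Dict, List, Optional

# Assumed expansions for the 8.3 short names seen in these logs; on a real
# machine resolve them through the filesystem instead of a table.
SHORT_NAMES = {
    "progra~1": "program files",
    "docume~1": "documents and settings",
    "locals~1": "local settings",
    "common~1": "common files",
    "micros~1": "microsoft",
}

# HJT:      O4 - HKLM\..\Run: [Name] "C:\path\prog.exe" /args
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# ComboFix: S3 name;display name;c:\path\driver.sys [date size]   or   ... --> path [?]
SVC_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# First token that ends in a binary extension, quoted or not (paths may contain spaces).
BINARY_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|scr|sys|cpl))"?(?:\s|$)', re.IGNORECASE)


def normalize(path: str) -> str:
    """Lower-case, drop the \\??\\ NT prefix and expand known 8.3 components."""
    p = path.strip().lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    return "\\".join(SHORT_NAMES.get(part, part) for part in p.split("\\"))


def looks_random(name: str) -> bool:
    """Heuristic: 8+ letters with fewer than 25% vowels (e.g. 'kjqqkarew')."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 8:
        return False
    return sum(c in "aeiouy" for c in letters) / len(letters) < 0.25


def appdata_child(p: str) -> Optional[str]:
    """Return the first folder under a profile's Application Data, if any."""
    for marker in ("\\local settings\\application data\\", "\\application data\\"):
        idx = p.find(marker)
        if idx != -1:
            return p[idx + len(marker):].split("\\")[0]
    return None


def assess(raw_path: str, verified: bool = True) -> List[str]:
    """Return the reasons an image path deserves a closer look (empty = nothing)."""
    p = normalize(raw_path)
    reasons = []
    if "\\" not in p:
        reasons.append("bare filename; resolved through the loader's search path")
    if "\\temp\\" in p or "\\temporary internet files\\" in p:
        reasons.append("runs from a Temp folder")
    child = appdata_child(p)
    stem = p.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if child is not None and (looks_random(child) or looks_random(stem)):
        reasons.append("random-looking name under a profile's Application Data")
    if not verified:
        reasons.append("marked [?] by ComboFix (file not located)")
    return reasons


def parse_hjt_o4(line: str) -> Optional[Dict]:
    m = O4_RE.match(line.strip())
    if not m:
        return None
    b = BINARY_RE.match(m.group("cmd"))
    if not b:
        return None
    return {"source": "HJT O4", "name": m.group("name"), "path": b.group("path"), "verified": True}


def parse_combofix_service(line: str) -> Optional[Dict]:
    m = SVC_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    path = re.sub(r"\s*\[[^\]]*\]$", "", rest.split(" --> ")[0])  # drop [date size] / [?]
    return {"source": "ComboFix " + m.group("start"), "name": m.group("name"),
            "path": path, "verified": not rest.endswith("[?]")}


def triage(lines: List[str]) -> List[Dict]:
    """Parse each line with either parser and keep only entries with findings."""
    findings = []
    for line in lines:
        entry = parse_hjt_o4(line) or parse_combofix_service(line)
        if entry is None:
            continue
        reasons = assess(entry["path"], entry["verified"])
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


# Constructed sample: lines copied from the thread's logs plus one invented O4
# entry modelled on the folder ComboFix deleted (the real HJT log showed none).
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe",
    r"O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup",
    r"O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent",
    r"O4 - HKCU\..\Run: [kjqqkarew] c:\documents and settings\Marcus\Local Settings\Application Data\kjqqkarew\vbsgntatssd.exe",
    r"R0 AmdAcpi;AmdAcpi Bus Filter Driver;c:\windows\system32\drivers\amdacpi.sys [5/20/2007 11:57 PM 14336]",
    r"S3 jgameenp;jgameenp;\??\c:\docume~1\Matt\LOCALS~1\Temp\jgameenp.sys --> c:\docume~1\Matt\LOCALS~1\Temp\jgameenp.sys [?]",
    r"S3 XDva016;XDva016;\??\c:\windows\system32\XDva016.sys --> c:\windows\system32\XDva016.sys [?]",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f['source']:12} {f['name']:28} {f['path']}")
        for r in f["reasons"]:
            print(f"{'':41} - {r}")
```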
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,452
    First Name:
    Derek
    next

    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

    Do not re-enable these drivers until otherwise instructed.

    then run combofix again in normal mode and install Recovery console while you have internet connection
     
  7. yettz

    yettz Thread Starter

    Joined:
    May 6, 2007
    Messages:
    60
    There are two user accounts on this computer. I first ran Defogger from the account I've been working in, but it had access errors. So I switched to the other account and ran again - no trouble.

    ----------1st defogger_disable report -------------

    defogger_disable by jpshortstuff (23.02.10.1)
    Log created at 06:35 on 30/04/2010 (Marcus)

    Checking for autostart values...
    HKCU\~\Run values retrieved.
    Unable to open HKLM\~\Run key (5)
    HKLM\~\Run values retrieved.

    Checking for services/drivers...
    Unable to read sptd.sys
    Error opening service: SPTD (5)

    -=E.O.F=-


    ---------2nd defogger ran OK ---------------


    ---------Combofix log is attached (from the 2nd acct) -------
     


  8. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,452
    First Name:
    Derek
    download gmer rootkit detector from http://gmer.net

    unzip it & double click the gmer.exe file

    It will do a quick scan automatically, when that finishes if it says "rootkit activity detected" then Stop there & press copy & post back the log it makes.
    Do NOT allow it to perform a full scan at this time

    If there is No warning of rootkit activity then select the rootkit tab & press scan. When it finishes press copy & post back the log it makes
     
  9. yettz

    yettz Thread Starter

    Joined:
    May 6, 2007
    Messages:
    60
    I've hit a big snag... downloaded the gmer program and watched it do the quick scan. It seemed to have completed - I let it sit for about 15 mins - and there were no rootkit warnings, so I started the scan. It ran for many hours going through all the files. I had to leave after about 4 hours. When I came back the screen was frozen with what looked like the beginning of a Notepad window where the .log file would go, but it was empty and the hourglass cursor was active. The CPU is running 100% but the programs running in this user account weren't using that much. Tried to switch users to look for the culprit, but screen stuck between users with a blue screen and hourglass cursor - nothing else, (not the blue screen of death I don't think, more like the windows background color) ?? What have I done?? I think I can only cut power to get out of this state. I'll try it and see if I maybe find a .log file on reboot. Or....?? I really appreciate your help and expertise.
     
  10. yettz

    yettz Thread Starter

    Joined:
    May 6, 2007
    Messages:
    60
    Maybe I should add that after the quick scan by the gmer program, there were four lines typed in the window that had to do with AVG : \Driver\Tcpip\Device\Ip, \Tcp, \Udp, \RawIp

    I don't see a .log file anywhere. I'll try the scan again...
     
  11. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,452
    First Name:
    Derek
    uncheck "show all" & "Sections" in gmer & see if that gets it to run properly
     
  12. yettz

    yettz Thread Starter

    Joined:
    May 6, 2007
    Messages:
    60
    I had already restarted the scan last night before you sent this. It ran all night and it is STILL running now (!), but it is up to C:\WINDOWS\ so surely it is near the end. I hope this is not a bad sign, just a slow /full/ tired hard drive?
     
  13. yettz

    yettz Thread Starter

    Joined:
    May 6, 2007
    Messages:
    60
    Still running... ~14 hrs!! should I stop it? I'm a little concerned. How long does it usually take? I could try again with the two boxes unchecked.
     
  14. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,452
    First Name:
    Derek
    if it is still running, let it continue

    only stop it if it is stuck or freezes
     
  15. yettz

    yettz Thread Starter

    Joined:
    May 6, 2007
    Messages:
    60
    Ok. It is still running. amazing
     
Short URL to this thread: https://techguy.org/919709
