New rogue/antivirus infection - Please help
mario21lv:
Sorry about that, SuperDave...
justbeck:
Hey, sorry for the delay of my response!
I had just run ComboFix when I turned my PC back on and it says that it corrected several infections, and I haven't gotten a single pop-up or seen any symptoms of the rogue that I had become so familiar with in these last days. Should I still go through with your directions of the Rescue CD/USB ?
mario21lv:
I would still go through with his advice. I've got my way and he's got his way, but he's one of the big guys on the forum and I'm just a member. Glad to hear those things are gone though.
SuperDave:
If you can download and run SAS, MBAM and HJT and get me some logs, don't bother with the rescue disk.
justbeck:
Here are the completed logs I've done so far!
ComboFix 10-03-20.01 - Compaq_Owner 03/20/2010 22:51:31.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.184 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\ave.exe
c:\documents and settings\Compaq_Owner\Local Settings\temp\IadHide5.dll
.
((((((((((((((((((((((((( Files Created from 2010-02-21 to 2010-03-21 )))))))))))))))))))))))))))))))
.
2010-03-16 19:09 . 2010-03-16 19:09 -------- d-----w- C:\8d213983b851922cc
2010-03-16 18:53 . 2010-03-16 18:53 -------- d-----w- C:\adad871fd64396d7d4a1a67d8a8baac9
2010-03-16 18:53 . 2010-03-16 18:53 -------- d-----w- C:\44e88e89d0ebf39
2010-03-16 18:53 . 2010-03-16 18:53 -------- d-----w- C:\21ee9e2511f33aa91
2010-03-16 18:53 . 2010-03-16 18:53 -------- d-----w- C:\97cb9
2010-03-16 18:53 . 2010-03-16 18:53 -------- d-----w- C:\7d9ed
2010-03-16 18:53 . 2010-03-16 18:53 -------- d-----w- C:\f9a1eeaf6fd564a0bf99f3482ab8ae1e
2010-03-16 18:52 . 2010-03-16 18:52 -------- d-----w- C:\da74a0117a4388da33d34d4d6b40c90
2010-03-16 18:52 . 2010-03-16 18:52 -------- d-----w- C:\fa37cc519b9fb5172d30cf21d
2010-03-16 18:49 . 2010-03-16 18:49 -------- d-----w- c:\program files\Trend Micro
2010-03-16 18:07 . 2010-03-16 18:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-16 18:04 . 2010-03-16 18:04 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-03-16 17:03 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-03-16 17:03 . 2009-09-23 20:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-03-16 17:03 . 2009-10-06 20:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-03-16 17:03 . 2010-02-05 13:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-03-16 17:03 . 2010-03-16 18:39 -------- d-----w- c:\program files\Spyware Doctor
2010-03-16 17:03 . 2010-03-16 17:03 -------- d-----w- c:\program files\Common Files\PC Tools
2010-03-16 17:03 . 2010-03-16 17:03 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\PC Tools
2010-03-16 17:03 . 2010-03-16 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-03-16 17:03 . 2010-03-16 18:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-16 16:34 . 2010-03-16 16:34 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-16 16:26 . 2010-03-16 16:26 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2010-03-16 16:25 . 2009-12-30 18:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-16 16:25 . 2010-03-16 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-16 16:25 . 2010-03-16 16:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-16 16:25 . 2009-12-30 18:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-16 16:16 . 2010-03-16 16:16 202752 --sha-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\1732168344.dll
2010-03-16 02:31 . 2010-03-16 02:31 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-16 02:31 . 2010-03-16 18:36 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-16 02:30 . 2010-03-16 02:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-15 07:27 . 2010-03-15 07:27 -------- d--h--w- c:\windows\PIF
2010-03-09 03:51 . 2010-03-09 03:51 -------- d-----w- C:\7468ab8a25277b18b2ce12c422
2010-02-21 09:11 . 2010-02-21 09:11 152576 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-16 16:37 . 2009-12-15 03:55 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\BitTorrent
2010-02-23 04:58 . 2009-06-17 00:04 -------- d-----w- c:\program files\AIMTunes
2010-02-21 09:12 . 2004-08-09 06:12 -------- d-----w- c:\program files\Java
2010-02-21 09:11 . 2009-11-25 18:17 79488 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-21 04:26 . 2008-09-05 01:23 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Apple Computer
2010-02-18 19:48 . 2010-02-18 19:47 -------- d-----w- c:\program files\iTunes
2010-02-18 19:47 . 2010-02-18 19:47 -------- d-----w- c:\program files\iPod
2010-02-18 19:47 . 2009-03-11 22:52 -------- d-----w- c:\program files\Common Files\Apple
2010-02-18 19:42 . 2010-02-18 19:42 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-03 04:43 . 2009-11-11 16:22 -------- d-----w- c:\program files\World of Warcraft
2010-02-03 04:41 . 2009-11-21 20:29 -------- d-----w- c:\program files\World of Warcraft Public Test
2010-01-28 06:47 . 2008-12-15 20:38 64624 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-05 10:00 . 2004-08-09 04:28 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-09 04:28 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-09 04:28 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-04 21:09 . 2009-09-17 22:17 8892928 -c--a-w- c:\documents and settings\All Users\Application Data\atscie.msi
2009-12-31 16:14 . 2004-08-09 04:28 352640 ----a-w- c:\windows\system32\drivers\srv.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-03-18_03.49.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-21 02:57 . 2010-03-21 02:57 16384 c:\windows\Temp\Perflib_Perfdata_ac.dat
+ 2004-08-09 04:28 . 2010-03-18 03:52 54280 c:\windows\system32\perfc009.dat
- 2004-08-09 04:28 . 2010-03-15 03:07 54280 c:\windows\system32\perfc009.dat
+ 2004-08-09 04:28 . 2010-03-18 03:52 384596 c:\windows\system32\perfh009.dat
- 2004-08-09 04:28 . 2010-03-15 03:07 384596 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"VTTimer"="VTTimer.exe" [2004-10-22 53248]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\6750491\Program\Compaq Connections.exe [2004-8-9 16423]
Push Client.LNK - c:\program files\Interwise\Participant\pull.exe [2009-9-15 886000]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft Public Test\\WoW-0.3.0.10522-enUS-ptr-downloader.exe"=
"c:\\Program Files\\World of Warcraft Public Test\\WoW-0.3.0.10522-to-0.3.0.10554-enUS-ptr-downloader.exe"=
"c:\\Program Files\\World of Warcraft Public Test\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft Public Test\\WoW-0.3.0.10554-to-0.3.0.10571-enUS-ptr-downloader.exe"=
"c:\\Program Files\\World of Warcraft Public Test\\WoW-0.3.0.10571-to-0.3.0.10596-enUS-ptr-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58964:TCP"= 58964:TCP:Pando Media Booster
"58964:UDP"= 58964:UDP:Pando Media Booster
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [3/16/2010 1:03 PM 207280]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/19/2009 2:00 PM 24652]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [3/16/2010 12:25 PM 38224]
.
Contents of the 'Scheduled Tasks' folder
2010-03-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
2007-09-04 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-08-10 08:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\fte4u602.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut. enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugi n", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -
AddRemove-AVS Update Manager_is1 - c:\program files\AVS4YOU\AVSUpdateManager\unins000.exe
AddRemove-AVS4YOU Software Navigator_is1 - c:\program files\AVS4YOU\AVSSoftwareNavigator\unins000.exe
AddRemove-AVS4YOU Video Converter 6_is1 - c:\program files\AVS4YOU\AVSVideoConverter6\unins000.exe
AddRemove-Burn4Free - c:\program files\Burn4Free\uninstall.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-20 22:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3472)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\VTTimer.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-03-20 23:01:25 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-21 03:01
ComboFix2.txt 2010-03-18 03:53
Pre-Run: 71,883,866,112 bytes free
Post-Run: 71,854,149,632 bytes free
- - End Of File - - 48CF55404A7D2ED52DA89BC54DEDE860