
Author Topic: online scan to get rid of "packed.generic.200"?  (Read 10294 times)


Kando

    Topic Starter


    Hopeful

    Thanked: 2
    • Experience: Experienced
    • OS: Windows 8
    online scan to get rid of "packed.generic.200"?
    « on: May 20, 2009, 10:03:25 AM »
    I am looking for an online virus scan that will scan the C drive when the computer is running off a Linux live cd. It has to be free and it should remove any viruses found without having to purchase a full version.

    I went to Eset, Trendmicro and Bitdefender; the first two needed to download and install something, but I could not since I was using the live cd. Bitdefender was able to run but did not find the virus.

    I am trying to get rid of Packed.Generic.200. I followed the instructions from the Symantec site but they did not work. Malwarebytes was able to be downloaded but will not install. Spybot S & D was installed but will not run. Ad-aware Anniversary edition ran but did not find it. I am already geared up to do a reinstallation from scratch (client cannot find the CDs) but wanted to give it one more try.

    Thanks

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: online scan to get rid of "packed.generic.200"?
    « Reply #1 on: May 20, 2009, 10:30:52 AM »
    Quote
    I am looking for an online virus scan that will scan the C drive when the computer is running off a Linux live cd. It has to be free and it should remove any viruses found without having to purchase a full version.

    There is no guarantee, even with the paid versions, that they can detect and remove everything they find.

    Packed.Generic.200 is the name assigned to this virus by Symantec. Other companies will have a different name for it like Packed.Win32.Tdss.f [Kaspersky Lab] or Rootkit.Win32.TDSS [Ikarus].

    What this is, is a rootkit. Unless you know how to physically find and completely remove a rootkit, then I suggest you let me help.

    * Download The Avenger by Swandog46
    * Unzip/extract it to a folder on your desktop.
    * Double click on avenger.exe to run The Avenger.
    * Click OK
    * Make sure that the box next to Scan for rootkits has a mark in it and that the box next to Automatically disable any rootkits found does not have a mark in it.
    * Click the Execute button.
    * You will be asked No script has been entered. Do you want to execute a rootkit scan only?.
    * Click Yes.
    * You will now be asked First step completed ... The Avenger has been successfully set up to run on next boot. Reboot now?
    * Click Yes
    * Your PC will now be rebooted.
    * After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at
    %systemdrive%\avenger.txt (typically C:\avenger.txt).
    * Please post the Avenger log in your next reply.


    Kando

      Re: online scan to get rid of "packed.generic.200"?
      « Reply #2 on: May 20, 2009, 12:12:27 PM »
      Hi, posting from different computer.

      The log was created and says that there is no rootkit found.

      I know it is there, is there a step that is to be done after this?


      evilfantasy

      Re: online scan to get rid of "packed.generic.200"?
      « Reply #3 on: May 20, 2009, 12:18:37 PM »
      Yes we can keep looking.

      Is the infected computer hooked up to the Internet?

      Do you have the file location that the Packed.Generic.200 was found at?

      Kando

        Re: online scan to get rid of "packed.generic.200"?
        « Reply #4 on: May 20, 2009, 12:41:40 PM »
        I ran Norton 360 again to get the address:

        "globalroot\systemroot\system32\uacnmsfijuybienyic.dll"

        I can hook it up, but will the infection jump to other computers? I am working in a school right now with 200+ computers.

        evilfantasy

        Re: online scan to get rid of "packed.generic.200"?
        « Reply #5 on: May 20, 2009, 12:45:46 PM »
        It won't spread as long as you don't transfer any files from the infected computer to another clean computer.

        Please do this.

        Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.

        * Scroll down to Non-plug and Play Drivers and click the plus icon to open those drivers.
        * Search for any of the following:
        * Important! The letters can appear in either upper case or lower case letters.

        - UACd.sys <- Or anything beginning with UAC
        - TDSSserv.sys <- Or anything beginning with TDSS

        * If you do find it, right click on it, and select Disable. Do not try to uninstall them.
        * Now restart the computer.
        * Let me know if you found them or not.

        ----------

        Hook the computer up with Internet access and then download and run ComboFix and post the log. This scan will take about 10 minutes, maybe a little longer.

        Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

        Link #1
        Link #2

        **Note:  It is important that it is saved directly to your Desktop

        Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

        Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
         
        Double click combofix.exe & follow the prompts.
        Vista users: right-click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
        When finished ComboFix will produce a log for you.
        Post the ComboFix log in your next reply.

        Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

        Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

        If you have problems with ComboFix usage, see How to use ComboFix

        Kando

          Re: online scan to get rid of "packed.generic.200"?
          « Reply #6 on: May 20, 2009, 01:32:44 PM »
          I checked the device manager and did not find the files you mentioned. Would a search with wildcards find those files?

          I downloaded Combofix to the desktop and closed all browsers, disabled anti-virus and firewall. When I try to start it up, nothing happens. I checked task manager but did not see anything that looked like Combofix. I tried to start again with task manager open and still nothing happened.

          Could this be like trying to open Malwarebytes? It would show up in task manager for a fast 1/2 second and then disappear without starting.


          evilfantasy

          Re: online scan to get rid of "packed.generic.200"?
          « Reply #7 on: May 20, 2009, 02:05:30 PM »
          Launch Task Manager by pressing Ctrl + Alt + Delete

          End Process on these file names (if found)

          - FindStr
          - Vfind
          - SED
          - GREP

          - or any file that has the extension *.cfexe

          End each only once. 

          Now run ComboFix like this.

          Close all other browser windows.
           
          Go to Start > Run and copy/paste in the following:

          "%userprofile%\desktop\combofix.exe" /killall

          Press Enter and Combofix should begin to run.
           
          When finished, it will produce a log file located at C:\ComboFix.txt
           
          Post the contents of that log in your next reply.

          Kando

            Re: online scan to get rid of "packed.generic.200"?
            « Reply #8 on: May 20, 2009, 05:14:21 PM »
            Still no love. None of the processes were in task manager; I typed in what you said and hit enter. The run window comes up, I click on "run" and nothing happens.

            All of the browsers are closed, task manager is closed, the account is part of the administrative group but the program will not start.

            Looks like this is a reinstallation waiting to happen.

            evilfantasy

            Re: online scan to get rid of "packed.generic.200"?
            « Reply #9 on: May 20, 2009, 05:25:57 PM »
            Have you tried running it in Safe Mode?

            evilfantasy

            Re: online scan to get rid of "packed.generic.200"?
            « Reply #10 on: May 20, 2009, 05:27:34 PM »
            Also that wasn't a complete file path.

            globalroot\systemroot\system32\uacnmsfijuybienyic.dll

            Is the first part C:\globalroot\systemroot\system32\uacnmsfijuybienyic.dll?

            Kando

              Re: online scan to get rid of "packed.generic.200"?
              « Reply #11 on: May 20, 2009, 06:23:42 PM »
              I did not try it in safe mode; I will try that. The address is what was in the error window from Norton 360.

              evilfantasy

              Re: online scan to get rid of "packed.generic.200"?
              « Reply #12 on: May 20, 2009, 06:29:04 PM »
              Let me know. I'm not out of tricks yet :)

              Kando

                Re: online scan to get rid of "packed.generic.200"?
                « Reply #13 on: May 20, 2009, 07:39:20 PM »
                Booted into safe mode, checked task manager and they are still not there. Tried what you said and Combofix still will not start.

                What other tricks do you have? I am not sure that this is worth it, I was able to save the files and pictures and the owner is resolved to having everything reinstalled.


                evilfantasy

                Re: online scan to get rid of "packed.generic.200"?
                « Reply #14 on: May 20, 2009, 07:43:39 PM »
                Download OTMoveIt3 by OldTimer to your desktop.

                Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

                * Save it to your Desktop.
                * Double-click OTMoveIt3.exe to run it.
                * Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

                Code:
                :Processes
                explorer.exe

                :services
                UACd

                :reg

                [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys]

                [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys\modules]

                [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys\modules]

                :files
                \\?\globalroot\systemroot\system32\uacnmsfijuybienyic.dll

                :Commands
                [purity]
                [emptytemp]
                [start explorer]
                [Reboot]

                * Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
                * Click the red Moveit! button.
                * Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
                Close OTMoveIt3

                Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

                Kando

                  Re: online scan to get rid of "packed.generic.200"?
                  « Reply #15 on: May 20, 2009, 10:21:01 PM »
                  Many things have happened. After MoveIt ran and I rebooted, the Avenger log came up:

                  Avenger log-

                  Logfile of The Avenger Version 2.0, (c) by Swandog46
                  http://swandog46.geekstogo.com

                  Platform:  Windows XP

                  *******************

                  Script file opened successfully.
                  Script file read successfully.

                  Backups directory opened successfully at C:\Avenger

                  *******************

                  Beginning to process script file:

                  Rootkit scan active.

                  Hidden driver "UACd.sys" found!
                  ImagePath:  \systemroot\system32\drivers\UACrhbyyetusiutewx.sys
                  Start Type:  1 (System)

                  Rootkit scan completed.


                  Completed script processing.

                  *******************

                  Finished!  Terminate.

                  Then the MoveIt log came up:

                  MoveIt log-
                  ========== PROCESSES ==========
                  Process explorer.exe killed successfully.
                  ========== SERVICES/DRIVERS ==========
                  Service\Driver UACd not found.
                  Service\Driver UACd not found.
                  ========== REGISTRY ==========
                  Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys\\ deleted successfully.
                  Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys\modules\\ not found.
                  Unable to delete registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys\modules\\ .
                  ========== FILES ==========
                  File/Folder \\?\globalroot\systemroot\system32\uacnmsfijuybienyic.dll not found.
                  ========== COMMANDS ==========
                  User's Temp folder emptied.
                  User's Internet Explorer cache folder emptied.
                  File delete failed. C:\Documents and Settings\kevin\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
                  User's Temporary Internet Files folder emptied.
                  Local Service Temp folder emptied.
                  Local Service Temporary Internet Files folder emptied.
                  Network Service Temp folder emptied.
                  Network Service Temporary Internet Files folder emptied.
                  Windows Temp folder emptied.
                  Temp folders emptied.
                  Explorer started successfully
                   
                  OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05202009_222711

                  Files moved on Reboot...

                  THEN AVG came up and said that there were infections and did I want to move them to the vault. I clicked yes but it said access denied and did I want to delete them. I clicked yes and they were deleted. I checked the vault to be sure, and they were there. I deleted the contents of the vault.

                  And finally Norton360 popped up and said that Backdoor.tidserv was detected and that a restart was needed. I did that but the Norton360 alert came up again.

                  I checked the info that Norton had and it shows the affected areas as: 2 services, 15 files, 6 registry entries, 3 system actions and 1 browser cache.

                  A lot of progress but it looks like new problems are appearing.

                  Kando

                    Re: online scan to get rid of "packed.generic.200"?
                    « Reply #16 on: May 20, 2009, 10:27:33 PM »
                    On a whim I clicked on Malwarebytes setup and it opened up and ran through the install with no problems. It is scanning now...got my fingers crossed.

                    Kando

                      Re: online scan to get rid of "packed.generic.200"?
                      « Reply #17 on: May 20, 2009, 11:37:59 PM »
                      Whew, almost an hour scanning and Malwarebytes found 9 things, and they were removed. I rebooted and so far nothing has popped up again. Below is the log:

                      Malwarebytes' Anti-Malware 1.36
                      Database version: 1945
                      Windows 5.1.2600 Service Pack 3

                      5/21/2009 1:24:12 AM
                      mbam-log-2009-05-21 (01-24-12).txt

                      Scan type: Full Scan (C:\|)
                      Objects scanned: 142272
                      Time elapsed: 54 minute(s), 49 second(s)

                      Memory Processes Infected: 0
                      Memory Modules Infected: 0
                      Registry Keys Infected: 4
                      Registry Values Infected: 0
                      Registry Data Items Infected: 2
                      Folders Infected: 0
                      Files Infected: 3

                      Memory Processes Infected:
                      (No malicious items detected)

                      Memory Modules Infected:
                      (No malicious items detected)

                      Registry Keys Infected:
                      HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> Quarantined and deleted successfully.
                      HKEY_CLASSES_ROOT\Typelib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> Quarantined and deleted successfully.
                      HKEY_CLASSES_ROOT\AppID\{a0e1054b-01ee-4d57-a059-4d99f339709f} (Trojan.BHO) -> Quarantined and deleted successfully.
                      HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

                      Registry Values Infected:
                      (No malicious items detected)

                      Registry Data Items Infected:
                      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
                      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

                      Folders Infected:
                      (No malicious items detected)

                      Files Infected:
                      C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP0\A0000007.exe (Adware.Cinmus) -> Quarantined and deleted successfully.
                      C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
                      C:\Program Files\Common\helper.sig (Trojan.Agent) -> Quarantined and deleted successfully.

                      Success? I certainly hope so. Thanks for all the help
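As an added example, not code from this thread or from any of the tools named in it: a small Python triage script that applies the naming rule evilfantasy gives in Reply #5 (driver, service or file names beginning with UAC or TDSS, in either case, plus the UACd service key) and the two Security Center "DisableNotify" flags that the Malwarebytes log in Reply #17 reported flipped to 1, across log lines of the kind posted above. The sample input is copied from the Avenger, OTMoveIt3 and Malwarebytes logs in this thread, with two benign lines from the same logs as controls; the function and class names are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Hypothetical triage helper (not a tool from the thread). It encodes the
# indicators the replies spell out: names that begin with "UAC" or "TDSS"
# in either case, the UACd key under \Services, and the two Security Center
# "DisableNotify" flags that Malwarebytes reported set to 1 (Bad: (1)).
ROOTKIT_NAME = re.compile(
    r"(?<![A-Za-z0-9])(?:uac|tdss)[a-z0-9]*\.(?:sys|dll)", re.IGNORECASE)
SERVICE_KEY = re.compile(
    r"\\Services\\((?:uac|tdss)[^\\\s]*)", re.IGNORECASE)
NOTIFY_FLAG = re.compile(
    r"Security Center\\(AntiVirusDisableNotify|FirewallDisableNotify)\b"
    r".*?Bad:\s*\((\d)\)", re.IGNORECASE)

# Sample input copied from the logs posted in this thread (Avenger,
# OTMoveIt3, Malwarebytes); the last two lines are benign controls.
SAMPLE_LOG = [
    'Hidden driver "UACd.sys" found!',
    'ImagePath:  \\systemroot\\system32\\drivers\\UACrhbyyetusiutewx.sys',
    'Registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\UACd.sys\\\\ deleted successfully.',
    'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.',
    'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.',
    'C:\\WINDOWS\\system32\\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.',
    'c:\\windows\\system32\\drivers\\mbam.sys',
    '"igfxtray"="c:\\windows\\system32\\igfxtray.exe" [2005-11-25 98304]',
]


@dataclass(frozen=True)
class Finding:
    kind: str      # "driver_file", "service_key" or "notify_flag"
    value: str     # the matched name or flag
    line_no: int   # 1-based line number in the input


def triage(lines):
    """Return every indicator match, in input order, one Finding per hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in ROOTKIT_NAME.finditer(line):
            findings.append(Finding("driver_file", m.group(0), n))
        for m in SERVICE_KEY.finditer(line):
            findings.append(Finding("service_key", m.group(1), n))
        m = NOTIFY_FLAG.search(line)
        # Only a "Bad: (1)" value means notifications were switched off.
        if m and m.group(2) == "1":
            findings.append(Finding("notify_flag", m.group(1), n))
    return findings


def summarize(findings):
    """Unique indicator values per kind, sorted, for a short report."""
    return {kind: sorted({f.value for f in findings if f.kind == kind})
            for kind in ("driver_file", "service_key", "notify_flag")}


if __name__ == "__main__":
    for kind, values in summarize(triage(SAMPLE_LOG)).items():
        print(f"{kind}: {values}")
```

The control lines show the point of the leading-character check in ROOTKIT_NAME: a name is only flagged when "uac" or "tdss" starts the file name, so legitimate drivers in the same folder do not match. The flag check requires the Malwarebytes "Bad: (1)" form, so an entry already reporting the good value is not counted.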

                      Kando

                        Re: online scan to get rid of "packed.generic.200"?
                        « Reply #18 on: May 21, 2009, 06:10:31 AM »
                        Woke up at 4:30 and the Norton360 scan was done. There were only tracking cookies and those were deleted easily. I will be running the scans on all of the accounts on the laptop, but it looks good for the infections to be gone.

                        I will let you know if anything bad is found again, but for now


                        THANK YOU EVILFANTASY!!

                        evilfantasy

                        Re: online scan to get rid of "packed.generic.200"?
                        « Reply #19 on: May 21, 2009, 10:14:43 AM »
                        Glad it finally worked.

                        Let's run another scan just to double check.

                        Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

                        Link #1
                        Link #2

                        **Note:  It is important that it is saved directly to your Desktop

                        Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

                        Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
                         
                        Double click combofix.exe & follow the prompts.
                        Vista users: right-click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
                        When finished ComboFix will produce a log for you.
                        Post the ComboFix log in your next reply.

                        Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

                        Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

                        If you have problems with ComboFix usage, see How to use ComboFix

                        Kando

                          Re: online scan to get rid of "packed.generic.200"?
                          « Reply #20 on: May 21, 2009, 11:33:16 AM »
                          Here is the Combofix log

                          ComboFix 09-05-19.08 - Joe 05/21/2009 13:13.1 - NTFSx86
                          Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1014.413 [GMT -4:00]
                          Running from: c:\documents and settings\Joe\Desktop\ComboFix.exe
                          AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
                          AV: Norton 360 *On-access scanning disabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
                          FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

                          WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
                          .

                          (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                          .

                          c:\windows\setup.exe

                          .
                          (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
                          .

                          -------\Service_UACd.sys


                          (((((((((((((((((((((((((   Files Created from 2009-04-21 to 2009-05-21  )))))))))))))))))))))))))))))))
                          .

                          2009-05-21 17:14 . 2009-05-21 17:14   6736   ----a-w   c:\windows\system32\drivers\PROCEXP90.SYS
                          2009-05-21 04:25 . 2009-05-21 04:25   --------   d-----w   c:\documents and settings\kevin\Application Data\Malwarebytes
                          2009-05-21 04:25 . 2009-04-06 19:32   15504   ----a-w   c:\windows\system32\drivers\mbam.sys
                          2009-05-21 04:25 . 2009-04-06 19:32   38496   ----a-w   c:\windows\system32\drivers\mbamswissarmy.sys
                          2009-05-21 04:25 . 2009-05-21 04:25   --------   d-----w   c:\documents and settings\All Users\Application Data\Malwarebytes
                          2009-05-21 04:25 . 2009-05-21 04:25   --------   d-----w   c:\program files\Malwarebytes' Anti-Malware
                          2009-05-21 02:27 . 2009-05-21 02:27   --------   d-----w   C:\_OTMoveIt
                          2009-05-18 19:19 . 2009-05-18 19:19   --------   d-----w   c:\program files\Driver Magician Lite
                          2009-05-17 18:59 . 2009-05-17 19:00   --------   d-----w   c:\documents and settings\kevin
                          2009-05-17 17:06 . 2009-05-17 17:54   --------   d-----w   c:\documents and settings\Joe\.housecall6.6
                          2009-05-17 16:00 . 2009-05-17 15:36   15688   ----a-w   c:\windows\system32\lsdelete.exe
                          2009-05-17 15:36 . 2009-05-17 15:35   64160   ----a-w   c:\windows\system32\drivers\Lbd.sys
                          2009-05-17 15:35 . 2009-05-21 12:24   --------   d-----w   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
                          2009-05-17 15:35 . 2009-05-21 17:21   --------   d-----w   c:\program files\Spybot - Search & Destroy
                          2009-05-17 15:34 . 2009-05-17 15:34   --------   dc-h--w   c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
                          2009-05-17 15:34 . 2009-05-17 15:34   --------   d-----w   c:\program files\Lavasoft
                          2009-05-17 15:34 . 2009-05-17 15:36   --------   d-----w   c:\documents and settings\All Users\Application Data\Lavasoft
                          2009-05-17 15:28 . 2009-05-17 15:28   --------   d-----w   c:\program files\Windows Media Connect 2
                          2009-05-17 15:26 . 2009-05-17 15:27   --------   d-----w   c:\windows\system32\drivers\UMDF
                          2009-05-17 15:26 . 2009-05-17 15:26   --------   d-----w   c:\windows\system32\LogFiles
                          2009-05-15 02:17 . 2009-05-21 04:55   --------   d--h--w   C:\$AVG8.VAULT$
                          2009-05-15 02:13 . 2009-05-15 02:13   11952   ----a-w   c:\windows\system32\avgrsstx.dll
                          2009-05-15 02:13 . 2009-05-15 02:13   108552   ----a-w   c:\windows\system32\drivers\avgtdix.sys
                          2009-05-15 02:13 . 2009-05-15 02:13   325896   ----a-w   c:\windows\system32\drivers\avgldx86.sys
                          2009-05-15 02:13 . 2009-05-17 16:24   --------   d-----w   c:\windows\system32\drivers\Avg
                          2009-05-15 02:12 . 2009-05-15 02:12   --------   d-----w   c:\program files\AVG
                          2009-05-15 02:12 . 2009-05-15 02:12   --------   d-----w   c:\documents and settings\All Users\Application Data\avg8
                          2009-05-14 23:16 . 2009-05-14 23:16   53248   ----a-w   c:\windows\system32\drivers\UACjhmyrlvskbrrwov.sys

                          .
                          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                          .
                          2009-05-21 17:25 . 2005-12-16 08:32   --------   d-----w   c:\program files\Common Files\Symantec Shared
                          2009-05-21 05:24 . 2008-10-24 20:38   --------   d-----w   c:\program files\Common
                          2009-05-17 15:25 . 2005-12-16 05:28   --------   d-----w   c:\program files\Windows Media Connect
                          2009-05-17 15:25 . 2007-01-14 14:47   126   ----a-w   c:\documents and settings\Joe\Local Settings\Application Data\fusioncache.dat
                          2009-05-16 01:39 . 2005-12-16 08:28   --------   d-----w   c:\program files\Quicken
                          2009-04-18 14:36 . 2008-10-26 18:36   --------   d-----w   c:\program files\Norton 360
                          2009-04-04 19:49 . 2008-04-06 14:24   20   ---h--w   c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
                          2009-04-04 19:48 . 2008-04-06 14:21   20   ---h--w   c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
                          2009-03-06 14:22 . 2005-12-16 02:51   284160   ----a-w   c:\windows\system32\pdh.dll
                          .

                          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                          .
                          .
                          *Note* empty entries & legit default entries are not shown
                          REGEDIT4

                          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                          "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
                          "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-23 68856]
                          "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

                          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                          "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-25 98304]
                          "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-25 77824]
                          "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-25 118784]
                          "Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784]
                          "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
                          "VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
                          "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
                          "SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-11-29 217088]
                          "ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
                          "VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-12 151552]
                          "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-11-30 7335936]
                          "Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2005-11-24 167936]
                          "VAIOCameraUtility"="c:\program files\Sony\VAIO Camera Utility\VCUServe.exe" [2005-12-01 69632]
                          "HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-17 49152]
                          "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
                          "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
                          "osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
                          "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-15 1947928]
                          "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-17 516440]

                          c:\documents and settings\Joe\Start Menu\Programs\Startup\
                          Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]

                          c:\documents and settings\All Users\Start Menu\Programs\Startup\
                          Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
                          HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]

                          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
                          2009-05-15 02:13   11952   ----a-w   c:\windows\system32\avgrsstx.dll

                          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
                          2005-05-21 01:42   73728   ----a-w   c:\windows\system32\VESWinlogon.dll

                          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
                          @="Service"

                          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
                          "DisableMonitoring"=dword:00000001

                          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
                          "DisableMonitoring"=dword:00000001

                          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
                          "DisableMonitoring"=dword:00000001

                          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                          "EnableFirewall"= 0 (0x0)

                          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                          "%windir%\\system32\\sessmgr.exe"=
                          "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                          "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
                          "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

                          R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/17/2009 11:36 AM 64160]
                          R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/14/2009 10:13 PM 325896]
                          R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/14/2009 10:13 PM 108552]
                          R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/14/2009 10:13 PM 298776]
                          R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 953168]
                          R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/18/2008 3:37 PM 149352]
                          R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
                          R3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 10:32 PM 23888]
                          R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/25/2009 7:26 PM 101936]
                          R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [12/15/2005 10:52 PM 28800]
                          R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [12/15/2005 10:52 PM 217472]
                          S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

                          --- Other Services/Drivers In Memory ---

                          *NewlyCreated* - COMHOST
                          .
                          Contents of the 'Scheduled Tasks' folder

                          2009-05-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
                          - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 15:35]
                          .
                          - - - - ORPHANS REMOVED - - - -

                          Notify-WgaLogon - (no file)


                          .
                          ------- Supplementary Scan -------
                          .
                          uStart Page = hxxp://www.google.com/
                          uSearch Page = hxxp://www.google.com
                          uSearch Bar = hxxp://www.google.com/ie
                          mDefault_Search_URL = hxxp://www.google.com/ie
                          uInternet Settings,ProxyServer = proxy:8002
                          uSearchAssistant = hxxp://www.google.com/ie
                          uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
                          mSearchAssistant = hxxp://www.google.com/ie
                          IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
                          Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
                          .

                          **************************************************************************

                          catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                          Rootkit scan 2009-05-21 13:23
                          Windows 5.1.2600 Service Pack 3 NTFS

                          scanning hidden processes ... 

                          scanning hidden autostart entries ...

                          scanning hidden files ... 

                          scan completed successfully
                          hidden files: 0

                          **************************************************************************
                          .
                          --------------------- DLLs Loaded Under Running Processes ---------------------

                          - - - - - - - > 'winlogon.exe'(1300)
                          c:\windows\system32\VESWinlogon.dll

                          - - - - - - - > 'explorer.exe'(4928)
                          c:\windows\system32\WPDShServiceObj.dll
                          c:\windows\system32\PortableDeviceTypes.dll
                          c:\windows\system32\PortableDeviceApi.dll
                          .
                          ------------------------ Other Running Processes ------------------------
                          .
                          c:\program files\Intel\Wireless\Bin\EvtEng.exe
                          c:\program files\Intel\Wireless\Bin\S24EvMon.exe
                          c:\program files\Common Files\Symantec Shared\VAScanner\comHost.exe
                          c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
                          c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
                          c:\windows\ehome\ehrecvr.exe
                          c:\windows\ehome\ehSched.exe
                          c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
                          c:\program files\AVG\AVG8\avgrsx.exe
                          c:\progra~1\AVG\AVG8\avgnsx.exe
                          c:\windows\system32\HPZipm12.exe
                          c:\program files\Intel\Wireless\Bin\RegSrvc.exe
                          c:\program files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
                          c:\program files\Sony\VAIO Event Service\VESMgr.exe
                          c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
                          c:\windows\ehome\mcrdsvc.exe
                          c:\program files\Windows Media Player\wmpnetwk.exe
                          c:\windows\system32\igfxext.exe
                          c:\windows\system32\igfxsrvc.exe
                          c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
                          c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
                          c:\windows\system32\wbem\unsecapp.exe
                          c:\windows\ehome\ehmsas.exe
                          c:\program files\Apoint\ApntEx.exe
                          .
                          **************************************************************************
                          .
                          Completion time: 2009-05-21 13:29 - machine was rebooted
                          ComboFix-quarantined-files.txt  2009-05-21 17:29

                          Pre-Run: 78,696,206,336 bytes free
                          Post-Run: 78,620,049,408 bytes free

                          198   --- E O F ---   2009-05-17 19:11

                          Is this good news?

                          evilfantasy

                          Re: online scan to get rid of "packed.generic.200"?
                          « Reply #21 on: May 21, 2009, 12:12:07 PM »
                          Yes, there is still one left.

                          You need to uninstall either Norton or AVG. Two antivirus programs actually offer less protection because they "argue" with each other.

                          Delete these files/folders, as follows:

                          1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
                          It must be Notepad, not Wordpad.
                          2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

                          Code:
                          KillAll::

                          File::
                          c:\windows\system32\drivers\UACjhmyrlvskbrrwov.sys

                          3. Go to the Notepad window and click Edit > Paste
                          4. Then click File > Save
                          5. Name the file CFScript.txt - Save the file to your Desktop
                          6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



                          ComboFix will begin to execute, just follow the prompts.
                          After reboot (in case it asks to reboot), it will produce a log for you.
                          Post that log (Combofix.txt) in your next reply.

                          Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

                          Kando

                            Re: online scan to get rid of "packed.generic.200"?
                            « Reply #22 on: May 21, 2009, 01:07:55 PM »
                            Here is the latest ComboFix log

                            ComboFix 09-05-19.08 - Joe 05/21/2009 14:51.2 - NTFSx86
                            Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1014.443 [GMT -4:00]
                            Running from: c:\documents and settings\Joe\Desktop\ComboFix.exe
                            Command switches used :: c:\documents and settings\Joe\Desktop\CFScript.txt
                            AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
                            AV: Norton 360 *On-access scanning disabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
                            FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

                            WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

                            FILE ::
                            c:\windows\system32\drivers\UACjhmyrlvskbrrwov.sys
                            .

                            (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                            .

                            c:\windows\system32\drivers\UACjhmyrlvskbrrwov.sys

                            .
                            (((((((((((((((((((((((((   Files Created from 2009-04-21 to 2009-05-21  )))))))))))))))))))))))))))))))
                            .

                            2009-05-21 17:14 . 2009-05-21 17:29   6736   ----a-w   c:\windows\system32\drivers\PROCEXP90.SYS
                            2009-05-21 04:25 . 2009-05-21 04:25   --------   d-----w   c:\documents and settings\kevin\Application Data\Malwarebytes
                            2009-05-21 04:25 . 2009-04-06 19:32   15504   ----a-w   c:\windows\system32\drivers\mbam.sys
                            2009-05-21 04:25 . 2009-04-06 19:32   38496   ----a-w   c:\windows\system32\drivers\mbamswissarmy.sys
                            2009-05-21 04:25 . 2009-05-21 04:25   --------   d-----w   c:\documents and settings\All Users\Application Data\Malwarebytes
                            2009-05-21 04:25 . 2009-05-21 04:25   --------   d-----w   c:\program files\Malwarebytes' Anti-Malware
                            2009-05-21 02:27 . 2009-05-21 02:27   --------   d-----w   C:\_OTMoveIt
                            2009-05-18 19:19 . 2009-05-18 19:19   --------   d-----w   c:\program files\Driver Magician Lite
                            2009-05-17 18:59 . 2009-05-17 19:00   --------   d-----w   c:\documents and settings\kevin
                            2009-05-17 17:06 . 2009-05-17 17:54   --------   d-----w   c:\documents and settings\Joe\.housecall6.6
                            2009-05-17 16:00 . 2009-05-17 15:36   15688   ----a-w   c:\windows\system32\lsdelete.exe
                            2009-05-17 15:36 . 2009-05-17 15:35   64160   ----a-w   c:\windows\system32\drivers\Lbd.sys
                            2009-05-17 15:35 . 2009-05-21 12:24   --------   d-----w   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
                            2009-05-17 15:35 . 2009-05-21 17:21   --------   d-----w   c:\program files\Spybot - Search & Destroy
                            2009-05-17 15:34 . 2009-05-17 15:34   --------   dc-h--w   c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
                            2009-05-17 15:34 . 2009-05-17 15:34   --------   d-----w   c:\program files\Lavasoft
                            2009-05-17 15:34 . 2009-05-17 15:36   --------   d-----w   c:\documents and settings\All Users\Application Data\Lavasoft
                            2009-05-17 15:28 . 2009-05-17 15:28   --------   d-----w   c:\program files\Windows Media Connect 2
                            2009-05-17 15:26 . 2009-05-17 15:27   --------   d-----w   c:\windows\system32\drivers\UMDF
                            2009-05-17 15:26 . 2009-05-17 15:26   --------   d-----w   c:\windows\system32\LogFiles
                            2009-05-15 02:17 . 2009-05-21 04:55   --------   d--h--w   C:\$AVG8.VAULT$
                            2009-05-15 02:13 . 2009-05-15 02:13   11952   ----a-w   c:\windows\system32\avgrsstx.dll
                            2009-05-15 02:13 . 2009-05-15 02:13   108552   ----a-w   c:\windows\system32\drivers\avgtdix.sys
                            2009-05-15 02:13 . 2009-05-15 02:13   325896   ----a-w   c:\windows\system32\drivers\avgldx86.sys
                            2009-05-15 02:13 . 2009-05-17 16:24   --------   d-----w   c:\windows\system32\drivers\Avg
                            2009-05-15 02:12 . 2009-05-15 02:12   --------   d-----w   c:\program files\AVG
                            2009-05-15 02:12 . 2009-05-15 02:12   --------   d-----w   c:\documents and settings\All Users\Application Data\avg8

                            .
                            ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                            .
                            2009-05-21 18:54 . 2005-12-16 08:32   --------   d-----w   c:\program files\Common Files\Symantec Shared
                            2009-05-21 05:24 . 2008-10-24 20:38   --------   d-----w   c:\program files\Common
                            2009-05-17 15:25 . 2005-12-16 05:28   --------   d-----w   c:\program files\Windows Media Connect
                            2009-05-17 15:25 . 2007-01-14 14:47   126   ----a-w   c:\documents and settings\Joe\Local Settings\Application Data\fusioncache.dat
                            2009-05-16 01:39 . 2005-12-16 08:28   --------   d-----w   c:\program files\Quicken
                            2009-04-18 14:36 . 2008-10-26 18:36   --------   d-----w   c:\program files\Norton 360
                            2009-04-04 19:49 . 2008-04-06 14:24   20   ---h--w   c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
                            2009-04-04 19:48 . 2008-04-06 14:21   20   ---h--w   c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
                            2009-03-06 14:22 . 2005-12-16 02:51   284160   ----a-w   c:\windows\system32\pdh.dll
                            .

                            (((((((((((((((((((((((((((((   SnapShot@2009-05-21_17.25.26   )))))))))))))))))))))))))))))))))))))))))
                            .
                            + 2009-05-21 18:55 . 2009-05-21 18:55   16384              c:\windows\Temp\Perflib_Perfdata_4f4.dat
                            + 2009-05-21 18:54 . 2009-05-21 18:54   16384              c:\windows\Temp\Perflib_Perfdata_2a8.dat
                            .
                            (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                            .
                            .
                            *Note* empty entries & legit default entries are not shown
                            REGEDIT4

                            [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                            "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
                            "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-23 68856]
                            "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

                            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                            "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-25 98304]
                            "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-25 77824]
                            "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-25 118784]
                            "Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784]
                            "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
                            "VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
                            "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
                            "SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-11-29 217088]
                            "ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
                            "VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-12 151552]
                            "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-11-30 7335936]
                            "Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2005-11-24 167936]
                            "VAIOCameraUtility"="c:\program files\Sony\VAIO Camera Utility\VCUServe.exe" [2005-12-01 69632]
                            "HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-17 49152]
                            "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
                            "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
                            "osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
                            "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-15 1947928]
                            "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-17 516440]

                            c:\documents and settings\Joe\Start Menu\Programs\Startup\
                            Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]

                            c:\documents and settings\All Users\Start Menu\Programs\Startup\
                            Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
                            HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]

                            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
                            2009-05-15 02:13   11952   ----a-w   c:\windows\system32\avgrsstx.dll

                            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
                            2005-05-21 01:42   73728   ----a-w   c:\windows\system32\VESWinlogon.dll

                            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
                            @="Service"

                            [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
                            "DisableMonitoring"=dword:00000001

                            [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
                            "DisableMonitoring"=dword:00000001

                            [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
                            "DisableMonitoring"=dword:00000001

                            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                            "EnableFirewall"= 0 (0x0)

                            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                            "%windir%\\system32\\sessmgr.exe"=
                            "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                            "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
                            "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

                            R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/17/2009 11:36 AM 64160]
                            R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/14/2009 10:13 PM 325896]
                            R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/14/2009 10:13 PM 108552]
                            R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/14/2009 10:13 PM 298776]
                            R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 953168]
                            R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/18/2008 3:37 PM 149352]
                            R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
                            R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/25/2009 7:26 PM 101936]
                            R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [12/15/2005 10:52 PM 28800]
                            R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [12/15/2005 10:52 PM 217472]
                            S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 10:32 PM 23888]
                            S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

                            --- Other Services/Drivers In Memory ---

                            *NewlyCreated* - COMHOST
                            .
                            Contents of the 'Scheduled Tasks' folder

                            2009-05-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
                            - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 15:35]
                            .
                            .
                            ------- Supplementary Scan -------
                            .
                            uStart Page = hxxp://www.google.com/
                            uSearch Page = hxxp://www.google.com
                            uSearch Bar = hxxp://www.google.com/ie
                            mDefault_Search_URL = hxxp://www.google.com/ie
                            uInternet Settings,ProxyServer = proxy:8002
                            uSearchAssistant = hxxp://www.google.com/ie
                            uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
                            mSearchAssistant = hxxp://www.google.com/ie
                            IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
                            Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
                            .

                            **************************************************************************

                            catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                            Rootkit scan 2009-05-21 14:56
                            Windows 5.1.2600 Service Pack 3 NTFS

                            scanning hidden processes ... 

                            scanning hidden autostart entries ...

                            scanning hidden files ... 

                            scan completed successfully
                            hidden files: 0

                            **************************************************************************
                            .
                            --------------------- DLLs Loaded Under Running Processes ---------------------

                            - - - - - - - > 'winlogon.exe'(1300)
                            c:\windows\system32\VESWinlogon.dll

                            - - - - - - - > 'explorer.exe'(3512)
                            c:\windows\system32\WPDShServiceObj.dll
                            c:\windows\system32\PortableDeviceTypes.dll
                            c:\windows\system32\PortableDeviceApi.dll
                            .
                            ------------------------ Other Running Processes ------------------------
                            .
                            c:\program files\Intel\Wireless\Bin\EvtEng.exe
                            c:\program files\Intel\Wireless\Bin\S24EvMon.exe
                            c:\program files\Common Files\Symantec Shared\VAScanner\comHost.exe
                            c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
                            c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
                            c:\windows\ehome\ehrecvr.exe
                            c:\windows\ehome\ehSched.exe
                            c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
                            c:\program files\AVG\AVG8\avgrsx.exe
                            c:\progra~1\AVG\AVG8\avgnsx.exe
                            c:\windows\system32\HPZipm12.exe
                            c:\program files\Intel\Wireless\Bin\RegSrvc.exe
                            c:\program files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
                            c:\program files\Sony\VAIO Event Service\VESMgr.exe
                            c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
                            c:\program files\Windows Media Player\wmpnetwk.exe
                            c:\windows\ehome\mcrdsvc.exe
                            c:\windows\system32\igfxext.exe
                            c:\windows\system32\igfxsrvc.exe
                            c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
                            c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
                            c:\windows\system32\wbem\unsecapp.exe
                            c:\program files\Apoint\ApntEx.exe
                            c:\windows\ehome\ehmsas.exe
                            .
                            **************************************************************************
                            .
                            Completion time: 2009-05-21 15:02 - machine was rebooted
                            ComboFix-quarantined-files.txt  2009-05-21 19:02
                            ComboFix2.txt  2009-05-21 17:29

                            Pre-Run: 78,615,195,648 bytes free
                            Post-Run: 78,597,533,696 bytes free

                            201   --- E O F ---   2009-05-17 19:11


                            >crosses his fingers

                            And I am uninstalling AVG; I think the owner has actually paid for Norton.

                            evilfantasy

                            • Malware Removal Specialist
                            • Moderator


                            • Genius
                            • Calm like a bomb
                            • Thanked: 493
                            • Experience: Experienced
                            • OS: Windows 11
                            Re: online scan to get rid of "packed.generic.200"?
                            « Reply #23 on: May 21, 2009, 01:35:46 PM »
                              OK, we can finish up now.

                              This should remove all of the tools we used.

                              • Click START, then RUN.
                              • Now type Combofix /u in the run box.
                              • Make sure there's a space between Combofix and /u.
                              • Then hit Enter.

                              The above procedure will:
                              • Delete ComboFix and its associated files and folders.
                              • Reset the clock settings.
                              • Hide file extensions, if required.
                              • Hide System/Hidden files, if required.
                              • Set a new, clean Restore Point.

                              ----------

                              Download ATF Cleaner by Atribune to your Desktop.

                            Alternate download link

                            Note: Vista users must use Run As Administrator.
                            • Under Main: Select Files to Delete, choose Select All.
                            • Click the Empty Selected button.
                            • If you use the Firefox browser, click Firefox at the top and choose Select All.
                            • Click the Empty Selected button.
                              If you would like to keep your saved passwords, click No at the prompt.
                            • If you use the Opera browser, click Opera at the top and choose Select All.
                            • Click the Empty Selected button.
                              If you would like to keep your saved passwords, click No at the prompt.
                            • Click Exit on the Main menu to close the program.

                            Note that your system will run slower for a reboot or two after having used this tool, so don't panic.

                            ----------

                            Download OTCleanIt.exe and save it to your Desktop.
                            • Double-click OTCleanIt.exe.
                            • Click the CleanUp! button.
                            • Select Yes when the "Begin cleanup Process?" prompt appears.
                            • If you are prompted to reboot during the cleanup, select Yes.
                            • The tool will delete itself once it finishes; if not, delete it yourself.


                            Kando

                              Topic Starter


                              Hopeful

                              Thanked: 2
                              • Experience: Experienced
                              • OS: Windows 8
                              Re: online scan to get rid of "packed.generic.200"?
                              « Reply #24 on: May 21, 2009, 01:55:45 PM »
                              WHEW again! OK, deleted ComboFix, downloaded and ran the other two programs; is that it?

                              I don't want to go through this again, but if I do I have all of these new programs to make use of.

                              Thanks again.

                              evilfantasy

                              • Malware Removal Specialist
                              • Moderator


                              • Genius
                              • Calm like a bomb
                              • Thanked: 493
                              • Experience: Experienced
                              • OS: Windows 11
                              Re: online scan to get rid of "packed.generic.200"?
                              « Reply #25 on: May 21, 2009, 02:52:09 PM »
                              You should be good to go.

                              Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                              Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

                              Kando

                                Topic Starter


                                Hopeful

                                Thanked: 2
                                • Experience: Experienced
                                • OS: Windows 8
                                Re: online scan to get rid of "packed.generic.200"?
                                « Reply #26 on: May 22, 2009, 05:49:47 AM »
                                Well, all of my computers are safe and uninfected; this whole episode was for a teacher at the school where I work. Now she knows not to click on a little box that promises to clean up her computer for a small fee. 8-)

                                evilfantasy

                                • Malware Removal Specialist
                                • Moderator


                                • Genius
                                • Calm like a bomb
                                • Thanked: 493
                                • Experience: Experienced
                                • OS: Windows 11
                                Re: online scan to get rid of "packed.generic.200"?
                                « Reply #27 on: May 22, 2009, 08:48:44 AM »
                                I learned the hard way long ago. Sometimes a hard lesson is the best lesson. ;)

                                Let us know if anything else comes up.

                                thom

                                • Guest
                                Re: online scan to get rid of "packed.generic.200"?
                                « Reply #28 on: June 02, 2009, 09:50:04 AM »
                                EvilFantasy!!!!!

                                I........ LOVE YOU VERY MUCH DUDE~! XD  :-* :-* :-*

                                THX DUDE! YOU'RE MY COMPUTER SAVIOUR XD  ;D