
[Resolved] Windows Police Pro and Blue Screen of Death


This topic is locked
60 replies to this topic

#31 fredII

Posted 24 September 2009 - 11:52 PM

dropped exehelper.com onto desktop from E: and a big box came up that says:

Resident Shield alert
Multiple threat detection
E:\exehelper.com Virus found Downloader.Banload Infected
E:\exehelper.com Virus found Downloader.Banload Infected

then I have 3 boxes: Remove selected infections / Remove all unhealed infections / Close. I've seen this before and I think it's part of the malware but I'm not sure. I can click the upper right x and it goes away but I don't know what to do. I've left the box open to see if you reply. That's as far as I've gotten to your latest request. Fred


#32 fredII

Posted 24 September 2009 - 11:57 PM

should I try to launch exehelper.exe from E:?

#33 fredII

Posted 24 September 2009 - 11:59 PM

svchast.exe is back in Processes in Task Manager BTW

#34 fredII

Posted 25 September 2009 - 12:11 AM

Closed the task mgr box and another box is showing with a red circle with a white x on the left side:

Error Copying File or Folder
Cannot copy exehelper: Access is denied. Make sure the disk is not full or write-protected . . . . .

Will wait for instructions. Thanks Raktor, appreciate your help. Fred

#35 Raktor

Posted 25 September 2009 - 02:33 AM

Please disable AVG, then try downloading and running exeHelper again. If that still fails, just continue on with Combofix.
Graduate from the WTT Malware Classroom
If you feel I have helped you, please consider a donation.
Topics will be closed after three days if there is no response.
Please do not PM me for malware removal assistance.

#36 fredII

Posted 25 September 2009 - 10:53 PM

Raktor, I disabled AVG and exeHelper ran a scan; here are the results.

exeHelper by Raktor - 09 Build 20090919
Run at 20:17:42 on 09/22/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Found file C:\WINDOWS\system32\desot.exe
Deleting file C:\WINDOWS\system32\desot.exe
Found file C:\Program Files\Windows Police Pro\Windows Police Pro.exe
Deleting file C:\Program Files\Windows Police Pro\Windows Police Pro.exe
Found file C:\WINDOWS\system32\dddesot.dll
Deleting file C:\WINDOWS\system32\dddesot.dll
Found file C:\WINDOWS\ppp3.dat
Deleting file C:\WINDOWS\ppp3.dat
Found file C:\WINDOWS\ppp4.dat
Deleting file C:\WINDOWS\ppp4.dat
Found file C:\WINDOWS\system32\sysnet.dat
Deleting file C:\WINDOWS\system32\sysnet.dat
Found file C:\WINDOWS\system32\bincd32.dat
Deleting file C:\WINDOWS\system32\bincd32.dat
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

exeHelper by Raktor - 09 Build 20090919
Run at 21:11:36 on 09/22/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

exeHelper by Raktor - 09 Build 20090919
Run at 22:36:13 on 09/22/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

exeHelper by Raktor - 09 Build 20090919
Run at 21:46:16 on 09/25/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

Sorry to be so late, at family vacation site for the weekend. BTW, I'm sending this from the infected computer. I'll continue on with Combofix if I don't get redirected while trying to get it downloaded from this computer. Fred

#37 fredII

Posted 25 September 2009 - 10:56 PM

BTW, did this work? Fred

#38 Raktor

Posted 25 September 2009 - 10:58 PM

Yes, but Combofix needs to be run.

#39 fredII

Posted 26 September 2009 - 01:34 AM

Raktor, I did get to download ComboFix. Followed instructions. It downloaded Windows Recovery Console. There were some issues I can't explain and it rebooted and continued. It got into autoscan, scanning for infected files. After about a minute a box came up:

Rootkit!! Combofix has detected presence of rootkit activity and needs to reboot. Please write down this info, it may be needed later.

(here's what was the info)
C:\windows\system32\drivers\gasfkywxwheexy.sys
C:\windows\system32\gasfkyycnirppr.dll
C:\windows\system32\gasfkypopnbjou.dat
C:\windows\system32\gasfkygqmcetyn.dll
C:\windows\system32\gasfkyrgfldlve.dat
C:\windows\system32\gasfkybpkbwute.dll
C:\windows\system32\drivers\UACd.sys

I hit ok and the system totally rebooted and it cycled back to this display again; it repeated it 6 more times. At that point I figured it was in an endless do loop and tried to get out of Combofix by getting into task manager; it wouldn't come up so I hit the on/off button and it shut down. I restarted in normal mode to get back to the desktop and inform you of what happened but it went into chkdsk, an elaborate one at that. From what I could catch it deleted a lot of orphan files and then went into "deleting an index entry from index $o of file 25". It stayed there a long time showing the % complete as it went along deleting a lot of index entries and then I saw it was recovering some entries (it was hard to tell, sorry). I went back into Combofix mode (don't think it ever left) and the box came up again just like above. I let it reboot 2 more times and then I went into safe mode and hit shut down. That's where I'm at now. It never finished a complete scan, just the continuous do loop. Also, just before this box above comes up there is a sentence (I only caught part of this portion) that says "....updat-CF.cmd not recognized as an internal or external command or batch file, could not find combo-fix\update-CF.cmd" then the box comes up.
I have noticed upon the reboots that the tons of boxes that were coming up before way earlier in this thread are not doing that any more. Right now, I can't get back to my desktop, seems to be locked into running ComboFix. Hope this is helpful. Awaiting your instructions. (Is there a way to stop ComboFix?) Thanks, Fred

#40 Raktor

Posted 26 September 2009 - 08:54 PM

Please open the AVG 8.5 Control Center, by right clicking on the AVG icon on task bar.
Click on Open AVG Interface.
Double click on Resident Shield
Deselect the option to "Enable Resident Shield."
Save changes, and exit the application.

Delete existing ComboFix.exe and download a fresh copy.
Link 1
Link 2

Now run CF, and if Combofix goes into that "endless reboot loop", close the blue CF DOS window before CF gets to the "rootkit found" message.


#41 fredII

Posted 28 September 2009 - 10:16 AM

Raktor, I'll respond when I get home tonight, just wanted to let you know. Thanks, Fred.

#42 fredII

Posted 28 September 2009 - 09:28 PM

Success!!!! New copy of CF and it ran and here's the report.

ComboFix 09-09-28.01 - Owner 09/28/2009 20:01.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1527.871 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\progra~1\COMMON~1\{34BDA~1
c:\progra~1\COMMON~1\{B4BDA~1
c:\program files\AskSearch\bin\DefaultSearch.dll
c:\program files\Windows Police Pro
c:\program files\Windows Police Pro\msvcm80.dll
c:\program files\Windows Police Pro\msvcp80.dll
c:\program files\Windows Police Pro\msvcr80.dll
c:\program files\Windows Police Pro\tmp\dbsinit.exe
c:\program files\Windows Police Pro\tmp\images\i1.gif
c:\program files\Windows Police Pro\tmp\images\i2.gif
c:\program files\Windows Police Pro\tmp\images\i3.gif
c:\program files\Windows Police Pro\tmp\images\j1.gif
c:\program files\Windows Police Pro\tmp\images\j2.gif
c:\program files\Windows Police Pro\tmp\images\j3.gif
c:\program files\Windows Police Pro\tmp\images\jj1.gif
c:\program files\Windows Police Pro\tmp\images\jj2.gif
c:\program files\Windows Police Pro\tmp\images\jj3.gif
c:\program files\Windows Police Pro\tmp\images\l1.gif
c:\program files\Windows Police Pro\tmp\images\l2.gif
c:\program files\Windows Police Pro\tmp\images\l3.gif
c:\program files\Windows Police Pro\tmp\images\pix.gif
c:\program files\Windows Police Pro\tmp\images\t1.gif
c:\program files\Windows Police Pro\tmp\images\t2.gif
c:\program files\Windows Police Pro\tmp\images\up1.gif
c:\program files\Windows Police Pro\tmp\images\up2.gif
c:\program files\Windows Police Pro\tmp\images\w1.gif
c:\program files\Windows Police Pro\tmp\images\w11.gif
c:\program files\Windows Police Pro\tmp\images\w2.gif
c:\program files\Windows Police Pro\tmp\images\w3.gif
c:\program files\Windows Police Pro\tmp\images\w3.jpg
c:\program files\Windows Police Pro\tmp\images\wt1.gif
c:\program files\Windows Police Pro\tmp\images\wt2.gif
c:\program files\Windows Police Pro\tmp\images\wt3.gif
c:\program files\Windows Police Pro\tmp\wispex.html
c:\recycler\S-1-5-21-3963078224-3239512543-965112274-1003
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Installer\d8f3d.msp
c:\windows\run.log
c:\windows\svchast.exe
c:\windows\system32\bennuar.old
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\drivers\gasfkyrnsixdny.sys
c:\windows\system32\drivers\gasfkywxwheexy.sys
c:\windows\system32\drivers\MSIVXpjkcjmmgtpeyknoootlqoynymnuhbgqw.sys.vir
c:\windows\system32\drivers\UACd.sys
c:\windows\system32\drivers\UACyuijpyxevr.sys
c:\windows\system32\gasfkybpkbwute.dll
c:\windows\system32\gasfkygqmcetyn.dll
c:\windows\system32\gasfkypopnbjou.dat
c:\windows\system32\gasfkyrgfldlve.dat
c:\windows\system32\gasfkyrtfgeism.dll
c:\windows\system32\gasfkyycnirppr.dll
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\net.net
c:\windows\system32\UACabuxoqhxbq.dll
c:\windows\system32\wispex.html
c:\windows\wiaserviv.log

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_gasfkyquqfvbyg
-------\Legacy_UACd.sys
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_gasfkyquqfvbyg
-------\Service_UACd.sys
-------\Legacy_AntipPolice_
-------\Service_AntipPolice_


((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-29 )))))))))))))))))))))))))))))))
.

2009-09-26 06:33 . 2009-09-26 06:33 -------- d-----w- C:\found.000
2009-09-24 05:57 . 2009-09-24 05:14 71680 ----a-w- C:\mbr.exe
2009-09-21 07:33 . 2009-09-26 04:21 0 ----a-r- c:\windows\win32k.sys
2009-09-21 07:11 . 2009-09-21 07:11 68608 ----a-w- c:\windows\system32\drivers\tivmtqfoysnnvsji.sys
2009-09-13 05:42 . 2009-09-13 05:42 -------- d-----w- c:\documents and settings\Cory\Application Data\Malwarebytes
2009-09-12 04:24 . 2009-09-12 04:24 -------- d-----w- c:\documents and settings\Freddie\Application Data\Malwarebytes
2009-09-09 04:57 . 2009-09-09 04:57 -------- d-----w- c:\documents and settings\Owner\Application Data\GOL_byHasbro
2009-09-09 04:47 . 2009-09-09 04:47 -------- d-----w- C:\GameHouse Games
2009-09-09 04:45 . 2009-09-09 04:45 -------- d-----w- c:\program files\RealArcade
2009-09-07 17:57 . 2009-09-07 17:57 -------- d-----w- c:\documents and settings\All Users\Application Data\kds_kodak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-29 03:05 . 2008-05-27 03:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-10 21:54 . 2008-08-17 19:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2008-05-27 03:59 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 04:24 . 2008-09-07 04:19 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-08 04:41 . 2007-01-23 22:27 -------- d-----w- c:\program files\IKEA HomePlanner
2009-09-07 23:46 . 2006-09-17 17:57 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2009-09-07 21:57 . 2004-11-16 04:32 -------- d-----w- c:\program files\Notebook Maximizer
2009-09-07 18:22 . 2008-08-17 20:53 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2009-08-29 03:31 . 2007-07-04 15:49 37592 -c--a-w- c:\documents and settings\Freddie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-27 05:46 . 2008-01-01 21:37 37592 ----a-w- c:\documents and settings\Cory\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 02:24 . 2006-08-25 20:58 37592 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-25 10:16 . 2009-08-25 10:16 -------- d-----w- c:\program files\MSBuild
2009-08-25 10:16 . 2009-08-25 10:16 -------- d-----w- c:\program files\Reference Assemblies
2009-08-25 10:03 . 2009-08-25 10:03 -------- d-----w- c:\program files\MSXML 6.0
2009-08-25 03:26 . 2008-10-27 01:38 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-25 03:26 . 2008-10-27 01:38 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-25 03:26 . 2008-10-27 01:38 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-18 18:04 . 2009-08-18 18:04 -------- d-----w- c:\program files\Marvell
2009-08-06 08:10 . 2009-08-06 08:10 282624 ----a-w- c:\windows\system32\yk51x86.dll
2009-08-06 08:10 . 2004-11-16 03:20 297728 ----a-w- c:\windows\system32\drivers\yk51x86.sys
2009-08-05 09:11 . 2004-11-15 23:32 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 18:55 . 2004-11-15 23:32 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2004-11-15 23:33 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2008-02-10 04:01 . 2008-02-10 04:01 10752 --sha-w- c:\program files\Thumbs.db
2007-12-10 02:53 . 2007-12-10 02:41 1679619 ----a-w- c:\program files\Uninst.isu
2006-10-21 16:09 . 2006-10-21 16:09 985904 ----a-w- c:\program files\FreecorderSetup.exe
2001-09-02 00:01 . 2007-12-10 02:43 1486848 ----a-r- c:\program files\TONKA Monster Trucks.exe
2001-08-31 05:59 . 2007-12-10 02:43 21139 ------w- c:\program files\Readme.txt
2001-08-28 02:14 . 2007-12-10 02:43 40960 ------w- c:\program files\TONKA MONSTER TRUCKS Install Guide.DOC
2001-08-15 22:39 . 2007-12-10 02:43 2202 ------w- c:\program files\Tonka Monster Trucks.ico
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-07-18 01:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 16:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-18 279944]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-18 279944]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 65536]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-11-10 94208]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-08 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-08 126976]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 688218]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2003-09-06 184320]
"AGRSMMSG"="c:\windows\AGRSMMSG.exe" [2004-10-28 88363]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2004-11-13 73728]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-03 122939]
"TPSMain"="c:\windows\system32\TPSMain.exe" [2004-08-27 278528]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 1077301]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 461584]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-01-27 401408]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-01-27 385024]
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2006-01-27 356352]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-25 2007832]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2007-11-13 1052672]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2004-12-15 368640]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-09-15 135168]
"PCClient.exe"="c:\program files\Trend Micro\Antivirus\PCClient.exe" [2004-02-17 634949]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"TFncKy"="TFncKy.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SYSDLL"="SYSDLL" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2004-12-7 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2006-01-27 13:12 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-25 03:26 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TONKA« Construction 2 Registration.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\TONKA« Construction 2 Registration.lnk
backup=c:\windows\pss\TONKA« Construction 2 Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/26/2008 6:38 PM 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/26/2008 6:38 PM 297752]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [12/13/2007 12:07 PM 18944]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [3/5/2004 12:53 PM 204816]
R2 Tmntsrv;Trend NT Realtime Service;c:\program files\Trend Micro\Antivirus\Tmntsrv.exe [2/17/2004 3:57 PM 241737]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [3/5/2004 12:53 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Antivirus\tmproxy.exe [2/17/2004 3:58 PM 204873]
S3 bfastfao;bfastfao;\??\c:\docume~1\Owner\LOCALS~1\Temp\bfastfao.sys --> c:\docume~1\Owner\LOCALS~1\Temp\bfastfao.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-07-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://www.gamehouse.com/games/zylom/zylomplayer.cab
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard
AddRemove-BearShare Test - e:\progra~1\BEARSH~1\UNWISE.EXE
AddRemove-HijackThis - c:\documents and settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8DSB0VWV\HijackThis.exe
AddRemove-Malwarebytes' Anti-Malware_is1 - e:\malwarebytes' anti-malware\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-28 20:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(4736)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\DVDRAMSV.exe
c:\program files\Intel\Wireless\Bin\OProtSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\program files\Pure Networks\Network Magic\nmsrvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\windows\system32\TPSBattM.exe
c:\program files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
.
**************************************************************************
.
Completion time: 2009-09-29 20:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-29 03:17

Pre-Run: 21,442,486,272 bytes free
Post-Run: 21,425,373,184 bytes free

308 --- E O F --- 2009-09-09 05:16

Thanks, things have been running better, I know we have a ways to go.
Fred

#43 Raktor

Posted 28 September 2009 - 09:49 PM

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    http://forums.whatthetech.com/Windows_Police_Pro_Blue_Screen_Death_t107127.html
    
    Collect::
    c:\windows\win32k.sys
    c:\windows\system32\drivers\tivmtqfoysnnvsji.sys
    
    Driver:: 
    bfastfao
    
    Registry:: 
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "SYSDLL"=-
    
    DDS::
    uInternet Settings,ProxyOverride = *.local;<local>
    uInternet Settings,ProxyServer = http=localhost:7171
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
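As an added example (not ComboFix's or the forum's own tooling), here is a small Python triage script that walks a constructed excerpt of the ComboFix log from post #42 and flags the four kinds of entry the CFScript above targets: an autorun value whose file ComboFix marked [X], a driver service loading from a Temp folder, a loopback ProxyServer, and the Security Center AntiVirusOverride flag. The "fix" text it attaches names the CFScript section Raktor used for that class of entry; the regexes assume the line formats exactly as quoted in the thread.

```python
import re

# Constructed excerpt of the ComboFix log quoted in post #42, trimmed to the
# kinds of line the checks below look at; formats are as ComboFix printed them.
SAMPLE_LOG = r"""
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SYSDLL"="SYSDLL" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/26/2008 6:38 PM 335240]
S3 bfastfao;bfastfao;\??\c:\docume~1\Owner\LOCALS~1\Temp\bfastfao.sys --> c:\docume~1\Owner\LOCALS~1\Temp\bfastfao.sys [?]
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                             # [HKEY_...] section header
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')                     # "Name"=data (REGEDIT4 style)
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")  # R2 name;description;image [...]
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (.+)$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
LOOPBACK_RE = re.compile(r"localhost|127\.0\.0\.1", re.IGNORECASE)


def triage(log_text):
    """Scan ComboFix log text and return a list of findings.

    Each finding is a dict with 'kind', 'detail' and 'fix'. 'fix' names the
    CFScript section from post #43 that handles that class of entry; it is
    advisory text for the analyst, not a generated script.
    """
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue

        m = VALUE_RE.match(line)
        if m:
            name, data = m.group(1), m.group(2)
            key_lc = current_key.lower()
            # ComboFix appends [X] to an autorun value whose target file it could
            # not find: a leftover launcher for something already removed, or a
            # bare name that only resolves through a hijacked lookup.
            if key_lc.endswith(r"\run") and data.endswith("[X]"):
                findings.append({"kind": "autorun_missing_target",
                                 "detail": f"[{current_key}] {name}={data}",
                                 "fix": f'Registry:: [{current_key}] "{name}"=-'})
            # AntiVirusOverride=1 silences Security Center's "no antivirus" warning,
            # which rogue AV products like to set. Reported only; the thread does
            # not script a change for it.
            elif (name == "AntiVirusOverride" and data.lower() == "dword:00000001"
                  and "security center" in key_lc):
                findings.append({"kind": "security_center_override",
                                 "detail": f"[{current_key}] {name}={data}",
                                 "fix": "review manually"})
            continue

        m = SERVICE_RE.match(line)
        if m:
            state, svc_name, _desc, image = m.groups()
            # A kernel driver whose image lives in a user's Temp folder
            # (bfastfao in this thread) has no legitimate reason to be there.
            if TEMP_DIR_RE.search(image):
                findings.append({"kind": "driver_in_temp",
                                 "detail": f"{state} {svc_name}: {image}",
                                 "fix": f"Driver:: {svc_name}"})
            continue

        m = PROXY_RE.match(line)
        if m and LOOPBACK_RE.search(m.group(1)):
            # IE routed through a loopback proxy is how this infection sat in
            # the browsing path. Some local filtering tools do the same, so
            # confirm what listens on the port before resetting the setting.
            findings.append({"kind": "loopback_proxy",
                             "detail": line,
                             "fix": f"DDS:: {line}"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:<26} {f['detail']}\n{'':<26} -> {f['fix']}")
```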

#44 fredII

Posted 28 September 2009 - 10:15 PM

Currently creating the next report. Fred

#45 fredII

Posted 28 September 2009 - 10:25 PM

Second CF.TXT file

ComboFix 09-09-28.01 - Owner 09/28/2009 21:02.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1527.843 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: E:\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: c:\windows\system32\drivers\tivmtqfoysnnvsji.sys
file zipped: c:\windows\win32k.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\tivmtqfoysnnvsji.sys
c:\windows\win32k.sys

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BFASTFAO
-------\Service_bfastfao


((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-29 )))))))))))))))))))))))))))))))
.

2009-09-26 06:33 . 2009-09-26 06:33 -------- d-----w- C:\found.000
2009-09-24 05:57 . 2009-09-24 05:14 71680 ----a-w- C:\mbr.exe
2009-09-13 05:42 . 2009-09-13 05:42 -------- d-----w- c:\documents and settings\Cory\Application Data\Malwarebytes
2009-09-12 04:24 . 2009-09-12 04:24 -------- d-----w- c:\documents and settings\Freddie\Application Data\Malwarebytes
2009-09-09 04:57 . 2009-09-09 04:57 -------- d-----w- c:\documents and settings\Owner\Application Data\GOL_byHasbro
2009-09-09 04:47 . 2009-09-09 04:47 -------- d-----w- C:\GameHouse Games
2009-09-09 04:45 . 2009-09-09 04:45 -------- d-----w- c:\program files\RealArcade
2009-09-07 17:57 . 2009-09-07 17:57 -------- d-----w- c:\documents and settings\All Users\Application Data\kds_kodak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-29 04:05 . 2008-05-27 03:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-10 21:54 . 2008-08-17 19:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2008-05-27 03:59 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 04:24 . 2008-09-07 04:19 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-08 04:41 . 2007-01-23 22:27 -------- d-----w- c:\program files\IKEA HomePlanner
2009-09-07 23:46 . 2006-09-17 17:57 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2009-09-07 21:57 . 2004-11-16 04:32 -------- d-----w- c:\program files\Notebook Maximizer
2009-09-07 18:22 . 2008-08-17 20:53 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2009-08-29 03:31 . 2007-07-04 15:49 37592 -c--a-w- c:\documents and settings\Freddie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-27 05:46 . 2008-01-01 21:37 37592 ----a-w- c:\documents and settings\Cory\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 02:24 . 2006-08-25 20:58 37592 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-25 10:16 . 2009-08-25 10:16 -------- d-----w- c:\program files\MSBuild
2009-08-25 10:16 . 2009-08-25 10:16 -------- d-----w- c:\program files\Reference Assemblies
2009-08-25 10:03 . 2009-08-25 10:03 -------- d-----w- c:\program files\MSXML 6.0
2009-08-25 03:26 . 2008-10-27 01:38 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-25 03:26 . 2008-10-27 01:38 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-25 03:26 . 2008-10-27 01:38 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-18 18:04 . 2009-08-18 18:04 -------- d-----w- c:\program files\Marvell
2009-08-06 08:10 . 2009-08-06 08:10 282624 ----a-w- c:\windows\system32\yk51x86.dll
2009-08-06 08:10 . 2004-11-16 03:20 297728 ----a-w- c:\windows\system32\drivers\yk51x86.sys
2009-08-05 09:11 . 2004-11-15 23:32 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 18:55 . 2004-11-15 23:32 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2004-11-15 23:33 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2008-02-10 04:01 . 2008-02-10 04:01 10752 --sha-w- c:\program files\Thumbs.db
2007-12-10 02:53 . 2007-12-10 02:41 1679619 ----a-w- c:\program files\Uninst.isu
2006-10-21 16:09 . 2006-10-21 16:09 985904 ----a-w- c:\program files\FreecorderSetup.exe
2001-09-02 00:01 . 2007-12-10 02:43 1486848 ----a-r- c:\program files\TONKA Monster Trucks.exe
2001-08-31 05:59 . 2007-12-10 02:43 21139 ------w- c:\program files\Readme.txt
2001-08-28 02:14 . 2007-12-10 02:43 40960 ------w- c:\program files\TONKA MONSTER TRUCKS Install Guide.DOC
2001-08-15 22:39 . 2007-12-10 02:43 2202 ------w- c:\program files\Tonka Monster Trucks.ico
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-07-18 01:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 16:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-18 279944]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-18 279944]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 65536]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-11-10 94208]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-08 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-08 126976]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 688218]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2003-09-06 184320]
"AGRSMMSG"="c:\windows\AGRSMMSG.exe" [2004-10-28 88363]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2004-11-13 73728]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-03 122939]
"TPSMain"="c:\windows\system32\TPSMain.exe" [2004-08-27 278528]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 1077301]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 461584]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-01-27 401408]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-01-27 385024]
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2006-01-27 356352]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-25 2007832]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2007-11-13 1052672]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2004-12-15 368640]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-09-15 135168]
"PCClient.exe"="c:\program files\Trend Micro\Antivirus\PCClient.exe" [2004-02-17 634949]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"TFncKy"="TFncKy.exe" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2004-12-7 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2006-01-27 13:12 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-25 03:26 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TONKA« Construction 2 Registration.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\TONKA« Construction 2 Registration.lnk
backup=c:\windows\pss\TONKA« Construction 2 Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/26/2008 6:38 PM 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/26/2008 6:38 PM 297752]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [12/13/2007 12:07 PM 18944]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [3/5/2004 12:53 PM 204816]
R2 Tmntsrv;Trend NT Realtime Service;c:\program files\Trend Micro\Antivirus\Tmntsrv.exe [2/17/2004 3:57 PM 241737]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [3/5/2004 12:53 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Antivirus\tmproxy.exe [2/17/2004 3:58 PM 204873]
.
Contents of the 'Scheduled Tasks' folder

2009-07-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://www.gamehouse.com/games/zylom/zylomplayer.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-28 21:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(5820)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\DVDRAMSV.exe
c:\program files\Intel\Wireless\Bin\OProtSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\program files\Pure Networks\Network Magic\nmsrvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\windows\system32\TPSBattM.exe
c:\program files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
.
**************************************************************************
.
Completion time: 2009-09-29 21:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-29 04:17
ComboFix2.txt 2009-09-29 03:17

Pre-Run: 21,435,002,880 bytes free
Post-Run: 21,395,906,560 bytes free

210 --- E O F --- 2009-09-09 05:16


Thanks, Fred
