[Resolved] finding dakeyras.


This topic is locked
27 replies to this topic

#16 Dakeyras
Advanced Member (Visiting Fellow, 558 posts)

Posted 28 November 2009 - 06:53 AM

Hi. :)

OK, fair play. Please be aware some of the instructions I will post can be somewhat technical in nature. So to start with I am going to request a few benign scans so I am more able to reassess the situation.

Next:
  • Please download this tool from Microsoft.
  • Double click on MGADiag.exe to run it.
  • Click Continue.
  • The program will run. It takes a while to finish the diagnosis, please be patient.
  • Once done, click on Copy.
  • Open Notepad and paste the contents in. Save this file and post it in your next reply.
Scan with Rooter:

Please download Rooter to your desktop.
  • Double click on Rooter.exe to start the application.
  • Now click on the Scan button.
  • When the scan is completed a text file called Rooter.txt will appear on your desktop, post the contents in your next reply.
  • Now click on Close button to exit Rooter.
Note: The logfile can also be located within the folder Rooter$ at the root of your installed hard drive, e.g. C:\Rooter$

Scan with RSIT:
  • Please download Random's System Information Tool by random/random from here and save it to your desktop.
Make sure that RSIT.exe is on your Desktop before running the application!
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.
  • Please post the contents of both log.txt and info.txt.
Note: Both logs can also be located within the folder rsit at the root of your installed hard drive, e.g. C:\rsit

When completed the above, please post back the following in the order asked for:
  • How is your computer performing now, any further symptoms and or problems encountered?
  • MGADiag Log.
  • Rooter Log.
  • Both RSIT logs. <-- Post them individually please, IE: one Log per post/reply.

Mammuthus Hibernian Scouserus, member of the former ASAP and UNITE
 



#17 crasher12
Authentic Member (23 posts)

Posted 28 November 2009 - 05:23 PM

Dakeyras. Hope I got this right my friend. I will be attempting to send the files you have asked for and once again thanks for your patience. When I clicked on MGADiag.exe and then continue I then clicked copy, but I did not know how to go from there. I opened notepad but could not work out how to paste the contents and save the file. I think I might have the other two RSIT.exe files right. Hoping this can do the trick. Thanks again.

Attached Files



#18 crasher12
Authentic Member (23 posts)

Posted 28 November 2009 - 05:24 PM

Dakeyras. Hoping the other got through. Here is the second log.

Attached Files

  • Attached File: RSIT.txt (22.23KB, 403 downloads)


#19 Dakeyras
Advanced Member (Visiting Fellow, 558 posts)

Posted 29 November 2009 - 07:32 AM

Hi. :)

OK run MGADiag.exe again as per the instructions. Open Notepad and right click within and select Paste >> File >> Save As... name it results and save the file to the Desktop. Then post the contents in your next reply. How to do so is explained below.

Next:

Open the results log >> click on Edit >> Select All >> Edit >> Copy >> then to actually post the contents back in this topic:-

To do so click on ADD REPLY then right click in the reply window and select Paste >> Add Reply.

Edited by Dakeyras, 29 November 2009 - 07:36 AM.

Mammuthus Hibernian Scouserus, member of the former ASAP and UNITE
 

#20 crasher12
Authentic Member (23 posts)

Posted 29 November 2009 - 06:09 PM

Diagnostic Report (1.9.0011.0):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-RTXGX-C9TC8-9J4WG
Windows Product Key Hash: uXsgKGFBvT0liRi80Xw0h1QnFKM=
Windows Product ID: 76487-OEM-2245125-44042
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 5.1.2600.2.00010100.3.0.pro
ID: {372664AA-D115-4F0A-B667-2C37B383DD7C}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.9.40.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: 0
File Exists: Yes
Version: 1.9.40.0
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft

OGA Notifications Data-->
Cached Result: 100
Version: 2.0.48.0
OGAExec.exe Signed By: Microsoft
OGAAddin.dll Signed By: Microsoft

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Word 2003 - 100 Genuine
Microsoft Office Publisher 2007 - 100 Genuine
OGA Version: Registered, 2.0.48.0
Signed By: Microsoft
Office Diagnostics: 77F760FE-153-80070002_7E90FEE8-175-80070002_025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{372664AA-D115-4F0A-B667-2C37B383DD7C}</UGUID><Version>1.9.0011.0</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-9J4WG</PKey><PID>76487-OEM-2245125-44042</PID><PIDType>3</PIDType><SID>S-1-5-21-1454471165-343818398-682003330</SID><SYSTEM><Manufacturer>Dell Computer Corporation</Manufacturer><Model>OptiPlex GX270 </Model></SYSTEM><BIOS><Manufacturer>Dell Computer Corporation</Manufacturer><Version>A06</Version><SMBIOSVersion major="2" minor="3"/><Date>20040929000000.000000+000</Date></BIOS><HWID>5DB432E701848053</HWID><UserLCID>0C09</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>AUS Eastern Standard Time(GMT+10:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version="1.9.40.0"/><File Name="WgaLogon.dll" Version="1.9.40.0"/><File Name="OGAAddin.dll" Version="2.0.48.0"/></GANotification></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{901B0409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Word 2003</Name><Ver>11</Ver><Val>516919A364705F3</Val><Hash>spKTkAlzSKuvtYDvy+g+l+VK2Pk=</Hash><Pid>70210-761-5948702-55156</Pid><PidType>1</PidType></Product><Product GUID="{91120000-0019-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Publisher 2007</Name><Ver>12</Ver><PidType>0</PidType></Product></Products><Applications><App Id="1B" Version="11" Result="100"/><App Id="19" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 1B16E:Dell Inc|10008:Microsoft Corporation|1B16E:Microsoft Corporation
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->
N/A

#21 Dakeyras
Advanced Member (Visiting Fellow, 558 posts)

Posted 30 November 2009 - 06:06 AM

Hi. :)

I have a few guidelines I would like for your good self to read before proceeding, thank you. Please take note of the below:-
  • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to notepad as I post them.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Avoid Peer to Peer software:

P2P may be a great way to get lots of seemingly freeware, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. My advice: avoid these types of software applications. My advice would be to uninstall Ares 2.0.9. If not, do not use it during the malware removal process at all please.

The same applies for the application uTorrent also.

ComboFix Advice:

I notice this very powerful application has been used. My advice: never use this without trained supervision, otherwise your machine could very well end up nothing more than an expensive doorstop!

However I would like to review the log created after the application was run. It can be located here as follows:-

C:\ComboFix.txt

Reset SP3 Firewall:

Click on Start >> Run... and cut/paste in the following and click on OK
firewall.cpl
Click on the Advanced tab >> Restore Defaults >> At the prompt click on Yes >> OK

Now click on the General tab >> select On(recommended) >> OK.

Boot.ini Check

I would like to check the current state of the Boot.ini file to check if it is corrupted or not as follows:
  • Open Notepad.
  • Copy and Paste everything from the Code Box below into Notepad: <----Start >> Run... type in notepad and select OK
@Echo off
xcopy C:\boot.ini "%userprofile%\desktop\" /h
attrib -s -h "%userprofile%\desktop\boot.ini"
ren "%userprofile%\desktop\boot.ini" bootini.txt
Del %0
  • Go to File >> Save As
  • Save File name as "Look.bat" <-- Make sure to include the apostrophes.
  • Change Save as Type to All Files and save the file to your Desktop.
Now double click on the desktop Look.bat to run the batch file. It will self-delete when completed and produce a notepad text file named bootini on your desktop.

Security Application Check:

Please download and save SecurityCheck.exe to your Desktop from one of the links below.

Link 1
Link 2

  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt
  • Please post the contents of that document in your next reply.
When completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any further symptoms and or problems encountered?
  • ComboFix Log.
  • Boot.ini Log.
  • SecurityCheck Log.

Edited by Dakeyras, 30 November 2009 - 06:08 AM.

Mammuthus Hibernian Scouserus, member of the former ASAP and UNITE
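As an added example (mine, not Dakeyras's and not part of any tool named in this thread), here is a small Python checker for the bootini.txt that Look.bat copies to the Desktop. It parses the [boot loader] and [operating systems] sections and reports the kinds of damage a reviewer looks for in that file: a missing section, a non-numeric timeout, a default= that matches no OS entry, an unrecognised ARC path, or an entry with no quoted description. The two boot.ini samples embedded in it are constructed, since the real file was never posted.

```python
import re
import sys

# Constructed sample of a healthy single-OS Windows XP boot.ini (illustrative only;
# the thread never posted the real file).
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
"""

# Constructed damaged variant: non-numeric timeout, default pointing at a partition
# no entry describes, and an entry that lacks its quoted description.
SAMPLE_BROKEN_BOOT_INI = """[boot loader]
timeout=thirty
default=multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS /fastdetect
"""

# ARC path form NTLDR expects: multi|scsi|signature(...)disk(n)rdisk(n)partition(n)\dir
ARC_PATH = re.compile(
    r"^(multi|scsi|signature)\([^)]*\)disk\(\d+\)rdisk\(\d+\)partition\(\d+\)\\[^\s=]+$",
    re.I,
)


def parse_boot_ini(text):
    """Return {section name (lowercase): [(key, value), ...]} preserving entry order.
    Lines before the first section header are collected under the key ''."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None:
            sections.setdefault("", []).append((line, ""))
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def check_boot_ini(text):
    """Return a list of readable problems; an empty list means the file looks sane."""
    problems = []
    sections = parse_boot_ini(text)
    if "" in sections:
        problems.append("data found before the first section header")
    if "boot loader" not in sections:
        problems.append("missing [boot loader] section")
    if "operating systems" not in sections:
        problems.append("missing [operating systems] section")

    loader = {k.lower(): v for k, v in sections.get("boot loader", [])}
    timeout = loader.get("timeout")
    if timeout is None:
        problems.append("[boot loader] has no timeout=")
    elif not timeout.lstrip("-").isdigit():
        problems.append("timeout is not numeric: %r" % timeout)

    os_entries = sections.get("operating systems", [])
    os_paths = [k.lower() for k, _ in os_entries]
    default = loader.get("default")
    if default is None:
        problems.append("[boot loader] has no default=")
    elif default.lower() not in os_paths:
        problems.append("default %r has no matching [operating systems] entry" % default)
    if not os_entries:
        problems.append("[operating systems] lists no entries")

    for path, value in os_entries:
        if not ARC_PATH.match(path):
            problems.append("unrecognised ARC path: %r" % path)
        if not value.startswith('"') or value.count('"') < 2:
            problems.append("entry %r lacks a quoted description" % path)
    return problems


if __name__ == "__main__":
    # Usage: python check_bootini.py "%userprofile%\desktop\bootini.txt"
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="ascii", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_BROKEN_BOOT_INI
    for problem in check_boot_ini(text) or ["no problems found"]:
        print(problem)
```

Run it against the bootini.txt that Look.bat leaves on the Desktop; with no argument it checks the built-in damaged sample and lists four problems, while the healthy sample passes clean.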
 

#22 crasher12
Authentic Member (23 posts)

Posted 30 November 2009 - 06:19 AM

ComboFix 09-11-18.06 - Administrator 19/11/2009 12:45.9.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.145 [GMT 11:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-10-19 to 2009-11-19 )))))))))))))))))))))))))))))))
.

2009-11-19 01:38 . 2009-11-19 01:40 -------- d-----w- C:\32788R22FWJFW
2009-11-17 10:41 . 2009-11-17 10:41 -------- d-----w- c:\program files\Trend Micro
2009-11-15 06:48 . 2009-11-19 01:44 12568 ----a-w- c:\windows\system32\drivers\PROCEXP113.SYS
2009-11-13 17:13 . 2009-11-09 22:38 4026136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-11-13 17:13 . 2009-11-09 22:37 2016536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-11-13 17:13 . 2009-11-09 22:37 1257240 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2009-11-13 17:13 . 2009-11-09 22:34 3963672 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-13 17:13 . 2009-11-03 06:29 600344 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2009-11-13 17:13 . 2009-11-03 06:29 496920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-12 01:41 . 2009-11-12 01:41 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-11-12 01:32 . 2009-11-12 01:32 -------- d-----w- c:\program files\iPod
2009-11-12 01:31 . 2009-11-12 01:34 -------- d-----w- c:\program files\iTunes
2009-11-12 01:06 . 2009-11-12 01:06 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-09 22:40 . 2009-11-03 06:30 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-11-09 22:33 . 2009-11-03 06:28 610072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-09 22:33 . 2009-11-03 06:28 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-09 13:14 . 2009-11-09 13:14 -------- d-----w- c:\documents and settings\Administrator\SmitfraudFix
2009-11-08 21:53 . 2009-11-08 21:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield
2009-11-07 11:58 . 2009-11-19 00:39 0 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\prvlcl.dat
2009-11-03 09:29 . 2009-11-03 09:29 -------- d-----w- C:\ST2TEMP
2009-11-03 06:31 . 2009-11-03 06:35 -------- d-----w- C:\$AVG
2009-11-03 06:28 . 2009-11-03 06:28 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-10-29 13:28 . 2009-10-29 13:29 -------- d-----w- c:\windows\LMI5F.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-18 10:28 . 2008-04-18 16:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-14 00:28 . 2009-06-20 06:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-13 04:03 . 2008-08-06 00:55 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-12 01:48 . 2009-03-23 22:46 -------- d-----w- c:\program files\Safari
2009-11-12 01:32 . 2009-01-19 15:36 -------- d-----w- c:\program files\Common Files\Apple
2009-11-09 22:37 . 2009-09-20 21:16 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-08 21:53 . 2008-04-13 12:30 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-08 21:50 . 2008-10-11 05:23 -------- d-----w- c:\program files\IncrediGames
2009-11-08 00:15 . 2008-04-18 16:21 -------- d-----w- c:\program files\Picasa2
2009-11-07 16:00 . 2009-08-26 12:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdwareAlert
2009-11-04 05:21 . 2008-04-13 06:13 80144 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-03 09:55 . 2009-06-20 06:55 -------- d-----w- c:\program files\Microsoft Works
2009-11-03 06:30 . 2009-09-20 21:16 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-03 06:30 . 2009-09-20 21:16 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-03 06:29 . 2009-09-20 21:16 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-03 06:28 . 2008-05-01 00:29 -------- d-----w- c:\program files\AVG
2009-10-21 04:58 . 2008-12-29 10:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Uniblue
2009-10-19 11:16 . 2008-04-15 22:46 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-18 22:37 . 2008-04-14 04:35 -------- d-----w- c:\program files\IncrediMail
2009-10-18 10:10 . 2008-08-06 01:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-10-18 08:51 . 2009-08-26 11:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\RegistrySmart
2009-10-18 08:51 . 2009-08-26 10:59 -------- d-----w- c:\program files\RegistrySmart
2009-10-18 08:36 . 2009-10-16 23:01 -------- d-----w- c:\program files\AVS4YOU
2009-10-18 08:35 . 2009-10-18 08:35 -------- d-----w- c:\program files\NOS
2009-10-17 02:19 . 2008-07-24 01:19 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-16 23:03 . 2009-10-16 23:01 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-10-14 23:32 . 2008-10-11 05:23 -------- d-----w- c:\program files\Oberon Media
2009-10-14 03:42 . 2009-10-14 03:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\CLOUDY Demo
2009-10-14 03:24 . 2009-10-14 03:24 -------- d-----w- c:\program files\Ubisoft
2009-10-14 00:18 . 2009-10-14 00:18 64924 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-13 23:13 . 2009-10-13 23:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\HpUpdate
2009-10-13 23:13 . 2009-10-13 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-10-13 23:10 . 2009-02-23 02:19 -------- d-----w- c:\program files\HP
2009-10-13 04:39 . 2009-01-19 15:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-10-11 10:29 . 2009-10-11 10:27 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-11 10:21 . 2009-10-11 10:19 -------- d-----w- c:\program files\QuickTime
2009-10-05 10:44 . 2009-10-05 10:44 80144 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-05 10:43 . 2009-10-05 10:26 117353 ----a-w- c:\windows\hpoins11.dat
2009-10-05 10:40 . 2009-10-05 10:40 -------- d-----w- c:\documents and settings\LocalService\Application Data\HP
2009-10-05 10:36 . 2009-10-05 10:36 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-10-05 10:35 . 2009-10-05 10:33 -------- d-----w- c:\program files\Common Files\HP
2009-10-05 10:30 . 2009-03-31 01:54 -------- d-----w- c:\program files\Hewlett-Packard
2009-10-05 03:41 . 2009-09-20 21:15 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-09-20 21:29 . 2008-04-15 05:24 -------- d-----w- c:\program files\Common Files\Real
2009-09-20 21:29 . 2009-09-20 21:29 -------- d-----w- c:\program files\Common Files\xing shared
2009-09-20 21:28 . 2008-04-15 02:07 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-09-20 21:28 . 2008-04-15 02:07 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-09-20 21:28 . 2009-09-20 21:28 -------- d-----w- c:\program files\real
2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-28 08:42 . 2009-06-02 03:05 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 08:42 . 2009-06-02 03:05 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-26 08:00 . 2004-08-04 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-11-13_04.23.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-18 23:56 . 2009-11-18 23:56 16384 c:\windows\temp\Perflib_Perfdata_1a0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-20 198160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-03 06:29 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Hiro-Media Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Hiro-Media Client.lnk
backup=c:\windows\pss\Hiro-Media Client.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Picasa2\\Picasa2.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [21/09/2009 8:16 AM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [21/09/2009 8:16 AM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/11/2009 5:28 PM 285392]
S2 gupdate1c9f40b597695f2;Google Update Service (gupdate1c9f40b597695f2);c:\program files\Google\Update\GoogleUpdate.exe [24/06/2009 1:02 AM 133104]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [4/08/2004 11:00 PM 14336]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [6/08/2008 11:48 AM 29744]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-11-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 01:34]

2009-11-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-15 07:54]

2009-11-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-23 13:59]

2009-11-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-23 13:59]

2009-11-19 c:\windows\Tasks\User_Feed_Synchronization-{6A46A9DC-B188-4BF2-912A-5A886A6CB15A}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:31]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wngrx74m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://mystart.incredimail.com/
FF - prefs.js: keyword.URL - hxxp://au.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_au&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-19 13:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1454471165-343818398-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3a,7e,8c,23,f6,49,41,4d,89,95,e2,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,01,34,9e,42,12,05,81,43,a5,50,6a,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3a,7e,8c,23,f6,49,41,4d,89,95,e2,\

[HKEY_USERS\S-1-5-21-1454471165-343818398-682003330-500\Software\SecuROM\License information*]
"datasecu"=hex:33,bc,70,6c,7d,d6,42,83,79,38,b4,00,a7,e0,28,c3,3c,2e,5c,b5,83,
70,12,b0,7e,1c,a3,fe,03,78,80,e8,67,96,db,5a,1d,c3,73,5e,6a,f3,4b,35,9f,17,\
"rkeysecu"=hex:24,bb,10,37,03,c7,2e,54,83,03,89,53,90,f8,97,a5

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3a,7e,8c,23,f6,49,41,4d,89,95,e2,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3a,7e,8c,23,f6,49,41,4d,89,95,e2,\
.
Completion time: 2009-11-19 13:08
ComboFix-quarantined-files.txt 2009-11-19 02:06
ComboFix2.txt 2009-11-15 07:13
ComboFix3.txt 2009-11-13 04:30
ComboFix4.txt 2009-10-18 09:47
ComboFix5.txt 2009-11-19 01:40

Pre-Run: 20,329,648,128 bytes free
Post-Run: 20,333,834,240 bytes free

- - End Of File - - CAEF9DF3E5B10C00F69E03037E1AD4BB
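The log above ends its "Reg Loading Points" section with the Windows Firewall AuthorizedApplications list, which includes the Ares and uTorrent clients that post #21 asks to have uninstalled or left unused. The following Python script is an added example, not ComboFix's code and not anything posted in the thread: it parses a REGEDIT4-style excerpt of that section, undoes the doubled backslashes, and flags the two P2P clients named in the thread. As an extra heuristic of my own it also flags any exception pointing outside Program Files or the Windows directory. The excerpt is constructed; the Temp path in it is invented for illustration.

```python
# Constructed REGEDIT4-style excerpt in the layout ComboFix uses for its
# "Reg Loading Points" section (paths other than the P2P clients are illustrative).
SAMPLE_REG_SECTION = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-20 198160]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\updater.exe"=
'''

# The two P2P clients the helper named in this thread.
P2P_CLIENTS = {"ares.exe", "utorrent.exe"}

# Locations a firewall exception is normally expected to live in (my heuristic,
# not a rule from the thread or from ComboFix).
EXPECTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\", "%windir%\\")


def firewall_exceptions(reg_text):
    """Return the executables listed under the AuthorizedApplications\\List key,
    with the REGEDIT4 backslash doubling undone. Other keys are ignored."""
    apps = []
    in_list = False
    for line in reg_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            # A new key begins; only the firewall exception list interests us.
            in_list = stripped.lower().endswith("authorizedapplications\\list]")
            continue
        if in_list and stripped.startswith('"'):
            key = stripped[1:stripped.index('"', 1)]  # text between the first pair of quotes
            apps.append(key.replace("\\\\", "\\"))
    return apps


def triage_exceptions(apps):
    """Return (path, reason) pairs for exceptions a reviewer would question."""
    findings = []
    for path in apps:
        name = path.rsplit("\\", 1)[-1].lower()
        if name in P2P_CLIENTS:
            findings.append((path, "peer-to-peer client allowed through the firewall"))
        elif not path.lower().startswith(EXPECTED_PREFIXES):
            findings.append((path, "executable outside Program Files / Windows"))
    return findings


if __name__ == "__main__":
    for path, reason in triage_exceptions(firewall_exceptions(SAMPLE_REG_SECTION)):
        print("%-70s %s" % (path, reason))
```

To use it on a real log, read ComboFix.txt into a string in place of SAMPLE_REG_SECTION; the parser only reacts to the AuthorizedApplications\List key, so the rest of the file passes through untouched. On the constructed excerpt it reports Ares, uTorrent and the Temp executable.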

#23 crasher12
Authentic Member (23 posts)

Posted 30 November 2009 - 06:29 AM

Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
AVG Free 9.0
McAfee Security Scan
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:

HijackThis 2.0.2
Java™ 6 Update 14
Java™ 6 Update 7
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 9.2
``````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgwdsvc.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

#24 crasher12
Authentic Member (23 posts)

Posted 30 November 2009 - 06:56 AM

;) ;) Dakeyras. I have had some problems here and hope you still have patience. I think I worked out how to send the combo fix log. I cannot work out the CODE firewall.cpl and the Click on the Advanced tab>>Restore Defaults>> etc. I went on to open notepad, copy and paste everything from the Code Box below into Notepad etc. I later saved the file name as "Look.bat" and then changed Save as Type to All files and saved the file to desktop. It did come out on my desktop and looked as you said it would, but when I double clicked on it I got this message "Documents&Settings\Administrator\Desktop\Look.bat is not valid Win 32 application." I tried it three times with the same result. Sorry about this but thanks for your patience. My computer is still the same, fast one minute, then extremely slow and freezing the next.

#25 Dakeyras
Advanced Member (Visiting Fellow, 558 posts)

Posted 30 November 2009 - 09:12 AM

Hi. :)

OK, I have given this some thought, taking into account my original assessment and what has come to light recently. I highly recommend a reformat and reinstallation of the Windows operating system, and that is the course I strongly recommend.

The original problems and what appears to be countless runs of ComboFix and other applications used have exacerbated all. Unfortunately there is only so much I can advise via the written word, and if this was one of my own machines I would not hesitate to carry out what I advise.

I appreciate you mentioned you cannot find the Genuine XP CD-ROM reinstallation disk. You will either have to find it and or purchase a new one. Then see if anyone can assist yourself with my prior instructions. If that still proves not to be an option, the only other viable suggestion I have is to take the machine to a reputable local IT Repair centre, explain the situation and have them perform the necessary work.
Mammuthus Hibernian Scouserus, member of the former ASAP and UNITE
 



#26 crasher12
Authentic Member (23 posts)

Posted 01 December 2009 - 11:11 PM

Dakeyras, many thanks anyway for your patience, I will find a tech and get him to do as you suggested. Many thanks.

#27 Dakeyras
Advanced Member (Visiting Fellow, 558 posts)

Posted 02 December 2009 - 04:51 AM

OK and you're welcome! :)
Mammuthus Hibernian Scouserus, member of the former ASAP and UNITE
 

#28 Dakeyras
Advanced Member (Visiting Fellow, 558 posts)

Posted 02 December 2009 - 04:51 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
Mammuthus Hibernian Scouserus, member of the former ASAP and UNITE
 
