WiredWX Hobby Weather ToolsLog in

 


Please help with malware problem

3 posters

descriptionPlease help with malware problem - Page 2 EmptyRe: Please help with malware problem

more_horiz
hmmm wont let me delete, says access is denied. make sure the disk is not full or in use.

Smile...

descriptionPlease help with malware problem - Page 2 EmptyRe: Please help with malware problem

more_horiz
oh i forgot to add i double clicked on fix reg, but there was no choice to run it, it simply ask if i wanted to add the info in C;? etc after choosing yes, a message then said that info has been entered.
Did i do this right?

descriptionPlease help with malware problem - Page 2 EmptyRe: Please help with malware problem

more_horiz
Yep.
Still can't remove the folder?

descriptionPlease help with malware problem - Page 2 EmptyRe: Please help with malware problem

more_horiz
Nope cannot remove the folder, it wont let me... what ever "it" is Smile...

descriptionPlease help with malware problem - Page 2 EmptyRe: Please help with malware problem

more_horiz
Fine, lets see if with stand this.

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Folders to delete:
c:\program files\GenerousAdsForYou


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.

descriptionPlease help with malware problem - Page 2 EmptyRe: Please help with malware problem

more_horiz
i seriously didnt think anything was going to work, cross fingers this has...

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Folder "c:\program files\GenerousAdsForYou" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

descriptionPlease help with malware problem - Page 2 EmptyRe: Please help with malware problem

more_horiz
Download the GMER rootkit scan from here: GMER

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tools works in safe mode.
You can also try renaming it since some malware blocks GMER.

descriptionPlease help with malware problem - Page 2 EmptyRe: Please help with malware problem

more_horiz
GMER 1.0.15.15077 [9t11vtb8.exe] - http://www.gmer.net
Rootkit scan 2009-09-04 23:53:10
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF75AC87E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF75ACBFE]

Code 82E3B018 ZwDuplicateObject
Code 8310CC18 ZwSetInformationFile
Code 82F4A208 ZwSetSystemInformation
Code 82F50710 ZwWriteFile
Code 82E3B017 NtDuplicateObject
Code 8310CC17 NtSetInformationFile
Code 82F5070F NtWriteFile

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!IoGetBootDiskInformation + 66F 80576917 7 Bytes JMP 82F8343C
PAGE ntkrnlpa.exe!NtSetInformationFile 8057B010 7 Bytes JMP 8310CC1C
PAGE ntkrnlpa.exe!NtWriteFile 8057CEF2 7 Bytes JMP 82F50714
PAGE ntkrnlpa.exe!ObCloseHandle + 17 805BC4F3 7 Bytes JMP 82F51EEC
PAGE ntkrnlpa.exe!NtDuplicateObject 805BDFD0 7 Bytes JMP 82E3B01C
PAGE ntkrnlpa.exe!ZwSetSystemInformation 8060F3E4 5 Bytes JMP 82F4A20C
PAGE Fastfat.SYS B84169C8 7 Bytes JMP 82FE68AC

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[660] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[660] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9521 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[660] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCB69 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[660] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[660] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2543F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[660] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[660] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[660] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[660] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[660] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[660] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[660] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[660] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED408 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[660] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E3F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2580] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2580] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2580] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2580] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2580] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2580] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2580] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2580] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2580] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

descriptionPlease help with malware problem - Page 2 EmptyRe: Please help with malware problem

more_horiz
---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F7951390] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F79513EC] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F795163A] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F7951616] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F7951616] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F79513EC] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F7951390] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F795163A] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F795163A] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F7951616] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F79513EC] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F7951390] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F7951616] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F795163A] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F7951390] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F79513EC] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F7951390] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F79513EC] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F7951616] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F795163A] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F7951616] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F79513EC] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F7951390] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [F7951390] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [F79513EC] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [F795163A] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [F7951616] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F7951616] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F795163A] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F7951390] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F79513EC] GRFILTER.sys (NDIS Filter/Authentium Inc.)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[660] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs VET-REC.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)

Device \FileSystem\Fastfat \FatCdrom Code 82FE68A8
Device \Driver\Tcpip \Device\Ip GRTdiMon.sys (GRTdiMon TDI Filter Driver/Authentium Inc)
Device \Driver\Tcpip \Device\Tcp GRTdiMon.sys (GRTdiMon TDI Filter Driver/Authentium Inc)

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\Tcpip \Device\Udp GRTdiMon.sys (GRTdiMon TDI Filter Driver/Authentium Inc)
Device \Driver\Tcpip \Device\RawIp GRTdiMon.sys (GRTdiMon TDI Filter Driver/Authentium Inc)
Device \Driver\Tcpip \Device\IPMULTICAST GRTdiMon.sys (GRTdiMon TDI Filter Driver/Authentium Inc)
Device \FileSystem\Fastfat \Fat Code 82FE68A8

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat VET-REC.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----

descriptionPlease help with malware problem - Page 2 EmptyRe: Please help with malware problem

more_horiz
I would like to add (no pun intended) that the popup adds have gone... but running very slow still, but then other times it would run ok. Sometimes i am unable to open IE
thanks Smile...

descriptionPlease help with malware problem - Page 2 EmptyRe: Please help with malware problem

more_horiz
Hello.
Please run Combofix one more time.

descriptionPlease help with malware problem - Page 2 EmptyRe: Please help with malware problem

more_horiz
k...


ComboFix 09-09-03.02 - danni 05/09/2009 1:23.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.382.144 [GMT 9.5:30]
Running from: c:\documents and settings\danni\Desktop\Combo-Fix.exe
AV: BP Security Anti-Virus *On-access scanning enabled* (Outdated) {2565CEEE-6BDB-4A6D-AD6D-F682F2695014}
AV: eTrust Vet Antivirus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
FW: ActiveArmor Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
.

((((((((((((((((((((((((( Files Created from 2009-08-04 to 2009-09-04 )))))))))))))))))))))))))))))))
.

2009-09-04 00:51 . 2009-09-04 00:53 -------- d-----w- c:\documents and settings\danni\Local Settings\Application Data\Temp
2009-09-02 22:35 . 2009-09-02 22:35 -------- d-----w- c:\documents and settings\danni\Local Settings\Application Data\PCHealth
2009-08-29 15:28 . 2009-08-29 15:28 -------- d-----w- c:\program files\Java
2009-08-28 10:41 . 2009-08-29 14:45 -------- d-----w- c:\documents and settings\danni\.SunDownloadManager
2009-08-28 00:11 . 2009-08-28 00:11 -------- d-----w- c:\documents and settings\danni\Application Data\Malwarebytes
2009-08-28 00:10 . 2009-08-03 04:06 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-28 00:10 . 2009-08-30 02:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-28 00:10 . 2009-08-28 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-28 00:10 . 2009-08-03 04:06 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-22 17:45 . 2009-08-22 17:45 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-22 17:45 . 2009-08-22 17:45 -------- d-----w- c:\program files\MSBuild
2009-08-22 17:45 . 2009-08-22 17:45 -------- d-----w- c:\program files\Reference Assemblies
2009-08-22 17:43 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-22 17:43 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-22 17:43 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-22 17:43 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-22 17:43 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-22 17:43 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-22 17:43 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-22 17:43 . 2009-08-22 17:44 -------- d-----w- C:\7c9bf4456f3faaa3b5f116b92a
2009-08-19 09:03 . 2009-08-19 09:03 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-08-19 09:02 . 2009-08-19 09:03 -------- d-----w- c:\program files\Common Files\Jasc Software Inc
2009-08-19 09:02 . 2009-08-19 09:02 -------- d-----w- c:\program files\Jasc Software Inc
2009-08-19 09:02 . 2009-08-19 09:02 -------- d-----w- c:\documents and settings\danni\Application Data\Jasc Software Inc
2009-08-18 23:49 . 2009-08-18 23:49 -------- d-----w- c:\program files\Windows Defender
2009-08-16 13:16 . 2009-08-16 23:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-16 13:16 . 2009-08-16 23:00 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-15 14:02 . 2009-09-04 15:32 -------- d-----w- c:\windows\CAVTemp
2009-08-15 12:37 . 2009-08-15 19:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-08-15 12:36 . 2009-08-15 12:36 -------- d-----w- c:\program files\Common Files\iS3
2009-08-15 12:36 . 2009-08-16 14:19 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-08-15 03:21 . 2009-08-15 03:21 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
2009-08-15 03:21 . 2009-08-15 03:21 26787 ----a-w- c:\windows\system32\drivers\vetmonnt.sys
2009-08-15 03:15 . 2009-08-15 03:15 75304 ----a-w- c:\windows\system32\VetRedir.dll
2009-08-15 03:15 . 2009-08-15 03:15 116264 ----a-w- c:\windows\UnVet32.exe
2009-08-15 03:15 . 2009-08-15 03:15 112168 ----a-w- c:\windows\AVShlExt.dll
2009-08-15 03:15 . 2009-08-15 03:21 879832 ----a-w- c:\windows\system32\drivers\VetEFile.sys
2009-08-15 03:15 . 2009-08-15 03:21 108360 ----a-w- c:\windows\system32\drivers\VetEBoot.sys
2009-08-15 03:15 . 2009-08-15 03:15 21031 ----a-w- c:\windows\system32\drivers\Vet-Filt.sys
2009-08-15 03:15 . 2009-08-15 03:15 15735 ----a-w- c:\windows\system32\drivers\VetFDDNT.sys
2009-08-15 03:15 . 2009-08-15 03:15 15478 ----a-w- c:\windows\system32\drivers\Vet-Rec.sys
2009-08-15 03:15 . 2009-08-15 03:15 -------- d-----w- c:\program files\CA
2009-08-15 03:15 . 2005-08-30 00:52 244264 ----a-w- c:\windows\unicows.dll
2009-08-15 03:15 . 2005-08-30 00:52 95784 ----a-w- c:\windows\system32\ISafeIf.dll
2009-08-15 03:15 . 2005-08-30 00:52 75304 ----a-w- c:\windows\system32\iSafProd.dll
2009-08-14 12:44 . 2008-06-19 07:54 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-08-14 12:44 . 2009-08-14 12:44 -------- d-----w- c:\program files\Panda Security
2009-08-14 00:00 . 2009-08-14 00:00 -------- d--h--w- c:\windows\PIF
2009-08-13 12:04 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

descriptionPlease help with malware problem - Page 2 EmptyRe: Please help with malware problem

more_horiz
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-04 00:54 . 2009-03-15 00:11 -------- d-----w- c:\program files\Google
2009-09-03 23:09 . 2009-03-15 00:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-29 14:02 . 2009-02-01 11:26 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-29 07:08 . 2009-04-28 11:31 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-28 10:51 . 2009-02-01 09:13 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-22 18:06 . 2009-01-26 07:20 23128 ----a-w- c:\documents and settings\danni\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-19 09:02 . 2009-01-26 04:04 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-17 12:18 . 2009-07-03 11:57 -------- d-----w- c:\documents and settings\danni\Application Data\LimeWire
2009-08-16 14:08 . 2009-08-16 14:06 744 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-08-16 01:46 . 2009-02-01 09:10 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-16 01:46 . 2009-02-01 09:10 -------- d-----w- c:\program files\NOS
2009-08-15 00:23 . 2009-04-19 07:34 -------- d-----w- c:\program files\Corel
2009-08-09 04:57 . 2009-05-27 02:55 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-08-09 04:57 . 2009-05-27 02:55 88 --sh--r- c:\documents and settings\All Users\Application Data\5E3A968772.sys
2009-08-05 09:01 . 2006-02-28 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 09:33 . 2009-08-04 09:13 68941 ----a-w- c:\windows\hpoins05.dat
2009-08-04 09:22 . 2009-01-26 04:41 -------- d-----w- c:\program files\HP
2009-08-01 06:23 . 2009-03-14 03:17 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-07-26 10:14 . 2009-07-26 10:14 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-26 09:50 . 2009-07-26 09:50 -------- d-----w- c:\documents and settings\danni\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-07-25 13:50 . 2009-07-25 12:29 -------- d-----w- c:\documents and settings\All Users\Application Data\QICAPUUCYG
2009-07-21 09:24 . 2009-03-17 09:37 -------- d-----w- c:\program files\EA GAMES
2009-07-17 19:01 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:13 . 2006-02-28 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-11 13:17 . 2009-04-28 11:12 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-07-11 06:05 . 2009-07-11 06:05 -------- d-----w- c:\documents and settings\danni\Application Data\ieSpell
2009-07-11 05:57 . 2009-07-11 05:57 -------- d-----w- c:\program files\ieSpell
2009-07-09 13:36 . 2009-04-19 14:13 -------- d-----w- c:\program files\InstantEyedropper
2009-07-08 07:58 . 2009-07-08 07:58 -------- d--h--r- c:\documents and settings\danni\Application Data\SecuROM
2009-07-08 07:58 . 2009-07-08 07:58 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-07-03 17:09 . 2006-02-28 12:00 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2006-02-28 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2006-02-28 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2006-02-28 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2006-02-28 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2006-02-28 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2006-02-28 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2006-02-28 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2006-02-28 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2006-02-28 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2006-02-28 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2006-02-28 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2006-02-28 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2006-02-28 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-09 23:49 . 2009-01-26 03:44 2066432 ----a-w- c:\windows\system32\mstscax.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-01_06.39.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-04 00:51 . 2009-09-04 00:51 22528 c:\windows\Installer\4319fd.msi
+ 2009-09-04 00:54 . 2009-09-04 00:54 25214 c:\windows\Installer\{CC016F21-3970-11DE-B878-005056806466}\UNINST_Uninstall_G_408FFBEED62349E08B232864A94D2864.exe
+ 2009-09-04 00:54 . 2009-09-04 00:54 25214 c:\windows\Installer\{CC016F21-3970-11DE-B878-005056806466}\ShortcutOGL_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2009-09-04 00:54 . 2009-09-04 00:54 25214 c:\windows\Installer\{CC016F21-3970-11DE-B878-005056806466}\ShortcutDX_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2009-09-04 00:54 . 2009-09-04 00:54 25214 c:\windows\Installer\{CC016F21-3970-11DE-B878-005056806466}\googleearth.exe1_407B9B5CDAC54F44A756B57CAB4E6A8B.exe
+ 2009-09-04 00:54 . 2009-09-04 00:54 25214 c:\windows\Installer\{CC016F21-3970-11DE-B878-005056806466}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe
+ 2009-09-04 00:54 . 2009-09-04 00:54 25214 c:\windows\Installer\{CC016F21-3970-11DE-B878-005056806466}\ARPPRODUCTICON.exe
+ 2009-09-04 00:54 . 2009-09-04 00:54 1401344 c:\windows\Installer\431a03.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"BigPond Connection Client"="c:\program files\Telstra\BigPond Connection Client\BigPondCC.exe" [2008-09-30 1328128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nTrayFw"="c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [2006-02-17 270336]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-06 520024]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-30 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-30 13750272]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"CaAvTray"="c:\program files\CA\eTrust Vet Antivirus\CAVTray.exe" [2009-08-15 230952]
"CAVRID"="c:\program files\CA\eTrust Vet Antivirus\CAVRID.exe" [2009-08-15 185896]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-29 149280]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2004-10-27 61952]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-04-30 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 GRFILTER;Authentium NDIS Driver;c:\windows\system32\drivers\GRFilter.sys [17/06/2008 11:44 AM 21000]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/03/2009 4:22 PM 64160]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [14/08/2009 10:14 PM 28544]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [28/10/2008 4:42 PM 156968]
R2 GRTdiMon;Authentium TDI Mon;c:\windows\system32\drivers\GRTdiMon.sys [17/06/2008 11:44 AM 39688]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [19/01/2009 7:04 AM 1029456]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3/11/2006 7:19 PM 13592]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/09/2009 10:21 AM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 08:01]

2009-08-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 02:04]

2009-09-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-15 11:25]

2009-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-04 00:51]

2009-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-04 00:51]

2009-09-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 09:50]

2009-09-04 c:\windows\Tasks\User_Feed_Synchronization-{D41236AF-9FA8-4195-A6A8-D567EC869DB1}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 19:01]
.
- - - - ORPHANS REMOVED - - - -

BHO-{8F7C7F1C-8B7E-4282-1312-F28718A5BBAA} - c:\program files\GenerousAdsForYou\GenerousAdsForYou.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bigpond.com/
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} - hxxp://files.authentium.com/bigpond/bin/wizard.exe
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-05 01:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(780)
c:\windows\system32\nvappfilter.dll

- - - - - - - > 'explorer.exe'(3464)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-04 1:40
ComboFix-quarantined-files.txt 2009-09-04 16:10
ComboFix2.txt 2009-09-01 07:17
ComboFix3.txt 2009-09-01 06:44

Pre-Run: 139,706,028,032 bytes free
Post-Run: 139,750,264,832 bytes free

228 --- E O F --- 2009-09-04 03:28

descriptionPlease help with malware problem - Page 2 EmptyRe: Please help with malware problem

more_horiz
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

Please help with malware problem - Page 2 CF_Cleanup

This will also reset your restore points.

How is the machine running now?

descriptionPlease help with malware problem - Page 2 EmptyRe: Please help with malware problem

more_horiz
Ok, ive only just woke up and the machine seems fine, but yesterday it seemed to run fine, then by the evening, openng IE was very difficult.

I will run combofix/u now and post back soon Smile...

descriptionPlease help with malware problem - Page 2 EmptyRe: Please help with malware problem

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum