WiredWX Hobby Weather Tools

win32nuquel

2 posters

Re: win32nuquel
Tried to update, that is.

Re: win32nuquel
Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    [screenshot: CF_download_FF]

    [screenshot: CF_download_rename]

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    [screenshot: Cf410]

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    [screenshot: Cf510]

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Re: win32nuquel
May have made a mistake. Didn't realize I could close anti-spyware programs so removed them. Hope that's not a problem. Here's log...

ComboFix 10-08-02.01 - Josh 08/02/2010 17:24:13.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.469 [GMT -7:00]
Running from: c:\documents and settings\Josh\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\st325602.dll

.
((((((((((((((((((((((((( Files Created from 2010-07-03 to 2010-08-03 )))))))))))))))))))))))))))))))
.

2010-08-03 00:14 . 2010-08-03 00:14 -------- d-----w- c:\windows\LastGood
2010-08-02 19:24 . 2010-08-02 19:24 -------- d-----w- C:\_OTL
2010-07-30 09:40 . 2010-07-30 09:40 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-07-30 09:40 . 2010-07-30 09:40 216200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-07-30 09:39 . 2010-07-30 09:39 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-30 09:38 . 2010-07-30 09:38 813336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-07-30 09:38 . 2010-07-30 09:38 624920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-07-30 09:38 . 2010-07-30 09:38 1690464 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-07-30 09:38 . 2010-07-30 09:38 1038688 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-07-21 18:54 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-03 00:15 . 2010-02-10 18:50 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-03 00:13 . 2010-02-12 22:53 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-03 00:11 . 2010-02-12 22:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-03 00:08 . 2010-02-09 02:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-31 17:44 . 2010-02-08 22:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-31 08:19 . 2009-09-30 20:58 27744 ----a-w- c:\windows\system32\nvModes.dat
2010-07-30 09:39 . 2010-02-12 22:48 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-30 09:39 . 2010-02-12 22:47 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-22 17:35 . 2009-10-01 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-24 05:04 . 2009-10-17 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Sling Media
2010-06-24 05:04 . 2010-06-24 05:04 4150 ----a-r- c:\documents and settings\Josh\Application Data\Microsoft\Installer\{A8720634-4D22-4867-991E-DC24DB9C5FB6}\_6FEFF9B68218417F98F549.exe
2010-06-24 05:03 . 2010-06-24 05:03 -------- d-----w- c:\program files\Sling Media
2010-06-24 04:54 . 2010-06-24 04:54 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb9.tmp.exe
2010-06-14 14:31 . 2009-09-30 20:24 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-10 20:19 . 2010-03-18 16:31 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-02 19:29 . 2010-02-12 22:47 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-06 10:41 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-06 09:42 . 2010-02-06 09:42 87040 --sha-r- c:\windows\system32\sysprtjp.dll
2010-02-08 22:00 . 2010-02-08 21:38 57376 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-02-08 22:00 . 2010-02-08 21:38 6176 --sha-w- c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 17:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-17 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"nwiz"="nwiz.exe" [2007-11-17 1626112]
"NVHotkey"="nvHotkey.dll" [2007-11-17 86016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-17 81920]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-04-30 2396160]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-30 2065760]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-30 09:39 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/1/2009 12:01 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/12/2010 3:47 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/12/2010 3:48 PM 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/30/2010 2:39 AM 308136]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 4:48 PM 135664]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - SASDIFSV
.
Contents of the 'Scheduled Tasks' folder

2010-08-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 23:48]

2010-08-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 23:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
DPF: {B80CD4E6-5B02-4B6C-99BE-68F1511E9549} - hxxp://betaimg.sling.com/sli/sling_player_ax/WebSlingPlayer.cab?1.2.0.60
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-02 17:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(920)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\System32\BCMLogon.dll
c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\MFC80.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
Completion time: 2010-08-02 17:29:13
ComboFix-quarantined-files.txt 2010-08-03 00:29

Pre-Run: 105,665,404,928 bytes free
Post-Run: 105,645,649,920 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 8D8E346133354F34D16BDB65862196A4


Re: win32nuquel
Hello.

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Code:

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5643
    uInternet Settings,ProxyOverride =

  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    [screenshot: Cfscriptb4i]

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.
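
The CFScript above tells ComboFix to clear the two Internet Settings lines, i.e. the proxy the earlier log showed pointing at 127.0.0.1:5643. A proxy aimed at the local machine in a user's IE settings is exactly the kind of entry worth catching automatically when triaging a log, so here is an added example (not part of this thread, and not ComboFix's own code) in Python. It parses a few constructed ComboFix-style lines, copied from the log posted above, and flags a ProxyServer value that points at the local host, plus any file entry that carries both the hidden and system attributes. The line layout and the meaning of the attribute letters are assumptions drawn from the log as posted; the hidden+system check is a triage cue only, since legitimate products also create such files.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the ComboFix log format, modelled on the log posted
# above (paths, sizes and the ProxyServer value are copied from it). The
# first file entry is an ordinary system DLL and must not be flagged.
SAMPLE_LOG = """\
2010-05-06 10:41 . 2004-08-04 12:00 916480 ----a-w- c:\\windows\\system32\\wininet.dll
2010-02-06 09:42 . 2010-02-06 09:42 87040 --sha-r- c:\\windows\\system32\\sysprtjp.dll
2010-02-08 22:00 . 2010-02-08 21:38 57376 --sha-w- c:\\windows\\system32\\drivers\\fidbox.dat
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride =
"""


@dataclass
class Finding:
    kind: str    # "loopback_proxy" or "hidden_system_file"
    detail: str  # the endpoint or path that triggered it


# Assumed layout of a ComboFix file entry:
# "<created> . <modified> <size or dashes> <attribute string> <path>"
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$"
)
# "u" = per-user (HKCU) setting, "m" = machine-wide (HKLM) setting
PROXY_LINE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<value>.*)$")


def proxy_endpoints(value: str) -> List[str]:
    """Split an IE ProxyServer value into host:port strings.

    Handles both the bare "host:port" form and the per-protocol
    "http=host:port;https=host:port" form.
    """
    endpoints = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:  # strip the "http=" style prefix
            part = part.split("=", 1)[1]
        endpoints.append(part)
    return endpoints


def is_loopback_host(host: str) -> bool:
    """True for localhost, 127.0.0.0/8 and ::1."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def scan_log(text: str) -> List[Finding]:
    """Return findings for loopback proxies and hidden+system file entries."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = PROXY_LINE.match(line)
        if m:
            for ep in proxy_endpoints(m.group("value")):
                host = ep.rsplit(":", 1)[0] if ":" in ep else ep
                if is_loopback_host(host.strip("[]")):
                    findings.append(Finding("loopback_proxy", ep))
            continue
        m = FILE_LINE.match(line)
        if m:
            # Assumption: the attribute string uses "s" for system and "h"
            # for hidden, as in "--sha-r-" in the posted log. Both set at
            # once on a file is a triage cue, not a verdict.
            attrs = m.group("attrs")
            if "s" in attrs and "h" in attrs:
                findings.append(Finding("hidden_system_file", m.group("path")))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.kind}: {f.detail}")
```

Run against a real ComboFix.txt the script reports the proxy endpoint and the attribute-flagged paths; whether a flagged file is malicious still needs the usual checks (publisher, hash lookup, what loads it), which is why the script only labels and never deletes.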

Re: win32nuquel
This is probably gonna sound really stupid, but when you say "open notepad," what exactly do you mean?

Re: win32nuquel

Found it. Ran combofix. Here's log...

ComboFix 10-08-03.02 - Josh 08/03/2010 19:26:36.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.459 [GMT -7:00]
Running from: c:\documents and settings\Josh\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Josh\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-07-04 to 2010-08-04 )))))))))))))))))))))))))))))))
.

2010-08-02 19:24 . 2010-08-02 19:24 -------- d-----w- C:\_OTL
2010-07-30 09:40 . 2010-07-30 09:40 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-07-30 09:40 . 2010-07-30 09:40 216200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-07-30 09:39 . 2010-07-30 09:39 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-30 09:38 . 2010-07-30 09:38 813336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-07-30 09:38 . 2010-07-30 09:38 624920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-07-30 09:38 . 2010-07-30 09:38 1690464 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-07-30 09:38 . 2010-07-30 09:38 1038688 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-07-21 18:54 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-03 00:15 . 2010-02-10 18:50 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-03 00:13 . 2010-02-12 22:53 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-03 00:11 . 2010-02-12 22:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-03 00:08 . 2010-02-09 02:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-31 17:44 . 2010-02-08 22:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-31 08:19 . 2009-09-30 20:58 27744 ----a-w- c:\windows\system32\nvModes.dat
2010-07-30 09:39 . 2010-02-12 22:48 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-30 09:39 . 2010-02-12 22:47 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-22 17:35 . 2009-10-01 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-24 05:04 . 2009-10-17 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Sling Media
2010-06-24 05:04 . 2010-06-24 05:04 4150 ----a-r- c:\documents and settings\Josh\Application Data\Microsoft\Installer\{A8720634-4D22-4867-991E-DC24DB9C5FB6}\_6FEFF9B68218417F98F549.exe
2010-06-24 05:03 . 2010-06-24 05:03 -------- d-----w- c:\program files\Sling Media
2010-06-24 04:54 . 2010-06-24 04:54 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb9.tmp.exe
2010-06-14 14:31 . 2009-09-30 20:24 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-10 20:19 . 2010-03-18 16:31 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-02 19:29 . 2010-02-12 22:47 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-06 10:41 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-06 09:42 . 2010-02-06 09:42 87040 --sha-r- c:\windows\system32\sysprtjp.dll
2010-02-08 22:00 . 2010-02-08 21:38 57376 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-02-08 22:00 . 2010-02-08 21:38 6176 --sha-w- c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((( SnapShot@2010-08-03_00.27.19 )))))))))))))))))))))))))))))))))))))))))
.
- 2010-05-22 05:30 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
+ 2010-05-22 05:30 . 2010-02-22 14:23 17272 c:\windows\system32\spmsg.dll
- 2004-08-04 12:00 . 2010-08-03 00:17 71520 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-08-03 16:49 71520 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-08-03 16:49 441560 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2010-08-03 00:17 441560 c:\windows\system32\perfh009.dat
+ 2004-08-04 12:00 . 2010-07-27 06:30 8462336 c:\windows\system32\shell32.dll
+ 2008-06-17 19:02 . 2010-07-27 06:30 8462336 c:\windows\system32\dllcache\shell32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 17:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-17 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"nwiz"="nwiz.exe" [2007-11-17 1626112]
"NVHotkey"="nvHotkey.dll" [2007-11-17 86016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-17 81920]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-04-30 2396160]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-30 2065760]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-30 09:39 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/1/2009 12:01 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/12/2010 3:47 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/12/2010 3:48 PM 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/30/2010 2:39 AM 308136]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 4:48 PM 135664]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 23:48]

2010-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 23:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
DPF: {B80CD4E6-5B02-4B6C-99BE-68F1511E9549} - hxxp://betaimg.sling.com/sli/sling_player_ax/WebSlingPlayer.cab?1.2.0.60
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-03 19:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(928)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(704)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-08-03 19:31:52
ComboFix-quarantined-files.txt 2010-08-04 02:31
ComboFix2.txt 2010-08-03 00:29

Pre-Run: 105,590,718,464 bytes free
Post-Run: 105,579,577,344 bytes free

- - End Of File - - 0C5D8F976E157252FB0F8A223F0E6A2D

Re: win32nuquel
Hello.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

Run ESET Online Scan
Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.

Re: win32nuquel
Log...

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=3a5f010ad99a9a4e9dab1640ad5d03ff
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-08-04 07:35:10
# local_time=2010-08-04 12:35:10 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 14350331 14350331 0 0
# compatibility_mode=1024 16777191 100 0 14851706 14851706 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=38438
# found=0
# cleaned=0
# scan_time=1152
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=3a5f010ad99a9a4e9dab1640ad5d03ff
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-08-04 07:58:19
# local_time=2010-08-04 12:58:19 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 14352736 14352736 0 0
# compatibility_mode=1024 16777191 100 0 14854111 14854111 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=3452
# found=0
# cleaned=0
# scan_time=136

Re: win32nuquel
How is the machine running now?

Re: win32nuquel
It's running fine. It's been running fine for last couple days.

Re: win32nuquel
Or at least since running OTL.

Re: win32nuquel
Okay, this looks good now. Smile...

Re: win32nuquel
Thank you very much.