  1. #16
    Joined
    Jan 2004
    Posts
    7,499

    Re: Leave my ••••• alone!

    Oh, I also can't seem to update AVG anymore after reinstalling it. Should I uninstall that entirely for the meantime so it does not interfere with your instructions? I did an overnight system scan and it didn't come up with anything.

    Huh... my web browsing seems inconsistent now. I'm on-campus and Steam updates at 1.1mb/s.
    Last edited by fatlazyhomer; 01-15-2009 at 05:56 PM.

  2. #17
    Joined
    Jul 2003
    Location
    Australia
    Posts
    14,223

    Re: Leave my ••••• alone!

    Quote Originally Posted by fatlazyhomer View Post
    Combofix Log (too large to paste)-
    http://www.scribd.com/doc/10487624/Log
    Can you please post the Combofix log over several posts then or perhaps upload it to RapidShare? It makes the job MUCH easier for me. If you've already trashed it, then I'll just go with the image you created. There are nasties listed on there.

    Quote Originally Posted by fatlazyhomer View Post
    Oh, I also can't seem to update AVG anymore after reinstalling it. Should I uninstall that entirely for the meantime so it does not interfere with your instructions? I did an overnight system scan and it didn't come up with anything.

    Huh... my web browsing seems inconsistent now. I'm on-campus and Steam updates at 1.1mb/s.
    At this stage don't worry about AVG. At this stage I think you should be trying to avoid using the internet if you can, otherwise you run the risk of infecting others.

    If you want something else to do in the meantime, you can try downloading and running MalwareBytes Anti-Malware. That's more likely to have better success than the other scanners you've already tried. Post the log here.

  3. #18
    Joined
    Jan 2004
    Posts
    7,499

    Re: Leave my ••••• alone!

    ComboFix 09-01-13.04 - Force Commander 2009-01-15 10:53:20.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1404 [GMT -8:00]
    Running from: c:\documents and settings\David\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Autorun.inf
    c:\program files\Mozilla Firefox\components\iamfamous.dll
    C:\resycled
    c:\resycled\boot.com
    c:\windows\system32\micr0st.dll
    D:\Autorun.inf
    D:\resycled
    d:\resycled\boot.com
    H:\autorun.inf
    H:\resycled
    h:\resycled\boot.com
    J:\Autorun.inf
    J:\resycled
    j:\resycled\boot.com

    .
    ((((((((((((((((((((((((( Files Created from 2008-12-15 to 2009-01-15 )))))))))))))))))))))))))))))))
    .

    2009-01-15 10:50 . 2009-01-15 10:50 <DIR> d-------- c:\program files\Trend Micro
    2009-01-14 22:39 . 2009-01-14 22:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
    2009-01-14 22:29 . 2009-01-14 22:29 <DIR> d-------- c:\documents and settings\Force Commander\Application Data\Antispyware
    2009-01-14 21:52 . 2009-01-14 21:52 <DIR> d-------- c:\windows\system32\drivers\Avg
    2009-01-14 21:52 . 2009-01-14 21:52 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
    2009-01-14 21:52 . 2009-01-14 21:52 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
    2009-01-14 21:52 . 2009-01-14 21:52 10,520 --a------ c:\windows\system32\avgrsstx.dll
    2009-01-14 00:19 . 2009-01-14 00:19 <DIR> d-------- c:\program files\File Scavenger 3.0
    2009-01-14 00:12 . 2009-01-14 00:12 <DIR> d-------- c:\program files\uTorrent
    2009-01-14 00:12 . 2009-01-14 00:18 <DIR> d-------- c:\documents and settings\David\Application Data\uTorrent
    2009-01-13 11:55 . 2009-01-13 11:55 <DIR> d-------- c:\program files\Promise Technology, Inc
    2009-01-13 11:55 . 2009-01-13 11:55 <DIR> d-------- c:\program files\Promise
    2009-01-13 11:55 . 2003-11-05 18:06 110,592 --a------ c:\windows\system32\ulutil2.dll
    2009-01-13 11:55 . 2006-04-06 17:52 108,544 --a------ c:\windows\system32\drivers\ulsata2.sys
    2009-01-13 11:55 . 2003-11-05 08:45 17,408 --a------ c:\windows\system32\drivers\bb-run.sys
    2009-01-13 11:55 . 2004-06-29 14:25 7,680 --a------ c:\windows\system32\drivers\dontgo.sys
    2009-01-05 21:17 . 2009-01-13 21:57 <DIR> d-------- C:\Downloads
    2009-01-05 16:34 . 2009-01-05 16:34 <DIR> d-------- c:\program files\Western Digital
    2009-01-05 16:24 . 2009-01-14 21:52 <DIR> d-------- c:\windows\system32\NtmsData
    2009-01-04 03:37 . 2009-01-04 04:53 <DIR> d-------- c:\program files\Super DVD Ripper
    2009-01-04 02:36 . 2009-01-04 02:36 <DIR> d-------- C:\WinFast WorkArea
    2009-01-02 13:32 . 2009-01-02 13:33 <DIR> d-------- C:\WFDB
    2009-01-02 13:32 . 2009-01-02 13:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Ulead Systems
    2009-01-02 13:32 . 2001-12-19 15:47 49,152 --a------ c:\windows\system32\TempDel.EXE
    2009-01-02 13:32 . 2005-01-06 16:55 9,446 --a------ c:\windows\system32\drivers\WFIOCTL.sys
    2009-01-02 13:25 . 2005-06-28 09:24 163,584 --a------ c:\windows\system32\drivers\cx88vid.sys
    2009-01-02 13:24 . 2009-01-02 13:24 <DIR> d-------- c:\windows\system32\WinFox
    2009-01-02 13:24 . 2009-01-02 13:25 <DIR> d-------- c:\windows\system32\WinFast
    2009-01-02 13:24 . 2005-03-25 18:24 9,600 --a------ c:\windows\system32\drivers\WINFOXIO.sys
    2009-01-02 13:14 . 2009-01-02 13:14 799 --a------ c:\windows\system\Cmicnfgp.ini
    2009-01-02 12:39 . 2009-01-02 12:39 <DIR> d-------- c:\program files\Common Files\Ulead Systems
    2009-01-02 12:37 . 2009-01-02 12:37 <DIR> d-------- c:\program files\WinFast
    2009-01-02 12:33 . 2009-01-02 12:33 <DIR> d-------- C:\WinFast
    2009-01-02 12:33 . 2009-01-02 13:25 <DIR> d-------- c:\windows\system32\DX9
    2009-01-02 00:18 . 2009-01-02 00:18 <DIR> d-------- c:\documents and settings\Force Commander\Application Data\Red Alert 3
    2008-12-29 17:49 . 2008-12-29 17:49 <DIR> d-------- c:\program files\eBay
    2008-12-29 17:49 . 2008-12-29 17:49 <DIR> d-------- c:\documents and settings\All Users\eBay
    2008-12-28 22:52 . 2008-12-28 22:52 <DIR> d-------- c:\program files\Combined Community Codec Pack
    2008-12-28 20:00 . 2009-01-14 12:57 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-12-26 19:57 . 2008-12-26 19:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Seagate
    2008-12-26 19:56 . 2008-12-26 19:56 <DIR> d-------- c:\program files\Seagate
    2008-12-26 19:56 . 2008-12-26 19:56 441,760 --a------ c:\windows\system32\drivers\timntr.sys
    2008-12-26 19:56 . 2008-12-26 19:56 368,480 --a------ c:\windows\system32\drivers\tdrpman.sys
    2008-12-26 19:56 . 2008-12-26 19:56 132,224 --a------ c:\windows\system32\drivers\snapman.sys
    2008-12-26 19:56 . 2008-12-26 19:56 44,384 --a------ c:\windows\system32\drivers\tifsfilt.sys
    2008-12-24 19:41 . 2008-12-24 19:41 <DIR> d---s---- c:\documents and settings\David\UserData
    2008-12-24 19:02 . 2008-12-24 19:02 <DIR> d-------- c:\documents and settings\David\Application Data\FastStone
    2008-12-24 16:42 . 2008-12-24 16:42 <DIR> d-------- c:\documents and settings\David\Application Data\dvdcss
    2008-12-23 19:10 . 2008-12-23 19:10 <DIR> d-------- c:\documents and settings\David\Application Data\Red Alert 3
    2008-12-23 18:54 . 2008-12-23 18:54 <DIR> d-------- c:\windows\Logs
    2008-12-23 18:54 . 2008-12-23 18:54 <DIR> d-------- c:\program files\Electronic Arts
    2008-12-23 18:54 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll
    2008-12-23 18:54 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll
    2008-12-23 18:54 . 2008-05-30 14:11 1,491,992 --a------ c:\windows\system32\D3DCompiler_38.dll
    2008-12-23 18:54 . 2007-07-19 18:14 1,358,192 --a------ c:\windows\system32\D3DCompiler_35.dll
    2008-12-23 18:54 . 2008-05-30 14:11 467,984 --a------ c:\windows\system32\d3dx10_38.dll
    2008-12-23 18:54 . 2007-07-19 18:14 444,776 --a------ c:\windows\system32\d3dx10_35.dll
    2008-12-23 18:53 . 2008-12-23 19:04 <DIR> d-------- c:\documents and settings\Force Commander\Application Data\DAEMON Tools
    2008-12-23 18:52 . 2008-12-23 18:52 <DIR> d-------- c:\documents and settings\Force Commander\Application Data\Aim
    2008-12-21 22:32 . 2008-12-21 22:32 <DIR> d-------- c:\program files\Common Files\Adobe
    2008-12-21 22:31 . 2009-01-02 13:00 <DIR> d-------- c:\documents and settings\Administrator
    2008-12-21 22:14 . 2008-12-21 22:14 <DIR> d-------- c:\program files\Common Files\Adobe AIR
    2008-12-21 22:11 . 2008-12-21 22:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Adobe(2)
    2008-12-21 22:10 . 2008-12-21 22:11 <DIR> d-------- c:\program files\Common Files\Adobe(2)
    2008-12-20 21:20 . 2008-12-20 21:20 <DIR> d-------- c:\documents and settings\David\Application Data\Creative
    2008-12-20 11:04 . 2008-12-20 11:04 <DIR> d-------- c:\documents and settings\David\Application Data\vlc
    2008-12-20 11:00 . 2008-12-20 11:00 <DIR> d-------- c:\program files\Winamp
    2008-12-20 11:00 . 2008-12-20 11:02 <DIR> d-------- c:\documents and settings\Force Commander\Application Data\Winamp
    2008-12-20 10:58 . 2008-12-20 11:02 <DIR> d-------- c:\documents and settings\David\Application Data\Winamp
    2008-12-20 01:04 . 2008-12-20 01:04 <DIR> d-------- c:\documents and settings\David\Application Data\Media Player Classic
    2008-12-19 07:52 . 2008-12-21 12:31 <DIR> d-------- c:\windows\system32\CatRoot_bak

  4. #19
    Joined
    Jan 2004
    Posts
    7,499

    Re: Leave my ••••• alone!

    2008-12-18 21:48 . 2008-12-18 21:48 <DIR> d-------- c:\documents and settings\Force Commander\Application Data\FaxCtr
    2008-12-18 21:48 . 2008-12-18 21:48 <DIR> d-------- c:\documents and settings\Force Commander\Application Data\DivX
    2008-12-18 21:48 . 2008-12-18 21:48 <DIR> d-------- c:\documents and settings\Force Commander\Application Data\ASUS
    2008-12-18 21:48 . 2009-01-02 13:00 <DIR> d-------- c:\documents and settings\Force Commander
    2008-12-18 21:48 . 2009-01-14 12:44 69 --a------ c:\windows\NeroDigital.ini
    2008-12-18 19:47 . 2008-12-18 19:47 <DIR> d-------- c:\documents and settings\David\Application Data\FaxCtr
    2008-12-18 19:47 . 2008-12-18 19:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Creative
    2008-12-18 18:51 . 2008-12-18 18:51 <DIR> d-------- c:\program files\AVG
    2008-12-18 18:51 . 2009-01-14 21:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
    2008-12-18 18:44 . 2009-01-15 01:11 <DIR> d-------- c:\program files\lx_cats
    2008-12-18 18:43 . 2008-12-18 19:41 <DIR> d-------- c:\program files\Lexmark Fax Solutions
    2008-12-18 18:43 . 2008-12-18 18:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\FaxCtr
    2008-12-18 18:43 . 2008-08-14 02:00 2,180,352 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
    2008-12-18 18:43 . 2008-08-14 01:58 2,136,064 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
    2008-12-18 18:43 . 2008-08-14 01:22 2,057,728 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
    2008-12-18 18:43 . 2008-08-14 01:22 2,015,744 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
    2008-12-18 18:43 . 2008-10-24 03:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
    2008-12-18 18:43 . 2005-12-23 06:18 339,968 --a------ c:\windows\system32\IMGMAN32.DLL
    2008-12-18 18:43 . 2005-12-23 06:18 98,345 --a------ c:\windows\system32\IMHOST32.DLL
    2008-12-18 18:43 . 2005-12-23 06:18 98,304 --a------ c:\windows\system32\IM31XPNG.DEL
    2008-12-18 18:43 . 2005-12-23 06:18 69,632 --a------ c:\windows\system32\IM31XTIF.DEL
    2008-12-18 18:43 . 2005-12-23 06:18 49,152 --a------ c:\windows\system32\IM31IMG.DIL
    2008-12-18 18:43 . 2006-02-02 00:26 12,288 --a------ c:\windows\system32\LXPMONRC.DLL
    2008-12-18 18:42 . 2008-12-18 18:42 <DIR> d-------- c:\program files\Lexmark Toolbar
    2008-12-18 18:42 . 2008-12-18 18:44 <DIR> d-------- c:\program files\Lexmark 3400 Series
    2008-12-18 18:42 . 2008-12-18 18:42 <DIR> d-------- c:\program files\Abbyy FineReader 6.0 Sprint
    2008-12-18 18:37 . 2005-06-28 10:21 22,752 --a------ c:\windows\system32\spupdsvc.exe
    2008-12-18 18:36 . 2008-12-18 19:36 <DIR> d--h----- c:\windows\$hf_mig$
    2008-12-18 18:30 . 2004-07-20 17:24 1,568,768 --------- c:\windows\system32\ImagX7.dll
    2008-12-18 18:30 . 2004-07-20 17:24 476,320 --------- c:\windows\system32\ImagXpr7.dll
    2008-12-18 18:30 . 2004-07-20 17:24 471,040 --------- c:\windows\system32\ImagXRA7.dll
    2008-12-18 18:30 . 2004-07-09 09:43 364,544 --------- c:\windows\system32\TwnLib4.dll
    2008-12-18 18:30 . 2004-07-20 17:24 262,144 --------- c:\windows\system32\ImagXR7.dll
    2008-12-18 18:30 . 2000-06-26 11:45 106,496 --a------ c:\windows\system32\TwnLib20.dll
    2008-12-18 18:30 . 2001-06-26 08:15 38,912 --------- c:\windows\system32\picn20.dll
    2008-12-18 18:29 . 2008-12-18 18:31 <DIR> d-------- c:\program files\Common Files\Ahead
    2008-12-18 18:29 . 2008-12-18 18:30 <DIR> d-------- c:\program files\Ahead
    2008-12-18 18:29 . 2001-07-09 11:50 155,648 --a------ c:\windows\system32\NeroCheck.exe
    2008-12-18 18:16 . 2008-12-18 18:16 <DIR> d--h----- c:\program files\Creative Installation Information
    2008-12-18 18:16 . 2008-12-18 18:16 <DIR> d-------- c:\program files\Common Files\Creative
    2008-12-18 18:16 . 1999-12-13 09:01 44,032 --------- c:\windows\system32\CTSVCCDA.EXE
    2008-12-18 18:16 . 1999-11-18 09:00 25,088 --------- c:\windows\system32\CTSVCCTL.EXE
    2008-12-18 18:15 . 2008-12-18 18:16 <DIR> d-------- c:\program files\Creative
    2008-12-18 18:14 . 2008-12-20 17:40 <DIR> d-------- c:\documents and settings\David\Application Data\DivX
    2008-12-18 18:13 . 2008-12-18 18:13 <DIR> d-------- c:\program files\Vodei
    2008-12-18 18:13 . 2008-12-18 18:13 <DIR> d-------- c:\program files\DirectVobSub
    2008-12-18 18:12 . 2008-12-18 18:12 <DIR> d-------- c:\program files\VideoLAN
    2008-12-18 18:12 . 2008-12-18 18:12 <DIR> d-------- c:\program files\Gabest
    2008-12-18 18:11 . 2008-12-18 18:11 <DIR> d-------- c:\program files\eRightSoft
    2008-12-18 18:10 . 2009-01-15 00:58 <DIR> d-------- c:\program files\Steam
    2008-12-18 18:10 . 2008-12-18 18:10 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2008-12-18 18:10 . 2008-12-25 13:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-12-18 18:09 . 2008-12-18 18:09 <DIR> d-------- c:\program files\Real Alternative
    2008-12-18 18:09 . 2008-12-18 18:09 <DIR> d-------- c:\program files\nKast

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

  5. #20
    Joined
    Jan 2004
    Posts
    7,499

    Re: Leave my ••••• alone!

    2009-01-02 21:14 413,696 ----a-w c:\windows\system32\wrap_oal.dll
    2009-01-02 21:14 102,400 ----a-w c:\windows\system32\OpenAL32.dll
    2008-12-19 00:55 --------- d-----w c:\program files\microsoft frontpage
    2008-11-21 21:47 9,464 ------w c:\windows\system32\drivers\cdralw2k.sys
    2008-11-21 21:47 9,336 ------w c:\windows\system32\drivers\cdr4_xp.sys
    2008-11-21 21:47 524,288 ----a-w c:\windows\system32\DivXsm.exe
    2008-11-21 21:47 43,528 ------w c:\windows\system32\drivers\PxHelp20.sys
    2008-11-21 21:47 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
    2008-11-21 21:47 129,784 ------w c:\windows\system32\pxafs.dll
    2008-11-21 21:47 120,056 ------w c:\windows\system32\pxcpyi64.exe
    2008-11-21 21:47 118,520 ------w c:\windows\system32\pxinsi64.exe
    2008-11-21 21:46 200,704 ----a-w c:\windows\system32\ssldivx.dll
    2008-11-21 21:46 1,044,480 ----a-w c:\windows\system32\libdivx.dll
    2008-11-21 21:44 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
    2008-11-21 21:44 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
    2008-11-05 20:23 49,152 ----a-r c:\windows\system32\inetwh32.dll
    2008-11-05 20:23 1,044,480 ----a-r c:\windows\system32\roboex32.dll
    2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
    2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 10:37 659,456 ----a-w c:\windows\system32\wininet.dll
    2008-12-21 10:49 23,032 ----a-w c:\program files\mozilla firefox\components\browserdirprovider(2).dll
    2008-12-21 10:49 134,648 ----a-w c:\program files\mozilla firefox\components\brwsrcmp(2).dll
    2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll
    2007-02-21 10:47 31,232 --sh--r c:\windows\system32\msfDX.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AIM"="c:\program files\AIM\aim.exe" [2004-03-12 61440]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
    "Cmaudio8788GX"="c:\windows\system\HsMgr.exe" [2008-07-11 200704]
    "DeadAIM"="c:\progra~1\AIM\\DeadAIM.ocm" [2004-02-28 144896]
    "CTCheck"="c:\program files\Creative\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "lxcymon.exe"="c:\program files\Lexmark 3400 Series\lxcymon.exe" [2006-01-25 286720]
    "EzPrint"="c:\program files\Lexmark 3400 Series\ezprint.exe" [2006-02-06 98304]
    "FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2006-02-02 290816]
    "LXCYCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2005-12-01 65536]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "WinFast Schedule"="c:\program files\WinFast\WFTVFM\WFWIZ.exe" [2006-07-07 348160]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-14 1261336]
    "nwiz"="nwiz.exe" [2008-11-12 c:\windows\system32\nwiz.exe]
    "PtiuPbmd"="ulutil2.dll" [2003-11-05 c:\windows\system32\ulutil2.dll]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\AIM\\aim.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

  6. #21
    Joined
    Jan 2004
    Posts
    7,499

    Re: Leave my ••••• alone!

    R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [2009-01-13 7680]
    R0 ulsata2;ulsata2;c:\windows\system32\drivers\ulsata2.sys [2009-01-13 108544]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-14 97928]
    R3 cmudaxp;ASUS Xonar DX Audio Interface;c:\windows\system32\drivers\cmudaxp.sys [2008-12-18 1983424]
    R3 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
    R3 WFIOCTL;WFIOCTL;c:\program files\WinFast\WFTVFM\WFIOCTL.sys [2009-01-02 9446]
    R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-14 231704]
    R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-14 76040]
    S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-14 875288]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{330d6bf6-e1ac-11dd-9bd8-000129d8a911}]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com g:
    \Shell\Open\command - g:\resycled\boot.com g:

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63d2d7b5-c36f-11dd-b31b-806d6172696f}]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com j:
    \Shell\Open\command - "resycled\boot.

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63d2d7b7-c36f-11dd-b31b-806d6172696f}]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com h:
    \Shell\Open\command - h:\resycled\boot.com h:

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63d2d7b8-c36f-11dd-b31b-806d6172696f}]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com d:
    \Shell\Open\command - d:\resycled\boot.com d:

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{72b8857f-d3cb-11dd-a992-000129d8a911}]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com i:
    \Shell\Open\command - i:\resycled\boot.com i:

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d934b22f-cd19-11dd-afce-806d6172696f}]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com c:
    \Shell\Open\command - c:\resycled\boot.com c:
    .
    Contents of the 'Scheduled Tasks' folder

    2009-01-15 c:\windows\Tasks\Antispyware Scheduled Scan.job
    - c:\program files\Antispyware\Antispyware.exe []

    2009-01-15 c:\windows\Tasks\Antispyware Scheduled Scan.job
    - c:\program files\Antispyware []
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Antispyware - c:\program files\Antispyware\Antispyware.exe
    HKLM-Run-MultiRes - c:\program files\MultiRes\MultiRes.exe
    HKLM-Run-Cmaudio8788 - cmicnfgp.cpl


    .
    ------- Supplementary Scan -------
    .
    FF - ProfilePath - c:\documents and settings\Force Commander\Application Data\Mozilla\Firefox\Profiles\wlta00p6.default\
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - component: c:\program files\Mozilla Firefox\components\browserdirprovider(2).dll
    FF - component: c:\program files\Mozilla Firefox\components\brwsrcmp(2).dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-15 10:54:17
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LXCYCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16????????????????????????????? ???????????????????????????????????????????????????????????????????????????????????????????????????? ??????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************
    .
    Completion time: 2009-01-15 10:54:47
    ComboFix-quarantined-files.txt 2009-01-15 18:54:46

    Pre-Run: 176,022,597,632 bytes free
    Post-Run: 176,595,939,328 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    h:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="H:\WINDOWS" HELP

    291 --- E O F --- 2008-12-19 03:36:44
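    The "mountpoints2" block in the ComboFix log above is the mechanism that let the autorun.inf / resycled\boot.com infection hop between every volume on this box: Explorer caches each volume's autorun.inf hooks under HKCU\...\Explorer\MountPoints2, so the drive is re-launched every time it is opened. The following is an added example, not part of the original thread or of ComboFix; it parses that block as ComboFix prints it and flags volumes whose cached AutoRun/Open hook launches from a recycle-bin style folder or uses a .com loader. The sample text is constructed from the posted lines (including the truncated "resycled\boot." line as it appears in the log) plus one benign, made-up entry for drive e: to show a hook that is not flagged.

```python
"""Flag malicious per-volume AutoRun hooks in a ComboFix "mountpoints2" dump.

Added example (not ComboFix code). It understands the key header and
"\Shell\<verb>\command - ..." lines exactly as ComboFix prints them and
reports the volume letters whose cached hook looks like the resycled\boot.com
infection discussed in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Key header and command lines in ComboFix's "mountpoints2" section.
KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
CMD_RE = re.compile(r"^\\Shell\\(AutoRun|Open)\\command - (.*)$", re.I)

# Nothing legitimate autoruns out of a recycle-bin folder; "resycled" is the
# misspelt fake folder used by this infection. Matched as a path component.
RECYCLER_DIR = re.compile(r"(?<![\w$])(recycled|recycler|resycled|\$recycle\.bin)\\", re.I)
# A .com loader is a red flag on an autorun hook (may also match a ".com" URL;
# treat that as a lead to review, not proof).
COM_LOADER = re.compile(r"\.com(\s|$|\")", re.I)
# ComboFix hooks normally end with the target drive letter ("... boot.com g:").
DRIVE_TAIL = re.compile(r"\b([a-z]):$", re.I)


@dataclass
class Hook:
    guid: str
    verb: str              # "AutoRun" or "Open"
    command: str
    drive: Optional[str]   # volume letter the hook targets, if recoverable
    reasons: Tuple[str, ...]  # why it was flagged; empty means not suspicious


def _drive_of(command: str) -> Optional[str]:
    m = DRIVE_TAIL.search(command)
    return m.group(1).lower() if m else None


def _reasons(command: str) -> Tuple[str, ...]:
    reasons = []
    if RECYCLER_DIR.search(command):
        reasons.append("launches from a recycle-bin style folder")
    if COM_LOADER.search(command):
        reasons.append(".com loader")
    return tuple(reasons)


def parse_mountpoints(text: str) -> List[Hook]:
    """Return every AutoRun/Open hook found under a mountpoints2 key."""
    hooks, guid = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            guid = m.group(1)
            continue
        m = CMD_RE.match(line)
        if m and guid:
            cmd = m.group(2).strip()
            hooks.append(Hook(guid, m.group(1), cmd, _drive_of(cmd), _reasons(cmd)))
    return hooks


def suspicious_drives(text: str) -> List[str]:
    """Volume letters whose cached hook looks malicious, sorted."""
    per_guid = {}
    for h in parse_mountpoints(text):
        per_guid.setdefault(h.guid, []).append(h)
    drives = set()
    for hooks in per_guid.values():
        if any(h.reasons for h in hooks):
            # A truncated Open line may have lost its drive letter (as in the
            # posted log); fall back to the sibling AutoRun hook of the same key.
            drive = next((h.drive for h in hooks if h.drive), None)
            if drive:
                drives.add(drive)
    return sorted(drives)


# Constructed sample: three keys taken from the posted log (the j: Open line is
# truncated exactly as ComboFix printed it) plus one made-up benign key for e:.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{330d6bf6-e1ac-11dd-9bd8-000129d8a911}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com g:
\Shell\Open\command - g:\resycled\boot.com g:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63d2d7b5-c36f-11dd-b31b-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com j:
\Shell\Open\command - "resycled\boot.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d934b22f-cd19-11dd-afce-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com c:
\Shell\Open\command - c:\resycled\boot.com c:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aaaaaaaa-0000-0000-0000-000000000000}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe e:
"""

if __name__ == "__main__":
    for h in parse_mountpoints(SAMPLE_LOG):
        print(h.drive, h.verb, "FLAGGED" if h.reasons else "ok", h.command)
    print("suspicious volumes:", suspicious_drives(SAMPLE_LOG))
```

    The flagged volume list is a cleanup checklist: every drive it names also needs its root autorun.inf and resycled folder removed (ComboFix did that in the "Other Deletions" section above) and its MountPoints2 key cleared, otherwise opening the drive re-executes the loader. The heuristics are deliberately narrow; a cached hook for an ordinary installer CD (the e: entry) passes.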

  7. #22
    Joined
    Jan 2004
    Posts
    7,499

    Re: Leave my ••••• alone!

    I am now on my "backup" partition (H). It's on the same HD but appears uninfected. Can I do effective scans from here on (C)?

  8. #23
    Joined
    Jul 2003
    Location
    Australia
    Posts
    14,223

    Re: Leave my ••••• alone!

    Yeah - you've got a better chance of detecting malicious software. You should scan all drives (H:, C: and J:) because H: and J: were infected with something and may still be infected.

    I won't be back for a few hours. It's the start of my work day over here. One other scan you might like to run is Kaspersky Online Scanner. It won't remove the infections, but will list what it finds. You might like to save the log and post it here also.

    Thanks for the CF Log. We should be able to get your PC cleaned up using those logs.

  9. #24
    Joined
    Jan 2004
    Posts
    7,499

    Re: Leave my ••••• alone!

    Great, thanks.

    Right now I am scanning all partitions with Norman Malware Cleaner from H:

    I will then do another scan with Combofix from here, followed by a scan with Malwarebytes and Kaspersky.

  10. #25
    Joined
    Jan 2004
    Posts
    7,499

    Re: Leave my ••••• alone!

    Norman Malware Cleaner
    Copyright © 1990 - 2008, Norman ASA. Built 2009/01/13 01:26:28

    Norman Scanner Engine Version: 5.93.01
    Nvcbin.def Version: 5.93.00, Date: 2009/01/13 01:26:28, Variants: 2523344

    Running pre-scan cleanup routine:
    Operating System: Microsoft Windows XP Professional 5.1.2600 Service Pack 2
    Logged on user: SIMPSONS-99D8DD\Force Commander


    Scan started: 15/01/2009 15:09:32


    Scanning running processes and process memory...

    Number of processes/threads found: 1813
    Number of processes/threads scanned: 1813
    Number of processes/threads not scanned: 0
    Number of infected processes/threads terminated: 0
    Total scanning time: 23s


    Scanning file system...

    Scanning: C:\*.*

    C:\Qoobox\Quarantine\C\autorun.inf.vir (Infected with INI/DNSChanger.A)
    Deleted file

    C:\Qoobox\Quarantine\D\autorun.inf.vir (Infected with INI/DNSChanger.A)
    Deleted file

    C:\Qoobox\Quarantine\H\autorun.inf.vir (Infected with INI/DNSChanger.A)
    Deleted file

    C:\Qoobox\Quarantine\J\autorun.inf.vir (Infected with INI/DNSChanger.A)
    Deleted file

    C:\System Volume Information\_restore{892FDD21-5D11-423B-A4FC-5B08747DDE12}\RP9\A0003568.inf (Infected with INI/DNSChanger.A)
    Deleted file

    C:\WINDOWS\system32\gaopdxxepawvcp.dll (Error opening file: Access denied)

    Scanning: D:\*.*

    D:\autorun.inf (Infected with INI/DNSChanger.A)
    Deleted file

    Scanning: F:\*.*

    F:\autorun.inf (Infected with INI/DNSChanger.A)
    Deleted file

    Scanning: H:\*.*

    H:\autorun.inf (Infected with INI/DNSChanger.A)
    Deleted file

    H:\System Volume Information\_restore{892FDD21-5D11-423B-A4FC-5B08747DDE12}\RP9\A0003674.inf (Infected with INI/DNSChanger.A)
    Deleted file

    Scanning: c:\System Volume Information\*.*

    c:\System Volume Information\_restore{892FDD21-5D11-423B-A4FC-5B08747DDE12}\RP9\A0003671.dll (Error opening file: Access denied)

    Scanning: h:\System Volume Information\*.*


    Running post-scan cleanup routine:

    Number of files found: 131846
    Number of archives unpacked: 508
    Number of files scanned: 131737
    Number of files not scanned: 109
    Number of files skipped due to exclude list: 0
    Number of infected files found: 9
    Number of infected files repaired/deleted: 9
    Number of infections removed: 9
    Total scanning time: 37m 38s

  11. #26
    Joined
    Jan 2004
    Posts
    7,499

    Re: Leave my ••••• alone!

    Malwarebytes' Anti-Malware 1.33
    Database version: 1656
    Windows 5.1.2600 Service Pack 2

    2009-01-15 17:15:46
    mbam-log-2009-01-15 (17-15-43).txt

    Scan type: Full Scan (C:\|D:\|F:\|H:\|)
    Objects scanned: 364983
    Time elapsed: 1 hour(s), 12 minute(s), 44 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\Force Commander\Local Settings\Temp\tmpD.tmp (Trojan.FakeAlert) -> No action taken.
    C:\System Volume Information\_restore{892FDD21-5D11-423B-A4FC-5B08747DDE12}\RP9\A0003671.dll (Trojan.FakeAlert) -> No action taken.
    C:\WINDOWS\system32\drivers\gaopdxdltimrsv.sys (Trojan.FakeAlert) -> No action taken.

  12. #27
    Joined
    Jan 2004
    Posts
    7,499

    Re: Leave my ••••• alone!

    Gr.... was 10% through the Kaspersky scan then FF crashes. Gonna dl the trial version and see how that goes.

  13. #28
    Joined
    Jan 2004
    Posts
    7,499

    Re: Leave my ••••• alone!

    I rebooted in safe mode and ran Norman again. Man, this thing won't die!

    Norman Malware Cleaner
    Copyright © 1990 - 2008, Norman ASA. Built 2009/01/13 01:26:28

    Norman Scanner Engine Version: 5.93.01
    Nvcbin.def Version: 5.93.00, Date: 2009/01/13 01:26:28, Variants: 2523344

    Running pre-scan cleanup routine:
    Operating System: Microsoft Windows XP Professional 5.1.2600(Safe mode) Service Pack 2
    Logged on user: GNR-BC408DD91C0\Administrator

    Removed registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools = 0x00000000
    Removed registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDrives = 0x00000000

    Scan started: 15/01/2009 18:57:37


    Scanning running processes and process memory...

    Number of processes/threads found: 546
    Number of processes/threads scanned: 546
    Number of processes/threads not scanned: 0
    Number of infected processes/threads terminated: 0
    Total scanning time: 12s


    Scanning file system...

    Scanning: C:\*.*

    Scanning: D:\*.*

    Scanning: H:\*.*

    H:\Documents and Settings\Force Commander\Local Settings\temp\Av-test.txt (Infected with EICAR_Test_file_not_a_virus!)
    Deleted file

    H:\System Volume Information\_restore{892FDD21-5D11-423B-A4FC-5B08747DDE12}\RP10\A0003764.sys (Infected with W32/Agent.HHSF)
    Deleted file

    Scanning: J:\*.*

    But I think I'm finally clean now.

  14. #29
    Joined
    Jan 2004
    Posts
    7,499

    Re: Leave my ••••• alone!

    Hopefully my last HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:30:23 PM, on 1/15/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system\HsMgr.exe
    C:\Program Files\Creative\ZEN Media Explorer\CTCheck.exe
    C:\Program Files\Lexmark 3400 Series\lxcymon.exe
    C:\Program Files\Lexmark 3400 Series\ezprint.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
    C:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\Program Files\AIM\aim.exe
    C:\program files\steam\steam.exe
    C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Cmaudio8788GX] C:\WINDOWS\system\HsMgr.exe Envoke
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [CTCheck] C:\Program Files\Creative\ZEN Media Explorer\CTCheck.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
    O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 3400 Series\ezprint.exe"
    O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
    O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ulutil2.dll,SetWriteBack
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

    --
    End of file - 4308 bytes
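
A small triage script for logs in this format, added here as an example; it is not part of HijackThis and not code from anyone in this thread. It parses the O4 (Run-key autostart) and O23 (service) lines and flags the three things a reviewer of the log above would check first: an autostart whose executable is given by bare name and so is resolved through the search path rather than a fixed location, a rundll32 entry whose DLL is given by bare name (the same search-order concern, and a common way to hide a payload DLL), and a service line with an empty vendor field, as in the `lxcy_device - -` entry. The embedded sample lines are constructed from the shape of entries in the log above, and a flag is only a prompt to verify the file (its location, vendor and signature), not a verdict; `nwiz.exe` and `ulutil2.dll` are flagged here purely on the way they are referenced.

```python
"""Triage helper for HijackThis-style logs (added example, not a HijackThis feature)."""
import re
from dataclasses import dataclass

# Matches e.g.  O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Matches  O23 - Service: <name> - <vendor> - <path>; the optional space before the
# second dash tolerates an empty vendor printed as "name - - path" or "name -  - path".
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) ?- (?P<path>.*)$")

# Constructed sample in the format of the log above (not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ulutil2.dll,SetWriteBack
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class Entry:
    kind: str        # "O4" or "O23"
    name: str        # Run-value name or service name
    target: str      # O4: full command line; O23: service binary path
    vendor: str = "" # O23 only; empty when HijackThis printed "- -"
    raw: str = ""


def parse_hjt(text):
    """Return the O4 and O23 entries found in a HijackThis log; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            entries.append(Entry("O4", m["name"], m["cmd"], raw=line))
            continue
        m = O23_RE.match(line)
        if m:
            entries.append(Entry("O23", m["name"], m["path"], m["vendor"].strip(), line))
    return entries


def first_token(cmd):
    """Split off the first command-line token (honouring double quotes) from the rest."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end < 0:
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return (parts[0], parts[1] if len(parts) > 1 else "") if parts else ("", "")


def has_directory(path):
    return "\\" in path or "/" in path


def triage(entries):
    """Return [(entry name, [reasons])] for entries worth a closer look."""
    findings = []
    for e in entries:
        reasons = []
        if e.kind == "O4":
            exe, rest = first_token(e.target)
            base = exe.lower().rsplit("\\", 1)[-1]
            if base in ("rundll32.exe", "rundll32"):
                # The DLL is the first argument, possibly quoted, followed by ",EntryPoint".
                dll = first_token(rest)[0].split(",", 1)[0]
                if dll and not has_directory(dll):
                    reasons.append("rundll32 loads DLL by bare name: " + dll)
            elif exe and not has_directory(exe):
                reasons.append("executable given by bare name (resolved via search path): " + exe)
        elif e.kind == "O23" and not e.vendor:
            reasons.append("service binary has no vendor string: " + e.target)
        if reasons:
            findings.append((e.name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{name}]")
        for r in reasons:
            print("   ", r)
```

Run it against a saved log by reading the file into `parse_hjt` instead of `SAMPLE_LOG`; the service rule deliberately ignores the vendor string for anything that is not blank, because a vendor name is text the binary supplies about itself, so the flagged set stays small and the real check happens on the file.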

  15. #30
    Joined
    Dec 2000
    Posts
    5,051

    Re: Leave my ••••• alone!

    Hate to jump into the middle of this, but the reason it may be coming back is that the System File Cache (SFC) may be infected.

    It is protected from alteration by 3rd-party utilities and needs to be disabled in order to be cleaned.

    Here's a link on how to disable it:

    http://windowsitpro.com/article/arti...ws-xp-sp2.html
