
Joined: Apr 16, 2008 Posts: 3
(Msg. 1) Posted: Wed Apr 16, 2008 11:49 am
Post subject: Not in good standing!
Hey I logged on today about a half hour ago to find that my computer is infected with many trojan horses. Windows does not see that AVG is an installed Anti-Virus, my system restore-points are gone, and I cannot open the task manager. "Task manager has been disabled by your administrator."
I'm in desperate need of some assistance. Thanks. Here's the HijackThis log.
Quote:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:56:01 AM, on 4/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Qloud\iTunesQLoudPlugin.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4A3BF776-A90C-4A44-90F1-9EE8310497E6} - C:\WINDOWS\system32\cbXRIccd.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {F3AEF888-A3E2-44EB-BD85-F0C85BA7673F} - C:\WINDOWS\system32\efcATMfG.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [Y0yaAkf6EU] C:\Documents and Settings\All Users\Application Data\zwzklgnu\zqrcpsjc.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: efcATMfG - efcATMfG.dll (file missing)
O21 - SSODL: VolumeRunOnce - {3fac2b35-fbfd-4d00-93c7-011e7e770af7} - C:\WINDOWS\Resources\VolumeRunOnce.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://www.dmp-trucks.net/spicons/folder.gif
--
End of file - 6382 bytes
I hope that's what you need; if not, guide me to showing you what you need.
UPDATE: after doing a little research I have unlocked the task manager.
Joined: Feb 03, 2003 Posts: 4824
Location: Brooklyn, NY
(Msg. 2) Posted: Wed Apr 16, 2008 6:28 pm
Post subject:
Welcome to Lockergnome.
Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you have checked the last one:
O2 - BHO: (no name) - {4A3BF776-A90C-4A44-90F1-9EE8310497E6} - C:\WINDOWS\system32\cbXRIccd.dll (file missing)
O2 - BHO: (no name) - {F3AEF888-A3E2-44EB-BD85-F0C85BA7673F} - C:\WINDOWS\system32\efcATMfG.dll (file missing)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Policies\Explorer\Run: [Y0yaAkf6EU] C:\Documents and Settings\All Users\Application Data\zwzklgnu\zqrcpsjc.exe
O20 - Winlogon Notify: efcATMfG - efcATMfG.dll (file missing)
O21 - SSODL: VolumeRunOnce - {3fac2b35-fbfd-4d00-93c7-011e7e770af7} - C:\WINDOWS\Resources\VolumeRunOnce.dll (file missing)
Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):
C:\Documents and Settings\All Users\Application Data\zwzklgnu\
Go to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
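Added example, not part of the thread or of HijackThis itself: a small Python script that applies the rules the helper used to pick the entries above (a BHO, Winlogon Notify or SSODL entry marked "(file missing)", an unnamed BHO, a Policies\Explorer\Run autostart, and an executable under an Application Data folder) to a HijackThis log, so the same triage can be repeated on another log. The sample log is constructed from lines in this thread; the rule wording and the Finding class are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis v2 log format. The entries are copied from
# the log posted above so the rules can be checked against known-good and
# known-bad lines; it is embedded here so the script runs offline.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4A3BF776-A90C-4A44-90F1-9EE8310497E6} - C:\WINDOWS\system32\cbXRIccd.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Policies\Explorer\Run: [Y0yaAkf6EU] C:\Documents and Settings\All Users\Application Data\zwzklgnu\zqrcpsjc.exe
O20 - Winlogon Notify: efcATMfG - efcATMfG.dll (file missing)
O21 - SSODL: VolumeRunOnce - {3fac2b35-fbfd-4d00-93c7-011e7e770af7} - C:\WINDOWS\Resources\VolumeRunOnce.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Every HijackThis entry starts with a section tag (R0, O2, O4, O20 ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# Executables or DLLs living under a per-user or All Users "Application Data" folder.
APPDATA_BINARY_RE = re.compile(r"\\Application Data\\.*\.(exe|dll)$", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    entry: str
    reasons: list = field(default_factory=list)


def _file_path(body: str) -> str:
    """HijackThis separates fields with ' - '; the on-disk path is the last field."""
    return body.split(" - ")[-1].replace("(file missing)", "").strip()


def triage(log_text: str) -> list:
    """Return the entries that match the thread's removal rules, with the reason for each."""
    findings = []
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if not match:
            continue  # header, process list or blank line
        section, body = match.group("section"), match.group("body")
        reasons = []
        # Rule 1: a BHO, Winlogon Notify or SSODL entry whose DLL is gone is an
        # orphaned load point (a half-cleaned or hidden component).
        if "(file missing)" in body and section in {"O2", "O20", "O21"}:
            reasons.append("load point references a DLL that is no longer on disk")
        # Rule 2: legitimate BHOs register a display name; "(no name)" is a red flag.
        if section == "O2" and "(no name)" in body:
            reasons.append("BHO registered without a name")
        # Rule 3: Policies\Explorer\Run is an autostart that normal installers do not use.
        if section == "O4" and "Policies\\Explorer\\Run" in body:
            reasons.append("autostart via Policies\\Explorer\\Run")
        # Rule 4: binaries launched from Application Data (here a random-named
        # folder and exe) are typical of dropped malware rather than installed software.
        if APPDATA_BINARY_RE.search(_file_path(body)):
            reasons.append("executable launched from an Application Data folder")
        if reasons:
            findings.append(Finding(section, raw.strip(), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.section, "|", f.entry)
        for r in f.reasons:
            print("    ->", r)
```

Run against the sample, the script reports exactly the O2, O4, O20 and O21 lines the helper asked to fix and leaves the Adobe, AVG and Bonjour entries alone; the rules are a starting point for review, not a verdict on their own.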

Joined: Apr 16, 2008 Posts: 3
(Msg. 3) Posted: Wed Apr 16, 2008 9:07 pm
Post subject:
Quote:
ComboFix 08-04-16.2 - Family 2008-04-16 21:06:48.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1573 [GMT -4:00]
Running from: C:\Documents and Settings\Family\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Family\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\dccIRXbc.ini
C:\WINDOWS\system32\dccIRXbc.ini2
C:\WINDOWS\system32\mcrh.tmp
.
((((((((((((((((((((((((( Files Created from 2008-03-17 to 2008-04-17 )))))))))))))))))))))))))))))))
.
2008-04-16 14:35 . 2008-04-16 14:55 5,604,940 --a------ C:\TEMP\avg75free_519a1276.exe
2008-04-16 11:50 . 2008-04-16 11:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-16 11:50 . 2008-04-16 11:50 812,344 --a------ C:\TEMP\HJTInstall.exe
2008-04-15 16:31 . 2008-04-16 12:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\zwzklgnu
2008-04-15 16:27 . 2008-04-15 16:37 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Ringtone
2008-04-15 13:31 . 2008-04-15 13:31 <DIR> d-------- C:\Program Files\Qloud
2008-04-15 13:31 . 2008-04-15 13:31 1,624,075 --a------ C:\TEMP\iTunesQloudSetup.exe
2008-04-14 15:18 . 2008-04-16 13:30 <DIR> d-------- C:\Fraps
2008-04-14 15:18 . 2008-04-14 18:57 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-07 14:53 . 2008-04-15 13:31 <DIR> d-------- C:\Program Files\iTunes
2008-04-07 14:53 . 2008-04-07 14:53 <DIR> d-------- C:\Program Files\iPod
2008-04-07 14:53 . 2008-04-16 21:09 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-07 14:53 . 2008-04-07 14:53 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-07 14:51 . 2008-04-07 14:52 <DIR> d-------- C:\Program Files\QuickTime
2008-04-02 19:26 . 2008-04-02 19:26 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-04-01 21:41 . 2008-04-01 21:41 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-01 19:06 . 2008-04-01 19:06 <DIR> d-------- C:\Program Files\Microsoft Games
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-25 19:28 . 2008-03-25 19:28 <DIR> d-------- C:\Program Files\Publishit
2008-03-19 15:56 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-19 15:55 . 2008-03-19 15:55 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-17 16:48 . 2008-03-17 16:56 <DIR> d-------- C:\Program Files\Norton Security Scan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-17 01:04 --------- d-----w C:\Documents and Settings\Family\Application Data\Xfire
2008-04-16 20:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-16 17:11 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-04-16 17:07 --------- d-----w C:\Documents and Settings\Family\Application Data\LimeWire
2008-04-16 04:30 --------- d-----w C:\Program Files\Steam
2008-04-15 20:31 --------- d-----w C:\Documents and Settings\Family\Application Data\AVG7
2008-04-15 18:17 --------- d-----w C:\Program Files\Azureus
2008-04-15 18:17 --------- d-----w C:\Documents and Settings\Family\Application Data\Azureus
2008-04-14 16:12 --------- d-----w C:\Documents and Settings\Family\Application Data\teamspeak2
2008-04-11 00:18 --------- d-----w C:\Program Files\Xfire
2008-04-02 01:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-26 21:10 --------- d-----w C:\Documents and Settings\Family\Application Data\U3
2008-03-22 22:08 --------- d-----w C:\Program Files\ARCA Remax
2008-03-19 19:56 --------- d-----w C:\Program Files\Java
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-10 00:30 --------- d-----w C:\Program Files\LimeWire
2008-03-07 03:00 --------- d-----w C:\Program Files\AnMing
2008-03-07 00:13 --------- d-----w C:\Program Files\OBEX Commander
2008-03-06 00:13 17,144 ----a-w C:\Documents and Settings\Family\Application Data\GDIPFONTCACHEV1.DAT
2008-03-05 20:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bluetooth
2008-03-04 02:16 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-03-04 02:15 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-03-02 00:42 --------- d-----w C:\Program Files\rFactor
2008-03-01 01:02 --------- d-----w C:\Program Files\Common Files\Motorola Shared
2008-02-28 01:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2008-02-22 20:09 --------- d-----w C:\Program Files\Infogrames
2008-02-22 20:00 --------- d-----w C:\Documents and Settings\Family\Application Data\Hamachi
2008-02-21 03:31 --------- d-----w C:\Program Files\DVD Shrink
2008-02-21 03:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-02-21 03:30 --------- d-----w C:\Program Files\RipIt4Me
2008-02-21 03:30 --------- d-----w C:\Program Files\DVD Decrypter
2008-02-21 03:30 --------- d-----w C:\Documents and Settings\Family\Application Data\RipIt4Me
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-19 04:04 --------- d-----w C:\Program Files\Handbrake
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-01-29 16:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
2008-01-27 02:10 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-01-26 21:21 22,328 ----a-w C:\Documents and Settings\Family\Application Data\PnkBstrK.sys
2008-01-26 20:15 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-01-26 20:15 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-01-26 19:50 315,392 ----a-w C:\WINDOWS\HideWin.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 12:15 50528]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 03:03 16125440 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 06:04 2879488 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 06:22 579584]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 01:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-26 16:52 219136]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2008-04-02 19:25:58 2987856]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-01-03 12:15 50528 C:\Program Files\AIM6\aim6.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-01-17 12:51 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\Steam\\steamapps\\pulse24\\team fortress 2\\hl2.exe"=
"C:\\Program Files\\Steam\\steamapps\\pulse24\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Hamachi\\hamachi.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Ubisoft\\Eagle Dynamics\\Lock On\\LockOn.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Steam\\steamapps\\pulse24\\source sdk base\\hl2.exe"=
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\ARCA Remax\\ARCA.exe"=
"C:\\Program Files\\Microsoft Games\\Microsoft Flight Simulator X\\fsx.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0d470745-f795-11dc-9d11-00508db0bb9f}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
"2008-04-14 12:30:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-16 22:00:00 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-16 21:09:20
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-04-16 21:12:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-17 01:12:21
Pre-Run: 252,189,556,736 bytes free
Post-Run: 252,260,483,072 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
.
2008-04-09 18:52:46 --- E O F ---
Windows already recognizes AVG again... thanks for your time greyknight. Appreciate it!

Joined: Feb 03, 2003 Posts: 4824
Location: Brooklyn, NY
(Msg. 4) Posted: Sat Apr 19, 2008 3:29 pm
Post subject:
Download OTMoveIt2 at http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
* Save it to your desktop.
* Double-click OTMoveIt2.exe to run it. (Vista users, right click on OTMoveIt2.exe and select Run as an Administrator).
* Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code:
C:\Documents and Settings\All Users\Application Data\zwzklgnu
* Return to OTMoveIt2. Right click in the Paste List of Files/Folders to Move window (under the Yellow bar) and choose Paste.
* Click the red Moveit! button.
* A log of files and folders moved will be created in the C:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
* Close OTMoveIt2.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Your log is clean.
To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.
Are there any problems now? If none, go to Start->Run and type in Combofix /u and hit OK to remove Combofix. You should be set to go.

Joined: Apr 16, 2008 Posts: 3
(Msg. 5) Posted: Sat Apr 19, 2008 4:36 pm
Post subject:
Quote:
File/Folder C:\Documents and Settings\All Users\Application Data\zwzklgnu not found.
OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04192008_164204
I was able to find and delete that folder after running ComboFix.
There are no problems now, and I'm very grateful for your time and knowledge!!

Joined: Feb 03, 2003 Posts: 4824
Location: Brooklyn, NY
(Msg. 6) Posted: Sun Apr 20, 2008 11:06 am
Post subject:
No problem. Glad to help out.
Topic is now locked since issue is resolved.