Trojan horse backdoor generic 10.ARRA

Posted 2/12/2009 4:52 PM
#72410
bubblefizz Valued member

Date Joined Nov 2016
Total Posts: 12
Hi,
Could someone please help with this virus? :rolleyes:

2 days ago I had my PC fixed because of a virus; silly me went on LimeWire and ended up with another virus.

I have AVG Antivirus, Spybot-S&D and Ad-Aware.

On AVG I keep getting the same virus, and it seems to be in C:\Windows\System32\bitsprx.dll.

The virus is Trojan horse backdoor generic 10.ARRA.

I heal or move to vault, but it keeps coming back :freaked:

(It's done it 4 times now while I'm on here.)

Please can someone help?

Angie
Posted 2/13/2009 10:00 AM
#72429
Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Hello Angie :smile:

Download this program: https://www.ctrlaltdel.dk/Fix_download.exe

and save it on the desktop. Then double-click on it (Fix_download.exe).

You may have to allow the program to download files from the web!

The program downloads the necessary cleaning programs. Once the program
is downloaded, there will be a folder on your desktop named
Fix. If the instructions do not open automatically,
double-click "FIX_manual.htm" in the Fix folder.

Please follow the instructions and copy the logs here, in this topic.

Note: Fix_download.exe is detected by some antivirus programs as a "RiskTool"/infection; it is not a virus. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

If necessary, temporarily disable your anti-virus real-time protection before downloading.

NB. If you are using any P2P (file sharing) programs, please remove them before we clean your computer. We do not clean logs that have P2P applications installed, as this can cause reinfection during your cleaning.

Click here: Before-posting-a-log

Do not PM me with logfiles. They will be deleted.


Posted 2/13/2009 10:12 AM
#72431
bubblefizz Valued member

Date Joined Nov 2016
Total Posts: 12
Hiya,
It won't let me download. I get: "cannot copy fix_download access denied" :(
Posted 2/13/2009 10:17 AM
#72434
Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Ok ->

Download: CCleaner
https://www.majorgeeks.com/download4191.html
https://www.ccleaner.com/

Once installed, run CCleaner and click the Windows tab.

Select the following:
Internet Explorer:
Temp Internet
History
Recently Typed URLs
Delete Index.dat files

System:
Empty Recycle Bin
Temporary Files
Memory Dumps
Chkdsk File Fragments
Old Prefetch Data

Next: click Options, then the Settings tab.
Uncheck "Only delete files older than 48 hrs.", then click OK.

Then click Run Cleaner (bottom right), then Exit.

Reboot



Please download Malwarebytes' Anti-Malware:

https://www.spywarefri.dk/downloads1/mbam-setup.exe

Or here:

https://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;pop&cdlPid=10878968

to your desktop.



Double-click mbam-setup.exe and follow the prompts to install the program.

At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Please connect all your external hard drives/flash drives before running Malwarebytes.

Once the program has loaded, select Perform full scan, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click Remove Selected.

When completed, a log will open in Notepad. Please save it to a convenient location.

NB: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



Click here:
https://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

to download HJTinstall.exe.

Save HJTinstall.exe to your desktop.
Double-click on the HJTinstall.exe icon on your desktop.

By default it will install to C:\Program Files\Trend Micro\HijackThis.

Click I accept

Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.

Click Save to save the log file and then the log will open in notepad.

Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.

Come back here to this thread and Paste the log in your next reply.



DO NOT have HijackThis fix anything yet.

Most of what it finds will be harmless or even required.

Post the HijackThis log along with the Malwarebytes' Anti-Malware log.

Click here: Before-posting-a-log

Do not PM me with logfiles. They will be deleted.


Posted 2/13/2009 10:50 AM
#72436
bubblefizz Valued member

Date Joined Nov 2016
Total Posts: 12
OK, here is my log..

Malwarebytes' Anti-Malware 1.34
Database version: 1757
Windows 5.1.2600 Service Pack 3

13/02/2009 10:44:43
mbam-log-2009-02-13 (10-44-43).txt

Scan type: Full Scan (C:\|)
Objects scanned: 79328
Time elapsed: 16 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5eda39df-0517-43aa-9229-c7a5c106531a} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{5eda39df-0517-43aa-9229-c7a5c106531a} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Mirar (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\FBrowserAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\bitsprx.dll (Trojan.BHO.H) -> Delete on reboot.
C:\System Volume Information\_restore{D5202972-2AD6-4366-AE2F-28FE3615F0B4}\RP23\A0004480.exe (Adware.SnappyAds) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5202972-2AD6-4366-AE2F-28FE3615F0B4}\RP27\A0004686.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\355.tmp (Worm.P2P) -> Quarantined and deleted successfully.
Posted 2/13/2009 11:00 AM
#72437
bubblefizz Valued member

Date Joined Nov 2016
Total Posts: 12
Sorry, this is the other log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:28, on 13/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5EDA39DF-0517-43AA-9229-C7A5C106531A} - C:\WINDOWS\system32\bitsprx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [A00F873344.exe] C:\DOCUME~1\Finn\LOCALS~1\Temp\_A00F873344.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [EPSON Stylus Photo R285 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICKE.EXE /FU "C:\WINDOWS\TEMP\E_S18D.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234197154784
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - https://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1234197363643
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\dsdmoprp32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: c481d006530 - C:\WINDOWS\System32\dsdmoprp32.dll (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5453 bytes
Posted 2/13/2009 11:44 AM
#72438
Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
It looks like you have more infections, so I'll suggest you post a ComboFix log ->

Please download ComboFix:

https://download.bleepingcomputer.com/subs/combofix.exe

and save it to the desktop.

Close all other browser windows.

Please connect all your external hard drives/flash drives before running ComboFix, if you have any.

Double-click on the ComboFix icon found on your desktop.

Please note that once you start ComboFix you should not click anywhere on the ComboFix window, as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break, as it may take a while for it to complete.

When finished, it will produce a logfile located at C:\combofix.txt.

Post the contents of that log in your next reply.

Click here: Before-posting-a-log

Do not PM me with logfiles. They will be deleted.


Posted 2/13/2009 12:00 PM
#72439
bubblefizz Valued member

Date Joined Nov 2016
Total Posts: 12
ComboFix 09-02-12.03 - Finn 2009-02-13 11:53:30.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.572 [GMT -8:00]
Running from: c:\documents and settings\Finn\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Finn\Application Data\02000000d902af09530C.manifest
c:\documents and settings\Finn\Application Data\02000000d902af09530O.manifest
c:\documents and settings\Finn\Application Data\02000000d902af09530P.manifest
c:\documents and settings\Finn\Application Data\02000000d902af09530S.manifest
c:\windows\GnuHashes.ini
c:\windows\system32\GroupPolicy000.dat
C:\xcrashdump.dat

.
((((((((((((((((((((((((( Files Created from 2009-01-13 to 2009-02-13 )))))))))))))))))))))))))))))))
.

2009-02-13 10:56 . 2009-02-13 10:56 d-------- c:\program files\Trend Micro
2009-02-13 10:24 . 2009-02-13 10:26 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-13 10:24 . 2009-02-13 10:24 d-------- c:\documents and settings\Finn\Application Data\Malwarebytes
2009-02-13 10:24 . 2009-02-13 10:24 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-13 10:24 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-13 10:24 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-13 10:20 . 2009-02-13 10:20 d-------- c:\program files\CCleaner
2009-02-12 20:15 . 2009-02-12 20:15 d-------- c:\program files\Common Files\Wise Installation Wizard
2009-02-12 20:12 . 2009-02-12 20:21 d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-12 20:06 . 2009-02-12 20:06 d-------- c:\program files\Uniblue
2009-02-12 20:06 . 2009-02-12 20:06 d-------- c:\documents and settings\Finn\Application Data\Uniblue
2009-02-12 20:06 . 2009-02-12 20:07 d-------- c:\documents and settings\All Users\Application Data\DriverScanner
2009-02-12 20:05 . 2009-02-12 20:06 d--h-c--- c:\documents and settings\All Users\Application Data\{D5ABFFAD-D592-4F98-B02B-587125B4801F}
2009-02-12 15:50 . 2009-02-12 15:50 d--hs---- c:\documents and settings\Finn\IECompatCache
2009-02-12 15:49 . 2009-02-12 15:49 d--hs---- c:\documents and settings\Finn\PrivacIE
2009-02-12 15:48 . 2009-02-12 15:48 d--hs---- c:\documents and settings\Finn\IETldCache
2009-02-12 15:46 . 2009-02-12 15:46 d-------- c:\windows\ie8updates
2009-02-12 15:44 . 2009-02-12 15:45 d--h-c--- c:\windows\ie8
2009-02-12 15:43 . 2009-01-10 21:00 79,360 -----c--- c:\windows\system32\dllcache\iecompat.dll
2009-02-12 12:15 . 2009-02-12 12:15 d-------- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-02-11 02:31 . 2009-02-11 02:31 d-------- c:\documents and settings\Finn\Application Data\InstallShield
2009-02-11 02:31 . 2009-02-11 02:31 d-------- c:\documents and settings\All Users\Application Data\EPSON
2009-02-11 02:24 . 2009-02-11 02:31 d-------- c:\program files\EPSON
2009-02-11 02:24 . 2009-02-11 02:24 25 --a------ c:\windows\CDER285EXPORT.ini
2009-02-11 02:21 . 2008-04-14 00:17 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2009-02-11 02:21 . 2008-04-14 00:17 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2009-02-11 01:00 . 2009-02-11 01:00 d-------- c:\documents and settings\All Users\Application Data\IM
2009-02-11 00:58 . 2009-02-11 00:59 d-------- c:\program files\IncrediMail
2009-02-11 00:58 . 2009-02-11 00:58 d-------- c:\documents and settings\All Users\Application Data\IncrediMail
2009-02-10 15:29 . 2009-02-10 15:29 d-------- c:\program files\Spybot - Search & Destroy
2009-02-10 15:29 . 2009-02-13 10:23 d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-10 13:59 . 2009-02-10 13:59 0 --a------ c:\windows\nsreg.dat
2009-02-10 11:54 . 2009-02-10 11:54 d-------- c:\program files\Jasc Software Inc
2009-02-10 11:54 . 2009-02-10 11:54 d-------- c:\program files\Common Files\Jasc Software Inc
2009-02-10 11:54 . 2009-02-10 11:54 d-------- c:\documents and settings\Finn\Application Data\Jasc Software Inc
2009-02-10 11:37 . 2009-02-10 11:38 d-------- c:\program files\AceExpert3
2009-02-10 08:46 . 2009-02-10 08:31 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-02-10 08:31 . 2009-02-10 08:31 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-10 08:30 . 2009-02-10 08:30 d-------- c:\program files\Lavasoft
2009-02-10 08:30 . 2009-02-10 08:30 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-10 08:30 . 2009-02-10 08:30 d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-10 08:20 . 2009-02-13 11:30 d--h----- C:\$AVG8.VAULT$
2009-02-10 08:15 . 2009-02-13 09:31 d-------- c:\windows\system32\drivers\Avg
2009-02-10 08:15 . 2009-02-10 08:15 d-------- c:\program files\AVG
2009-02-10 08:15 . 2009-02-13 10:47 d-------- c:\documents and settings\All Users\Application Data\avg8
2009-02-10 08:15 . 2009-02-10 08:15 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-02-10 08:15 . 2009-02-10 08:15 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-02-10 08:15 . 2009-02-10 08:15 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-02-10 06:34 . 2008-04-14 05:41 96,256 --a------ c:\windows\system32\bitsprx.dll
2009-02-10 06:31 . 2009-02-10 06:31 d--hs---- c:\windows\system32\LocalService32
2009-02-10 06:16 . 2009-02-10 06:16 d-------- c:\windows\Sun
2009-02-10 06:15 . 2009-02-10 06:15 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-10 05:42 . 2009-02-10 05:42 d-------- c:\documents and settings\All Users\Application Data\InstallShield
2009-02-10 05:31 . 2009-02-11 01:50 d-------- C:\Beads by Angie WEBSITE
2009-02-10 05:03 . 2009-02-10 05:03 d-------- c:\documents and settings\Finn\Application Data\GlobalSCAPE
2009-02-10 05:02 . 2009-02-10 05:02 d-------- c:\program files\GlobalSCAPE
2009-02-09 16:20 . 2009-02-09 16:20 d-------- c:\windows\ServicePackFiles
2009-02-09 16:20 . 2008-04-14 05:42 294,912 -----c--- c:\windows\system32\dllcache\dlimport.exe
2009-02-09 16:17 . 2008-10-13 13:55 26,144 --a------ c:\windows\system32\spupdsvc.exe
2009-02-09 16:17 . 2006-12-29 00:31 19,569 --a------ c:\windows\002584_.tmp
2009-02-09 16:16 . 2009-02-09 16:16 d-------- c:\windows\EHome
2009-02-09 16:13 . 2009-02-09 16:13 d-------- c:\program files\NETGEAR
2009-02-09 16:13 . 2004-04-18 16:43 651,264 --a------ c:\windows\system32\libeay32.dll
2009-02-09 16:13 . 2008-04-18 11:27 155,624 --a------ c:\windows\system32\drivers\ar5523.bin
2009-02-09 16:13 . 2004-04-18 16:43 147,456 --a------ c:\windows\system32\ssleay32.dll
2009-02-09 16:13 . 2003-07-24 12:10 94,208 --a------ c:\windows\system32\DNIN50.dll
2009-02-09 16:13 . 2009-02-09 16:13 21,275 --a------ c:\windows\system32\drivers\AegisP.sys
2009-02-09 16:13 . 2003-07-24 12:10 17,149 --a------ c:\windows\system32\DNINDIS5.sys
2009-02-09 16:06 . 2009-02-10 08:31 d----c--- c:\windows\system32\DRVSTORE
2009-02-09 16:06 . 2009-02-09 16:06 d-------- c:\program files\AMD
2009-02-09 16:06 . 2006-06-18 23:37 36,864 --a------ c:\windows\system32\drivers\AmdK8.sys
2009-02-09 16:05 . 2009-02-10 05:02 d-------- c:\windows\Downloaded Installations
2009-02-09 16:04 . 2009-02-09 16:05 d-------- c:\program files\Broadcom
2009-02-09 16:04 . 2006-05-17 11:03 44,544 -ra------ c:\windows\system32\drivers\bcm4sbxp.sys
2009-02-09 16:02 . 2009-02-09 16:02 d-------- c:\program files\SigmaTel
2009-02-09 16:02 . 2009-02-10 05:03 d--h----- c:\program files\InstallShield Installation Information
2009-02-09 16:02 . 2006-07-27 14:24 1,171,464 --a------ c:\windows\system32\drivers\sthda.sys
2009-02-09 16:02 . 2006-07-27 14:20 225,280 --a------ c:\windows\system32\stacapi.dll
2009-02-09 16:02 . 2006-07-27 14:21 117,248 --a------ c:\windows\system32\staco.dll
2009-02-09 16:00 . 2009-02-10 06:09 d-------- c:\program files\Common Files\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-09 23:45 --------- d-----w c:\program files\microsoft frontpage
2009-02-09 17:27 --------- d-----w c:\program files\Reference Assemblies
2009-02-09 17:27 --------- d-----w c:\program files\MSBuild
2009-02-09 17:23 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-09 17:17 --------- d-----w c:\program files\Windows Media Connect 2
2009-01-15 10:05 911,872 ----a-w c:\windows\system32\wininet.dll
2009-01-15 10:05 43,008 ----a-w c:\windows\system32\licmgr10.dll
2009-01-15 10:04 18,944 ----a-w c:\windows\system32\corpol.dll
2009-01-15 10:03 72,704 ----a-w c:\windows\system32\admparse.dll
2009-01-15 10:03 71,680 ----a-w c:\windows\system32\iesetup.dll
2009-01-15 10:03 420,352 ----a-w c:\windows\system32\vbscript.dll
2009-01-15 10:01 34,304 ----a-w c:\windows\system32\imgutil.dll
2009-01-15 10:00 48,128 ----a-w c:\windows\system32\mshtmler.dll
2009-01-15 10:00 45,568 ----a-w c:\windows\system32\mshta.exe
2009-01-15 09:50 156,160 ----a-w c:\windows\system32\msls31.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5EDA39DF-0517-43AA-9229-C7A5C106531A}]
2008-04-14 05:41 96256 --a------ c:\windows\system32\bitsprx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2009-02-02 251264]
"EPSON Stylus Photo R285 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICKE.EXE" [2007-04-12 182272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-23 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-10 1601304]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-10 509784]
"nwiz"="nwiz.exe" [2006-08-23 c:\windows\system32\nwiz.exe]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-10 08:15 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\dsdmoprp32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-10 64160]
R0 pjgiqcla;pjgiqcla;c:\windows\system32\drivers\pjgiqcla.sys [2004-08-04 23424]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-10 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-02-10 107272]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-10 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-10 298264]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2009-02-09 17149]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\DRIVERS\WPN111.sys --> c:\windows\system32\DRIVERS\WPN111.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-02-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-10 08:31]
.
- - - - ORPHANS REMOVED - - - -

Notify-c481d006530 - c:\windows\System32\dsdmoprp32.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2009-02-13 11:55:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-13 11:56:53
ComboFix-quarantined-files.txt 2009-02-13 19:56:50

Pre-Run: 73,534,988,288 bytes free
Post-Run: 73,541,136,384 bytes free

192 --- E O F --- 2009-02-13 03:10:56
Posted 2/14/2009 5:53 AM
#72458
Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Open Notepad and copy/paste the text in the quotebox below into it:

Quote:

Killall::

Snapshot::

File::
c:\windows\system32\bitsprx.dll
c:\windows\System32\dsdmoprp32.dll
c:\windows\system32\drivers\pjgiqcla.sys

Filelook::
c:\windows\CDER285EXPORT.ini

Driver::
Pjgiqcla

Hosts::

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5EDA39DF-0517-43AA-9229-C7A5C106531A}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

Save this as:
CFScript

https://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.
Then post a fresh ComboFix log.

Click here: Before-posting-a-log
Do not PM me with logfiles. They will be deleted.
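The triage above illustrates the security-relevant point of this thread: AVG could "heal" bitsprx.dll all day, but the DLL was registered as a Browser Helper Object (loaded into every running iexplore.exe) and a second DLL sat in AppInit_DLLs, so the loading points had to go before the files would stay gone (which is also why Malwarebytes could only schedule them as "Delete on reboot"). The script below is an added example written for this page by the editor; it is not code from the thread, from HijackThis, Malwarebytes or ComboFix. It parses HijackThis-style O2/O4/O20 lines, flags the entries a helper would look at first (a BHO with no registered description, an autorun in a Temp folder, any AppInit_DLLs value, a random-looking Winlogon Notify package name), and renders File:: and Registry:: sections in the same layout as the CFScript posted above. The heuristics, the `looks_random` threshold and the `Finding` structure are the editor's own assumptions; the sample lines are copied from the HijackThis log posted earlier in the thread, and the output is a starting point for a human to review, not something to run blind.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: entries lifted from the HijackThis log posted in this thread (trimmed).
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5EDA39DF-0517-43AA-9229-C7A5C106531A} - C:\WINDOWS\system32\bitsprx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [A00F873344.exe] C:\DOCUME~1\Finn\LOCALS~1\Temp\_A00F873344.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\dsdmoprp32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: c481d006530 - C:\WINDOWS\System32\dsdmoprp32.dll (file missing)
"""

RE_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
RE_RUN = re.compile(r"^O4 - (?P<hive>[^\s:]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
RE_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (?P<path>.*)$")
RE_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
MISSING = "(file missing)"
VOWELS = set("aeiou")


@dataclass
class Finding:                 # editor's own structure, not a HijackThis concept
    kind: str                  # BHO, Run, AppInit_DLLs or WinlogonNotify
    name: str
    path: str
    missing: bool              # HijackThis reported the file as absent
    clsid: str = ""
    reasons: list = field(default_factory=list)


def split_path(raw: str):
    """Separate the path from HijackThis' '(file missing)' suffix."""
    raw = raw.strip()
    if raw.endswith(MISSING):
        return raw[: -len(MISSING)].strip(), True
    return raw, False


def looks_random(name: str) -> bool:
    """Crude check for machine-generated names such as c481d006530 (assumed threshold)."""
    stem = name.rsplit(".", 1)[0].strip("_")
    if len(stem) < 8:
        return False
    digits = sum(ch.isdigit() for ch in stem)
    return digits / len(stem) >= 0.3 or not (set(stem.lower()) & VOWELS)


def triage(log_text: str) -> list:
    """Return only the loading points that trip at least one heuristic."""
    findings = []
    for line in (ln.strip() for ln in log_text.splitlines()):
        if m := RE_BHO.match(line):
            path, missing = split_path(m["path"])
            f = Finding("BHO", m["name"], path, missing, clsid=m["clsid"])
            if m["name"] == "(no name)":
                f.reasons.append("BHO registered without a description")
        elif m := RE_RUN.match(line):
            path, missing = split_path(m["cmd"])
            f = Finding("Run", m["name"], path, missing)
            if "\\temp\\" in path.lower():
                f.reasons.append("autorun launched from a Temp directory")
            if looks_random(m["name"]):
                f.reasons.append("random-looking Run value name")
        elif m := RE_APPINIT.match(line):
            path, missing = split_path(m["path"])
            f = Finding("AppInit_DLLs", "AppInit_DLLs", path, missing)
            f.reasons.append("AppInit_DLLs loads this DLL into every process that uses user32")
        elif m := RE_NOTIFY.match(line):
            path, missing = split_path(m["path"])
            f = Finding("WinlogonNotify", m["name"], path, missing)
            if looks_random(m["name"]):
                f.reasons.append("random-looking Winlogon Notify package name")
        else:
            continue
        if f.reasons:
            findings.append(f)
    return findings


def to_cfscript(findings: list) -> str:
    """Render File:: and Registry:: sections in the layout used in this thread."""
    files = sorted({f.path for f in findings if not f.missing})   # skip orphans: nothing to delete
    lines = ["File::", *files, "", "Registry::"]
    for f in findings:
        if f.kind == "BHO":
            lines.append(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{{{f.clsid}}}]")
    if any(f.kind == "AppInit_DLLs" for f in findings):
        lines += ["[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\windows]",
                  '"AppInit_DLLs"=-']
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:<14} {f.name:<18} {f.path}  <- {'; '.join(f.reasons)}")
    print()
    print(to_cfscript(found))
```

Run as-is it prints four findings (the nameless BHO, the Temp autorun, the AppInit_DLLs entry and the random Notify package) and leaves the AVG, Spybot and orphaned Java entries alone; the Driver:: section in the posted script came from ComboFix's R0 service list, which HijackThis does not show, so it is deliberately not generated here.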


Posted 2/14/2009 9:21 AM
#72471
bubblefizz Valued member

Date Joined Nov 2016
Total Posts: 12
ComboFix 09-02-12.03 - Finn 2009-02-14 9:10:34.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.569 [GMT -8:00]
Running from: c:\documents and settings\Finn\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Finn\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\bitsprx.dll
c:\windows\system32\drivers\pjgiqcla.sys
c:\windows\System32\dsdmoprp32.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bitsprx.dll
c:\windows\system32\drivers\pjgiqcla.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PJGIQCLA
-------\Service_pjgiqcla


((((((((((((((((((((((((( Files Created from 2009-01-14 to 2009-02-14 )))))))))))))))))))))))))))))))
.

2009-02-13 10:56 . 2009-02-13 10:56 d-------- c:\program files\Trend Micro
2009-02-13 10:24 . 2009-02-13 10:26 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-13 10:24 . 2009-02-13 10:24 d-------- c:\documents and settings\Finn\Application Data\Malwarebytes
2009-02-13 10:24 . 2009-02-13 10:24 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-13 10:24 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-13 10:24 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-13 10:20 . 2009-02-13 10:20 d-------- c:\program files\CCleaner
2009-02-12 20:15 . 2009-02-12 20:15 d-------- c:\program files\Common Files\Wise Installation Wizard
2009-02-12 20:12 . 2009-02-12 20:21 d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-12 20:06 . 2009-02-12 20:06 d-------- c:\program files\Uniblue
2009-02-12 20:06 . 2009-02-12 20:06 d-------- c:\documents and settings\Finn\Application Data\Uniblue
2009-02-12 20:06 . 2009-02-12 20:07 d-------- c:\documents and settings\All Users\Application Data\DriverScanner
2009-02-12 20:05 . 2009-02-12 20:06 d--h-c--- c:\documents and settings\All Users\Application Data\{D5ABFFAD-D592-4F98-B02B-587125B4801F}
2009-02-12 15:50 . 2009-02-12 15:50 d--hs---- c:\documents and settings\Finn\IECompatCache
2009-02-12 15:49 . 2009-02-12 15:49 d--hs---- c:\documents and settings\Finn\PrivacIE
2009-02-12 15:48 . 2009-02-12 15:48 d--hs---- c:\documents and settings\Finn\IETldCache
2009-02-12 15:46 . 2009-02-12 15:46 d-------- c:\windows\ie8updates
2009-02-12 15:44 . 2009-02-12 15:45 d--h-c--- c:\windows\ie8
2009-02-12 15:43 . 2009-01-10 21:00 79,360 -----c--- c:\windows\system32\dllcache\iecompat.dll
2009-02-12 12:15 . 2009-02-12 12:15 d-------- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-02-11 02:31 . 2009-02-11 02:31 d-------- c:\documents and settings\Finn\Application Data\InstallShield
2009-02-11 02:31 . 2009-02-11 02:31 d-------- c:\documents and settings\All Users\Application Data\EPSON
2009-02-11 02:24 . 2009-02-11 02:31 d-------- c:\program files\EPSON
2009-02-11 02:24 . 2009-02-11 02:24 25 --a------ c:\windows\CDER285EXPORT.ini
2009-02-11 02:21 . 2008-04-14 00:17 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2009-02-11 02:21 . 2008-04-14 00:17 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2009-02-11 01:00 . 2009-02-11 01:00 d-------- c:\documents and settings\All Users\Application Data\IM
2009-02-11 00:58 . 2009-02-11 00:59 d-------- c:\program files\IncrediMail
2009-02-11 00:58 . 2009-02-11 00:58 d-------- c:\documents and settings\All Users\Application Data\IncrediMail
2009-02-10 15:29 . 2009-02-10 15:29 d-------- c:\program files\Spybot - Search & Destroy
2009-02-10 15:29 . 2009-02-13 10:23 d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-10 13:59 . 2009-02-10 13:59 0 --a------ c:\windows\nsreg.dat
2009-02-10 11:54 . 2009-02-10 11:54 d-------- c:\program files\Jasc Software Inc
2009-02-10 11:54 . 2009-02-10 11:54 d-------- c:\program files\Common Files\Jasc Software Inc
2009-02-10 11:54 . 2009-02-10 11:54 d-------- c:\documents and settings\Finn\Application Data\Jasc Software Inc
2009-02-10 11:37 . 2009-02-10 11:38 d-------- c:\program files\AceExpert3
2009-02-10 08:46 . 2009-02-10 08:31 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-02-10 08:31 . 2009-02-10 08:31 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-10 08:30 . 2009-02-10 08:30 d-------- c:\program files\Lavasoft
2009-02-10 08:30 . 2009-02-10 08:30 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-10 08:30 . 2009-02-10 08:30 d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-10 08:20 . 2009-02-13 11:30 d--h----- C:\$AVG8.VAULT$
2009-02-10 08:15 . 2009-02-14 09:07 d-------- c:\windows\system32\drivers\Avg
2009-02-10 08:15 . 2009-02-10 08:15 d-------- c:\program files\AVG
2009-02-10 08:15 . 2009-02-13 10:47 d-------- c:\documents and settings\All Users\Application Data\avg8
2009-02-10 08:15 . 2009-02-10 08:15 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-02-10 08:15 . 2009-02-10 08:15 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-02-10 08:15 . 2009-02-10 08:15 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-02-10 06:31 . 2009-02-10 06:31 d--hs---- c:\windows\system32\LocalService32
2009-02-10 06:16 . 2009-02-10 06:16 d-------- c:\windows\Sun
2009-02-10 06:15 . 2009-02-10 06:15 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-10 05:42 . 2009-02-10 05:42 d-------- c:\documents and settings\All Users\Application Data\InstallShield
2009-02-10 05:31 . 2009-02-11 01:50 d-------- C:\Beads by Angie WEBSITE
2009-02-10 05:03 . 2009-02-10 05:03 d-------- c:\documents and settings\Finn\Application Data\GlobalSCAPE
2009-02-10 05:02 . 2009-02-10 05:02 d-------- c:\program files\GlobalSCAPE
2009-02-09 16:20 . 2009-02-09 16:20 d-------- c:\windows\ServicePackFiles
2009-02-09 16:20 . 2008-04-14 05:42 294,912 -----c--- c:\windows\system32\dllcache\dlimport.exe
2009-02-09 16:17 . 2008-10-13 13:55 26,144 --a------ c:\windows\system32\spupdsvc.exe
2009-02-09 16:17 . 2006-12-29 00:31 19,569 --a------ c:\windows\002584_.tmp
2009-02-09 16:16 . 2009-02-09 16:16 d-------- c:\windows\EHome
2009-02-09 16:13 . 2009-02-09 16:13 d-------- c:\program files\NETGEAR
2009-02-09 16:13 . 2004-04-18 16:43 651,264 --a------ c:\windows\system32\libeay32.dll
2009-02-09 16:13 . 2008-04-18 11:27 155,624 --a------ c:\windows\system32\drivers\ar5523.bin
2009-02-09 16:13 . 2004-04-18 16:43 147,456 --a------ c:\windows\system32\ssleay32.dll
2009-02-09 16:13 . 2003-07-24 12:10 94,208 --a------ c:\windows\system32\DNIN50.dll
2009-02-09 16:13 . 2009-02-09 16:13 21,275 --a------ c:\windows\system32\drivers\AegisP.sys
2009-02-09 16:13 . 2003-07-24 12:10 17,149 --a------ c:\windows\system32\DNINDIS5.sys
2009-02-09 16:06 . 2009-02-10 08:31 d----c--- c:\windows\system32\DRVSTORE
2009-02-09 16:06 . 2009-02-09 16:06 d-------- c:\program files\AMD
2009-02-09 16:06 . 2006-06-18 23:37 36,864 --a------ c:\windows\system32\drivers\AmdK8.sys
2009-02-09 16:05 . 2009-02-10 05:02 d-------- c:\windows\Downloaded Installations
2009-02-09 16:04 . 2009-02-09 16:05 d-------- c:\program files\Broadcom
2009-02-09 16:04 . 2006-05-17 11:03 44,544 -ra------ c:\windows\system32\drivers\bcm4sbxp.sys
2009-02-09 16:02 . 2009-02-09 16:02 d-------- c:\program files\SigmaTel
2009-02-09 16:02 . 2009-02-10 05:03 d--h----- c:\program files\InstallShield Installation Information
2009-02-09 16:02 . 2006-07-27 14:24 1,171,464 --a------ c:\windows\system32\drivers\sthda.sys
2009-02-09 16:02 . 2006-07-27 14:20 225,280 --a------ c:\windows\system32\stacapi.dll
2009-02-09 16:02 . 2006-07-27 14:21 117,248 --a------ c:\windows\system32\staco.dll
2009-02-09 16:00 . 2009-02-10 06:09 d-------- c:\program files\Common Files\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-09 23:45 --------- d-----w c:\program files\microsoft frontpage
2009-02-09 17:27 --------- d-----w c:\program files\Reference Assemblies
2009-02-09 17:27 --------- d-----w c:\program files\MSBuild
2009-02-09 17:23 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-09 17:17 --------- d-----w c:\program files\Windows Media Connect 2
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\CDER285EXPORT.ini -- Not a PE file.
MD5: bb6c38289f0a234e5d7dee5fa83453ba


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2009-02-02 251264]
"EPSON Stylus Photo R285 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICKE.EXE" [2007-04-12 182272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-23 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-10 1601304]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-10 509784]
"nwiz"="nwiz.exe" [2006-08-23 c:\windows\system32\nwiz.exe]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-10 08:15 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\c481d006530]
[BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-10 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-10 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-02-10 107272]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-10 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-10 298264]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2009-02-09 17149]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\DRIVERS\WPN111.sys --> c:\windows\system32\DRIVERS\WPN111.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PJGIQCLA

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-02-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-10 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2009-02-14 09:14:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\windows\system32\nvsvc32.exe
c:\program files\IncrediMail\bin\ImApp.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-02-14 9:16:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-14 17:16:28
ComboFix2.txt 2009-02-13 19:56:56

Pre-Run: 73,500,475,392 bytes free
Post-Run: 73,466,318,848 bytes free

200 --- E O F --- 2009-02-13 03:10:56
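As an added example that is not part of the original thread or of ComboFix itself: a small Python triage helper for the ComboFix log format shown above. It parses the "Files Created" entries (created . modified, size, attribute letters, path) and flags the ones written into the Windows system directories, or carrying hidden+system attributes there, during the scan window; it also repeats the check behind the "Look" section's "Not a PE file." verdict (MZ stub plus the PE\0\0 signature at e_lfanew) together with an MD5 of the bytes. The sample log lines are copied from this thread's log; the two byte strings, the SCAN_WINDOW dates and the flagging heuristics are this example's own assumptions, not ComboFix's logic.

```python
"""
Added example, not part of the original thread or of ComboFix itself: a
triage helper for the ComboFix log format shown above.  It

  * parses "Files Created" entries (created . modified  [size]  attrs  path)
    and flags those written into the Windows system directories, or marked
    hidden+system there, inside the scan window;
  * repeats the "Look" check ("Not a PE file." plus MD5): MZ stub and the
    PE\\0\\0 signature at the e_lfanew offset, then a hash of the bytes.

Flagging heuristics are the example's own.  SAMPLE_LOG lines are copied from
the thread; MINI_PE and SAMPLE_INI are constructed stand-ins.
"""
import hashlib
import re
import struct
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# "Files Created" lines copied from the ComboFix output in this thread.
SAMPLE_LOG = """\
2009-02-13 10:24 . 2009-02-11 10:19 38,496 --a------ c:\\windows\\system32\\drivers\\mbamswissarmy.sys
2009-02-10 08:15 . 2009-02-10 08:15 10,520 --a------ c:\\windows\\system32\\avgrsstx.dll
2009-02-10 06:31 . 2009-02-10 06:31 d--hs---- c:\\windows\\system32\\LocalService32
2009-02-11 02:24 . 2009-02-11 02:24 25 --a------ c:\\windows\\CDER285EXPORT.ini
2009-02-09 16:13 . 2003-07-24 12:10 17,149 --a------ c:\\windows\\system32\\DNINDIS5.sys
"""

# created . modified [size] attrs path; attrs use attrib.exe letters
# (d directory, r read-only, a archive, h hidden, s system).
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?:([\d,]+) )?([d-][a-z-]{8}) (.+?)\s*$"
)
SYSTEM_DIRS = (r"c:\windows\system32",)  # assumed prefixes worth watching
# Assumed scan window, taken from the log's "Files Created from ... to" header.
SCAN_WINDOW = (datetime(2009, 1, 14), datetime(2009, 2, 14, 23, 59))


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]
    flags: str
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.flags

    @property
    def hidden_system(self) -> bool:
        return "h" in self.flags and "s" in self.flags


@dataclass
class Finding:
    path: str
    reasons: List[str] = field(default_factory=list)


def parse_files_created(text: str) -> List[Entry]:
    """Parse a 'Files Created' block; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, flags, path = m.groups()
        out.append(Entry(
            created=datetime.strptime(created, "%Y-%m-%d %H:%M"),
            modified=datetime.strptime(modified, "%Y-%m-%d %H:%M"),
            size=int(size.replace(",", "")) if size else None,
            flags=flags,
            path=path,
        ))
    return out


def triage(entries: List[Entry], start: datetime = SCAN_WINDOW[0],
           end: datetime = SCAN_WINDOW[1]) -> List[Finding]:
    """Flag entries worth a second look.  Heuristics are the example's own."""
    findings = []
    for e in entries:
        reasons = []
        low = e.path.lower()
        if start <= e.created <= end and low.startswith(SYSTEM_DIRS):
            reasons.append("new file in a Windows system directory")
        if e.hidden_system and low.startswith(SYSTEM_DIRS):
            reasons.append("hidden+system attributes under system32")
        if reasons:
            findings.append(Finding(e.path, reasons))
    return findings


def is_pe_image(data: bytes) -> bool:
    """The check behind 'Not a PE file.': MZ stub plus 'PE\\0\\0' at the
    offset stored in e_lfanew (DOS header offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def look(data: bytes) -> Dict[str, object]:
    """Reproduce the 'Look' section: PE or not, plus MD5 of the bytes."""
    return {"pe": is_pe_image(data), "md5": hashlib.md5(data).hexdigest()}


# Constructed stand-ins: a minimal PE header, and plain INI text.  The INI
# bytes are NOT the real CDER285EXPORT.ini, so the MD5 will not match the log.
MINI_PE = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00"
SAMPLE_INI = b"[Export]\r\nDir=C:\\\r\n"

if __name__ == "__main__":
    for f in triage(parse_files_created(SAMPLE_LOG)):
        print(f.path, "->", "; ".join(f.reasons))
    for name, blob in (("mini.exe", MINI_PE), ("export.ini", SAMPLE_INI)):
        r = look(blob)
        print(name, "PE" if r["pe"] else "Not a PE file.", "MD5:", r["md5"])
```

Run it as-is and it prints the four system32 entries from the sample (LocalService32 with both reasons) and the two "Look" verdicts. The point of the PE check is that "Not a PE file." says nothing about whether a file is benign; it only rules out a directly loadable image, so an unknown .ini in c:\windows still deserves the "do you recognise it" question asked in the thread.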
Posted 2/14/2009 9:39 AM
#72475
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
If you don't know this file -> c:\windows\CDER285EXPORT.ini <- delete it.

How are things running now?

Click here: Before-posting-a-log
Do not PM me with logfiles. They will be deleted.


Posted 2/14/2009 10:05 AM
#72480
User avatar

bubblefizz Valued member

Date Joined Nov 2016
Total Posts: 12
Well, I haven't had any more threat pop-ups :) so I think it's OK.
Should I run another scan with my AVG to see???

No, I don't know what this file is. Should I delete it then?? c:\windows\CDER285EXPORT.ini

BTW thank you so much for your help! xx
Posted 2/14/2009 10:41 AM
#72482
User avatar

bubblefizz Valued member

Date Joined Nov 2016
Total Posts: 12
I've just done the AVG scan and it found NOTHING!!!!!!! whoooo
Only thing was I had a "threat" and it was a cookie; didn't get the full location of it though!
Posted 2/16/2009 1:43 PM
#72506
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Great :smile:

Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and OK it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up System Restore and OK it.

This will remove all restore points except the new one you just created.

Uninstall ComboFix

Go to Start > Run, and type in ComboFix /u
Make sure there is a space between ComboFix and /u
Click Enter

This will:

Uninstall ComboFix and delete its related folders and files.
Reset your clock settings. Hide file extensions.
Hide the system/hidden files. And reset System Restore again.

I also suggest you read Tony Klein's article:

So how did I get infected in the first place.




Posted 2/16/2009 3:10 PM
#72518
User avatar

bubblefizz Valued member

Date Joined Nov 2016
Total Posts: 12
What day do I restore to??
Posted 2/16/2009 6:42 PM
#72528
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
It's your own choice - what about today?



Posted 2/16/2009 7:00 PM
#72530
User avatar

bubblefizz Valued member

Date Joined Nov 2016
Total Posts: 12
OK, I've done all that :)
Will see if I get any more threats... I haven't had any problems since, apart from the odd cookie threat.
Thank you so very much xx
Posted 2/16/2009 7:02 PM
#72531
User avatar

bubblefizz Valued member

Date Joined Nov 2016
Total Posts: 12
Also, the link doesn't work:

I also suggest you read Tony Klein's article:
"So how did I get infected in the first place."
Posted 2/17/2009 5:52 AM
#72550
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974


