Vegas_Bear

  1. Thank you Pierre67. That method worked out perfectly. Greatly appreciated, Bear
  2. The PC seems to be running smoothly, but I followed the steps above to try and update the .NET Frameworks. It still failed. I followed the other steps to remove ComboFix and the other tools. Bear
  3. Using Secunia's Software Inspector, it says I need to apply the security update below. Security Update for Microsoft .NET Framework 1.1 SP1 on Windows XP, Windows Vista, and Windows Server 2008 x86 (KB2742597). I have tried several times to update this and it fails every time. I have restarted the PC and re-downloaded the file and still no go. Any thoughts? Bear
  4. So I guess the Norton is no good. What antivirus program would you suggest? I will check with Secunia's Software Inspector for older versions of programs. The two Java updates were removed. Bear EDIT: A friend recommended these; are they any good? SuperAntiSpyware, AVG 2013
  5. The ESET scan took 17 hrs; when done, nothing was found and no log was produced. I ran the 3rd RK scan because the 2nd one didn't contain the files you said to remove. It is posted below along with the new DDS scan.

     RogueKiller 2nd scan

     RogueKiller V8.4.2 [Jan 6 2013] by Tigzy
     mail : tigzyRK<at>gmail<dot>com
     Feedback : http://www.geekstogo...13-roguekiller/
     Website : http://tigzy.geeksto...roguekiller.php
     Blog : http://tigzyrk.blogspot.com/

     Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
     Started in : Normal mode
     User : Bear [Admin rights]
     Mode : Scan -- Date : 01/08/2013 19:37:14

     ¤¤¤ Bad processes : 0 ¤¤¤

     ¤¤¤ Registry Entries : 7 ¤¤¤
     [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
     [HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
     [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

     ¤¤¤ Particular Files / Folders: ¤¤¤

     ¤¤¤ Driver : [LOADED] ¤¤¤
     SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x87C0E4A0)

     ¤¤¤ HOSTS File: ¤¤¤
     --> C:\WINDOWS\system32\drivers\etc\hosts

     127.0.0.1 localhost

     ¤¤¤ MBR Check: ¤¤¤

     +++++ PhysicalDrive0: +++++
     --- User ---
     [MBR] 9ed3d55b79aa35a51b1526fe86f2e546
     [bSP] 6e10de559c15b72a6e89fbc7457d0b08 : Windows XP MBR Code
     Partition table:
     0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo
     User = LL1 ... OK!
     User = LL2 ... OK!

     Finished : << RKreport[2]_S_01082013_02d1937.txt >>
     RKreport[1]_S_01082013_02d0956.txt ; RKreport[2]_S_01082013_02d1937.txt

     DDS.txt

     DDS (Ver_2012-11-20.01) - NTFS_x86
     Internet Explorer: 8.0.6001.18702
     Run by Bear at 8:57:18 on 2013-01-09
     .
     ============== Running Processes ================
     .
     C:\WINDOWS\system32\nvsvc32.exe
     C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
     C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
     C:\Program Files\Logitech\MouseWare\system\em_exec.exe
     C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
     C:\Program Files\Common Files\Symantec Shared\ccApp.exe
     C:\PROGRA~1\SYMANT~1\VPTray.exe
     C:\Program Files\Logitech\iTouch\iTouch.exe
     C:\WINDOWS\CTHELPER.EXE
     C:\WINDOWS\system32\CTXFIHLP.EXE
     C:\Program Files\iTunes\iTunesHelper.exe
     C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
     C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
     C:\WINDOWS\system32\RUNDLL32.EXE
     C:\Program Files\Bonjour\mDNSResponder.exe
     C:\Program Files\Symantec AntiVirus\DefWatch.exe
     C:\Program Files\Symantec AntiVirus\DoScan.exe
     C:\Program Files\DivX\DivX Update\DivXUpdate.exe
     C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
     C:\Program Files\Java\jre6\bin\jqs.exe
     C:\Program Files\Symantec AntiVirus\Rtvscan.exe
     C:\WINDOWS\system32\wuauclt.exe
     C:\Program Files\iPod\bin\iPodService.exe
     C:\WINDOWS\System32\alg.exe
     C:\WINDOWS\system32\wuauclt.exe
     C:\WINDOWS\system32\svchost.exe -k DcomLaunch
     C:\WINDOWS\system32\svchost.exe -k rpcss
     C:\WINDOWS\System32\svchost.exe -k netsvcs
     C:\WINDOWS\System32\svchost.exe -k NetworkService
     C:\WINDOWS\system32\svchost.exe -k LocalService
     C:\WINDOWS\System32\svchost.exe -k LocalService
     C:\WINDOWS\System32\svchost.exe -k imgsvc
     .
     ============== Pseudo HJT Report ===============
     .
     BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
     BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
     BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
     BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
     BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.7529.1424\swg.dll
     BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
     BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
     TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
     TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
     uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
     mRun: [Logitech Utility] Logi_MwX.Exe
     mRun: [statusClient] c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto
     mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe
     mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
     mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
     mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
     mRun: [CTHelper] CTHELPER.EXE
     mRun: [CTxfiHlp] CTXFIHLP.EXE
     mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
     mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
     mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
     mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
     mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
     mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
     mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
     mRun: [DivXMediaServer] c:\program files\divx\divx media server\DivXMediaServer.exe
     mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
     dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
     StartupFolder: c:\docume~1\bear\startm~1\programs\startup\restar~1.lnk - f:\Viewsonic.exe
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
     uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
     uPolicies-Explorer: NoDriveAutoRun = dword:67108863
     uPolicies-Explorer: NoDrives = dword:0
     mPolicies-Explorer: NoDriveAutoRun = dword:67108863
     mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
     mPolicies-Explorer: NoDrives = dword:0
     mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
     mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
     mPolicies-Explorer: NoDriveAutoRun = dword:67108863
     IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
     IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
     DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
     DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208005737100
     DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1343110122984
     DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
     DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
     DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
     DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
     DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
     TCP: NameServer = 68.105.28.11 68.105.29.11 68.105.28.12
     TCP: Interfaces\{8DA20054-D070-43F6-8030-E1EC8F25A103} : DHCPNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
     Notify: NavLogon - c:\windows\system32\NavLogon.dll
     SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
     .
     ============= SERVICES / DRIVERS ===============
     .
     .
     =============== Created Last 30 ================
     .
     2013-01-08 17:57:11 98816 ----a-w- c:\windows\sed.exe
     2013-01-08 17:57:11 256000 ----a-w- c:\windows\PEV.exe
     2013-01-08 17:57:11 208896 ----a-w- c:\windows\MBR.exe
     .
     ==================== Find3M ====================
     .
     2012-12-20 19:11:07 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
     2012-12-20 19:11:06 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
     2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll
     2012-11-13 20:29:04 354216 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
     2012-11-13 01:25:12 1866368 ----a-w- c:\windows\system32\win32k.sys
     2012-11-02 02:02:42 375296 ----a-w- c:\windows\system32\dpnet.dll
     2012-11-01 12:17:54 916992 ----a-w- c:\windows\system32\wininet.dll
     2012-11-01 12:17:54 43520 ------w- c:\windows\system32\licmgr10.dll
     2012-11-01 12:17:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
     2012-11-01 00:35:34 385024 ------w- c:\windows\system32\html.iec
     .
     ============= FINISH: 8:59:46.21 ===============
  6. I'd like to try and clean the PC if possible; I don't know how to re-install Windows. I didn't notice anything funny on the start menu, I already had those taken off of the menu. I re-ran the RogueKiller and under the files tab, it was empty. Here is the log.

     RogueKiller

     RogueKiller V8.4.2 [Jan 6 2013] by Tigzy
     mail : tigzyRK<at>gmail<dot>com
     Feedback : http://www.geekstogo...13-roguekiller/
     Website : http://tigzy.geeksto...roguekiller.php
     Blog : http://tigzyrk.blogspot.com/

     Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
     Started in : Normal mode
     User : Bear [Admin rights]
     Mode : Scan -- Date : 01/08/2013 19:47:31

     ¤¤¤ Bad processes : 1 ¤¤¤
     [sUSP PATH] CTHELPER.EXE -- C:\WINDOWS\CTHELPER.EXE -> KILLED [TermProc]

     ¤¤¤ Registry Entries : 7 ¤¤¤
     [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
     [HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
     [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

     ¤¤¤ Particular Files / Folders: ¤¤¤

     ¤¤¤ Driver : [LOADED] ¤¤¤
     SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x8764A5E8)

     ¤¤¤ HOSTS File: ¤¤¤
     --> C:\WINDOWS\system32\drivers\etc\hosts

     127.0.0.1 localhost

     ¤¤¤ MBR Check: ¤¤¤

     +++++ PhysicalDrive0: +++++
     --- User ---
     [MBR] 9ed3d55b79aa35a51b1526fe86f2e546
     [bSP] 6e10de559c15b72a6e89fbc7457d0b08 : Windows XP MBR Code
     Partition table:
     0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo
     User = LL1 ... OK!
     User = LL2 ... OK!

     Finished : << RKreport[3]_S_01082013_02d1947.txt >>
     RKreport[1]_S_01082013_02d0956.txt ; RKreport[2]_S_01082013_02d1937.txt ; RKreport[3]_S_01082013_02d1947.txt

     ComboFix

     ComboFix 13-01-08.01 - Bear 01/08/2013 19:52:13.6.2 - x86
     Running from: c:\documents and settings\Bear\Desktop\ComboFix.exe
     * Created a new restore point
     .
     .
     ((((((((((((((((((((((((( Files Created from 2012-12-09 to 2013-01-09 )))))))))))))))))))))))))))))))
     .
     .
     .
     .
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2012-12-20 19:11 . 2012-04-06 18:36 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
     2012-12-20 19:11 . 2011-06-18 20:57 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
     2012-12-16 12:23 . 2003-03-31 12:00 290560 ----a-w- c:\windows\system32\atmfd.dll
     2012-11-13 20:29 . 2012-11-13 20:29 354216 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
     2012-11-13 01:25 . 2003-03-31 12:00 1866368 ----a-w- c:\windows\system32\win32k.sys
     2012-11-02 02:02 . 2008-04-12 12:44 375296 ----a-w- c:\windows\system32\dpnet.dll
     2012-11-01 12:17 . 2003-03-31 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
     2012-11-01 12:17 . 2003-03-31 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
     2012-11-01 12:17 . 2003-03-31 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
     2012-11-01 00:35 . 2004-08-04 05:59 385024 ------w- c:\windows\system32\html.iec
     .
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4
     .
     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-24 68856]
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "Logitech Utility"="Logi_MwX.Exe" [2003-12-11 20992]
     "StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]
     "TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2002-12-03 143360]
     "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
     "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
     "zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2002-05-29 520192]
     "CTHelper"="CTHELPER.EXE" [2005-08-07 16384]
     "CTxfiHlp"="CTXFIHLP.EXE" [2005-08-07 18944]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
     "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2012-07-27 35768]
     "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
     "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-02-23 111208]
     "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-02-23 13880424]
     "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]
     "DivXMediaServer"="c:\program files\DivX\DivX Media Server\DivXMediaServer.exe" [2012-11-13 450560]
     "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2012-11-30 1263512]
     .
     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
     "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
     .
     c:\documents and settings\Bear\Start Menu\Programs\Startup\
     restart_vs.lnk - F:\Viewsonic.exe [N/A]
     .
     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-4-18 113664]
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "AntiVirusOverride"=dword:00000001
     "FirewallOverride"=dword:00000001
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
     "DisableMonitoring"=dword:00000001
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
     .
     R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
     R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [x]
     R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [x]
     .
     .
     --- Other Services/Drivers In Memory ---
     .
     *NewlyCreated* - WS2IFSL
     *Deregistered* - EraserUtilDrv11220
     *Deregistered* - EraserUtilRebootDrv
     *Deregistered* - TrueSight
     .
     Contents of the 'Scheduled Tasks' folder
     .
     2013-01-08 c:\windows\Tasks\Ad-Aware Scan (daily).job
     - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-05-25 07:40]
     .
     2013-01-08 c:\windows\Tasks\Ad-Aware Scan (weekly).job
     - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-05-25 07:40]
     .
     2012-12-29 c:\windows\Tasks\AppleSoftwareUpdate.job
     - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
     .
     2013-01-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 08:39]
     .
     2013-01-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 08:39]
     .
     .
     ------- Supplementary Scan -------
     .
     uInternet Settings,ProxyOverride = *.local
     TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
     .
     .
     **************************************************************************
     .
     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2013-01-08 20:03
     Windows 5.1.2600 Service Pack 3 NTFS
     .
     scanning hidden processes ...
     .
     scanning hidden autostart entries ...
     .
     HKLM\Software\Microsoft\Windows\CurrentVersion\Run
     CTHelper = CTHELPER.EXE?
     CTxfiHlp = CTXFIHLP.EXE?
     .
     scanning hidden files ...
     .
     scan completed successfully
     hidden files: 0
     .
     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------
     .
     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
     @Denied: (A 2) (Everyone)
     @="FlashBroker"
     "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
     "Enabled"=dword:00000001
     .
     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
     @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
     @Denied: (A 2) (Everyone)
     @="IFlashBroker5"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
     @="{00020424-0000-0000-C000-000000000046}"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
     "Version"="1.0"
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------
     .
     - - - - - - - > 'explorer.exe'(3596)
     c:\windows\system32\WININET.dll
     c:\program files\Logitech\MouseWare\System\LgWndHk.dll
     c:\progra~1\WINDOW~2\wmpband.dll
     c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
     c:\windows\system32\ieframe.dll
     c:\windows\system32\webcheck.dll
     c:\windows\system32\WPDShServiceObj.dll
     c:\windows\system32\PortableDeviceTypes.dll
     c:\windows\system32\PortableDeviceApi.dll
     .
     Completion time: 2013-01-08 20:05:31
     ComboFix-quarantined-files.txt 2013-01-09 04:05
     ComboFix2.txt 2013-01-08 18:12
     ComboFix3.txt 2011-06-15 17:08
     .
     Pre-Run: 161,293,881,344 bytes free
     Post-Run: 161,291,800,576 bytes free
     .
     - - End Of File - - 056B17C880C69EDEBE128F09A8332B96

     aswMBR - smart scan was done

     aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
     Run date: 2013-01-08 20:08:34
     -----------------------------
     20:08:34.765 OS Version: Windows 5.1.2600 Service Pack 3
     20:08:34.765 Number of processors: 2 586 0x2302
     20:08:34.765 ComputerName: LARRY-GAME-BOX UserName: Bear
     20:08:36.843 Initialize success
     20:12:24.328 AVAST engine defs: 13010801
     20:12:57.125 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-17
     20:12:57.125 Disk 0 Vendor: WDC_WD5000AACS-00ZUB0 01.01B01 Size: 476940MB BusType: 3
     20:12:57.140 Disk 0 MBR read successfully
     20:12:57.140 Disk 0 MBR scan
     20:12:57.218 Disk 0 Windows XP default MBR code
     20:12:57.218 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476929 MB offset 63
     20:12:57.234 Disk 0 scanning sectors +976752000
     20:12:57.296 Disk 0 scanning C:\WINDOWS\system32\drivers
     20:13:10.343 Service scanning
     20:13:30.203 Modules scanning
     20:13:37.875 Disk 0 trace - called modules:
     20:13:37.890 ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
     20:13:37.890 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a7d6ab8]
     20:13:37.890 3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\00000076[0x8a7ee9e8]
     20:13:37.890 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-17[0x8a7bad98]
     20:13:40.109 AVAST engine scan C:\WINDOWS
     20:13:58.593 AVAST engine scan C:\WINDOWS\system32
     20:17:57.421 AVAST engine scan C:\WINDOWS\system32\drivers
     20:18:33.546 AVAST engine scan C:\Documents and Settings\Bear
     20:21:59.359 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Bear\Desktop\MBR.dat"
     20:21:59.375 The log file has been saved successfully to "C:\Documents and Settings\Bear\Desktop\aswMBR.txt"
  7. Thank you for the quick reply CeciliaB. The two programs were downloaded and run. Here are the two logs you requested.

     ComboFix

     ComboFix 13-01-08.01 - Bear 01/08/2013 9:59.5.2 - x86
     Running from: c:\documents and settings\Bear\Desktop\ComboFix.exe
     * Created a new restore point
     .
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     c:\documents and settings\All Users\Application Data\1498149814
     c:\documents and settings\All Users\Application Data\592624643
     c:\documents and settings\Bear\ntuser.tmp
     c:\documents and settings\Bear\pmyukfhocdquyqud.exe
     c:\windows\system32\dllcache\wmpvis.dll
     c:\windows\system32\URTTemp
     c:\windows\system32\URTTemp\regtlib.exe
     .
     .
     ((((((((((((((((((((((((( Files Created from 2012-12-08 to 2013-01-08 )))))))))))))))))))))))))))))))
     .
     .
     .
     .
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2012-12-20 19:11 . 2012-04-06 18:36 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
     2012-12-20 19:11 . 2011-06-18 20:57 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
     2012-12-16 12:23 . 2003-03-31 12:00 290560 ----a-w- c:\windows\system32\atmfd.dll
     2012-11-13 20:29 . 2012-11-13 20:29 354216 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
     2012-11-13 01:25 . 2003-03-31 12:00 1866368 ----a-w- c:\windows\system32\win32k.sys
     2012-11-02 02:02 . 2008-04-12 12:44 375296 ----a-w- c:\windows\system32\dpnet.dll
     2012-11-01 12:17 . 2003-03-31 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
     2012-11-01 12:17 . 2003-03-31 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
     2012-11-01 12:17 . 2003-03-31 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
     2012-11-01 00:35 . 2004-08-04 05:59 385024 ------w- c:\windows\system32\html.iec
     .
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4
     .
     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-24 68856]
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "Logitech Utility"="Logi_MwX.Exe" [2003-12-11 20992]
     "StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]
     "TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2002-12-03 143360]
     "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
     "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
     "zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2002-05-29 520192]
     "CTHelper"="CTHELPER.EXE" [2005-08-07 16384]
     "CTxfiHlp"="CTXFIHLP.EXE" [2005-08-07 18944]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
     "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2012-07-27 35768]
     "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
     "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-02-23 111208]
     "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-02-23 13880424]
     "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]
     "DivXMediaServer"="c:\program files\DivX\DivX Media Server\DivXMediaServer.exe" [2012-11-13 450560]
     "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2012-11-30 1263512]
     .
     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
     "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
     .
     c:\documents and settings\Bear\Start Menu\Programs\Startup\
     restart_vs.lnk - F:\Viewsonic.exe [N/A]
     .
     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-4-18 113664]
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "AntiVirusOverride"=dword:00000001
     "FirewallOverride"=dword:00000001
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
     "DisableMonitoring"=dword:00000001
     .
     R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
     R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [x]
     R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [x]
     .
     .
     --- Other Services/Drivers In Memory ---
     .
     *NewlyCreated* - TRUESIGHT
     *Deregistered* - EraserUtilDrv11220
     *Deregistered* - EraserUtilRebootDrv
     *Deregistered* - Lavasoft Kernexplorer
     *Deregistered* - TrueSight
     .
     Contents of the 'Scheduled Tasks' folder
     .
     2013-01-08 c:\windows\Tasks\Ad-Aware Scan (daily).job
     - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-05-25 07:40]
     .
     2013-01-08 c:\windows\Tasks\Ad-Aware Scan (weekly).job
     - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-05-25 07:40]
     .
     2012-12-29 c:\windows\Tasks\AppleSoftwareUpdate.job
     - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
     .
     2013-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 08:39]
     .
     2013-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 08:39]
     .
     .
     ------- Supplementary Scan -------
     .
     uInternet Settings,ProxyOverride = *.local
     TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
     .
     .
     **************************************************************************
     .
     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2013-01-08 10:09
     Windows 5.1.2600 Service Pack 3 NTFS
     .
     scanning hidden processes ...
     .
     scanning hidden autostart entries ...
     .
     HKLM\Software\Microsoft\Windows\CurrentVersion\Run
     CTHelper = CTHELPER.EXE?
     CTxfiHlp = CTXFIHLP.EXE?
     .
     scanning hidden files ...
     .
     scan completed successfully
     hidden files: 0
     .
     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------
     .
     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
     @Denied: (A 2) (Everyone)
     @="FlashBroker"
     "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
     "Enabled"=dword:00000001
     .
     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
     @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
     @Denied: (A 2) (Everyone)
     @="IFlashBroker5"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
     @="{00020424-0000-0000-C000-000000000046}"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
     "Version"="1.0"
     .
     Completion time: 2013-01-08 10:12:13
     ComboFix-quarantined-files.txt 2013-01-08 18:11
     ComboFix2.txt 2011-06-15 17:08
     .
     Pre-Run: 161,266,044,928 bytes free
     Post-Run: 161,267,294,208 bytes free
     .
     - - End Of File - - B0110F968443ABE8091EA91BD022EB30

     RogueKiller

     RogueKiller V8.4.2 [Jan 6 2013] by Tigzy
     mail : tigzyRK<at>gmail<dot>com
     Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
     Website : http://tigzy.geekstogo.com/roguekiller.php
     Blog : http://tigzyrk.blogspot.com/

     Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
     Started in : Normal mode
     User : Bear [Admin rights]
     Mode : Scan -- Date : 01/08/2013 09:56:17

     ¤¤¤ Bad processes : 0 ¤¤¤

     ¤¤¤ Registry Entries : 8 ¤¤¤
     [HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
     [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
     [HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
     [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

     ¤¤¤ Particular Files / Folders: ¤¤¤
     [ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-18\$cca498e978e6533ac8deb78144fa710d\n --> FOUND
     [ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-21-1275210071-1682526488-839522115-1003\$cca498e978e6533ac8deb78144fa710d\n --> FOUND
     [ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-18\$cca498e978e6533ac8deb78144fa710d\@ --> FOUND
     [ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-21-1275210071-1682526488-839522115-1003\$cca498e978e6533ac8deb78144fa710d\@ --> FOUND
     [ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-18\$cca498e978e6533ac8deb78144fa710d\U --> FOUND
     [ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-21-1275210071-1682526488-839522115-1003\$cca498e978e6533ac8deb78144fa710d\U --> FOUND
     [ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-18\$cca498e978e6533ac8deb78144fa710d\L --> FOUND
     [ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-21-1275210071-1682526488-839522115-1003\$cca498e978e6533ac8deb78144fa710d\L --> FOUND

     ¤¤¤ Driver : [LOADED] ¤¤¤
     SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x87C0E4A0)

     ¤¤¤ Infection : ZeroAccess ¤¤¤

     ¤¤¤ HOSTS File: ¤¤¤
     --> C:\WINDOWS\system32\drivers\etc\hosts

     127.0.0.1 localhost

     ¤¤¤ MBR Check: ¤¤¤

     +++++ PhysicalDrive0: +++++
     --- User ---
     [MBR] 9ed3d55b79aa35a51b1526fe86f2e546
     [bSP] 6e10de559c15b72a6e89fbc7457d0b08 : Windows XP MBR Code
     Partition table:
     0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo
     User = LL1 ... OK!
     User = LL2 ... OK!

     Finished : << RKreport[1]_S_01082013_02d0956.txt >>
     RKreport[1]_S_01082013_02d0956.txt

     ComboFix did not list a rootkit found in the scan. Awaiting further instructions and thanks again for the help. Bear
  8. Hello, my PC has been infected and I am looking for some help. The dds files are attached. Any help would be greatly appreciated. Bear attach.txt dds.txt
  9. Thank you very much Blade81. I really appreciate all your time and effort to help me. I sent you a PM, please take a look at it. Everything seems to be working great now. I followed the steps to secure my system and have updated my programs. Again, thanks! Vegas_Bear
  10. Blade81, Okay, here are the new dds logs. Vegas_Bear
  11. Hey Blade81, Okay your instructions were followed. When I ran the Registry Search tool for bgk.exe, it came back w/ nothing found. No log was produced. Awaiting further. Vegas_Bear
  12. Blade81, Okay, got the tool and ran the scan. Here is the log from the tool. Vegas_Bear
  13. Hello Blade81, Both of those registry entries were already set to what you posted. I do not have much experience editing registry entries, I don't know how to change the data values JFI. I uploaded 2 pictures to show what I saw when I first navigated to the entries you listed. Awaiting further instructions. Again, thanks for the help. I really appreciate it. Vegas_Bear
  14. Blade81, Okay, the above was done and the new log files are attached. Vegas_Bear
  15. Okay Blade81, The file was run, the PC rebooted, and logs attached. Vegas_Bear