Cannot access Antivirus Sites/Google/Avast etc.

expatpete · 31-10-2009, 07:29 AM

Thank you.

This is the Combo fix report from Thursday. I tried to download today but I received an error message "you cannot rename as "fix(2)"?

ComboFix 09-10-28.06 - Administrator 10/29/2009 16:24.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.874.66.1033.18.1526.1061 [GMT 7:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\My Documents\cc_20090910_202607.reg
c:\windows\system32\Desktop_.ini
c:\windows\system32\msconfig.exe

.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-29 )))))))))))))))))))))))))))))))
.

2009-10-29 09:18 . 2009-10-29 09:21 -------- d-----w- C:\Fix
2009-10-29 08:06 . 2009-10-29 08:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\IObit
2009-10-29 08:06 . 2009-10-29 08:06 -------- d-----w- c:\program files\IObit
2009-10-29 05:59 . 2009-10-29 09:30 698721 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-10-29 05:55 . 2009-10-29 06:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2009-10-29 05:55 . 2009-10-29 05:55 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-10-29 05:55 . 2009-10-29 05:55 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-10-29 05:55 . 2009-10-29 05:55 179792 ----a-w- c:\windows\system32\guard32.dll
2009-10-29 05:55 . 2009-10-29 05:55 132296 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-10-29 05:55 . 2009-10-29 05:55 -------- d-----w- c:\program files\COMODO
2009-10-17 07:47 . 2009-10-29 08:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-17 07:47 . 2009-10-17 07:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-17 06:29 . 2009-10-17 06:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\Uniblue
2009-10-16 23:55 . 2009-10-17 06:14 -------- d-----w- c:\program files\EAV Antivirus Suite
2009-10-16 07:16 . 2009-10-16 16:07 33312 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-10-16 07:16 . 2009-10-16 16:07 2007072 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-16 05:20 . 2009-10-16 09:03 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-10-16 05:20 . 2009-10-16 09:03 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-10-13 06:38 . 2009-10-13 06:38 -------- d-----w- c:\program files\YouTube Downloader
2009-10-10 01:54 . 2009-10-10 01:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-10-19 07:19 . 2009-08-25 06:36 -------- d-----w- c:\program files\BitComet
2009-10-17 08:48 . 2009-08-26 08:38 26176 ----a-w- c:\documents and settings\Administrator\Loca

Regards

expatpete

**Strider** · 31-10-2009, 04:56 PM

@expatpete:

This is not the full log file. I need the complete logfile to find the infection status. Please post the entire log file here.

expatpete · 01-11-2009, 06:59 AM

Stryder,

Sorry. I think this is a complete log from the scan I have just completed.

Code:

ComboFix 09-10-30.01 - Administrator 11/01/2009  8:13.2.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.874.66.1033.18.1526.1113 [GMT 7:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((   Files Created from 2009-10-01 to 2009-11-01  )))))))))))))))))))))))))))))))
.

2009-10-29 09:18 . 2009-10-29 09:21    --------    d-----w-    C:\Fix
2009-10-29 08:06 . 2009-10-29 08:06    --------    d-----w-    c:\documents and settings\Administrator\Application Data\IObit
2009-10-29 08:06 . 2009-10-29 08:06    --------    d-----w-    c:\program files\IObit
2009-10-29 05:59 . 2009-11-01 01:20    778257    ----a-w-    c:\windows\system32\drivers\sfi.dat
2009-10-29 05:55 . 2009-10-29 06:00    --------    d-----w-    c:\documents and settings\All Users\Application Data\Comodo
2009-10-29 05:55 . 2009-10-29 05:55    87104    ----a-w-    c:\windows\system32\drivers\inspect.sys
2009-10-29 05:55 . 2009-10-29 05:55    25160    ----a-w-    c:\windows\system32\drivers\cmdhlp.sys
2009-10-29 05:55 . 2009-10-29 05:55    179792    ----a-w-    c:\windows\system32\guard32.dll
2009-10-29 05:55 . 2009-10-29 05:55    132296    ----a-w-    c:\windows\system32\drivers\cmdguard.sys
2009-10-29 05:55 . 2009-10-29 05:55    --------    d-----w-    c:\program files\COMODO
2009-10-17 07:47 . 2009-10-30 10:17    --------    d-----w-    c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-17 07:47 . 2009-10-30 06:34    --------    d-----w-    c:\program files\Spybot - Search & Destroy
2009-10-17 06:29 . 2009-10-17 06:29    --------    d-----w-    c:\documents and settings\Administrator\Application Data\Uniblue
2009-10-16 23:55 . 2009-10-17 06:14    --------    d-----w-    c:\program files\EAV Antivirus Suite
2009-10-16 07:16 . 2009-10-16 16:07    33312    --sha-w-    c:\windows\system32\drivers\fidbox2.dat
2009-10-16 07:16 . 2009-10-16 16:07    2007072    --sha-w-    c:\windows\system32\drivers\fidbox.dat
2009-10-16 05:20 . 2009-10-16 09:03    --------    d-----w-    c:\program files\Common Files\ParetoLogic
2009-10-16 05:20 . 2009-10-16 09:03    --------    d-----w-    c:\documents and settings\All Users\Application Data\ParetoLogic
2009-10-13 06:38 . 2009-10-13 06:38    --------    d-----w-    c:\program files\YouTube Downloader
2009-10-10 01:54 . 2009-10-10 01:54    --------    d-----w-    c:\documents and settings\Administrator\Application Data\AVG8

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-19 07:19 . 2009-08-25 06:36    --------    d-----w-    c:\program files\BitComet
2009-10-17 08:48 . 2009-08-26 08:38    26176    ----a-w-    c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-16 16:07 . 2009-10-16 07:16    4172    --sha-w-    c:\windows\system32\drivers\fidbox2.idx
2009-10-16 16:07 . 2009-10-16 07:16    27956    --sha-w-    c:\windows\system32\drivers\fidbox.idx
2009-10-16 09:39 . 2009-08-25 06:33    --------    d-----w-    c:\documents and settings\All Users\Application Data\avg8
2009-09-25 04:03 . 2009-09-25 04:02    --------    d-----w-    c:\program files\SPSSEVAL
2009-09-25 04:01 . 2009-08-25 06:35    --------    d-----w-    c:\program files\Common Files\InstallShield
2009-09-17 04:39 . 2009-09-17 04:39    --------    d-----w-    c:\documents and settings\Administrator\Application Data\AVS4YOU
2009-09-17 04:39 . 2009-09-17 04:39    --------    d-----w-    c:\documents and settings\All Users\Application Data\AVS4YOU
2009-09-17 04:39 . 2009-09-17 04:38    --------    d-----w-    c:\program files\AVS4YOU
2009-09-17 04:39 . 2009-09-17 04:38    --------    d-----w-    c:\program files\Common Files\AVSMedia
2009-09-17 01:16 . 2009-09-17 01:16    --------    d-----w-    c:\documents and settings\Administrator\Application Data\Nero
2009-09-02 02:23 . 2009-09-02 02:23    411368    ----a-w-    c:\windows\system32\deploytk.dll
2009-09-02 02:23 . 2009-08-31 04:41    --------    d-----w-    c:\program files\Java
2009-08-25 12:13 . 2009-08-25 12:13    499712    ----a-w-    c:\windows\system32\msvcp71.dll
2009-08-25 12:13 . 2009-08-25 12:13    348160    ----a-w-    c:\windows\system32\msvcr71.dll
2009-08-25 08:37 . 2009-08-25 08:37    0    ----a-w-    c:\windows\nsreg.dat
2009-08-12 17:20 . 2001-08-17 15:37    77891    ----a-w-    c:\windows\system32\usrmlnka.exe
2009-08-12 17:15 . 2009-08-12 17:35    2560    ----a-w-    c:\windows\system32\xpsp4res.dll
2009-08-12 17:14 . 2009-08-12 17:24    84992    ----a-w-    c:\windows\system32\avifil32.dll
2009-08-12 17:14 . 2009-08-12 17:24    58880    ----a-w-    c:\windows\system32\atl.dll
2009-08-12 17:14 . 2009-08-12 17:23    138496    ----a-w-    c:\windows\system32\drivers\afd.sys
2009-08-12 17:14 . 2009-08-12 17:23    617472    ----a-w-    c:\windows\system32\advapi32.dll
2009-08-12 15:23 . 2009-08-12 15:23    2272    ----a-w-    c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-12 11:22 . 2009-08-12 11:53    5886    ----a-w-    c:\windows\system32\oeminfo.cmd
2009-08-12 11:07 . 2009-08-12 11:07    21640    ----a-w-    c:\windows\system32\emptyregdb.dat
2009-08-12 10:15 . 2009-08-12 11:06    453120    ----a-w-    c:\windows\system32\wbem\wmiprvsd.dll
2009-08-12 10:15 . 2009-08-12 11:06    227840    ----a-w-    c:\windows\system32\wbem\wmiprvse.exe
2009-08-12 10:15 . 2009-08-12 11:06    91648    ----a-w-    c:\windows\system32\mtxoci.dll
2009-08-12 10:15 . 2009-08-12 11:06    956928    ----a-w-    c:\windows\system32\msdtctm.dll
2009-08-12 10:15 . 2009-08-12 11:06    161792    ----a-w-    c:\windows\system32\msdtcuiu.dll
2009-08-12 10:15 . 2009-08-12 11:06    428032    ----a-w-    c:\windows\system32\msdtcprx.dll
2009-08-12 10:15 . 2009-08-12 11:06    58880    ----a-w-    c:\windows\system32\msdtclog.dll
2009-08-12 10:15 . 2009-08-12 11:06    2066432    ----a-w-    c:\windows\system32\mstscax.dll
2009-08-12 10:15 . 2009-08-12 11:07    691712    ----a-w-    c:\windows\system32\inetcomm.dll
2009-08-12 10:15 . 2009-08-12 11:06    473600    ----a-w-    c:\windows\system32\wbem\fastprox.dll
2009-08-12 08:20 . 2009-08-12 17:32    1614848    ----a-w-    c:\windows\system32\sfcfiles.dll
2009-08-12 08:19 . 2009-08-12 17:33    990208    ----a-w-    c:\windows\system32\syssetup.dll
.

------- Sigcheck -------

[-] 2009-08-12 . 1D5F85E666EBD1D3CBDDB66FC740E50E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys


[-] 2009-08-12 . A5AC6F07DA7CB3500CDB615A9CF60F75 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

c:\windows\system32\wscntfy.exe ... is missing !!
.
(((((((((((((((((((((((((((((   SnapShot@2009-10-29_09.36.20   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-12 17:31 . 2009-11-01 00:05    66376              c:\windows\system32\perfc009.dat
- 2009-08-12 17:31 . 2009-10-29 07:44    66376              c:\windows\system32\perfc009.dat
+ 2009-08-12 17:31 . 2009-11-01 00:05    430180              c:\windows\system32\perfh009.dat
- 2009-08-12 17:31 . 2009-10-29 07:44    430180              c:\windows\system32\perfh009.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USB Safely Remove"="c:\program files\USB Safely Remove\USBSafelyRemove.exe" [2009-04-08 1252624]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2009-09-02 1682744]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"protect_autorun"="c:\documents and settings\Administrator\Desktop\CPE17AntiAutorun1400.exe" [2009-01-28 139264]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-05-12 850440]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-08-25 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-02 149280]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-13 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-13 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-13 138008]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-10-29 1799952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2008-04-14 99840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-4-1 568176]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\AVS4YOU\\Registration.exe"=
"c:\\Documents and Settings\\Administrator\\My Documents\\Downloads\\avira_antivir_personal_en.exe"=
"c:\\Documents and Settings\\Administrator\\My Documents\\Downloads\\avast_home_setup(2).exe"=
"c:\\Documents and Settings\\Administrator\\My Documents\\Downloads\\avira_antivir_personal_en(8).exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7355:TCP"= 7355:TCP:hwxlows
"26582:TCP"= 26582:TCP:BitComet 26582 TCP
"26582:UDP"= 26582:UDP:BitComet 26582 UDP

R0 iaStor8;Intel AHCI Controller 8;c:\windows\system32\drivers\iastor8.sys [1/12/2551 17:21 328728]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [29/10/2552 12:55 132296]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [29/10/2552 12:55 25160]
R2 USBSafelyRemoveService;USB Safely Remove Assistant;c:\program files\USB Safely Remove\USBSRService.exe [25/8/2552 13:38 213264]
S2 khrkj;Boot Security;c:\windows\system32\svchost.exe -k netsvcs [13/8/2552 0:33 14336]

--- Other Services/Drivers In Memory ---

*Deregistered* - CLASSPNP_2
*Deregistered* - mbr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
khrkj
.
Contents of the 'Scheduled Tasks' folder

2009-10-30 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-10-29 02:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bloomberg.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: ดาวน์ฺโหลดด้วย BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: ดาวน์โหลดทั้งหมดด้วย BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: ดาวน์โหลดวิดีโอทั้งหมดด้วย BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vxt1abr8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bloomberg.com
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vxt1abr8.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-11-01 08:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\khrkj]
"ServiceDll"="c:\windows\system32\gnbpbgl.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1960)
c:\windows\system32\btmmhook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-01  8:25
ComboFix-quarantined-files.txt  2009-11-01 01:25
ComboFix2.txt  2009-10-29 09:40

Pre-Run: 21,788,352,512 bytes free
Post-Run: 22,349,570,048 bytes free

- - End Of File - - 0B689057D5E723BEB8CA8F0C3C988992

Thanks again for your time,

expatpete

aina · 04-11-2009, 07:00 PM

I also have the same problem, this is the hijack this logfile

Code:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:16:13 AM, on 11/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20627)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\VistaDrive.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\PROGRA~1\SPEEDB~2\VideoAcceleratorEngine.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\installers\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SpeedBitVideoAccelerator] C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Y'z Shadow.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O4 - Startup: TransBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Shortcut to RocketDock.lnk = C:\Program Files\RocketDock\RocketDock.exe
O4 - Global Startup: Shortcut to sidebar.lnk = C:\Program Files\Windows Sidebar\sidebar.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~2\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~2\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~2\sblsp.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B55B11B-8B30-41AC-B931-FEEDA3620D81}: NameServer = 202.78.97.41 210.4.2.61
O17 - HKLM\System\CS2\Services\Tcpip\..\{1B55B11B-8B30-41AC-B931-FEEDA3620D81}: NameServer = 202.78.97.41 210.4.2.61
O17 - HKLM\System\CS3\Services\Tcpip\..\{1B55B11B-8B30-41AC-B931-FEEDA3620D81}: NameServer = 202.78.97.41 210.4.2.61
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 9653 bytes

**Strider** · 04-11-2009, 07:35 PM

@aina:

1. Turn off System Restore in all the drives.

2. Download & run ComboFix and post the generated log file here.

**Strider** · 04-11-2009, 07:50 PM

@expatpete:

After disabling system restore in all the drives, reboot in to the safe mode. Then:

1. Delete the following file. Use Killbox if needed.

Code:

c:\windows\system32\gnbpbgl.dll

2. Open Registry editor (Start > Run > regedit). Navigate to the following keys and delete them.

Code:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
khrkj


HKEY_LOCAL_MACHINE\System\ControlSet001\Services\khrkj

Search in the registry for any furhter references of khrkj and delete them carefully. It's recommended to backup the keys before deleting them.

3. Reboot in to normal mode and see if the problems are resolved. Post a fresh Combofix log if you need further help.

expatpete · 05-11-2009, 09:47 AM

I followed the instructions (correctly, I think) however I could not find
c:\windows\system32\gnbpbgl.dllI used 'killbox' and the search function but neither found this file.

Nor could I locate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
khrkj
I did find
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\k hrkj

but when I tried to delete it, I received a message saying " Unable to delete

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\k hrkj "

I am really not sure what I did incorrectly.

expatpete

"

**Strider** · 05-11-2009, 10:49 AM

First of all, are you doing the deletion in safe mode? If you copy paste the path c:\windows\system32\gnbpbgl.dll in to the Run box and press Enter what's happening? Also if search for khrkj in the registry is there any results?

The above entries are reported to be there in your computer from the ComboFix log. Can you run ComboFix again and post a fresh & full log file. Malware are known to change the names to avoid detection.

aina · 05-11-2009, 11:40 AM

hi, this is the logfile on combo fix

Code:

ComboFix 09-11-03.03 - Admin 11/05/2009 22:43.3.1 - FAT32x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.511.235 [GMT -8:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.

(((((((((((((((((((((((((   Files Created from 2009-10-06 to 2009-11-06  )))))))))))))))))))))))))))))))
.

2009-11-05 15:10 . 2009-11-05 15:10    --------    d-----w-    C:\FOUND.001
2009-11-05 14:13 . 2009-11-05 14:13    --------    d-----w-    c:\program files\Spybot - Search & Destroy
2009-11-05 13:56 . 2009-11-05 13:56    --------    d-----w-    c:\windows\system32\wbem\snmp
2009-11-05 13:56 . 2009-11-05 13:56    --------    d-----w-    c:\windows\system32\xircom
2009-11-05 13:56 . 2009-11-05 13:56    --------    d-----w-    c:\program files\microsoft frontpage
2009-11-05 12:53 . 2009-11-05 12:53    --------    d-----w-    c:\documents and settings\Admin\Application Data\AVG8
2009-11-05 12:40 . 2009-11-05 12:41    50688    ----a-w-    c:\windows\system32\wbhelp2.dll
2009-11-04 15:59 . 2009-11-04 15:59    --------    d-----w-    C:\FOUND.000
2009-11-03 18:08 . 2005-05-18 18:55    32768    ----a-w-    c:\windows\VMZoom.exe
2009-11-03 18:08 . 2005-05-18 18:54    24576    ----a-w-    c:\windows\VMPipe.dll
2009-11-03 18:08 . 2005-10-25 20:56    61440    ----a-w-    c:\windows\VM303_STI.EXE
2009-11-03 18:08 . 2005-05-03 23:51    176128    ----a-w-    c:\windows\amcap.exe
2009-11-03 18:08 . 2005-05-03 00:45    53248    ----a-w-    c:\windows\Sti303.exe
2009-11-03 18:08 . 2005-05-01 02:46    81920    ----a-w-    c:\windows\system32\VM303Sti.dll
2009-11-03 18:08 . 2005-05-01 02:46    102400    ----a-w-    c:\windows\VM303Cap.exe
2009-11-03 18:08 . 2009-11-03 18:08    --------    d-----w-    c:\windows\CatRoot
2009-11-03 18:08 . 2005-10-27 22:34    390849    ----a-w-    c:\windows\system32\drivers\usbVM303.sys
2009-11-03 18:08 . 2009-11-03 18:08    --------    d-----w-    c:\windows\EffectResources
2009-11-03 18:08 . 2009-11-03 18:08    --------    d-----w-    c:\program files\Vimicro
2009-11-02 09:05 . 2009-11-02 09:05    --------    d-----w-    C:\FOUND.016
2009-11-02 08:40 . 2009-11-02 08:40    --------    d-----w-    C:\FOUND.015
2009-11-02 07:47 . 2009-11-02 07:47    --------    d-----w-    C:\FOUND.014
2009-10-18 18:16 . 2009-10-18 18:16    --------    d-----w-    c:\documents and settings\Admin\Local Settings\Application Data\Temp
2009-10-18 18:16 . 2009-10-18 18:16    --------    d-----w-    c:\documents and settings\Admin\Local Settings\Application Data\Google
2009-10-17 14:36 . 2005-06-21 23:43    163840    ----a-w-    c:\windows\system32\igfxres.dll
2009-10-17 14:32 . 2008-05-16 19:31    446464    ----a-w-    c:\windows\system32\nvudisp.exe
2009-10-17 14:30 . 2008-05-16 19:48    446464    ----a-w-    c:\windows\system32\NVUNINST.EXE
2009-10-17 14:23 . 2009-10-17 14:23    --------    d-----w-    c:\windows\system32\wbem\Repository
2009-10-17 13:22 . 2009-10-17 13:22    --------    d-----w-    c:\windows\nview
2009-10-17 07:32 . 2009-10-17 07:32    --------    d-----w-    c:\windows\PixArt
2009-10-17 07:32 . 2009-10-17 07:32    --------    d-----w-    c:\program files\Common Files\PAP7501
2009-10-17 07:04 . 2008-05-16 19:31    6557408    ----a-w-    c:\windows\system32\drivers\nv4_mini.sys
2009-10-17 07:04 . 2008-05-16 19:31    6108928    ----a-w-    c:\windows\system32\nv4_disp.dll
2009-10-17 07:04 . 2004-08-04 08:56    4274816    ----a-w-    c:\windows\system32\nv4_disp(6).dll
2009-10-17 07:04 . 2004-08-04 08:56    4274816    ----a-w-    c:\windows\system32\nv4_disp(5).dll
2009-10-17 07:04 . 2004-08-04 08:56    4274816    ----a-w-    c:\windows\system32\nv4_disp(4).dll
2009-10-17 07:04 . 2004-08-04 08:56    4274816    ----a-w-    c:\windows\system32\nv4_disp(3).dll
2009-10-17 07:04 . 2004-08-04 08:56    4274816    ----a-w-    c:\windows\system32\nv4_disp(2).dll
2009-10-07 20:21 . 2009-10-07 20:21    2560    ----a-w-    c:\windows\_MSRSTRT.EXE
2009-10-07 18:59 . 2009-10-07 18:59    --------    d-----w-    c:\windows\system32\NtmsData

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-06 06:24 . 2009-07-23 03:15    90112    ----a-w-    c:\windows\DUMP905f.tmp
2009-11-05 15:14 . 2009-07-23 03:15    90112    ----a-w-    c:\windows\DUMP22e0.tmp
2009-11-05 13:56 . 2009-07-23 03:15    90112    ----a-w-    c:\windows\DUMP950d.tmp
2009-10-31 15:39 . 2009-07-23 03:59    334912    ----a-w-    c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-30 12:49 . 2009-07-23 03:15    90112    ----a-w-    c:\windows\DUMP90bd.tmp
2009-10-17 14:50 . 2009-07-23 03:15    90112    ----a-w-    c:\windows\DUMPb01c.tmp
2007-12-28 13:30 . 2007-12-28 13:30    164072    --sh--r-    c:\windows\system32\qzvfb.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedBitVideoAccelerator"="c:\program files\SpeedBit Video Accelerator\VideoAccelerator.exe" [2009-07-23 1443432]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2007-12-03 1230848]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2009-11-05 3114496]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"VistaDrive"="c:\windows\VistaDrive.exe" [2007-10-12 1596230]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-24 148888]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"BigDog303"="c:\windows\VM303_STI.EXE" [2005-10-25 61440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2007-12-28 124928]

c:\documents and settings\Admin\Start Menu\Programs\Startup\
Y'z Shadow.lnk - c:\windows\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe [2006-5-21 155648]
UberIcon.lnk - c:\windows\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe [2006-5-21 180224]
TransBar.lnk - c:\windows\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe [2005-6-1 65536]
RocketDock.lnk - c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-3-18 630784]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages    REG_MULTI_SZ       msv1_0 nwprovau

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\groove.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\DAP\\DAP.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1065:TCP"= 1065:TCP:smmsyki

R2 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~2\VideoAcceleratorService.exe -start -scm --> c:\progra~1\SPEEDB~2\VideoAcceleratorService.exe -start -scm [?]
S2 ergiai;Server Time;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 12:00 PM 14336]
S3 GUCI_AVS;USB2.0 VGA Video Device;c:\windows\system32\DRIVERS\GUCI_AVS.sys --> c:\windows\system32\DRIVERS\GUCI_AVS.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp
ergiai

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register
.
Contents of the 'Scheduled Tasks' folder

2009-08-29 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2007-12-21 23:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://m.Yahoo!
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: &Highlight - c:\windows\WEB\highlight.htm
IE: &Links List - c:\windows\WEB\urllist.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: Download ALL with IDA
IE: Download with IDA
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: I&mages List - c:\windows\Web\imglist.htm
IE: Open Frame in &New Window - c:\windows\WEB\frm2new.htm
IE: Zoom &In - c:\windows\WEB\zoomin.htm
IE: Zoom O&ut - c:\windows\WEB\zoomout.htm
LSP: c:\progra~1\SPEEDB~2\sblsp.dll
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\su73akvk.default\
FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - f:\installers\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-11-05 22:51
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...  

scanning hidden autostart entries ... 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  BigDog303 = c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)????????????????0?????????@?????????????? 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ergiai]
"ServiceDll"="c:\windows\system32\qzvfb.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(784)
c:\progra~1\SPEEDB~2\sblsp.dll
c:\program files\SpeedBit Video Accelerator\ConfigDB.dll
c:\program files\SpeedBit Video Accelerator\Accelerator.dll
c:\program files\SpeedBit Video Accelerator\CommPipe.dll
c:\program files\SpeedBit Video Accelerator\Collector.dll

- - - - - - - > 'explorer.exe'(1620)
c:\windows\system32\SHDOCVW.dll
c:\windows\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
c:\windows\system32\msi.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
Completion time: 2009-11-06 22:54
ComboFix-quarantined-files.txt  2009-11-06 06:54
ComboFix2.txt  2009-11-05 14:00

Pre-Run: 14,024,441,856 bytes free
Post-Run: 14,019,624,960 bytes free

expatpete · 05-11-2009, 12:13 PM

Strider,

Yes, I was in Safe Mode and the System Restore was turned off.

When I copy paste the path c:\windows\system32\gnbpbgl.dll in to the Run box and press Enter, I received this message 'You are attempting to open a file of "Application Extension" (.dll)'

When I used the 'Find' function in Registry Editor, I found the following 2 entries;

Name Type Data
Service REG_SZ khrkj

Name Type Data
NextInstance REG_DWORD 0x00000001 (1)

This is the latest ComboFix Report:

Code:

ComboFix 09-11-04.02 - Administrator 11/05/2009 13:14.3.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.874.66.1033.18.1526.1026 [GMT 7:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((   Files Created from 2009-10-05 to 2009-11-05  )))))))))))))))))))))))))))))))
.

2009-11-05 03:21 . 2009-11-05 03:21    --------    d-----w-    C:\!KillBox
2009-11-04 06:00 . 2009-11-04 06:00    152576    ----a-w-    c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-03 05:41 . 2009-11-03 05:41    --------    d-----w-    c:\documents and settings\All Users\Application Data\TVU Networks
2009-11-03 05:41 . 2009-11-03 05:41    --------    d-----w-    c:\documents and settings\Administrator\Local Settings\Application Data\TVU Networks
2009-11-03 05:40 . 2009-11-03 05:40    --------    d-----w-    c:\documents and settings\Administrator\LocalLow
2009-11-03 05:40 . 2009-11-03 05:41    --------    d-----w-    c:\program files\TVUPlayer
2009-10-30 06:51 . 2009-10-29 15:56    613888    ----a-w-    c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vxt1abr8.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
2009-10-29 09:18 . 2009-10-29 09:21    --------    d-----w-    C:\Fix
2009-10-29 08:06 . 2009-10-29 08:06    --------    d-----w-    c:\documents and settings\Administrator\Application Data\IObit
2009-10-29 08:06 . 2009-10-29 08:06    --------    d-----w-    c:\program files\IObit
2009-10-29 05:59 . 2009-11-05 06:21    811905    ----a-w-    c:\windows\system32\drivers\sfi.dat
2009-10-29 05:55 . 2009-10-29 06:00    --------    d-----w-    c:\documents and settings\All Users\Application Data\Comodo
2009-10-29 05:55 . 2009-10-29 05:55    87104    ----a-w-    c:\windows\system32\drivers\inspect.sys
2009-10-29 05:55 . 2009-10-29 05:55    25160    ----a-w-    c:\windows\system32\drivers\cmdhlp.sys
2009-10-29 05:55 . 2009-10-29 05:55    179792    ----a-w-    c:\windows\system32\guard32.dll
2009-10-29 05:55 . 2009-10-29 05:55    132296    ----a-w-    c:\windows\system32\drivers\cmdguard.sys
2009-10-29 05:55 . 2009-10-29 05:55    --------    d-----w-    c:\program files\COMODO
2009-10-17 07:47 . 2009-10-30 10:17    --------    d-----w-    c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-17 07:47 . 2009-10-30 06:34    --------    d-----w-    c:\program files\Spybot - Search & Destroy
2009-10-17 06:29 . 2009-10-17 06:29    --------    d-----w-    c:\documents and settings\Administrator\Application Data\Uniblue
2009-10-16 23:55 . 2009-10-17 06:14    --------    d-----w-    c:\program files\EAV Antivirus Suite
2009-10-16 07:50 . 2009-10-16 07:50    2520888    ----a-w-    c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vxt1abr8.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
2009-10-16 07:16 . 2009-10-16 16:07    33312    --sha-w-    c:\windows\system32\drivers\fidbox2.dat
2009-10-16 07:16 . 2009-10-16 16:07    2007072    --sha-w-    c:\windows\system32\drivers\fidbox.dat
2009-10-16 05:20 . 2009-10-16 09:03    --------    d-----w-    c:\program files\Common Files\ParetoLogic
2009-10-16 05:20 . 2009-10-16 09:03    --------    d-----w-    c:\documents and settings\All Users\Application Data\ParetoLogic
2009-10-13 06:38 . 2009-10-13 06:38    --------    d-----w-    c:\program files\YouTube Downloader
2009-10-10 01:54 . 2009-10-10 01:54    --------    d-----w-    c:\documents and settings\Administrator\Application Data\AVG8

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-04 06:02 . 2009-08-31 04:41    --------    d-----w-    c:\program files\Java
2009-10-19 07:19 . 2009-08-25 06:36    --------    d-----w-    c:\program files\BitComet
2009-10-17 08:48 . 2009-08-26 08:38    26176    ----a-w-    c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-16 16:07 . 2009-10-16 07:16    4172    --sha-w-    c:\windows\system32\drivers\fidbox2.idx
2009-10-16 16:07 . 2009-10-16 07:16    27956    --sha-w-    c:\windows\system32\drivers\fidbox.idx
2009-10-16 09:39 . 2009-08-25 06:33    --------    d-----w-    c:\documents and settings\All Users\Application Data\avg8
2009-10-10 21:17 . 2009-09-02 02:23    411368    ----a-w-    c:\windows\system32\deploytk.dll
2009-09-25 04:03 . 2009-09-25 04:02    --------    d-----w-    c:\program files\SPSSEVAL
2009-09-25 04:01 . 2009-08-25 06:35    --------    d-----w-    c:\program files\Common Files\InstallShield
2009-09-17 04:39 . 2009-09-17 04:39    --------    d-----w-    c:\documents and settings\Administrator\Application Data\AVS4YOU
2009-09-17 04:39 . 2009-09-17 04:39    --------    d-----w-    c:\documents and settings\All Users\Application Data\AVS4YOU
2009-09-17 04:39 . 2009-09-17 04:38    --------    d-----w-    c:\program files\AVS4YOU
2009-09-17 04:39 . 2009-09-17 04:38    --------    d-----w-    c:\program files\Common Files\AVSMedia
2009-09-17 01:16 . 2009-09-17 01:16    --------    d-----w-    c:\documents and settings\Administrator\Application Data\Nero
2009-09-02 02:23 . 2009-09-02 02:23    152576    ----a-w-    c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-25 12:13 . 2009-08-25 12:13    499712    ----a-w-    c:\windows\system32\msvcp71.dll
2009-08-25 12:13 . 2009-08-25 12:13    348160    ----a-w-    c:\windows\system32\msvcr71.dll
2009-08-25 08:37 . 2009-08-25 08:37    0    ----a-w-    c:\windows\nsreg.dat
2009-08-25 06:51 . 2009-08-25 06:51    10134    ----a-r-    c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{78764173-3805-4916-B3CE-B433702B8870}\ARPPRODUCTICON.exe
2009-08-12 17:20 . 2001-08-17 15:37    77891    ----a-w-    c:\windows\system32\usrmlnka.exe
2009-08-12 17:15 . 2009-08-12 17:35    2560    ----a-w-    c:\windows\system32\xpsp4res.dll
2009-08-12 17:14 . 2009-08-12 17:24    84992    ----a-w-    c:\windows\system32\avifil32.dll
2009-08-12 17:14 . 2009-08-12 17:24    58880    ----a-w-    c:\windows\system32\atl.dll
2009-08-12 17:14 . 2009-08-12 17:23    138496    ----a-w-    c:\windows\system32\drivers\afd.sys
2009-08-12 17:14 . 2009-08-12 17:23    617472    ----a-w-    c:\windows\system32\advapi32.dll
2009-08-12 15:23 . 2009-08-12 15:23    2272    ----a-w-    c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-12 11:22 . 2009-08-12 11:53    5886    ----a-w-    c:\windows\system32\oeminfo.cmd
2009-08-12 11:07 . 2009-08-12 11:07    21640    ----a-w-    c:\windows\system32\emptyregdb.dat
2009-08-12 10:15 . 2009-08-12 11:06    453120    ----a-w-    c:\windows\system32\wbem\wmiprvsd.dll
2009-08-12 10:15 . 2009-08-12 11:06    227840    ----a-w-    c:\windows\system32\wbem\wmiprvse.exe
2009-08-12 10:15 . 2009-08-12 11:06    91648    ----a-w-    c:\windows\system32\mtxoci.dll
2009-08-12 10:15 . 2009-08-12 11:06    956928    ----a-w-    c:\windows\system32\msdtctm.dll
2009-08-12 10:15 . 2009-08-12 11:06    161792    ----a-w-    c:\windows\system32\msdtcuiu.dll
2009-08-12 10:15 . 2009-08-12 11:06    428032    ----a-w-    c:\windows\system32\msdtcprx.dll
2009-08-12 10:15 . 2009-08-12 11:06    58880    ----a-w-    c:\windows\system32\msdtclog.dll
2009-08-12 10:15 . 2009-08-12 11:06    2066432    ----a-w-    c:\windows\system32\mstscax.dll
2009-08-12 10:15 . 2009-08-12 11:07    691712    ----a-w-    c:\windows\system32\inetcomm.dll
2009-08-12 10:15 . 2009-08-12 11:06    473600    ----a-w-    c:\windows\system32\wbem\fastprox.dll
2009-08-12 08:20 . 2009-08-12 17:32    1614848    ----a-w-    c:\windows\system32\sfcfiles.dll
2009-08-12 08:19 . 2009-08-12 17:33    990208    ----a-w-    c:\windows\system32\syssetup.dll
.

------- Sigcheck -------

[-] 2009-08-12 . 1D5F85E666EBD1D3CBDDB66FC740E50E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys


[-] 2009-08-12 . A5AC6F07DA7CB3500CDB615A9CF60F75 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

c:\windows\system32\wscntfy.exe ... is missing !!
.
(((((((((((((((((((((((((((((   SnapShot@2009-10-29_09.36.20   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-05 05:41 . 2009-11-05 05:41    16384              c:\windows\temp\Perflib_Perfdata_6a0.dat
+ 2009-08-12 17:31 . 2009-11-05 05:45    66376              c:\windows\system32\perfc009.dat
- 2009-08-12 17:31 . 2009-10-29 07:44    66376              c:\windows\system32\perfc009.dat
+ 2009-08-12 17:31 . 2009-11-05 05:45    430180              c:\windows\system32\perfh009.dat
- 2009-08-12 17:31 . 2009-10-29 07:44    430180              c:\windows\system32\perfh009.dat
+ 2009-09-02 02:23 . 2009-10-10 21:17    149280              c:\windows\system32\javaws.exe
- 2009-09-02 02:23 . 2009-09-02 02:23    149280              c:\windows\system32\javaws.exe
+ 2009-09-02 02:23 . 2009-10-10 21:17    145184              c:\windows\system32\javaw.exe
- 2009-09-02 02:23 . 2009-09-02 02:23    145184              c:\windows\system32\javaw.exe
- 2009-09-02 02:23 . 2009-09-02 02:23    145184              c:\windows\system32\java.exe
+ 2009-09-02 02:23 . 2009-10-10 21:17    145184              c:\windows\system32\java.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USB Safely Remove"="c:\program files\USB Safely Remove\USBSafelyRemove.exe" [2009-04-08 1252624]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2009-09-02 1682744]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"protect_autorun"="c:\documents and settings\Administrator\Desktop\CPE17AntiAutorun1400.exe" [2009-01-28 139264]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-05-12 850440]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-08-25 198160]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-13 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-13 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-13 138008]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-10-29 1799952]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-10 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2008-04-14 99840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-4-1 568176]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\AVS4YOU\\Registration.exe"=
"c:\\Documents and Settings\\Administrator\\My Documents\\Downloads\\avira_antivir_personal_en.exe"=
"c:\\Documents and Settings\\Administrator\\My Documents\\Downloads\\avast_home_setup(2).exe"=
"c:\\Documents and Settings\\Administrator\\My Documents\\Downloads\\avira_antivir_personal_en(8).exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7355:TCP"= 7355:TCP:hwxlows
"26582:TCP"= 26582:TCP:BitComet 26582 TCP
"26582:UDP"= 26582:UDP:BitComet 26582 UDP

R0 iaStor8;Intel AHCI Controller 8;c:\windows\system32\drivers\iastor8.sys [1/12/2551 17:21 328728]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [29/10/2552 12:55 132296]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [29/10/2552 12:55 25160]
R2 USBSafelyRemoveService;USB Safely Remove Assistant;c:\program files\USB Safely Remove\USBSRService.exe [25/8/2552 13:38 213264]
S2 khrkj;Boot Security;c:\windows\system32\svchost.exe -k netsvcs [13/8/2552 0:33 14336]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
khrkj
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bloomberg.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: ดาวน์ฺโหลดด้วย BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: ดาวน์โหลดทั้งหมดด้วย BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: ดาวน์โหลดวิดีโอทั้งหมดด้วย BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vxt1abr8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bloomberg.com
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vxt1abr8.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vxt1abr8.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-11-05 13:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\khrkj]
"ServiceDll"="c:\windows\system32\gnbpbgl.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\windows\system32\guard32.dll

- - - - - - - > 'lsass.exe'(952)
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(620)
c:\windows\system32\btmmhook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-05 13:26
ComboFix-quarantined-files.txt  2009-11-05 06:26
ComboFix2.txt  2009-11-01 01:25
ComboFix3.txt  2009-10-29 09:40

Pre-Run: 20,418,314,240 bytes free
Post-Run: 20,963,028,992 bytes free

expapete

31-10-2009, 07:29 AM	#761
expatpete Newbie Join Date: Oct 2009 Location: Bangkok Age: 50 Posts: 5 Thanks: 0 Thanked 0 Times in 0 Posts Rep Power: 0 OS:	Re: Cannot access Antivirus Sites/Google/Avast etc. Thank you. This is the Combo fix report from Thursday. I tried to download today but I received an error message "you cannot rename as "fix(2)"? ComboFix 09-10-28.06 - Administrator 10/29/2009 16:24.1.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.874.66.1033.18.1526.1061 [GMT 7:00] Running from: c:\documents and settings\Administrator\My Documents\Downloads\Fix.exe WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\Administrator\My Documents\cc_20090910_202607.reg c:\windows\system32\Desktop_.ini c:\windows\system32\msconfig.exe . ((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-29 ))))))))))))))))))))))))))))))) . 2009-10-29 09:18 . 2009-10-29 09:21 -------- d-----w- C:\Fix 2009-10-29 08:06 . 2009-10-29 08:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\IObit 2009-10-29 08:06 . 2009-10-29 08:06 -------- d-----w- c:\program files\IObit 2009-10-29 05:59 . 2009-10-29 09:30 698721 ----a-w- c:\windows\system32\drivers\sfi.dat 2009-10-29 05:55 . 2009-10-29 06:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo 2009-10-29 05:55 . 2009-10-29 05:55 87104 ----a-w- c:\windows\system32\drivers\inspect.sys 2009-10-29 05:55 . 2009-10-29 05:55 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys 2009-10-29 05:55 . 2009-10-29 05:55 179792 ----a-w- c:\windows\system32\guard32.dll 2009-10-29 05:55 . 2009-10-29 05:55 132296 ----a-w- c:\windows\system32\drivers\cmdguard.sys 2009-10-29 05:55 . 2009-10-29 05:55 -------- d-----w- c:\program files\COMODO 2009-10-17 07:47 . 2009-10-29 08:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-10-17 07:47 . 2009-10-17 07:47 -------- d-----w- c:\program files\Spybot - Search & Destroy 2009-10-17 06:29 . 2009-10-17 06:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\Uniblue 2009-10-16 23:55 . 2009-10-17 06:14 -------- d-----w- c:\program files\EAV Antivirus Suite 2009-10-16 07:16 . 2009-10-16 16:07 33312 --sha-w- c:\windows\system32\drivers\fidbox2.dat 2009-10-16 07:16 . 2009-10-16 16:07 2007072 --sha-w- c:\windows\system32\drivers\fidbox.dat 2009-10-16 05:20 . 2009-10-16 09:03 -------- d-----w- c:\program files\Common Files\ParetoLogic 2009-10-16 05:20 . 2009-10-16 09:03 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic 2009-10-13 06:38 . 2009-10-13 06:38 -------- d-----w- c:\program files\YouTube Downloader 2009-10-10 01:54 . 2009-10-10 01:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )) . 2009-10-19 07:19 . 2009-08-25 06:36 -------- d-----w- c:\program files\BitComet 2009-10-17 08:48 . 2009-08-26 08:38 26176 ----a-w- c:\documents and settings\Administrator\Loca Regards expatpete

31-10-2009, 04:56 PM	#762
Strider Founder Join Date: Nov 2005 Location: The Last City Zion! Posts: 3,539 Thanks: 287 Thanked 345 Times in 298 Posts Rep Power: 62 OS:	Re: Cannot access Antivirus Sites/Google/Avast etc. @expatpete: This is not the full log file. I need the complete logfile to find the infection status. Please post the entire log file here. __________________ Want to ask a question? Try This! A guide on how to post a question, reply to a post etc.

04-11-2009, 07:35 PM	#765
Strider Founder Join Date: Nov 2005 Location: The Last City Zion! Posts: 3,539 Thanks: 287 Thanked 345 Times in 298 Posts Rep Power: 62 OS:	Re: Cannot access Antivirus Sites/Google/Avast etc. @aina: 1. Turn off System Restore in all the drives. 2. Download & run ComboFix and post the generated log file here. __________________ Want to ask a question? Try This! A guide on how to post a question, reply to a post etc.

04-11-2009, 07:50 PM	#766
Strider Founder Join Date: Nov 2005 Location: The Last City Zion! Posts: 3,539 Thanks: 287 Thanked 345 Times in 298 Posts Rep Power: 62 OS:	Re: Cannot access Antivirus Sites/Google/Avast etc. @expatpete: After disabling system restore in all the drives, reboot in to the safe mode. Then: 1. Delete the following file. Use Killbox if needed. Code: c:\windows\system32\gnbpbgl.dll 2. Open Registry editor (Start > Run > regedit). Navigate to the following keys and delete them. Code: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost khrkj HKEY_LOCAL_MACHINE\System\ControlSet001\Services\khrkj Search in the registry for any furhter references of khrkj and delete them carefully. It's recommended to backup the keys before deleting them. 3. Reboot in to normal mode and see if the problems are resolved. Post a fresh Combofix log if you need further help. __________________ Want to ask a question? Try This! A guide on how to post a question, reply to a post etc.

05-11-2009, 09:47 AM	#767
expatpete Newbie Join Date: Oct 2009 Location: Bangkok Age: 50 Posts: 5 Thanks: 0 Thanked 0 Times in 0 Posts Rep Power: 0 OS:	Re: Cannot access Antivirus Sites/Google/Avast etc. I followed the instructions (correctly, I think) however I could not find c:\windows\system32\gnbpbgl.dllI used 'killbox' and the search function but neither found this file. Nor could I locate HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost khrkj I did find HKEY_LOCAL_MACHINE\System\ControlSet001\Services\k hrkj but when I tried to delete it, I received a message saying " Unable to delete HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\k hrkj " I am really not sure what I did incorrectly. expatpete "

05-11-2009, 10:49 AM	#768
Strider Founder Join Date: Nov 2005 Location: The Last City Zion! Posts: 3,539 Thanks: 287 Thanked 345 Times in 298 Posts Rep Power: 62 OS:	Re: Cannot access Antivirus Sites/Google/Avast etc. First of all, are you doing the deletion in safe mode? If you copy paste the path c:\windows\system32\gnbpbgl.dll in to the Run box and press Enter what's happening? Also if search for khrkj in the registry is there any results? The above entries are reported to be there in your computer from the ComboFix log. Can you run ComboFix again and post a fresh & full log file. Malware are known to change the names to avoid detection. __________________ Want to ask a question? Try This! A guide on how to post a question, reply to a post etc.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

New To Site?	Need Help?
Register to Participate Meet our Staff Refer Forum Rules Contact Us	Frequently Asked Questions Did you forget your password? Mark Forums Read

Cannot access Antivirus Sites/Google/Avast etc.

Computer Security