Can't renew IP address after running ComboFix

May 9, 2009 at 01:58:53
Specs: Windows XP service pack 3
I recently acquired the Google-redirect virus and attempted to get rid of it by following many of the Google-redirect posts found on this forum; however, now whenever I try to connect to the internet it fails to renew the IP address. I connect to the internet using a Netgear USB wireless adapter, so I reinstalled the drivers thinking it might solve the problem, but I still cannot connect to the internet.

When removing the virus, first I ran HijackThis, then Malwarebytes, then ComboFix. While ComboFix was running it asked me to download the Windows Recovery Console; however, at that point I had disabled my internet connection, so I couldn't download the Recovery Console.

Any help would be greatly appreciated

Thank You

If you require the logs from either HijackThis, Malwarebytes or ComboFix, please ask.



#1
May 21, 2009 at 10:47:09
Hi, if you still need help, please post your ComboFix and Malwarebytes logs.

--------------------------------------------
To Private Message me Click Here


#2
May 22, 2009 at 03:45:53
Hi, thanks for the reply, but I managed to solve the problem; however, I'm not quite sure how I did it, as I was trying a multitude of different things, from reinstalling my wireless adapter to replacing my tcpip.sys file and resetting the TCP/IP stack and Winsock settings. I think the problem was my tcpip.sys file, because of something I saw in the ComboFix log, but I'm not 100% sure.

Here are my logs anyway; maybe someone will be able to pinpoint the problem.


#3
May 22, 2009 at 03:47:57
COMBOFIX LOG

ComboFix 09-05-07.A01 - Jamie 05/08/2009 19:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1598 [GMT 1:00]
Running from: c:\documents and settings\Jamie\Desktop\toolb.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
FW: COMODO Firewall *disabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jamie\Start Menu\Programs\Startup\ChkDisk.dll
c:\windows\2.exe
c:\windows\install.exe
c:\windows\system32\drivers\ovfsthnpkkjyrxddsoitywyifopvfoylvigpch.sys
c:\windows\system32\msvcsv60.dll
c:\windows\system32\ovfsthcpeoawyaluipltlqtkctnmoomritmhtb.dat
c:\windows\system32\ovfsthnlfwevxjsnyoiphpxdhytgbjficvdftc.dat
c:\windows\system32\ovfsthscvcwagxmgyobarixdvkcyemyonmdaep.dll
c:\windows\system32\ovfsthtlkhbftxdveuenayfxrmyxfyynoeatac.dll
c:\windows\system32\ovfsthxfxadwqjlkvehnsahgmlguidvpbvvvxu.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthpjyuhtkkdtqlccrmodjuowtyddvbrrue


((((((((((((((((((((((((( Files Created from 2009-04-08 to 2009-05-08 )))))))))))))))))))))))))))))))
.

2009-05-08 18:13 . 2009-05-08 18:13 -------- d-----w c:\documents and settings\Jamie\Application Data\Malwarebytes
2009-05-08 18:13 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-08 18:13 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-08 18:13 . 2009-05-08 18:13 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-08 18:13 . 2009-05-08 18:13 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-06 22:02 . 2009-05-06 22:02 -------- d--h--w c:\windows\system32\GroupPolicy
2009-05-06 11:33 . 2009-05-06 11:33 -------- d-----w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Mozilla
2009-05-05 21:32 . 2009-05-05 21:55 -------- d-----w c:\documents and settings\Jamie\Application Data\Move Networks
2009-04-21 20:28 . 2009-04-21 20:29 -------- d--h--w c:\program files\Zero G Registry
2009-04-21 20:26 . 2009-04-21 20:26 -------- d--h--w c:\documents and settings\Jamie\InstallAnywhere

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-07 20:12 . 2008-03-11 20:07 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-06 21:36 . 2008-10-14 19:26 -------- d-----w c:\program files\Unreal Tournament 2004
2009-04-23 17:48 . 2006-12-16 21:20 -------- d-----w c:\program files\Java
2009-04-05 13:30 . 2009-04-05 13:30 2678 ----a-w c:\windows\java\Packages\Data\VRV5FZHN.DAT
2009-04-05 13:30 . 2009-04-05 13:30 2678 ----a-w c:\windows\java\Packages\Data\5NN3VTVF.DAT
2009-04-05 13:30 . 2009-04-05 13:30 2678 ----a-w c:\windows\java\Packages\Data\IEVXZPV7.DAT
2009-04-05 13:30 . 2009-04-05 13:30 2678 ----a-w c:\windows\java\Packages\Data\69JHF3ZB.DAT
2009-04-05 13:30 . 2009-04-05 13:30 2678 ----a-w c:\windows\java\Packages\Data\PVJBPZ3V.DAT
2009-04-05 13:29 . 2004-11-25 15:11 67 --sha-w c:\windows\Fonts\desktop.ini
2009-04-05 13:26 . 2006-05-15 17:23 23388 -c--a-w c:\windows\system32\emptyregdb.dat
2009-03-28 12:33 . 2009-03-28 12:33 -------- d-----w c:\program files\Lame for Audacity
2009-03-11 10:31 . 2009-03-11 10:31 -------- d-----w c:\program files\WinPcap
2009-03-09 04:19 . 2009-03-17 20:23 410984 ----a-w c:\windows\system32\deploytk.dll
2009-02-26 20:07 . 2009-02-20 14:21 155384 ----a-w c:\windows\system32\guard32.dll
2009-02-26 20:06 . 2009-02-20 14:21 110992 ----a-w c:\windows\system32\drivers\cmdguard.sys
2009-02-20 14:21 . 2009-02-20 14:21 24336 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2009-02-20 13:26 . 2006-05-15 17:25 86327 ----a-w c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-02-14 17:39 . 2007-11-05 23:37 21 -c--a-w c:\program files\Common Files\appop.log
2009-02-09 21:49 . 2009-02-03 22:49 16 ----a-w c:\windows\msocreg32.dat
2008-05-16 18:30 . 2007-08-15 21:41 88 --sh--r c:\windows\system32\10C0F754DE.sys
2008-05-16 18:30 . 2007-08-15 21:41 1004 -csha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="c:\windows\System32\nvraidservice.exe" [2005-08-18 113152]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-09 13680640]
"SW20"="c:\windows\system32\sw20.exe" [2006-09-07 208896]
"SW24"="c:\windows\system32\sw24.exe" [2006-09-07 69632]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-02-26 1851128]
"Netgear WG111T"="c:\program files\NETGEAR\WG111T\wlan111t.exe" [2006-01-25 884840]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-09 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-09 1657376]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-08-17 90112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-11-25 40960]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bandwidth Meter.lnk - c:\windows\Installer\{297849A8-EEC6-4ABA-AAE5-C66A093FEDE3}\_220B71AEDE14BCA11ADB1D.exe [2009-3-2 1150]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ c:\windows\system32\lzwwubtk.exe c:\windows\system32\lzwwubtk.exe:changelist\[u]0[/u]autocheck autochk *\[u]0[/u]lsdelete\[u]0[/u]sprestrt

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Jamie\\Desktop\\utorrent.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Kontiki\\KHost.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Microsoft XNA\\XNA Game Studio\\v3.0\\Tools\\AudConsole.exe"=
"c:\\Program Files\\Microsoft XNA\\XNA Game Studio\\v3.0\\Tools\\Xact.exe"=

R0 Si3132r5;SiI-3132 SoftRaid 5 Controller;c:\windows\system32\drivers\Si3132r5.sys [3/17/2008 12:58 AM 181760]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2/20/2009 3:21 PM 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2/20/2009 3:21 PM 24336]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/1/2008 8:13 AM 34064]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [9/2/2007 7:18 PM 17149]
S3 s3117bus;Sony Ericsson Device 3117 driver (WDM);c:\windows\system32\drivers\s3117bus.sys [2/18/2009 7:47 PM 90408]
S3 s3117mdfl;Sony Ericsson Device 3117 USB WMC Modem Filter;c:\windows\system32\drivers\s3117mdfl.sys [2/18/2009 7:47 PM 15016]
S3 s3117mdm;Sony Ericsson Device 3117 USB WMC Modem Driver;c:\windows\system32\drivers\s3117mdm.sys [2/18/2009 7:47 PM 122024]
S3 s3117mgmt;Sony Ericsson Device 3117 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3117mgmt.sys [2/18/2009 7:47 PM 115368]
S3 s3117nd5;Sony Ericsson Device 3117 USB Ethernet Emulation SEMC3117 (NDIS);c:\windows\system32\drivers\s3117nd5.sys [2/18/2009 7:47 PM 25768]
S3 s3117obex;Sony Ericsson Device 3117 USB WMC OBEX Interface;c:\windows\system32\drivers\s3117obex.sys [2/18/2009 7:47 PM 111784]
S3 s3117unic;Sony Ericsson Device 3117 USB Ethernet Emulation SEMC3117 (WDM);c:\windows\system32\drivers\s3117unic.sys [2/18/2009 7:47 PM 117544]
S3 XD2_DspCtrl;XD2 DSP Control;c:\windows\system32\drivers\XD2_DspCtrl.sys [4/17/2007 8:03 PM 84256]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1355938d-ef0f-11dd-9d00-00146ce8252c}]
\Shell\AutoRun\command - setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38b465fe-7835-11dc-9a5b-001731e22b92}]
\Shell\AutoRun\command - G:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5ac9b0d-064c-11dd-9b92-00146ce8252c}]
\Shell\AutoRun\command - F:\setupSNK.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{C2BA40A1-74F3-42BD-F434-12345A2C8953} - (no file)
HKU-Default-Run-uidenhiufgsduiazghs - c:\windows\TEMP\f19p0xpfxm.exe
HKU-Default-Run-autochk - c:\docume~1\NETWOR~1\protect.dll
HKU-Default-RunOnce-nltide2 - rundll32 advpack.dll
ShellExecuteHooks-{F6B1F430-52B5-4478-9FC6-A94F79D423C3} - (no file)
Notify-rqromno - rqromno.dll
Notify-__c007AEBE - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
TCP: {AD0A50E1-AAED-4FBE-A8D4-956CF072F135} = 87.86.189.16,195.40.1.36
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jamie\Application Data\Mozilla\Firefox\Profiles\cdgvgxwq.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\Jamie\Application Data\Mozilla\Firefox\Profiles\cdgvgxwq.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - plugin: c:\documents and settings\Jamie\Application Data\Mozilla\Firefox\Profiles\cdgvgxwq.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-08 19:54
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-823518204-1757981266-839522115-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:79,98,61,82,ad,56,78,4f,52,34,21,a9,29,15,6e,09,e6,62,81,a9,c9,2a,29,
07,96,8b,f8,76,19,40,33,43,d5,1f,f1,62,91,f0,be,ec,97,2f,1e,17,80,56,1a,4d,\
"??"=hex:fd,85,80,05,84,8f,ca,36,07,08,96,70,c6,c5,b5,49
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1004)
c:\windows\system32\guard32.dll
c:\windows\system32\iphlpapi.dll

- - - - - - - > 'lsass.exe'(1068)
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(1792)
c:\windows\system32\guard32.dll
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\PSIService.exe
c:\windows\system32\spm\spmd.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\bandwidthmeter\BandwidthMeter.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-05-08 19:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-08 18:59

Pre-Run: 92,417,536,000 bytes free
Post-Run: 92,290,375,680 bytes free

225 --- E O F --- 2009-02-20 13:29

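The question in #9 about drives G: and F: comes straight from the MountPoints2 entries in this log, and the session-manager BootExecute value deserves the same scrutiny, since anything listed there runs before the desktop (and before most security tools) at boot. As an added example, not from the thread and not part of ComboFix, here is a small Python triage script that pulls those two pieces out of a ComboFix log: it splits the BootExecute multi-string into entries and flags anything other than the stock `autocheck autochk *`, and it lists every MountPoints2 AutoRun handler together with the drive letter it points at. The embedded sample is a constructed subset of the log above; the parser treats the forum's `\[u]0[/u]` as the rendering of ComboFix's `\0` separator, which is an assumption noted in the code. It classifies nothing; the flagged entries are for a human to review.

```python
import re

# Constructed sample: a subset of the "Reg Loading Points" section from the
# ComboFix log posted above (session manager key plus the three MountPoints2
# entries). It is not a complete ComboFix log.
SAMPLE = r"""[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ c:\windows\system32\lzwwubtk.exe c:\windows\system32\lzwwubtk.exe:changelist\[u]0[/u]autocheck autochk *\[u]0[/u]lsdelete\[u]0[/u]sprestrt

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1355938d-ef0f-11dd-9d00-00146ce8252c}]
\Shell\AutoRun\command - setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38b465fe-7835-11dc-9a5b-001731e22b92}]
\Shell\AutoRun\command - G:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5ac9b0d-064c-11dd-9b92-00146ce8252c}]
\Shell\AutoRun\command - F:\setupSNK.exe
"""

# ComboFix prints REG_MULTI_SZ entries separated by "\0". Assumption: the
# forum's BBCode rendering turned that into "\[u]0[/u]", so both forms are
# accepted as separators here.
MULTI_SZ_SEP = re.compile(r"\\(?:0|\[u\]0\[/u\])")
BOOTEXECUTE_PREFIX = "BootExecute REG_MULTI_SZ "
DEFAULT_BOOTEXECUTE = "autocheck autochk *"  # stock value on Windows XP

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
MOUNTPOINT_RE = re.compile(r"\\mountpoints2\\(?P<guid>\{[0-9a-f-]+\})$", re.I)
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$", re.I)
DRIVE_RE = re.compile(r"^(?P<drive>[A-Za-z]):\\")


def boot_execute_entries(text):
    """Return the BootExecute value split into its individual entries."""
    for line in text.splitlines():
        if line.startswith(BOOTEXECUTE_PREFIX):
            value = line[len(BOOTEXECUTE_PREFIX):]
            return [e for e in MULTI_SZ_SEP.split(value) if e]
    return []


def nondefault_boot_execute(text):
    """Entries other than the stock autocheck line; each one needs a look."""
    return [e for e in boot_execute_entries(text)
            if e.strip().lower() != DEFAULT_BOOTEXECUTE]


def autorun_handlers(text):
    """List MountPoints2 AutoRun commands with the drive they reference."""
    handlers, guid = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            mp = MOUNTPOINT_RE.search(m["key"])
            guid = mp["guid"] if mp else None  # only track MountPoints2 keys
            continue
        m = AUTORUN_RE.match(line)
        if m and guid:
            cmd = m["cmd"].strip()
            d = DRIVE_RE.match(cmd)
            handlers.append({"guid": guid, "command": cmd,
                             "drive": d["drive"].upper() + ":" if d else None})
    return handlers


def removable_drives(text):
    """Sorted drive letters that any AutoRun handler points at."""
    return sorted({h["drive"] for h in autorun_handlers(text) if h["drive"]})


if __name__ == "__main__":
    print("BootExecute entries to review:")
    for entry in nondefault_boot_execute(SAMPLE):
        print("  ", entry)
    print("AutoRun handlers:")
    for h in autorun_handlers(SAMPLE):
        print("  ", h["drive"] or "(no drive)", "->", h["command"])
    print("Drives referenced:", ", ".join(removable_drives(SAMPLE)))
```

Run it on a full ComboFix log by reading the file into `SAMPLE`'s place; the MountPoints2 keys are per-device GUIDs, so a handler with no drive letter still tells you a removable device once offered an autorun.inf on this machine.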


#4
May 22, 2009 at 03:49:32
Malwarebytes' Anti-Malware 1.36
Database version: 2095
Windows 5.1.2600 Service Pack 3

5/8/2009 7:24:10 PM
mbam-log-2009-05-08 (19-24-10).txt

Scan type: Quick Scan
Objects scanned: 84770
Time elapsed: 4 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 7
Registry Values Infected: 4
Registry Data Items Infected: 9
Folders Infected: 1
Files Infected: 22

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\Temp\msb.dll (Worm.Autorun) -> Delete on reboot.
C:\WINDOWS\system32\afnoinkdsfe.dll (Trojan.Ertfor) -> Delete on reboot.
C:\WINDOWS\system32\__c007AEBE.dat (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c2ba40a1-74f3-42bd-f434-12345a2c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\videoegg.activexloader.1 (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c2ba40a1-74f3-42bd-f434-12345a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c2ba40a1-74f3-42bd-f434-12345a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c007aebe (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c2ba40a1-74f3-42bd-f434-12345a2c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00fe824b.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nltide1 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\afnoinkdsfe.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\Temp\msb.dll (Worm.Autorun) -> Delete on reboot.
C:\WINDOWS\system32\autochk.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\SystemProfile\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-823518204-1757981266-839522115-500\Dc104.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jamie\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\VideoEgg\user.dat (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\_A00FE824B.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\syssetub.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c007AEBE.dat (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\p2hhr.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jamie\results.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jamie\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\libmcl-3.1.1.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jamie\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ak1.exe (Virus.Virut) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winglsetup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\loader49.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lmn_setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

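Several entries in this log are marked "Delete on reboot." rather than "Quarantined and deleted successfully.", which is exactly the detail a helper wants to confirm before calling a machine clean. As an added example (not from Malwarebytes and not from this thread), here is a Python script that parses a Malwarebytes log into its sections, lists the items still pending a reboot, tallies detections per family, and cross-checks the summary counts in the header against the items actually listed. The embedded sample is a constructed subset of the log above, with the summary counts adjusted to match that subset.

```python
import re

# Constructed sample: a subset of the Malwarebytes log posted above, with the
# header counts adjusted to match the lines kept here.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.36
Database version: 2095
Windows 5.1.2600 Service Pack 3

Memory Modules Infected: 3
Registry Data Items Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\Temp\msb.dll (Worm.Autorun) -> Delete on reboot.
C:\WINDOWS\system32\afnoinkdsfe.dll (Trojan.Ertfor) -> Delete on reboot.
C:\WINDOWS\system32\__c007AEBE.dat (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\autochk.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\msb.dll (Worm.Autorun) -> Delete on reboot.
C:\WINDOWS\system32\ak1.exe (Virus.Virut) -> Quarantined and deleted successfully.
"""

# "<item> (<family>) -> <action>", where the action may itself contain
# "Bad: (...) Good: (...) -> <status>" for registry data items.
ITEM_RE = re.compile(r"^(?P<item>.*?) \((?P<family>[^()]+)\) -> (?P<rest>.*)$")
COUNT_RE = re.compile(r"^(?P<section>.+ Infected): (?P<n>\d+)$")   # header line
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")            # section start
PENDING = "Delete on reboot."


def parse_mbam_log(text):
    """Return (counts, sections): header counts and, per section,
    a list of (item, family, status) tuples."""
    counts, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[m["section"]] = int(m["n"])
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m["section"]
            sections.setdefault(current, [])
            continue
        m = ITEM_RE.match(line)
        if m and current:
            status = m["rest"].split(" -> ")[-1]  # final action is the status
            sections[current].append((m["item"], m["family"], status))
    return counts, sections


def triage(text):
    """Summarise what still needs attention after the scan."""
    counts, sections = parse_mbam_log(text)
    pending = sorted({item for rows in sections.values()
                      for item, _, status in rows if status == PENDING})
    # Header count vs. items actually listed; a mismatch means the log is
    # truncated or was edited, so do not trust the summary alone.
    mismatches = {sec: (counts[sec], len(rows)) for sec, rows in sections.items()
                  if sec in counts and counts[sec] != len(rows)}
    families = {}
    for rows in sections.values():
        for _, fam, _ in rows:
            families[fam] = families.get(fam, 0) + 1
    return {"pending_reboot": pending, "count_mismatches": mismatches,
            "families": families}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Still pending a reboot:")
    for path in result["pending_reboot"]:
        print("  ", path)
    print("Detections per family:", result["families"])
    print("Header/list mismatches:", result["count_mismatches"] or "none")
```

The pending list is the thing to re-scan for after the reboot: a path that is still present then was never actually removed, and a family count dominated by one name (Worm.Autorun here) is a hint that removable media should be scanned as well.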

#5
May 22, 2009 at 04:26:47
Seems like you still have unwanted stuff in your system (registry and files) that ComboFix didn't clean. Would you like to delete it?

--------------------------------------------
To Private Message me Click Here


#6
May 22, 2009 at 06:37:16
Yes please, any help would be greatly appreciated, because I'm still being redirected when I click on links from Google.

#7
May 22, 2009 at 08:10:32
Can you please post your AVZ log:

1) To create the logfile, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

2) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

3) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right-clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteStdScr(3);
RebootWindows(true);
end.

Paste the script into the execution window using the CTRL+V keyboard shortcut, or the "paste" option via the right-click menu. Click on Run to run the script; the PC will reboot. After the reboot, the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.

Image Tutorial

--------------------------------------------
To Private Message me Click Here


#9
May 22, 2009 at 10:20:40
Run this script in AVZ; your PC will reboot.

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
RegKeyDel('HKCU','Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2');
QuarantineFile('c:\windows\system32\10C0F754DE.sys','');
DeleteFile('c:\windows\system32\10C0F754DE.sys');
QuarantineFile('c:\windows\Fonts\desktop.ini','');
DeleteFile('c:\windows\Fonts\desktop.ini');
BC_ImportDeletedList;
ExecuteSysClean;
ExecuteRepair(14);
ExecuteRepair(15);
BC_Activate;
RebootWindows(true);
end.

Do you have external drives attached, G: and F:?

--------------------------------------------
To Private Message me Click Here


#10
May 22, 2009 at 11:01:56
The only other drive I use is my USB pen drive (F:).

#11
May 22, 2009 at 11:09:59
Can you renew your IP now?

--------------------------------------------
To Private Message me Click Here


#12
May 22, 2009 at 11:16:56
Yeah, I've been able to renew my IP for a while now. I mentioned in an earlier post that I had solved that problem, even though I didn't know quite how I did it, as I tried a whole host of different things.

The issue is that I'm still being redirected whenever I click on links from Google.


#13
May 22, 2009 at 11:23:25
Ah, I see. It seems your USB pen drive is also infected. Please scan it. Follow these steps next:

Download and run the Kaspersky AVP tool:

http://devbuilds.kaspersky-labs.com...

Once you download and start the tool, select all the objects/places (including your pen drive) to be scanned and hit Scan. Fix what it detects, and at the end of the scan post a screenshot/log of the detected items, both those it fixed and those it could not fix.

--------------------------------------------
To Private Message me Click Here


#14
May 22, 2009 at 11:36:29
Doing the scan now; it may take a while though. I'll post the results when it's finished.
