MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
Topic: Here they go again... (Read 8961 times)

cether01
« on: October 21, 2008, 08:13:53 PM »

Well, I've been clean for some time now, 6 months+ I believe. Well, recently, a group of overnight guests decided to go surfing. I got a lot of the extra unwanted goodies removed via Add/Remove Programs and some virus scans, but something apparently is left over and I can't seem to put my finger on it. Here are 2 logs. The first one was before the O1 - Hosts files were deleted, the second one is after the hosts files were deleted and the PC was rebooted.

Symptoms: Google searches redirect me to advertising websites. For example, if I google "1957 chevrolet" and click on the first result that is supposed to go to "www.1957chevy.com", instead it redirects me to some marketing website with THEIR wonderful search results (sarcasm).

Another annoying symptom is that AVG will no longer update. It tells me there is no connection to their server, but 2 other PCs connect to it fine at the same time.

Log Below:
___________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 2:14:54 PM, on 10/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ask.com/iesearch/index.asp?partner=7019
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forecast.weather.gov/MapClick.php?zoneid=TNZ057
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ask.com/index.asp?partner=7019
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Bellsouth.Net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 209.8.161.233 voyeurweb.com
O1 - Hosts: 209.8.161.233 sleazydream.com
O1 - Hosts: 209.8.161.233 mmm100.com
O1 - Hosts: 209.8.161.233 video-post.com
O1 - Hosts: 209.8.161.233 mature-post.com
O1 - Hosts: 209.8.161.233 call-kelly.com
O1 - Hosts: 209.8.161.233 cowlist.com
O1 - Hosts: 209.8.161.233 p*rnno.com
O1 - Hosts: 209.8.161.233 *****.org
O1 - Hosts: 209.8.161.233 pinkworld.com
O1 - Hosts: 209.8.161.233 vidsvidsvids.com
O1 - Hosts: 209.8.161.233 catlist.com
O1 - Hosts: 209.8.161.233 teenax.com
O1 - Hosts: 209.8.161.233 projectvoyeur.com
O1 - Hosts: 209.8.161.233 buldog.com
O1 - Hosts: 209.8.161.233 bunnyteens.com
O1 - Hosts: 209.8.161.233 sugarnow.com
O1 - Hosts: 209.8.161.233 freeones.com
O1 - Hosts: 209.8.161.233 jennysbookmarks.com
O1 - Hosts: 209.8.161.233 ****ingfreemovies.com
O1 - Hosts: 209.8.161.233 jizzhut.com
O1 - Hosts: 209.8.161.233 auntpolly.com
O1 - Hosts: 209.8.161.233 zadina.com
O1 - Hosts: 209.8.161.233 boneprone.com
O1 - Hosts: 209.8.161.233 alexmovies.com
O1 - Hosts: 209.8.161.233 grannypictures.com
O1 - Hosts: 209.8.161.233 raw*****.com
O1 - Hosts: 209.8.161.233 stickyhole.com
O1 - Hosts: 209.8.161.233 amsterdams*xxx.com
O1 - Hosts: 209.8.161.233 babes4free.com
O1 - Hosts: 209.8.161.233 ultradonkey.com
O1 - Hosts: 209.8.161.233 persiankitty.com
O1 - Hosts: 209.8.161.233 ah-me.com
O1 - Hosts: 209.8.161.233 bangthumbs.com
O1 - Hosts: 209.8.161.233 freeheaven.com
O1 - Hosts: 209.8.161.233 freebigmovies.com
O1 - Hosts: 209.8.161.233 voyeurzine.com
O1 - Hosts: 209.8.161.233 hanksgalleries.com
O1 - Hosts: 209.8.161.233 smashingthumbs.com
O1 - Hosts: 209.8.161.233 smokinmovies.com
O1 - Hosts: 209.8.161.233 hammervideo.com
O1 - Hosts: 209.8.161.233 gallview.com
O1 - Hosts: 209.8.161.233 ramis-movies.com
O1 - Hosts: 209.8.161.233 www.worlds*x.com
O1 - Hosts: 209.8.161.233 www.voyeurweb.com
O1 - Hosts: 209.8.161.233 www.sleazydream.com
O1 - Hosts: 209.8.161.233 www.mmm100.com
O1 - Hosts: 209.8.161.233 www.thumbzilla.com
O1 - Hosts: 209.8.161.233 www.video-post.com
O1 - Hosts: 209.8.161.233 www.absolut-series.com
O1 - Hosts: 209.8.161.233 www.mature-post.com
O1 - Hosts: 209.8.161.233 www.call-kelly.com
O1 - Hosts: 209.8.161.233 www.cowlist.com
O1 - Hosts: 209.8.161.233 www.p*rnno.com
O1 - Hosts: 209.8.161.233 www.*****.org
O1 - Hosts: 209.8.161.233 www.pinkworld.com
O1 - Hosts: 209.8.161.233 www.vidsvidsvids.com
O1 - Hosts: 209.8.161.233 www.catlist.com
O1 - Hosts: 209.8.161.233 www.teenax.com
O1 - Hosts: 209.8.161.233 www.projectvoyeur.com
O1 - Hosts: 209.8.161.233 www.buldog.com
O1 - Hosts: 209.8.161.233 www.bunnyteens.com
O1 - Hosts: 209.8.161.233 www.sugarnow.com
O1 - Hosts: 209.8.161.233 www.freeones.com
O1 - Hosts: 209.8.161.233 www.jennysbookmarks.com
O1 - Hosts: 209.8.161.233 www.****ingfreemovies.com
O1 - Hosts: 209.8.161.233 www.jizzhut.com
O1 - Hosts: 209.8.161.233 www.auntpolly.com
O1 - Hosts: 209.8.161.233 www.zadina.com
O1 - Hosts: 209.8.161.233 www.boneprone.com
O1 - Hosts: 209.8.161.233 www.alexmovies.com
O1 - Hosts: 209.8.161.233 www.grannypictures.com
O1 - Hosts: 209.8.161.233 www.raw*****.com
O1 - Hosts: 209.8.161.233 www.stickyhole.com
O1 - Hosts: 209.8.161.233 www.amsterdams*xxx.com
O1 - Hosts: 209.8.161.233 www.babes4free.com
O1 - Hosts: 209.8.161.233 www.ultradonkey.com
O1 - Hosts: 209.8.161.233 www.persiankitty.com
O1 - Hosts: 209.8.161.233 www.ah-me.com
O1 - Hosts: 209.8.161.233 www.bangthumbs.com
O1 - Hosts: 209.8.161.233 www.freeheaven.com
O1 - Hosts: 209.8.161.233 www.freebigmovies.com
O1 - Hosts: 209.8.161.233 www.voyeurzine.com
O1 - Hosts: 209.8.161.233 www.hanksgalleries.com
O1 - Hosts: 209.8.161.233 www.smashingthumbs.com
O1 - Hosts: 209.8.161.233 www.smokinmovies.com
O1 - Hosts: 209.8.161.233 www.hammervideo.com
O1 - Hosts: 209.8.161.233 www.gallview.com
O1 - Hosts: 209.8.161.233 www.ramis-movies.com
O1 - Hosts: 209.8.161.233 lovetgp.com
O1 - Hosts: 209.8.161.233 photos-de-cul.com
O1 - Hosts: 209.8.161.233 vidsvidsvids.com
O1 - Hosts: 209.8.161.233 gimmep*rn.net
O1 - Hosts: 209.8.161.233 teenvideos.tv
O1 - Hosts: 209.8.161.233 bizarre-rituals.com
O1 - Hosts: 209.8.161.233 4whw.com
O1 - Hosts: 209.8.161.233 3tgp.com
O1 - Hosts: 209.8.161.233 teenax.com
O1 - Hosts: 209.8.161.233 start******.nl
O1 - Hosts: 209.8.161.233 free2peek.com
O1 - Hosts: 209.8.161.233 www.lovetgp.com
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.18\AMVConverter\grab.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Shop - {3CD1161F-2AE3-44D5-8155-66039B4CD896} - http://www.eznshopper.com/ (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.ask.com/index.asp?partner=7019
O15 - Trusted Zone: www.avg.com
O15 - Trusted Zone: *.avg.com
O15 - Trusted Zone: www.grisoft.com
O15 - Trusted Zone: *.grisoft.com
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://kohler1.view22.com/apps/view22RTE.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/7/532/6712/2.0.0.33/player.virtools.com/downloads/player/Install2.0/Installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: gzipmod - gzipmod.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: dMarc Direct Agent - Unknown owner - c:\dmarc\agent\chaind.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

END OF FIRST LOG
________________________________________________
Logged

cether01
« Reply #1 on: October 21, 2008, 08:14:46 PM »

BEGIN OF SECOND LOG
_________________________________

Logfile of HijackThis v1.99.1
Scan saved at 2:58:08 PM, on 10/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
c:\dmarc\agent\chaind.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\PcHelpWare_server.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\7zS2.tmp\PcHelpWare.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ask.com/iesearch/index.asp?partner=7019
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forecast.weather.gov/MapClick.php?zoneid=TNZ057
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ask.com/index.asp?partner=7019
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Bellsouth.Net
O1 - Hosts: 172.16.176.70 wnkxcr #PRE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.18\AMVConverter\grab.html
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.ask.com/index.asp?partner=7019
O15 - Trusted Zone: www.avg.com
O15 - Trusted Zone: *.avg.com
O15 - Trusted Zone: www.grisoft.com
O15 - Trusted Zone: *.grisoft.com
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: dMarc Direct Agent - Unknown owner - c:\dmarc\agent\chaind.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

END OF LOGFILE
_______________________________________________________
Logged
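An added triage example for the two logs above (it is not part of the thread and not code from HijackThis, HostsXpert or any other tool mentioned here; the function and constant names are my own). It reads HijackThis-style O1, O20 and O23 lines and pulls out the patterns that stand out in those logs: hosts entries that send many hostnames to a single non-loopback address (a redirect rather than a block), a hosts entry tagged `#PRE` for a nonsense name, Winlogon Notify entries whose DLL is reported missing, and services with no vendor. The embedded sample log is a constructed excerpt modelled on the posted logs.

```python
"""Triage a HijackThis log for hosts-file redirects and orphaned autostart entries.

Added example for this thread; not code from HijackThis, HostsXpert or any
other tool mentioned here. Function and constant names are my own.
"""
import re
from collections import defaultdict

# Constructed excerpt modelled on the logs posted in this thread (not a full log).
SAMPLE_LOG = r"""
O1 - Hosts: 209.8.161.233 voyeurweb.com
O1 - Hosts: 209.8.161.233 www.voyeurweb.com
O1 - Hosts: 209.8.161.233 freeones.com
O1 - Hosts: 172.16.176.70 wnkxcr #PRE
O1 - Hosts: 127.0.0.1 ads.example.invalid
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: gzipmod - gzipmod.dll (file missing)
O23 - Service: dMarc Direct Agent - Unknown owner - c:\dmarc\agent\chaind.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Addresses that block a name rather than redirect it (normal in ad-blocking hosts files).
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)(.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify:\s+(\S+)\s+-\s+(.*)$")
SERVICE_RE = re.compile(r"^O23 - Service:\s+(.*?)\s+-\s+(.*?)\s+-\s+(.*)$")


def triage(log_text):
    """Return the entries in a HijackThis log that deserve a second look."""
    redirects = defaultdict(list)   # ip -> hostnames sent to that ip
    pre_entries = []                # (ip, name) hosts entries tagged #PRE
    orphan_notify = []              # Winlogon Notify keys whose DLL is gone
    unknown_services = []           # (service, image path) with no vendor

    for raw in log_text.splitlines():
        line = raw.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, name, rest = m.groups()
            if ip not in SINKHOLE_IPS:
                redirects[ip].append(name)
            # #PRE is an LMHOSTS preload tag; it is out of place in a hosts file.
            if "#PRE" in rest:
                pre_entries.append((ip, name))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            if "(file missing)" in m.group(2):
                orphan_notify.append(m.group(1))
            continue
        m = SERVICE_RE.match(line)
        if m and m.group(2).strip().lower() == "unknown owner":
            unknown_services.append((m.group(1), m.group(3)))

    return {
        "redirect_hosts": dict(redirects),
        "pre_hosts": pre_entries,
        "orphan_notify": orphan_notify,
        "unknown_services": unknown_services,
    }


def mass_redirect_ips(findings, min_names=2):
    """IPs that collect at least min_names hostnames: the hijack pattern in the logs above."""
    return sorted(ip for ip, names in findings["redirect_hosts"].items()
                  if len(names) >= min_names)


def report(findings):
    """Human-readable summary lines, one per finding worth reviewing."""
    lines = []
    for ip in mass_redirect_ips(findings):
        lines.append(f"hosts: {len(findings['redirect_hosts'][ip])} names redirected to {ip}")
    for ip, name in findings["pre_hosts"]:
        lines.append(f"hosts: #PRE entry {name} -> {ip} (LMHOSTS tag in a hosts file)")
    for key in findings["orphan_notify"]:
        lines.append(f"winlogon notify: {key} points at a missing DLL")
    for svc, path in findings["unknown_services"]:
        lines.append(f"service: {svc!r} has no vendor, image {path}")
    return lines


if __name__ == "__main__":
    for entry in report(triage(SAMPLE_LOG)):
        print(entry)
```

The distinction the script draws is the one that matters when reading O1 lines: a name mapped to 127.0.0.1 or 0.0.0.0 is blocked, which is what ad-blocking hosts files do, whereas dozens of names mapped to one external address (209.8.161.233 in the first log) are being sent somewhere the user did not choose. The O20 and O23 checks only surface entries for a human to review; an orphaned Winlogon Notify key is leftover configuration, not proof of an active infection, and a service with an unknown owner may simply lack version information.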

 
Pancake (Global Moderator)
« Reply #2 on: October 21, 2008, 10:10:36 PM »

You are using an outdated version of HijackThis. Please uninstall it from Add/Remove Programs, and delete your current version.

Please download HijackThis to your desktop.

http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe
Alternate link
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe

This program will help us determine if there are any spyware/malware on your computer. Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you.

Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe

===========================================

Download the program HostsXpert 

Unzip HostsXpert.zip
It will create a folder named HostsXpert in whatever folder you extract it to.
Run HostsXpert.exe by double clicking on it.
Click the Make Writeable? button.
Click Restore Microsoft's Hosts File and then click OK.
Click the X to exit the program


=====================================

Run both these programs.


Please download Malwarebytes' Anti-Malware from one of these places:

 http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

 http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report in your next reply along with a fresh HijackThis log.

Please Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


=====================================================================================

=====================================================================================


OK. Let's download ComboFix.exe. This will give me a better view of the files running and also hidden on your computer, and also those in the registry. Please visit this webpage for downloading and instructions for running the tool:

Go here ======> A guide and tutorial on using ComboFix <====== Go here

Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use SP2. Do not use for Vista.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should get a prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

(1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


Caution: Never run and remove files with ComboFix unless supervised by a qualified security analyst who is experienced in the use of ComboFix. Misuse can cause serious computer problems.

NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.





Logged

cether01
« Reply #3 on: October 23, 2008, 10:16:15 PM »

Here are the logs you asked for after the scans and removal.  HijackThis, ComboFix and the Anti-Malware program:
____________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:12:28 PM, on 10/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forecast.weather.gov/MapClick.php?zoneid=TNZ057
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.18\AMVConverter\grab.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.ask.com/index.asp?partner=7019
O15 - Trusted Zone: www.avg.com
O15 - Trusted Zone: *.avg.com
O15 - Trusted Zone: www.grisoft.com
O15 - Trusted Zone: *.grisoft.com
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: dMarc Direct Agent - Unknown owner - c:\dmarc\agent\chaind.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O24 - Desktop Component 0: (no name) - http://img.bellsouth.net/cobrand/bellsouth/img/ui/bg-grad-at.png
O24 - Desktop Component 1: (no name) - http://images.intellicast.com/WeatherImg/Radar/bwg.gif
O24 - Desktop Component 2: (no name) - http://a544.ac-images.myspacecdn.com/images01/40/l_d2fc3c293823e0ab111684cba4e24c57.png
O24 - Desktop Component 3: (no name) - http://grindersswitchhour.com/041907_1718a2.jpg

--
End of file - 5261 bytes
__________________________________________________________________

ComboFix 08-10-22.05 - Owner 2008-10-23 16:52:04.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.624 [GMT -5:00]
Command switches used :: C:\Documents and Settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\Quarantine
C:\WINDOWS\egme.exe
C:\WINDOWS\IE4 Error Log.txt
C:\WINDOWS\system\oeminfo.ini
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\drivers\tdssserv.sys
C:\WINDOWS\system32\tdssadw.dll
C:\WINDOWS\system32\TDSSerrors.log
C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\tdssl.dll
C:\WINDOWS\system32\tdsslog.dll
C:\WINDOWS\system32\tdssmain.dll
C:\WINDOWS\system32\tdssserf.dll
C:\WINDOWS\system32\tdssserf1.dll
C:\WINDOWS\system32\tdssservers.dat

.
(((((((((((((((((((((((((   Files Created from 2008-09-23 to 2008-10-23  )))))))))))))))))))))))))))))))
.

2008-10-23 16:28 . 2008-10-23 16:28   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-10-23 16:28 . 2008-10-23 16:28   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-10-23 16:28 . 2008-10-23 16:28   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-23 16:28 . 2008-10-22 16:28   38,496   --a------   C:\WINDOWS\SYSTEM32\drivers\mbamswissarmy.sys
2008-10-23 16:28 . 2008-10-22 16:28   15,504   --a------   C:\WINDOWS\SYSTEM32\drivers\mbam.sys
2008-10-21 14:22 . 2008-10-21 14:22   <DIR>   d--------   C:\temp_phw
2008-10-21 10:23 . 2008-10-21 10:25   135   --a------   C:\VothCDxUserPref.ini
2008-10-20 13:53 . 2008-10-20 13:53   0   --a------   C:\WINDOWS\nsreg.dat
2008-10-15 10:26 . 2008-09-15 07:12   1,846,400   ---------   C:\WINDOWS\SYSTEM32\dllcache\win32k.sys
2008-10-15 10:26 . 2008-09-08 05:41   333,824   ---------   C:\WINDOWS\SYSTEM32\dllcache\srv.sys
2008-10-15 10:25 . 2008-08-14 05:11   2,189,184   ---------   C:\WINDOWS\SYSTEM32\dllcache\ntoskrnl.exe
2008-10-15 10:25 . 2008-08-14 05:09   2,145,280   ---------   C:\WINDOWS\SYSTEM32\dllcache\ntkrnlmp.exe
2008-10-15 10:25 . 2008-08-14 04:33   2,066,048   ---------   C:\WINDOWS\SYSTEM32\dllcache\ntkrnlpa.exe
2008-10-15 10:25 . 2008-08-14 04:33   2,023,936   ---------   C:\WINDOWS\SYSTEM32\dllcache\ntkrpamp.exe
2008-10-07 10:24 . 2008-10-07 10:24   <DIR>   d--------   C:\WINDOWS\SYSTEM32\scripting
2008-10-07 10:24 . 2008-10-07 10:24   <DIR>   d--------   C:\WINDOWS\SYSTEM32\en
2008-10-07 10:24 . 2008-10-07 10:24   <DIR>   d--------   C:\WINDOWS\l2schemas

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-23 21:13   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\AVG7
2008-10-21 19:30   ---------   d-----w   C:\Program Files\Virtools Web Player 2.0
2008-10-21 18:24   90,112   ----a-w   C:\WINDOWS\DUMP3fc8.tmp
2008-10-21 18:23   90,112   ----a-w   C:\WINDOWS\DUMP3f4b.tmp
2008-10-15 14:17   ---------   d-----w   C:\Program Files\BroadJump
2008-10-15 14:14   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-10-15 14:14   ---------   d-----w   C:\Program Files\Hewlett-Packard
2008-09-15 12:12   1,846,400   ----a-w   C:\WINDOWS\SYSTEM32\win32k.sys
2008-09-09 21:08   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\U3
2008-09-08 10:41   333,824   ----a-w   C:\WINDOWS\system32\drivers\srv.sys
2008-09-01 12:50   ---------   d-----w   C:\Program Files\MP3 Player Utilities 4.18
2008-08-29 23:42   ---------   d-----w   C:\Program Files\Common Files\Adobe
2008-08-29 23:41   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-08-20 05:30   666,112   ----a-w   C:\WINDOWS\SYSTEM32\wininet.dll
2008-08-20 05:30   666,112   ------w   C:\WINDOWS\SYSTEM32\dllcache\wininet.dll
2008-08-20 05:30   619,520   ------w   C:\WINDOWS\SYSTEM32\dllcache\urlmon.dll
2008-08-20 05:30   3,067,904   ------w   C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2008-08-20 05:30   1,499,136   ------w   C:\WINDOWS\SYSTEM32\dllcache\shdocvw.dll
2008-08-14 10:11   2,189,184   ----a-w   C:\WINDOWS\SYSTEM32\ntoskrnl.exe
2008-08-14 10:04   138,496   ------w   C:\WINDOWS\SYSTEM32\dllcache\afd.sys
2008-08-14 09:33   2,066,048   ----a-w   C:\WINDOWS\SYSTEM32\ntkrnlpa.exe
2003-07-10 06:06   106,525   ----a-w   C:\Documents and Settings\Owner\KL-Detector.exe
2001-07-22 02:45   94,784   --sha-w   C:\WINDOWS\twain.dll
2008-04-14 00:12   50,688   --sha-w   C:\WINDOWS\twain_32.dll
2008-04-14 00:11   1,028,096   --sha-w   C:\WINDOWS\SYSTEM32\mfc42.dll
2008-04-14 00:12   57,344   --sha-w   C:\WINDOWS\SYSTEM32\msvcirt.dll
2008-04-14 00:12   413,696   --sha-w   C:\WINDOWS\SYSTEM32\msvcp60.dll
2008-04-14 00:12   343,040   --sha-w   C:\WINDOWS\SYSTEM32\msvcrt.dll
2008-04-14 00:12   551,936   --sha-w   C:\WINDOWS\SYSTEM32\oleaut32.dll
2008-04-14 00:12   84,992   --sha-w   C:\WINDOWS\SYSTEM32\olepro32.dll
2008-04-14 00:12   11,776   --sha-w   C:\WINDOWS\SYSTEM32\regsvr32.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-08-15 28739]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [2000-07-19 176183]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-06-15 212992]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2001-08-07 143360]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2001-08-07 90112]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2001-07-03 81920]
"checktime"="c:\program files\HPSelect\Frontend\ct.exe" [2001-08-13 45056]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-16 77824]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-10-15 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-03 219136]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
AutoPlay.exe [2001-08-27 36864]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-09-04 65588]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-03-18 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
2008-04-03 05:58 9216 C:\WINDOWS\SYSTEM32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\nbf.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center UI.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center UI.lnk
backup=C:\WINDOWS\pss\hp center UI.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center.lnk
backup=C:\WINDOWS\pss\hp center.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgwizfw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S2 dMarc Direct Agent;dMarc Direct Agent;c:\dmarc\agent\chaind.exe [2008-03-27 409600]
S3 HPPLSBULK;HPPLSBULK;C:\WINDOWS\system32\drivers\hpplsbulk.sys [2005-02-02 9344]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2008-04-13 12800]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fc84a2a-0815-11da-81a7-0008a1742d12}]
\Shell\AutoRun\command - F:\JDSecure\Windows\JDSecure20.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fc84a5d-0815-11da-81a7-0008a1742d12}]
\Shell\AutoRun\command - F:\JDSecure\Windows\JDSecure20.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9195e624-82b5-11da-8262-0008a1742d12}]
\Shell\AutoRun\command - F:\JDSecure\Windows\JDSecure20.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2002-02-21 C:\WINDOWS\Tasks\ISP signup reminder 2.job
- C:\WINDOWS\System32\OOBE\oobebaln.exe [2008-04-13 19:12]

2002-02-21 C:\WINDOWS\Tasks\ISP signup reminder 3.job
- C:\WINDOWS\System32\OOBE\oobebaln.exe [2008-04-13 19:12]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ConMgr.exe - C:\Program Files\EarthLink 5.0\ConMgr.exe
MSConfigStartUp-Yahoo! Pager - C:\Program Files\Yahoo!\Messenger\ypager.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6lv5u5n7.default\
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-23 16:56:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv]
"imagepath"="\systemroot\system32\drivers\TDSSserv.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\tdssserv.sys)]

.
Completion time: 2008-10-23 16:59:03
ComboFix-quarantined-files.txt  2008-10-23 21:58:57

Pre-Run: 6,108,512,256 bytes free
Post-Run: 6,634,573,824 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows Whistler Personal" /fastdetect /NoExecute=OptIn

179   --- E O F ---   2008-10-15 23:14:07
______________________________________________________________
cether01
Full Member
« Reply #4 on: October 23, 2008, 10:16:42 PM »

Malwarebytes' Anti-Malware 1.30
Database version: 1310
Windows 5.1.2600 Service Pack 3

10/23/2008 4:38:47 PM
mbam-log-2008-10-23 (16-38-47).txt

Scan type: Quick Scan
Objects scanned: 55220
Time elapsed: 7 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 17
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{90b5a95a-afd5-4d11-b9bd-a69d53d22226} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{84da4fdf-a1cf-4195-8688-3e961f505983} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\TS-2009 (Rogue.TotalSecure) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\k86.bin (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Favorites\Protect Your Privacy.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Favorites\Malware Defender.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Favorites\System Error Fixer.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\TmpRecentIcons\Total Secure 2009.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Program Files\TS-2009\totalsecure.s3 (Rogue.TotalSecure) -> Quarantined and deleted successfully.
C:\Program Files\TS-2009\totalsecure.s2 (Rogue.TotalSecure) -> Quarantined and deleted successfully.
C:\Program Files\TS-2009\scan.exe (Rogue.TotalSecure) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\drivers\ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\vwnskbot.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\sysbase32.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\woprdagt.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\bkqxdons.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\aetlsrknpsb.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\k.txt (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\qnflkotm.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\windfr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\pwrmgr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
___________________________________

Thanks
Pancake
Global Moderator
Hero Member
« Reply #5 on: October 23, 2008, 10:46:00 PM »

Ok. Just this to fix and you are all done.

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Quote

Registry::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv]
"imagepath"=-

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\tdssserv.sys)]

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.

Referring to the picture above, drag CFScript.txt into ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply  please.


*Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer*


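The CFScript step above, as an added example (not ComboFix's own code, nor the moderator's): it lifts the leftover TDSSserv service keys from the registry dump at the tail of the first ComboFix log, writes the `Registry::` section in the form the moderator posted, and then checks the follow-up log's Drivers/Services section to confirm both services were actually removed. The log excerpts are constructed from the lines in this thread; `confirm_cleanup` and the other function names are this example's own.

```python
"""Turn leftover service keys in a ComboFix log into a CFScript and verify
the follow-up log reports them removed. Added example for this thread;
log excerpts below are constructed from the posted logs."""
import re

# Constructed excerpt: registry dump at the tail of the 2008-10-23 ComboFix log.
PRE_FIX_LOG = """\
**************************************************************************

[HKEY_LOCAL_MACHINE\\system\\ControlSet001\\Services\\TDSSserv]
"imagepath"="\\systemroot\\system32\\drivers\\TDSSserv.sys"

[HKEY_LOCAL_MACHINE\\system\\ControlSet001\\Services\\tdssserv.sys)]

.
Completion time: 2008-10-23 16:59:03
"""

# Constructed excerpt: Drivers/Services section of the 2008-10-24 ComboFix log.
POST_FIX_LOG = """\
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\\Service_TDSSserv
-------\\Service_tdssserv.sys)

"""

# A leftover service key as ComboFix prints it, e.g.
# [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv]
KEY_RE = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE\\system\\ControlSet\d+\\Services\\[^\]]+)\]$", re.I
)
# A value line in REGEDIT4 syntax, e.g. "imagepath"="..."
VALUE_RE = re.compile(r'^"([^"]+)"=')


def leftover_service_keys(log: str) -> dict:
    """Map each Services\\... key in the trailing registry dump to its value names."""
    keys = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = []
            continue
        if current and (v := VALUE_RE.match(line)):
            keys[current].append(v.group(1))
        elif not line:
            current = None  # a blank line ends the current key block
    return keys


def build_cfscript(keys: dict) -> str:
    """Emit the Registry:: section in the form the moderator posted:
    in REGEDIT4 syntax "name"=- deletes that value; a key with no values is
    listed as a bare header, exactly as in the thread's CFScript."""
    lines = ["Registry::"]
    for key, values in keys.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{v}"=-' for v in values)
        lines.append("")
    return "\n".join(lines)


def removed_services(log: str) -> set:
    """Service names ComboFix lists as removed in its Drivers/Services section."""
    return {m.group(1) for m in re.finditer(r"^-------\\Service_(.+)$", log, re.M)}


def confirm_cleanup(pre_log: str, post_log: str) -> list:
    """Service names from the first log not confirmed removed in the second
    (an empty list means the fix log accounts for every leftover service)."""
    wanted = {k.rsplit("\\", 1)[1].lower() for k in leftover_service_keys(pre_log)}
    got = {name.lower() for name in removed_services(post_log)}
    return sorted(wanted - got)


if __name__ == "__main__":
    print(build_cfscript(leftover_service_keys(PRE_FIX_LOG)))
    print("still unconfirmed:", confirm_cleanup(PRE_FIX_LOG, POST_FIX_LOG))
```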
cether01
Full Member
« Reply #6 on: October 24, 2008, 05:48:40 AM »

Here you go

______________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:36:04 AM, on 10/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forecast.weather.gov/MapClick.php?zoneid=TNZ057
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.18\AMVConverter\grab.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.ask.com/index.asp?partner=7019
O15 - Trusted Zone: www.avg.com
O15 - Trusted Zone: *.avg.com
O15 - Trusted Zone: www.grisoft.com
O15 - Trusted Zone: *.grisoft.com
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: dMarc Direct Agent - Unknown owner - c:\dmarc\agent\chaind.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O24 - Desktop Component 0: (no name) - http://img.bellsouth.net/cobrand/bellsouth/img/ui/bg-grad-at.png
O24 - Desktop Component 1: (no name) - http://images.intellicast.com/WeatherImg/Radar/bwg.gif
O24 - Desktop Component 2: (no name) - http://a544.ac-images.myspacecdn.com/images01/40/l_d2fc3c293823e0ab111684cba4e24c57.png
O24 - Desktop Component 3: (no name) - http://grindersswitchhour.com/041907_1718a2.jpg

--
End of file - 5490 bytes
____________________

ComboFix 08-10-22.05 - Owner 2008-10-24  0:15:59.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.559 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv
-------\Service_tdssserv.sys)


(((((((((((((((((((((((((   Files Created from 2008-09-24 to 2008-10-24  )))))))))))))))))))))))))))))))
.

2008-10-23 16:28 . 2008-10-23 16:28   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-10-23 16:28 . 2008-10-23 16:28   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-10-23 16:28 . 2008-10-23 16:28   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-23 16:28 . 2008-10-22 16:28   38,496   --a------   C:\WINDOWS\SYSTEM32\drivers\mbamswissarmy.sys
2008-10-23 16:28 . 2008-10-22 16:28   15,504   --a------   C:\WINDOWS\SYSTEM32\drivers\mbam.sys
2008-10-21 14:22 . 2008-10-21 14:22   <DIR>   d--------   C:\temp_phw
2008-10-21 10:23 . 2008-10-21 10:25   135   --a------   C:\VothCDxUserPref.ini
2008-10-20 13:53 . 2008-10-20 13:53   0   --a------   C:\WINDOWS\nsreg.dat
2008-10-15 10:26 . 2008-09-15 07:12   1,846,400   ---------   C:\WINDOWS\SYSTEM32\dllcache\win32k.sys
2008-10-15 10:26 . 2008-09-08 05:41   333,824   ---------   C:\WINDOWS\SYSTEM32\dllcache\srv.sys
2008-10-15 10:25 . 2008-08-14 05:11   2,189,184   ---------   C:\WINDOWS\SYSTEM32\dllcache\ntoskrnl.exe
2008-10-15 10:25 . 2008-08-14 05:09   2,145,280   ---------   C:\WINDOWS\SYSTEM32\dllcache\ntkrnlmp.exe
2008-10-15 10:25 . 2008-08-14 04:33   2,066,048   ---------   C:\WINDOWS\SYSTEM32\dllcache\ntkrnlpa.exe
2008-10-15 10:25 . 2008-08-14 04:33   2,023,936   ---------   C:\WINDOWS\SYSTEM32\dllcache\ntkrpamp.exe
2008-10-07 10:24 . 2008-10-07 10:24   <DIR>   d--------   C:\WINDOWS\SYSTEM32\scripting
2008-10-07 10:24 . 2008-10-07 10:24   <DIR>   d--------   C:\WINDOWS\SYSTEM32\en
2008-10-07 10:24 . 2008-10-07 10:24   <DIR>   d--------   C:\WINDOWS\l2schemas

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-23 22:54   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\AVG7
2008-10-21 19:30   ---------   d-----w   C:\Program Files\Virtools Web Player 2.0
2008-10-21 18:24   90,112   ----a-w   C:\WINDOWS\DUMP3fc8.tmp
2008-10-21 18:23   90,112   ----a-w   C:\WINDOWS\DUMP3f4b.tmp
2008-10-15 14:17   ---------   d-----w   C:\Program Files\BroadJump
2008-10-15 14:14   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-10-15 14:14   ---------   d-----w   C:\Program Files\Hewlett-Packard
2008-09-09 21:08   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\U3
2008-09-08 10:41   333,824   ----a-w   C:\WINDOWS\system32\drivers\srv.sys
2008-09-01 12:50   ---------   d-----w   C:\Program Files\MP3 Player Utilities 4.18
2008-08-29 23:42   ---------   d-----w   C:\Program Files\Common Files\Adobe
2008-08-29 23:41   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\AdobeUM
2003-07-10 06:06   106,525   ----a-w   C:\Documents and Settings\Owner\KL-Detector.exe
2001-07-22 02:45   94,784   --sha-w   C:\WINDOWS\twain.dll
2008-04-14 00:12   50,688   --sha-w   C:\WINDOWS\twain_32.dll
2008-04-14 00:11   1,028,096   --sha-w   C:\WINDOWS\SYSTEM32\mfc42.dll
2008-04-14 00:12   57,344   --sha-w   C:\WINDOWS\SYSTEM32\msvcirt.dll
2008-04-14 00:12   413,696   --sha-w   C:\WINDOWS\SYSTEM32\msvcp60.dll
2008-04-14 00:12   343,040   --sha-w   C:\WINDOWS\SYSTEM32\msvcrt.dll
2008-04-14 00:12   551,936   --sha-w   C:\WINDOWS\SYSTEM32\oleaut32.dll
2008-04-14 00:12   84,992   --sha-w   C:\WINDOWS\SYSTEM32\olepro32.dll
2008-04-14 00:12   11,776   --sha-w   C:\WINDOWS\SYSTEM32\regsvr32.exe
.

(((((((((((((((((((((((((((((   snapshot@2008-10-23_16.58.25.25   )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28   163,328   ----a-w   C:\WINDOWS\ERDNT\subs\ERDNT.EXE
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-08-15 28739]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [2000-07-19 176183]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-06-15 212992]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2001-08-07 143360]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2001-08-07 90112]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2001-07-03 81920]
"checktime"="c:\program files\HPSelect\Frontend\ct.exe" [2001-08-13 45056]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-16 77824]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-10-23 590848]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-03 219136]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
AutoPlay.exe [2001-08-27 36864]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-09-04 65588]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-03-18 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
2008-04-03 05:58 9216 C:\WINDOWS\SYSTEM32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\nbf.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center UI.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center UI.lnk
backup=C:\WINDOWS\pss\hp center UI.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center.lnk
backup=C:\WINDOWS\pss\hp center.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgwizfw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S2 dMarc Direct Agent;dMarc Direct Agent;c:\dmarc\agent\chaind.exe [2008-03-27 409600]
S3 HPPLSBULK;HPPLSBULK;C:\WINDOWS\system32\drivers\hpplsbulk.sys [2005-02-02 9344]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2008-04-13 12800]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fc84a2a-0815-11da-81a7-0008a1742d12}]
\Shell\AutoRun\command - F:\JDSecure\Windows\JDSecure20.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fc84a5d-0815-11da-81a7-0008a1742d12}]
\Shell\AutoRun\command - F:\JDSecure\Windows\JDSecure20.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9195e624-82b5-11da-8262-0008a1742d12}]
\Shell\AutoRun\command - F:\JDSecure\Windows\JDSecure20.exe
.
Contents of the 'Scheduled Tasks' folder

2002-02-21 C:\WINDOWS\Tasks\ISP signup reminder 2.job
- C:\WINDOWS\System32\OOBE\oobebaln.exe [2008-04-13 19:12]

2002-02-21 C:\WINDOWS\Tasks\ISP signup reminder 3.job
- C:\WINDOWS\System32\OOBE\oobebaln.exe [2008-04-13 19:12]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-24 00:25:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\SYSTEM32\HPZipm12.exe
C:\Program Files\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\SYSTEM32\fxssvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
.
**************************************************************************
.
Completion time: 2008-10-24  0:32:11 - machine was rebooted
ComboFix-quarantined-files.txt  2008-10-24 05:32:02
ComboFix2.txt  2008-10-23 21:59:05

Pre-Run: 6,695,100,416 bytes free
Post-Run: 6,619,987,968 bytes free

160   --- E O F ---   2008-10-15 23:14:07
Pancake
Global Moderator
Hero Member
« Reply #7 on: October 24, 2008, 06:39:22 AM »

I see no more malware. You should be fine now.

This will clear away any of the files and folders that were created by ComboFix.

Go to:
Start > Run, then copy and paste the highlighted text below into the box and click OK.

ComboFix /u

cether01
Full Member
« Reply #8 on: October 24, 2008, 10:58:49 AM »

OK, I will do that. Great. Thanks so so so much for your help. Everything seems to be back to normal.

Pancake
Global Moderator
Hero Member
« Reply #9 on: October 24, 2008, 09:18:20 PM »

Ok. Good.