

trhgbtrh4

@teksavvy.com

HJT Log: "System Security", Vundo, Koobface

Rogue program "System Security" WAS running at startup, but it seems to be gone now. No other visible signs of further infection.

MBAM in safe mode, full scan, log:

Malwarebytes' Anti-Malware 1.36
Database version: 2162
Windows 5.1.2600 Service Pack 3

5/21/2009 8:41:48 PM
mbam-log-2009-05-21 (20-41-48).txt

Scan type: Full Scan (C:\|)
Objects scanned: 162908
Time elapsed: 41 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 7
Registry Data Items Infected: 1
Folders Infected: 6
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9e263d08-4127-4b99-9043-4fb044e6fcbc} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9e263d08-4127-4b99-9043-4fb044e6fcbc} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\systemsecurity2009 (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
KHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prnet (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\10560784 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\90570776 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Worm.Koobface) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PromoReg (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prnet (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\10560784 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\90570776 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\GHOST\Application Data\digifast (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\GHOST\Application Data\pidle (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\GHOST\Start Menu\Programs\System Security (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\GHOST\Application Data\Twain (Trojan.Matcash) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\10560784\10560784.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\10560784\10560784.glu (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\10560784\pc10560784cnf (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\10560784\pc10560784ins (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\90570776\90570776.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\WINDOWS\ld08.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\870159\870159.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\GHOST\Local Settings\Temporary Internet Files\Content.IE5\KE70ZUQL\n1[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\GHOST\Local Settings\Temporary Internet Files\Content.IE5\KE70ZUQL\nfr[1].exe (Trojan.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSINET.oca (Rogue.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\GHOST\Application Data\digifast\config.cfg (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\GHOST\Start Menu\Programs\System Security\System Security 2009 Support.lnk (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\GHOST\Start Menu\Programs\System Security\System Security 2009.lnk (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\GHOST\Desktop\System Security 2009.lnk (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv761242765100.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\st_1242788278.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\st_1242806706.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

MBAM in normal boot, quick scan, truncated log:

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DigiFast (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pidle (Trojan.Agent) -> Quarantined and deleted successfully.

MBAM in normal boot, quick scan, truncated log:

Registry Keys Infected:
HKEY_CLASSES_ROOT\ju495.ju495mgr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ju495.ju495mgr.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9e263d08-4127-4b99-9043-4fb044e6fcbc} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\870159 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Spybot in safe mode, truncated log:

--- Report generated: 2009-05-21 20:59 ---

Fake.SecurityAlert: [SBI $1CEE4DC2] Root class (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\zip.plugin

Fraud.VirusDoctor: [SBI $0C71C5B8] Redirected host (Redirected host, fixed)
url.adtrgt.com=82.98.231.89

Fraud.VirusDoctor: [SBI $0C71C5B8] Redirected host (Redirected host, fixed)
googleads2.gdoubleclick.net=82.98.231.89

Virtumonde: [SBI $1D86E0B2] Configuration file (File, fixed)
C:\WINDOWS\Tasks\cgqzdpmz.job
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Virtumonde.Dll: [SBI $93929F73] Library (File, fixed)
C:\WINDOWS\system32\bojigenu.dll.tmp
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Virtumonde.Dll: [SBI $93929F73] Library (File, fixed)
C:\WINDOWS\system32\yetogusu.dll.tmp
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Virtumonde.sdn: [SBI $76125955] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs=...doguvuvo.dll...

Virtumonde.sdn: [SBI $70056CE6] Data (File, fixed)
C:\WINDOWS\system32\vefevoyi
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Virtumonde.sdn: [SBI $0C71C5B8] Redirected host (Redirected host, fixed)
url.adtrgt.com=82.98.231.89

Virtumonde.sdn: [SBI $0C71C5B8] Redirected host (Redirected host, fixed)
googleads2.gdoubleclick.net=82.98.231.89

Spybot in normal boot, truncated log:

--- Report generated: 2009-05-21 21:59 ---

Speedrunner: [SBI $9B490B89] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1547161642-725345543-691866490-1003\Software\Microsoft\Internet Explorer\Explorer Bars\{CAFB2180-BA09-11DC-95FF-0800200C9A66}

Win32.Iksmas.ai: [SBI $06907D50] Settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-1547161642-725345543-691866490-1003\Software\Microsoft\Windows\CurrentVersion\FWDone

Win32.Iksmas.ai: [SBI $426323A7] Settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-1547161642-725345543-691866490-1003\Software\Microsoft\Windows\CurrentVersion\MyID

Win32.Iksmas.ai: [SBI $B924DA40] Settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-1547161642-725345543-691866490-1003\Software\Microsoft\Windows\CurrentVersion\RList

Virtumonde.sdn: [SBI $B981553F] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs=...feyiloto.dll...

ESET log:

C:\Documents and Settings\GHOST\Local Settings\Application Data\Microsoft\Messenger\REMOVED\Sharing Folders\REMOVED\N.E.R.D - Seeing Sounds (2008)\N.E.R.D. - Windows.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Documents and Settings\GHOST\Local Settings\Temporary Internet Files\Content.IE5\P60V88MD\pp.10[1].exe probably a variant of Win32/Genetik trojan cleaned by deleting - quarantined
D:\Ares\Music\Gym Class Heroes - The Quilt\06-gym_class_heroes-catch_me_if_you_can.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
D:\Ares\Music\N.E.R.D - Seeing Sounds (2008)\N.E.R.D. - Windows.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
D:\FLStudio8\FL.Studio.8.0.0.XXL.Producer.Edition\setup\flstudio_8.0_install.exe probably a variant of Win32/Delf trojan deleted - quarantined
D:\FLStudio8\Plugins\Fruity\Generators\Toxic Biohazard\Toxic Biohazard.dll probably a variant of Win32/Delf trojan cleaned by deleting - quarantined

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:59:15 AM, on 5/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\Java\jre6\bin\jqs.exe
D:\AVG\AVG8\avgrsx.exe
D:\AVG\AVG8\avgnsx.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
D:\AVG\AVG8\avgemc.exe
D:\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\RTHDCPL.EXE
D:\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDPop3.exe
D:\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDRSS.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
D:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
D:\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = »go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {D8EC463F-89ED-468C-B146-97FE78C47EFF} - C:\WINDOWS\system32\qoMDUmLe.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] D:\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [Launch LgDevAgt] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = D:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = D:\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - »gfx2.hotmail.com/mail/w3/resourc···Upld.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - »download.eset.com/special/eos/On···nner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll tplszf.dll vfmypf.dll c:\windows\system32\pidokobo.dll c:\windows\system32\subiwizu.dll c:\windows\system32\sihosido.dll c:\windows\system32\yinuyoni.dll c:\windows\system32\bozujeyi.dll c:\windows\system32\biruwuta.dll c:\windows\system32\favogupo.dll c:\windows\system32\rugolara.dll c:\windows\system32\filokinu.dll C:\WINDOWS\system32\pafikiwu.dll c:\windows\system32\wuratapa.dll c:\windows\system32\fesusipa.dll c:\windows\system32\ c:\windows\system32\nawowami.dll c:\windows\system32\ c:\windows\system32\vinabino.dll c:\windows\system32\duzileru.dll c:\windows\system32\doyifari.dll c:\windows\system32\ledanozo.dll c:\windows\system32\vopereso.dll
O20 - Winlogon Notify: !SASWinLogon - D:\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: xxyXPihg - xxyXPihg.dll (file missing)
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Ares\chatServer.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 9373 bytes
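The MBAM logs above come in a fixed shape: a block of header counts, then one section per category listing `item (Family) -> action`. Two of the pastes are marked "truncated log", and a truncated paste is exactly the case where the header counts stop matching the items listed. As an added example (mine, not part of the thread and not Malwarebytes' tooling), the Python below parses a log in that format, reconciles the header counts with the listed items, tallies detections by family, and picks out the registry items that sit in autostart locations, since those are the entries that would have relaunched the malware on the next boot. The sample is a constructed subset of the full-scan log above with the "Files Infected" count deliberately raised to 3 so the mismatch check fires; the list of autostart markers is my assumption.

```python
import re
from collections import Counter

# Constructed sample: a subset of the full-scan MBAM log posted in this thread.
# The "Files Infected" header count is deliberately one higher than the number
# of file lines under it, to mimic a truncated paste.
SAMPLE_MBAM = r"""
Malwarebytes' Anti-Malware 1.36
Database version: 2162

Memory Processes Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9e263d08-4127-4b99-9043-4fb044e6fcbc} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\systemsecurity2009 (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Worm.Koobface) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prnet (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\ld08.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\st_1242788278.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
"""

# "Registry Keys Infected: 10"  -> header count for a section
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# "Registry Keys Infected:"     -> start of that section's item list
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<item> (<Family>) -> <action>"
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")

# Assumed list of autostart locations worth calling out; extend as needed.
AUTORUN_MARKERS = (
    "\\currentversion\\run\\",
    "\\browser helper objects\\",
    "\\sharedtaskscheduler\\",
    "\\shellserviceobjectdelayload\\",
    "\\appinit_dlls",
)


def parse_mbam(text):
    """Return (summary, details): header counts and the items listed per section."""
    summary, details, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["section"]] = int(m["count"])
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m["section"]
            details.setdefault(section, [])
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = ITEM_RE.match(line)
        if m:
            details[section].append((m["item"], m["family"], m["action"]))
    return summary, details


def count_mismatches(summary, details):
    """Sections whose header count differs from the items actually listed.
    A gap means the paste is truncated or the log was edited."""
    out = {}
    for section, expected in summary.items():
        listed = len(details.get(section, []))
        if listed != expected:
            out[section] = (expected, listed)
    return out


def families(details):
    """Detections per malware family across all sections."""
    return Counter(fam for items in details.values() for _, fam, _ in items)


def persistence_points(details):
    """Registry detections that live in an autostart location."""
    hits = []
    for section, items in details.items():
        if not section.startswith("Registry"):
            continue
        for item, fam, _ in items:
            if any(marker in item.lower() for marker in AUTORUN_MARKERS):
                hits.append((item, fam))
    return hits


if __name__ == "__main__":
    summary, details = parse_mbam(SAMPLE_MBAM)
    print("count mismatches:", count_mismatches(summary, details))
    print("families:", dict(families(details)))
    for item, fam in persistence_points(details):
        print(f"autostart: {fam:<20} {item}")
```

Run as-is it reports one mismatch (`Files Infected` expected 3, listed 2), two Koobface detections among seven items, and three autostart entries (the BHO registration and the two `Run` values).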


TheJoker
Premium,VIP,MVM
join:2001-04-26
Alexandria, VA

Hi trhgbtrh4

I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier. Please follow the directions in the order listed.

Clean your Cache and Cookies in IE:
- Close all instances of Outlook Express and Internet Explorer
- Go to Control Panel > Internet Options > General tab
- Click the "Delete Cookies" button
- Next to it, click the "Delete Files" button
- When prompted, place a check in: "Delete all offline content", click OK

Clean your Cache and Cookies in Firefox (in case you also have Firefox installed):
- Go to Tools > Options.
- Click Privacy in the menu on the left side of the Options window.
- Click the Clear button located to the right of each option (History, Cookies, Private Data).
- Click OK to close the Options window.
- Alternatively, you can clear all information stored while browsing by clicking Clear All. A confirmation dialog box will be shown before clearing the information.

Clean other Temporary files + Recycle Bin:
- Go to Start > Run and type: cleanmgr and click OK.
- Let it scan your system for files to remove.
- Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
- Press OK to remove them.

Please Run Malwarebytes' Anti-Malware.
- Click the Update tab.
- Click Check for Updates.
- If an update is found, it will download and install.
- Click the Scanner tab.
- Select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & Paste the entire report in your next reply along with a fresh HijackThis log.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {D8EC463F-89ED-468C-B146-97FE78C47EFF} - C:\WINDOWS\system32\qoMDUmLe.dll (file missing)
O20 - AppInit_DLLs: avgrsstx.dll tplszf.dll vfmypf.dll c:\windows\system32\pidokobo.dll c:\windows\system32\subiwizu.dll c:\windows\system32\sihosido.dll c:\windows\system32\yinuyoni.dll c:\windows\system32\bozujeyi.dll c:\windows\system32\biruwuta.dll c:\windows\system32\favogupo.dll c:\windows\system32\rugolara.dll c:\windows\system32\filokinu.dll C:\WINDOWS\system32\pafikiwu.dll c:\windows\system32\wuratapa.dll c:\windows\system32\fesusipa.dll c:\windows\system32\ c:\windows\system32\nawowami.dll c:\windows\system32\ c:\windows\system32\vinabino.dll c:\windows\system32\duzileru.dll c:\windows\system32\doyifari.dll c:\windows\system32\ledanozo.dll c:\windows\system32\vopereso.dll
O20 - Winlogon Notify: xxyXPihg - xxyXPihg.dll (file missing)


Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\WINDOWS\system32\qoMDUmLe.dll
c:\windows\system32\pidokobo.dll
c:\windows\system32\subiwizu.dll
c:\windows\system32\sihosido.dll
c:\windows\system32\yinuyoni.dll
c:\windows\system32\bozujeyi.dll
c:\windows\system32\biruwuta.dll
c:\windows\system32\favogupo.dll
c:\windows\system32\rugolara.dll
c:\windows\system32\filokinu.dll
C:\WINDOWS\system32\pafikiwu.dll
c:\windows\system32\wuratapa.dll
c:\windows\system32\fesusipa.dll
c:\windows\system32\nawowami.dll
c:\windows\system32\vinabino.dll
c:\windows\system32\duzileru.dll
c:\windows\system32\doyifari.dll
c:\windows\system32\ledanozo.dll
c:\windows\system32\vopereso.dll
c:\windows\system32\xxyXPihg.dll
C:\Windows\fmark2.dat
And any executable files in the Windows folder that start with kenny (C:\Windows\kenny*.exe)

Also delete the following folders if found:
C:\Program Files\TinyProxy
C:\Program Files\ProtectService

Now you need to hide the files you un-hid earlier:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading unselect "Show hidden files and folders".
Check the "Hide protected operating system files (recommended)" option.
Click Yes to confirm. Click OK.

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
- The program will install and then begin downloading the latest definition files.
- After the files have been downloaded on the left side of the page in the Scan section select My Computer.
- This will start the program and scan your system.
- The scan will take a while, so be patient and let it run.
- Once the scan is complete, click on View scan report
- Now, click on the Save Report as button.
- In the drop-down box labeled Files of type change the type to Text file.
- Save the file to your desktop.
- Copy and paste that information in your next post.

Please post a new HijackThis log, the log from MBAM, the log from Kaspersky's online scan, and note any errors encountered.
--
Proud ASAP member since 2005
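The HijackThis entries picked out above share two tells: a registered component whose file is gone (HijackThis marks these "(no file)" or "(file missing)"), and AppInit_DLLs entries pointing at eight-letter pseudo-random DLLs in system32, the naming the Spybot log in this thread attributes to Virtumonde (doguvuvo.dll, feyiloto.dll). The Python below is an added example, not code from the thread and not HijackThis itself; it applies those checks to a few lines copied from the first log, with two benign lines included so the checks have something to pass. The allowlist (avgrsstx.dll, the AVG component) and the eight-letter heuristic are my assumptions for this host, and a heuristic hit is a lead to verify, not proof.

```python
import re

# Constructed sample: entries copied from the HijackThis log posted earlier in
# this thread, plus two benign lines (Adobe BHO, AVG tray) as negative cases.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {D8EC463F-89ED-468C-B146-97FE78C47EFF} - C:\WINDOWS\system32\qoMDUmLe.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] D:\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: avgrsstx.dll tplszf.dll c:\windows\system32\pidokobo.dll c:\windows\system32\ c:\windows\system32\vopereso.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: xxyXPihg - xxyXPihg.dll (file missing)
"""

# HijackThis appends these when a registered component's file cannot be found.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Assumption for this host: the only AppInit DLL the thread's logs tie to a
# known product is AVG's avgrsstx.dll. Adjust for the machine being triaged.
APPINIT_ALLOWLIST = {"avgrsstx.dll"}

# Heuristic: a DLL in system32 named with exactly eight lowercase letters, the
# pattern the Spybot log in this thread attributes to Virtumonde. Leads only.
RANDOM_SYSTEM32_DLL = re.compile(r"^[a-z]:\\windows\\system32\\[a-z]{8}\.dll$")

APPINIT_PREFIX = "O20 - AppInit_DLLs:"


def triage_appinit(dll_list):
    """Return (entry, reason) for every AppInit DLL that is not on the allowlist."""
    findings = []
    for token in dll_list.split():
        low = token.lower()
        if low in APPINIT_ALLOWLIST:
            continue
        if low.endswith("\\"):
            reason = "directory with no DLL name: residue of an entry already removed"
        elif RANDOM_SYSTEM32_DLL.match(low):
            reason = "eight-letter pseudo-random DLL in system32 (Virtumonde naming pattern)"
        else:
            reason = "AppInit DLL not on the allowlist"
        findings.append((f"{APPINIT_PREFIX} {token}", reason))
    return findings


def triage_hjt(log_text):
    """Scan HijackThis output and return (entry, reason) pairs worth fixing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O2 - BHO:") and line.endswith(ORPHAN_MARKERS):
            findings.append((line, "BHO registered but its DLL is gone: orphaned entry"))
        elif line.startswith(APPINIT_PREFIX):
            findings.extend(triage_appinit(line[len(APPINIT_PREFIX):]))
        elif line.startswith("O20 - Winlogon Notify:") and line.endswith(ORPHAN_MARKERS):
            findings.append((line, "Winlogon Notify package whose DLL is gone: orphaned entry"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage_hjt(SAMPLE_HJT):
        print(f"{reason}\n    {entry}")
```

On the sample it reports seven findings: the two orphaned BHOs, the orphaned Winlogon Notify entry, and four AppInit tokens (two eight-letter DLLs, one bare directory, one unknown name), while the Adobe BHO, the AVG tray entry and the AVG Winlogon Notify entry pass. Orphaned entries are safe to remove since nothing loads from them; the AppInit hits are the ones to confirm on disk before deleting.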


trhgbtrh4

@teksavvy.com

I was unable to locate any of the files or folders you mentioned; I believe they may have been there during a previous infection.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:48 PM, on 5/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\AVG\AVG8\avgemc.exe
D:\AVG\AVG8\avgrsx.exe
D:\AVG\AVG8\avgnsx.exe
C:\WINDOWS\RTHDCPL.EXE
D:\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
D:\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDRSS.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
D:\AVG\AVG8\avgcsrvx.exe
D:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
D:\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = »go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\AVG\AVG8\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] D:\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [Launch LgDevAgt] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = D:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = D:\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - »gfx2.hotmail.com/mail/w3/resourc···Upld.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - »download.eset.com/special/eos/On···nner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - D:\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Ares\chatServer.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 8466 bytes

MBAM log:

Malwarebytes' Anti-Malware 1.36
Database version: 2168
Windows 5.1.2600 Service Pack 3

5/22/2009 7:08:04 PM
mbam-log-2009-05-22 (19-08-04).txt

Scan type: Quick Scan
Objects scanned: 87541
Time elapsed: 2 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, May 22, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, May 22, 2009 22:24:12
Records in database: 2219720
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 176310
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 02:15:56

No malware has been detected. The scan area is clean.

The selected area was scanned.

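The HijackThis entries in the log above are fixed-format autostart records: O4 lines for Run keys and Startup folders, O20 lines for Winlogon Notify DLLs, and O23 lines for services. The following Python script is an added example, not code from this thread or from HijackThis, that parses those three entry types and applies the checks a helper applies by eye when reading such a log: services reported as "Unknown owner", autostarts launched from a temp or cache directory, and unqualified filenames that are resolved through the search path rather than a full path. The sample log is constructed: line shapes copied from the log above plus one made-up Temp-folder Run entry named "updater" so the temp-directory rule has something to match. A hit is a prompt to verify the file (vendor, signature, hash), not a verdict; PnkBstrA, for instance, is the PunkBuster anti-cheat service and is legitimate even though HijackThis lists it with no owner.

```python
import re

# Constructed sample in the Trend Micro HijackThis v2 line format. The line
# shapes are taken from the log above; the "updater" entry is invented so the
# temp-directory rule below has a positive case.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [AVG8_TRAY] D:\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\GHOST\LOCALS~1\Temp\svchost.exe
O4 - Startup: Stardock ObjectDock.lnk = D:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\AVG\AVG8\avgwdsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")
# First token ending in a binary extension; handles unquoted paths with spaces.
PATH_RE = re.compile(r"(.+?\.(?:exe|dll|sys|cpl|scr))", re.IGNORECASE)
# Directory markers that are unusual for a legitimate autostart (8.3 names included).
TEMP_MARKERS = ("\\temp\\", "temporary internet files", "\\recycler\\")


def exe_path(command):
    """Return the program path from a Run command, quoted or unquoted."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = PATH_RE.match(command)
    if m:
        return m.group(1)
    return command.split()[0] if command else ""


def _entry(kind, location, name, path, owner=None):
    return {"kind": kind, "location": location, "name": name, "path": path, "owner": owner}


def parse_entry(line):
    """Turn one HJT line into an entry dict, or None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.groups()
    if kind == "O4" and ": [" in body:          # HIVE\..\Run: [name] command
        loc, rest = body.split(": [", 1)
        name, sep, cmd = rest.partition("] ")
        if not sep:                             # "[name]" with no command
            name = name.rstrip("]")
        return _entry(kind, loc, name, exe_path(cmd))
    if kind == "O4" and " = " in body:          # Startup: foo.lnk = target
        loc, rest = body.split(": ", 1)
        name, _, cmd = rest.partition(" = ")
        return _entry(kind, loc, name, exe_path(cmd))
    if kind == "O20":                           # Winlogon Notify: name - dll
        loc, _, rest = body.partition(": ")
        name, _, path = rest.partition(" - ")
        return _entry(kind, loc, name, path.strip())
    if kind == "O23":                           # Service: name - owner - path
        _, _, rest = body.partition(": ")
        parts = rest.split(" - ", 2)
        if len(parts) == 3:
            name, owner, path = parts
            return _entry(kind, "Service", name, path.strip(), owner.strip())
    return _entry(kind, None, None, None)       # other sections: kept but not triaged


def parse_log(text):
    """Parse every HJT entry line in a log; non-entry lines are skipped."""
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e is not None]


def triage(entries):
    """Apply the three review heuristics; returns (entry name, reason) pairs."""
    findings = []
    for e in entries:
        path = e["path"] or ""
        low = path.lower()
        if e["kind"] == "O23" and (e["owner"] or "").lower() == "unknown owner":
            findings.append((e["name"], "service with no recorded vendor; verify signature and hash"))
        if e["kind"] in ("O4", "O20") and any(mk in low for mk in TEMP_MARKERS):
            findings.append((e["name"], "autostart launched from a temp/cache directory"))
        if e["kind"] == "O4" and path and "\\" not in path:
            findings.append((e["name"], "unqualified filename, resolved through the search path"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"{name}: {reason}")
```

Each rule is deliberately one line so it is easy to see what it does and does not catch: the owner rule only fires on the literal "Unknown owner" string HijackThis emits, and the temp rule is a substring match on the resolved path, which is why `exe_path` strips quotes and trailing arguments first.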

TheJoker
Premium,VIP,MVM
join:2001-04-26
Alexandria, VA

Everything looks good in those two logs, but I'd like to see the results of two other utilities before we declare success.

Download ComboFix© by sUBs from one of these locations:


* IMPORTANT !!! Save ComboFix.exe to your Desktop

Familiarize yourself with ComboFix before running it:
»www.bleepingcomputer.com/combofi···combofix

- Disable your AntiVirus and any AntiSpyware programs you may be running (usually via a right click on the System Tray icon) to prevent them from interfering.

- Double click on ComboFix.exe & follow the prompts.

- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes to continue scanning for malware. When finished, it will save a log.
Please include the contents of the log at C:\ComboFix.txt in your next reply.

Download Security Check by screen317 and save it to your Desktop:
- Unzip SecurityCheck.zip and a folder named Security Check should appear.
- Open the Security Check folder and double-click Security Check.bat
- Follow the onscreen instructions inside of the black box.
- A Notepad document should open automatically called checkup.txt; please post the contents of that document.

In the beginning of your topic you posted contents from a Spybot Search & Destroy log. When you scan with that now (after checking for updates), is there anything detected that's in red that cannot be fixed?

Please post a new HijackThis log, the contents of the log from Security Check (checkup.txt), the log from ComboFix (combofix.txt), and note any errors encountered.

--
Proud ASAP member since 2005


trhgbtrh4

@teksavvy.com

Hm, I guess this computer wasn't completely clean like I thought.

Spybot isn't showing anything that can't be removed. The only things that show up again are tracking cookies (casalemedia, doubleclick, mediaplex, zedo).

The first URL for Security Check shows not found, while the second URL also shows not found, but gives me a link to a SecurityCheck.exe file. If I should download that file instead, please let me know.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:44:03 PM, on 5/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
D:\AVG\AVG8\avgrsx.exe
D:\AVG\AVG8\avgemc.exe
D:\AVG\AVG8\avgnsx.exe
D:\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\RTHDCPL.EXE
D:\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDRSS.exe
D:\Logitech\SetPoint\SetPoint.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
D:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
D:\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = »go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\AVG\AVG8\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] D:\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [Launch LgDevAgt] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = D:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = D:\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - »gfx2.hotmail.com/mail/w3/resourc···Upld.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - »download.eset.com/special/eos/On···nner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - D:\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Ares\chatServer.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 8123 bytes

ComboFix log:

ComboFix 09-05-23.04 - GHOST 05/24/2009 15:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1382 [GMT -4:00]
Running from: c:\documents and settings\GHOST\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\GHOST\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\temp\FT62
c:\windows\system32\biyedepu.dll
c:\windows\system32\dPI19
c:\windows\system32\drivers\npf.sys
c:\windows\system32\nugebini.dll
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\yilefaju.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_npf

((((((((((((((((((((((((( Files Created from 2009-04-24 to 2009-05-24 )))))))))))))))))))))))))))))))
.

2009-05-22 17:20 . 2009-05-22 17:20 -------- d-sh--w c:\documents and settings\Administrator\IETldCache
2009-05-22 04:52 . 2009-05-22 04:52 -------- d-----w c:\program files\ESET
2009-05-22 04:49 . 2009-05-22 04:49 -------- d-sh--w c:\documents and settings\GHOST\IECompatCache
2009-05-22 04:49 . 2009-05-22 04:49 -------- d-sh--w c:\documents and settings\GHOST\PrivacIE
2009-05-22 04:45 . 2009-05-22 04:45 -------- d-sh--w c:\documents and settings\GHOST\IETldCache
2009-05-22 04:42 . 2009-05-22 04:42 -------- d-----w c:\windows\ie8updates
2009-05-22 04:41 . 2009-05-22 04:42 -------- dc-h--w c:\windows\ie8
2009-05-22 04:39 . 2009-04-25 05:30 102400 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-05-22 03:03 . 2009-05-22 03:03 152576 ----a-w c:\documents and settings\GHOST\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-22 03:02 . 2008-04-14 00:12 18944 -c--a-w c:\windows\system32\dllcache\xrxscnui.dll
2009-05-22 03:02 . 2008-04-14 00:12 116224 -c--a-w c:\windows\system32\dllcache\xrxwiadr.dll
2009-05-22 03:02 . 2001-08-18 02:36 23040 -c--a-w c:\windows\system32\dllcache\xrxwbtmp.dll
2009-05-22 03:02 . 2001-08-18 02:37 4608 -c--a-w c:\windows\system32\dllcache\xrxflnch.exe
2009-05-22 03:02 . 2001-08-18 02:37 27648 -c--a-w c:\windows\system32\dllcache\xrxftplt.exe
2009-05-22 03:00 . 2001-08-17 17:28 64605 -c--a-w c:\windows\system32\dllcache\vvoice.sys
2009-05-22 02:59 . 2001-08-17 16:51 58368 -c--a-w c:\windows\system32\dllcache\smiminib.sys
2009-05-22 02:57 . 2001-08-17 17:51 17280 -c--a-w c:\windows\system32\dllcache\scr111.sys
2009-05-22 02:56 . 2001-08-18 02:36 41472 -c--a-w c:\windows\system32\dllcache\qvusd.dll
2009-05-22 02:55 . 2008-04-13 18:54 22016 -c--a-w c:\windows\system32\dllcache\msircomm.sys
2009-05-22 02:54 . 2001-08-18 02:36 372824 -c--a-w c:\windows\system32\dllcache\iconf32.dll
2009-05-22 02:53 . 2001-08-17 16:12 24618 -c--a-w c:\windows\system32\dllcache\fa410nd5.sys
2009-05-22 02:52 . 2001-08-17 17:52 7680 -c--a-w c:\windows\system32\dllcache\cd20xrnt.sys
2009-05-22 02:51 . 2001-08-17 18:07 101888 -c--a-w c:\windows\system32\dllcache\adpu160m.sys
2009-05-22 02:38 . 2009-05-22 02:43 -------- d-----w C:\1b3f0d8e1e3ecd0efc101d94
2009-05-22 02:16 . 2009-05-22 02:16 -------- d-----w C:\09453ea7dd3061594a2e
2009-05-21 23:56 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-21 23:56 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-21 12:30 . 2009-05-21 12:30 2 ---h--w c:\windows\sto452730.dat
2009-05-20 04:57 . 2009-05-20 04:57 2 ---h--w c:\windows\sto453251.dat
2009-05-20 04:57 . 2009-05-20 04:57 2 ---h--w c:\windows\sto453224.dat
2009-05-20 02:57 . 2009-05-20 02:57 2 ---h--w c:\windows\sto453250.dat
2009-05-18 19:58 . 2008-09-05 00:22 447752 ----a-r c:\windows\system32\vp6vfw.dll
2009-05-18 19:58 . 2009-05-18 19:58 10134 ----a-r c:\documents and settings\GHOST\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-05-18 19:58 . 2009-05-18 19:58 -------- d-----w c:\program files\Microsoft WSE
2009-05-18 16:02 . 2009-05-15 20:43 2051864 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-05-18 16:02 . 2009-05-15 20:43 354584 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
2009-05-18 16:02 . 2009-05-15 20:43 3288344 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-05-18 16:02 . 2009-05-15 20:43 424472 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll
2009-05-18 16:02 . 2009-05-15 20:43 312088 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll
2009-05-18 16:02 . 2009-05-15 20:43 177432 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll
2009-05-18 16:02 . 2009-05-15 20:43 486168 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
2009-05-18 16:01 . 2009-05-15 20:42 1437464 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-05-18 16:01 . 2009-05-15 20:42 755992 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-05-10 15:22 . 2009-05-10 15:22 -------- d-----w c:\program files\Logitech
2009-04-29 21:19 . 2009-04-29 21:19 41808 ----a-w c:\windows\system32\xfcodec.dll
2009-04-25 15:42 . 2009-05-24 18:57 117760 ----a-w c:\documents and settings\GHOST\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-22 23:16 . 2008-05-22 18:55 75272 ----a-w c:\documents and settings\GHOST\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-22 03:04 . 2009-05-22 03:04 57344 ----a-w c:\documents and settings\GHOST\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-28a5d86d-n\Decora-SSE.dll
2009-05-22 03:04 . 2009-05-22 03:04 24064 ----a-w c:\documents and settings\GHOST\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-7ab017e2-n\Decora-D3D.dll
2009-05-22 03:04 . 2009-05-22 03:04 315392 ----a-w c:\documents and settings\GHOST\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-45bb53eb-n\jogl.dll
2009-05-22 03:04 . 2009-05-22 03:04 20480 ----a-w c:\documents and settings\GHOST\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-45bb53eb-n\jogl_awt.dll
2009-05-22 03:04 . 2009-05-22 03:04 114688 ----a-w c:\documents and settings\GHOST\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-45bb53eb-n\jogl_cg.dll
2009-05-22 03:04 . 2009-05-22 03:04 499712 ----a-w c:\documents and settings\GHOST\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-7f83bb7b-n\msvcp71.dll
2009-05-22 03:04 . 2009-05-22 03:04 499712 ----a-w c:\documents and settings\GHOST\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-7f83bb7b-n\jmc.dll
2009-05-22 03:04 . 2009-05-22 03:04 348160 ----a-w c:\documents and settings\GHOST\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-7f83bb7b-n\msvcr71.dll
2009-05-22 03:04 . 2009-05-22 03:04 20480 ----a-w c:\documents and settings\GHOST\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-520ec009-n\gluegen-rt.dll
2009-05-22 03:04 . 2009-05-22 03:04 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-22 03:04 . 2008-05-22 19:56 -------- d-----w c:\program files\Java
2009-05-22 02:47 . 2008-12-14 00:45 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-22 00:46 . 2008-07-16 18:09 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-22 00:45 . 2008-06-07 20:10 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-21 23:17 . 2008-05-23 02:10 -------- d-----w c:\documents and settings\GHOST\Application Data\Xfire
2009-05-20 02:09 . 2008-05-23 23:18 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-18 19:43 . 2008-05-22 06:26 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-18 18:43 . 2008-05-24 00:40 189496 ----a-w c:\windows\system32\PnkBstrB.exe
2009-05-18 18:20 . 2008-05-24 00:40 139984 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-05-15 20:43 . 2008-05-23 23:18 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-15 20:43 . 2008-05-23 23:18 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-15 20:43 . 2008-05-23 23:18 27784 ----a-w c:\windows\system32\drivers\avgmfx86.sys
2009-05-15 20:43 . 2008-05-23 23:18 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-13 03:27 . 2008-06-12 00:58 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-10 15:22 . 2008-05-22 23:01 -------- d-----w c:\documents and settings\All Users\Application Data\Logitech
2009-04-22 04:20 . 2009-04-22 04:20 14311680 ----a-w c:\windows\system32\xlive.dll
2009-04-22 04:20 . 2009-04-22 04:20 13642496 ----a-w c:\windows\system32\xlivefnt.dll
2009-04-19 01:43 . 2009-04-19 01:43 -------- d-----w c:\program files\Common Files\snpstd2
2009-04-19 01:22 . 2009-04-19 01:22 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-15 19:31 . 2009-04-23 00:06 1099128 ----a-w c:\documents and settings\GHOST\Application Data\Mozilla\Firefox\Profiles\1nrtpfvv.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\BFHUpdater.exe
2009-04-15 19:31 . 2009-04-23 00:06 729088 ----a-w c:\documents and settings\GHOST\Application Data\Mozilla\Firefox\Profiles\1nrtpfvv.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
2009-04-11 04:24 . 2009-04-11 04:24 -------- d-----w c:\program files\Common Files\Digidesign
2009-03-14 06:10 . 2008-06-12 00:42 905776 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-03-13 22:32 . 2008-05-24 00:40 75064 ----a-w c:\windows\system32\PnkBstrA.exe
2009-03-08 08:34 . 2007-12-07 02:01 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2007-12-12 09:51 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2007-12-12 09:51 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2007-12-12 09:51 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2007-12-12 09:51 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2007-12-12 09:51 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2007-05-11 04:54 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2007-12-12 09:51 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2007-12-12 09:51 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2007-12-12 09:51 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="d:\avg\AVG8\avgtray.exe" [2009-05-15 1947928]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"SNPSTD2"="c:\windows\vsnpstd2.exe" [2004-01-05 40960]
"Launch LgDevAgt"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2008-11-06 358920]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2008-11-06 1548296]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2008-11-06 2816520]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-22 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-02-13 16857600]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-03 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\GHOST\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - d:\program files\Stardock\ObjectDock\ObjectDock.exe [2008-6-11 2860792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-5-23 113664]
Logitech SetPoint.lnk - d:\logitech\SetPoint\SetPoint.exe [2008-5-22 805392]
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2008-7-15 1073152]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\superantispyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w d:\superantispyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 06:42 72208 ----a-w c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2005-01-31 18:13 49152 ----a-w c:\progra~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-15 20:43 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin Wireless G Desktop Card Client Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Belkin Wireless G Desktop Card Client Utility.lnk
backup=c:\windows\pss\Belkin Wireless G Desktop Card Client Utility.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Crysis\\Bin32\\Crysis.exe"=
"d:\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"d:\\Xfire\\xfire.exe"=
"d:\\AVG\\AVG8\\avgupd.exe"=
"d:\\AVG\\AVG8\\avgemc.exe"=
"d:\\Ares\\Ares.exe"=
"d:\\Battlefield2\\BF2.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\Grid\\GRID.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"d:\nexon\Combat Arms\CombatArms.exe"= d:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"d:\nexon\Combat Arms\Engine.exe"= d:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"d:\\Nexon\\Combat Arms\\NMService.exe"=
"d:\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"d:\\StarWarsBattlefront2\\GameData\\BattlefrontII.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"d:\\Battlefield2142\\BF2142.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"d:\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"d:\\Kane and Lynch\\kaneandlynch.exe"=
"d:\\Pure\\Pure.exe"=
"d:\\FarCry2\\Far Cry 2\\bin\\FarCry2.exe"=
"d:\\FarCry2\\Far Cry 2\\bin\\FC2Launcher.exe"=
"d:\\FarCry2\\Far Cry 2\\bin\\FC2Editor.exe"=
"d:\\Dead Space\\Dead Space.exe"=
"d:\\007 -Quantum of Solace\\JB_LiveEngine_s.exe"=
"c:\\Documents and Settings\\GHOST\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe"=
"d:\\Mozilla Firefox\\firefox.exe"=
"d:\\GTAIV\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"d:\\GTAIV\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"d:\\GTAIV\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Saints Row 2\\SR2_pc.exe"=
"d:\\Burnout Paradise\\BurnoutLauncher.exe"=
"d:\\Burnout Paradise\\BurnoutConfigTool.exe"=
"d:\\Burnout Paradise\\BurnoutParadise.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\TomClancy's HAWX\\HAWX.exe"=
"d:\\Call Of Duty - WAW\\CoDWaW.exe"=
"d:\\Call Of Duty - WAW\\CoDWaWmp.exe"=
"d:\\VLC Player\\VLC\\vlc.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Program Files\\Common Files\\Logishrd\\KHAL2\\KHALMNPR.exe"=
"d:\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/23/2008 7:18 PM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/23/2008 7:18 PM 108552]
R1 SASDIFSV;SASDIFSV;d:\superantispyware\sasdifsv.sys [5/14/2009 2:22 PM 9968]
R1 SASKUTIL;SASKUTIL;d:\superantispyware\SASKUTIL.SYS [5/14/2009 2:22 PM 72944]
R2 avg8emc;AVG8 E-mail Scanner;d:\avg\AVG8\avgemc.exe [7/4/2008 12:17 PM 908568]
R2 avg8wd;AVG8 WatchDog;d:\avg\AVG8\avgwdsvc.exe [7/4/2008 12:17 PM 298776]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [1/11/2008 6:50 PM 30312]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [8/5/2008 6:58 PM 29184016]
S3 Belkin700F;Belkin Wireless G Desktop Card Service v7;c:\windows\system32\drivers\BLKWGDv7.sys [6/7/2008 3:46 PM 303616]
S3 DJUSB;DMM Controller;c:\windows\system32\drivers\DM2.sys [6/1/2001 7:26 PM 10758]
S3 MBAMCatchMe;MBAMCatchMe;\??\c:\windows\system32\drivers\mbamcatchme.sys --> c:\windows\system32\drivers\mbamcatchme.sys [?]
S3 PLCMP532;PLCMP532 NDIS Protocol Driver;c:\windows\system32\Drivers\PLCMP532.sys --> c:\windows\system32\Drivers\PLCMP532.sys [?]
S3 PLCND532;PLCND532 NDIS Protocol Driver;c:\windows\system32\drivers\PLCND532.sys [8/8/2007 11:40 AM 26656]
S3 SASENUM;SASENUM;d:\superantispyware\SASENUM.SYS [5/14/2009 2:22 PM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys

.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\GHOST\Application Data\Mozilla\Firefox\Profiles\1nrtpfvv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - component: d:\avg\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\GHOST\Application Data\Mozilla\Firefox\Profiles\1nrtpfvv.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\documents and settings\GHOST\Application Data\Mozilla\Firefox\Profiles\1nrtpfvv.default\extensions\NPDyyno@dyyno.com\plugins\npDyyno.dll
FF - plugin: c:\program files\Dyyno\Dyyno Player\npvlc.dll
FF - plugin: d:\divx\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: d:\divx\DivX Web Player\npdivx32.dll
FF - plugin: d:\mozilla firefox\plugins\npff_gdm.dll
FF - plugin: d:\quicktime\Plugins\npqtplugin.dll
FF - plugin: d:\quicktime\Plugins\npqtplugin2.dll
FF - plugin: d:\quicktime\Plugins\npqtplugin3.dll
FF - plugin: d:\quicktime\Plugins\npqtplugin4.dll
FF - plugin: d:\quicktime\Plugins\npqtplugin5.dll
FF - plugin: d:\quicktime\Plugins\npqtplugin6.dll
FF - plugin: d:\quicktime\Plugins\npqtplugin7.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2009-05-24 15:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1547161642-725345543-691866490-1003\Software\SecuROM\License information*]
"datasecu"=hex:18,f0,3f,fa,d3,bd,37,26,32,b5,57,94,95,cd,b4,61,62,2a,98,0f,ce,
83,51,75,e8,36,00,dc,9e,f8,e9,be,9c,cd,c2,0c,1a,d6,59,7e,a1,67,7c,b4,6a,a9,\
"rkeysecu"=hex:c6,86,bc,a9,69,07,42,42,5b,31,fd,9b,ee,e1,ef,04
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
d:\superantispyware\SASWINLO.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\progra~1\COMMON~1\Stardock\mcpstub.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(2400)
d:\program files\Stardock\ObjectDock\DockShellHook.dll
d:\logitech\SetPoint\GameHook.dll
d:\logitech\SetPoint\lgscroll.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\progra~1\COMMON~1\Stardock\MCPCore.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\progra~1\COMMON~1\Stardock\SDMCP.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
d:\avg\AVG8\avgrsx.exe
d:\avg\AVG8\avgnsx.exe
d:\avg\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
c:\program files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
c:\program files\Logitech\GamePanel Software\Applets\LCDRSS.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2009-05-24 15:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-24 19:30

Pre-Run: 6,800,150,528 bytes free
Post-Run: 7,068,229,632 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

332 --- E O F --- 2009-05-22 02:48


TheJoker
Premium,VIP,MVM
join:2001-04-26
Alexandria, VA

quote:
The first URL for Security Check shows not found, while the second URL also shows not found, but gives me a link to a SecurityCheck.exe file.
The author changed the links to exe files rather than zip files, so the correct links should be:

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
- The program will install and then begin downloading the latest definition files.
- After the files have been downloaded on the left side of the page in the Scan section select My Computer.
- This will start the program and scan your system.
- The scan will take a while, so be patient and let it run.
- Once the scan is complete, click on View scan report
- Now, click on the Save Report as button.
- In the drop down box labeled Files of type change the type to Text file.
- Save the file to your desktop.
- Copy and paste that information in your next post.

Please post a new HijackThis log, the log from Security Check (checkup.txt), the log from Kaspersky's online scanner, and note any errors encountered.

--
Proud ASAP member since 2005


trhgbtrh4

@teksavvy.com

Posting the log of Security Check while I wait the 2+ hours it'll take to scan with Kaspersky again...

Results of screen317's Security Check version 0.98.3
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Enabled!
ESETOnlineScannerv3
WindowsLiveOneCaresafetyscanner
AVGFree8.5
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java(TM) 6 Update 13
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
AVG avgemc.exe
Spybot SDHelper is disabled!
Microsoft Small Business Business Contact Manager BcmSqlStartupSvc.exe
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````

GREAT! (Very random)

Scan took 18 seconds.
`````````End of Log```````````


trhgbtrh4

@teksavvy.com

Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, May 25, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, May 25, 2009 03:17:40
Records in database: 2237504
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 175809
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 02:12:13

No malware has been detected. The scan area is clean.

The selected area was scanned.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:15:47 AM, on 5/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
D:\AVG\AVG8\avgemc.exe
D:\AVG\AVG8\avgrsx.exe
D:\AVG\AVG8\avgnsx.exe
C:\WINDOWS\RTHDCPL.EXE
D:\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDRSS.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
D:\Logitech\SetPoint\SetPoint.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
D:\Program Files\Stardock\ObjectDock\ObjectDock.exe
D:\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = »go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\AVG\AVG8\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] D:\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [Launch LgDevAgt] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = D:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = D:\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - »gfx2.hotmail.com/mail/w3/resourc···Upld.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - »download.eset.com/special/eos/On···nner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - D:\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Ares\chatServer.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 8282 bytes

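Reading a HijackThis log by hand, as done in this thread, means scanning O4 (Run keys) and O23 (services) entries for things that do not look right. The script below is an added example, not part of the thread or of HijackThis itself; it parses those two entry types and flags the checks a helper typically makes first: a service with "Unknown owner" (no publisher string), a Run entry that is a bare filename (resolved through the PATH rather than an explicit location), and a Run entry whose executable lives outside the Windows or Program Files directories. The sample lines are copied from the log posted above and labelled as constructed input; the `TRUSTED_DIRS` list and the rules themselves are this example's assumptions.

```python
"""Triage helper for HijackThis 2.0.2 log lines (added example, not the thread's own tool)."""
import re
from dataclasses import dataclass

# O23 - Service: <display name> (<short name>) - <publisher> - <path>
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")

# Assumption for this example: autostarts under these roots are considered "expected" locations.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

# Constructed sample: lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] D:\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\AVG\AVG8\avgwdsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""


@dataclass
class Finding:
    kind: str    # "O4" or "O23"
    name: str    # Run value name or service display name
    path: str    # executable or command that triggered the finding
    reason: str  # why a human should look at it


def _exe_path(cmd):
    """Return the executable from a Run command: the quoted path if quoted, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd
    return cmd.split(" ", 1)[0]


def triage(lines):
    """Apply the three heuristics to each O4/O23 line and return the entries worth a second look."""
    findings = []
    for line in lines:
        line = line.strip()
        m = O23_RE.match(line)
        if m:
            if m.group("owner") == "Unknown owner":
                findings.append(Finding("O23", m.group("name"), m.group("path"),
                                        "service has no publisher string"))
            continue
        m = O4_RE.match(line)
        if m:
            exe = _exe_path(m.group("cmd"))
            if "\\" not in exe:
                findings.append(Finding("O4", m.group("value"), exe,
                                        "bare filename, located via PATH/System32 rather than an explicit path"))
            elif not exe.lower().startswith(TRUSTED_DIRS):
                findings.append(Finding("O4", m.group("value"), exe,
                                        "autostart outside Windows/Program Files"))
    return findings


def triage_sample():
    """Run the heuristics over the constructed sample log."""
    return triage(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.kind:<4} {f.name:<20} {f.path}\n     -> {f.reason}")
```

The output is a worklist, not a verdict: on the machine in this thread AVG is installed on D:, so its tray entry is flagged only because it sits outside the default locations, while the PnkBstrA service is flagged because it carries no publisher string, exactly the kind of entry a helper then checks against known-good file details before deciding anything.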

TheJoker
Premium,VIP,MVM
join:2001-04-26
Alexandria, VA

Go to start > run and copy and paste next command in the field:
ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Create a Restore Point (XP ONLY)
•Go to Start > Programs > Accessories > System Tools > System Restore
•Select Create a Restore Point and then Next.
•In the box for "Restore point description", enter a descriptive name and press Create
•When the "Restore Point Created" window appears, click Close

Run Disk Cleanup
•Go to Start > Run and type the below line:
cleanmgr
•Click OK
•If you have more than one drive, select the drive Windows is installed on
•Click OK
•When Disk Cleanup opens, select the More Options tab
•In the System Restore section (bottom of window), click Cleanup
•In the confirmation window that opens, click Yes

Now click on the Disk Cleanup tab and select the following items:
•Downloaded Program Files
•Temporary Internet Files
•Recycle Bin
•Temporary Files
Click OK
in the confirmation window, select Yes (Disk Cleanup will close).

I recommend installing a software firewall. I didn't see one in your HijackThis log (the XP firewall isn't sufficient protection, it only checks incoming data). Two free firewalls are Sunbelt Personal Firewall available from »www.sunbeltsoftware.com/Home-Hom···Firewall, and Zone Alarm available from »www.zonealarm.com/security/en-us···wall.htm. There is a tutorial on understanding firewalls at »www.bleepingcomputer.com/forums/···l60.html and a tutorial from Markus Jansson on setting up ZoneAlarm at »www.markusjansson.net/eza.html. If you install ZoneAlarm (an excellent firewall), I recommend NOT installing the new optional feature Spy Blocker, as it's run by the questionable search engine Ask.com, and doesn't actually block any spyware. You can read more about Ask.com here.
There are several free utilities you can use to help keep malware off your system:

A HOSTS file will prevent Internet Explorer from communicating with sites known to be associated with adware or spyware. A good regularly updated HOST file is MVPS HOSTS File, available at »www.mvps.org/winhelp2002/hosts.htm.

A free non-resident utility to prevent the installation of ActiveX-based malware is JavaCool's SpywareBlaster. For real-time protection, there is SpywareGuard. Both are available at »www.javacoolsoftware.com/products.html.

I recommend reading Tony Klein's article So How did I get Infected in the First Place? at »www.spywareinfoforum.com/index.p···ic=60955

Does your problem appear resolved?
--
Proud ASAP member since 2005

sMURF

join:2007-02-27
Toronto, ON

reply to trhgbtrh4
Note to mods: I'm the OP.

Hey Joker,

Everything appears to be fine now. I've tried explaining to the computer's owner that P2P programs are notorious for the spread of malware, but I suppose he just can't help himself sometimes. It's not the first time he's been infected, and I'm sure it won't be the last.

When I first received the computer from him, he told me that all his fonts were in bold, which is similar to this thread: »HJT LOG: Desktop icons changed, text italicised

I'm not sure if it was caused by the malware or not, but apparently the Tahoma.ttf file in C:\Windows\Fonts got corrupted, and I guess Windows was trying to use the closest match to it, which was Tahomabd.ttf (bold).

To fix it, I went into Desktop Properties > Appearance > Advanced and changed the font for every item in the list that used Tahoma to something else ("System" for example) and applied the changes. I then deleted the Tahoma font file in C:\Windows\Fonts and quickly copied over a new Tahoma.ttf file (if it's not copied over fast enough, Windows seems to recreate the corrupted file again). After that I simply changed all the "System" fonts back to Tahoma.

Hopefully that can help you in the other thread, since it seems to have worked for me.

Thanks for your help Joker.


TheJoker
Premium,VIP,MVM
join:2001-04-26
Alexandria, VA

quote:
Everything appears to be fine now.
Excellent!

quote:
When I first received the computer from him, he told me that all his fonts were in bold, which is similar to this thread: »HJT LOG: Desktop icons changed, text italicised
I noticed that. Thanks for pointing it out.

quote:
Thanks for your help Joker.
I'm glad to have been able to help.
--
Proud ASAP member since 2005