Aug 4 2008, 01:13 PM, Post #1
Member. Group: Members. Posts: 38. Joined: 25-May 05. Member No.: 21,321
daughter's brother-in-law who is about 35 and mentally impaired (= a young teen???). He does live on his own and I try to protect his system with freebies like AVG without locking it down with something like Net Nanny or K9. The new AVG8 seems to really slow things down but it does provide antivirus and antispyware combined. There is no 3rd party firewall installed. Regardless, popups are a challenge for him. He knows to just close the windows via the top right X but there is no guarantee he won't select the wrong option. Anyway, problems encountered:

Multiple popups with references to Virus Remover 2008, PC Privacy Cleaner, XP Antivirus 2008. The task bar shows 'Virus Alert!' next to the time. The standard Start Menu does not show 'Programs' but switching to Classic Start Menu does. There is no access to Control Panel in the Classic Start Menu but there is in the standard Start Menu. Neither Start Menu configuration has a Log Off option (Turn off Computer is still there) but the Windows-L function takes you back to the Logon screen which shows the user as 'Logged On'. Clicking on the user immediately brings you back to the desktop. There is absolutely no access to the C: Drive unless in Safe Mode. When logging in, the desktop wallpaper shows but disappears just prior to the desktop icons appearing, leaving the default white background. The right click function on the desktop is disabled and accessing Display in the Control Panel returns a pop up saying "Your system administrator disabled the Display control panel". I am not sure what else might be going on. He said the problems started about a week ago but all the restore points appear to be gone (I set one about 6 months ago the last time I cleaned his computer for him). The System Restore Wizard calendar does not go back to past months when clicking the back arrow for past months.

What I have done:
1) I have CCleaner installed but went ahead and ran ATF-Cleaner in Safe Mode.
2) Installed and ran SuperAntiSpyware Free in Safe Mode.
3) Upgraded from AVG 7.xxx to AVG8 Free vsn (not in Safe Mode).
4) Installed and ran most current HijackThis.
5) Ran DSS per preparation guide.

Note: At present I cannot connect his computer to the internet since I brought it to my house to work on. His computer only has USB, no ethernet nor WiFi card. His is specifically matched to his Cox Cable modem and my router only takes CAT5 ethernet or WiFi. So I use my system to download anything I need to a USB thumb drive then port it over to his system, then reverse that to upload the HijackThis file. Hmmm ??? split my Cox cable and bring his modem over for a direct connection? Anyway, enough blather ... The popups have discontinued for now (lack of internet access?) but all of the configuration issues above persist as does the 'Virus Alert' next to the time. Here is the DSS/HijackThis Log.

Deckard's System Scanner v20071014.68
Run by Owner on 2008-08-04 10:57:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 255 MiB (512 MiB recommended).
-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57: VIRUS ALERT!, on 8/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\virus_adware protection\Dekards System Scanner\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tucson.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILE...U2uWLftL7jx0PY=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O2 - BHO: - {03488F0D-7152-4FB0-8149-06D714D3EFC2} - C:\WINDOWS\System32\l.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BB20260D-7705-4A27-B5FC-1A7E43D2C19B} - C:\WINDOWS\System32\hdkmnia.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...81/mcinsctl.cab
O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)
O21 - SSODL: eqvwamkl - {8DA657F1-459D-4D80-9AF4-EC9487981C95} - C:\WINDOWS\eqvwamkl.dll (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5269 bytes

-- Files created between 2008-07-04 and 2008-08-04 -----------------------------

2008-08-04 10:43:48 0 d-------- C:\Program Files\Trend Micro
2008-08-04 00:25:01 0 d--h----- C:\$AVG8.VAULT$
2008-08-04 00:19:06 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-04 00:18:45 0 d-------- C:\Program Files\AVG
2008-08-04 00:18:44 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-03 21:21:12 0 d-------- C:\Documents and Settings\Administrator.CLASHT.000\Application Data\SUPERAntiSpyware.com
2008-08-03 20:56:56 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-03 20:56:39 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-08-03 20:56:39 0 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-08-03 20:55:44 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-03 19:33:14 0 d-------- C:\Documents and Settings\Administrator.CLASHT.000\Application Data\InterTrust
2008-08-03 19:33:14 0 d-------- C:\Documents and Settings\Administrator.CLASHT.000\Application Data\Identities
2008-08-03 19:33:14 0 d-------- C:\Documents and Settings\Administrator.CLASHT.000\Application Data\Adobe
2008-08-03 19:33:13 0 d-------- C:\Documents and Settings\Administrator.CLASHT.000\WINDOWS
2008-08-03 19:33:13 0 d--h----- C:\Documents and Settings\Administrator.CLASHT.000\Templates
2008-08-03 19:33:13 0 dr------- C:\Documents and Settings\Administrator.CLASHT.000\Start Menu
2008-08-03 19:33:13 0 dr-h----- C:\Documents and Settings\Administrator.CLASHT.000\SendTo
2008-08-03 19:33:13 0 dr-h----- C:\Documents and Settings\Administrator.CLASHT.000\Recent
2008-08-03 19:33:13 0 d--h----- C:\Documents and Settings\Administrator.CLASHT.000\PrintHood
2008-08-03 19:33:13 0 d--h----- C:\Documents and Settings\Administrator.CLASHT.000\NetHood
2008-08-03 19:33:13 0 dr------- C:\Documents and Settings\Administrator.CLASHT.000\My Documents
2008-08-03 19:33:13 0 d--h----- C:\Documents and Settings\Administrator.CLASHT.000\Local Settings
2008-08-03 19:33:13 0 dr------- C:\Documents and Settings\Administrator.CLASHT.000\Favorites
2008-08-03 19:33:13 0 d-------- C:\Documents and Settings\Administrator.CLASHT.000\Desktop
2008-08-03 19:33:13 0 d--hs---- C:\Documents and Settings\Administrator.CLASHT.000\Cookies
2008-08-03 19:33:13 0 dr-h----- C:\Documents and Settings\Administrator.CLASHT.000\Application Data
2008-08-03 19:33:13 0 d---s---- C:\Documents and Settings\Administrator.CLASHT.000\Application Data\Microsoft
2008-08-03 19:33:12 737280 --a------ C:\Documents and Settings\Administrator.CLASHT.000\NTUSER.DAT
2008-08-03 15:54:06 0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-08-02 11:17:26 0 d-------- C:\Program Files\Windows Media Connect 2
2008-08-02 11:12:58 0 d-------- C:\WINDOWS\system32\LogFiles
2008-08-02 11:12:58 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-07-27 17:17:59 0 d-------- C:\Program Files\PCPrivacyCleaner
2008-07-27 09:45:39 0 d-------- C:\Documents and Settings\Owner\Application Data\TmpRecentIcons
2008-07-27 09:43:32 86016 --a------ C:\WINDOWS\grswptdl.exe
2008-07-27 09:42:49 139264 --a------ C:\WINDOWS\eovp.exe
2008-07-27 09:42:11 0 d-------- C:\Program Files\VAV
2008-07-27 09:41:44 0 d-------- C:\Program Files\PCHealthCenter
2008-07-25 23:03:28 0 d-------- C:\Documents and Settings\Owner\Application Data\Talkback
2008-07-25 22:03:05 0 d-------- C:\Program Files\Common Files\xing shared
2008-07-25 21:43:41 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla

-- Find3M Report ---------------------------------------------------------------

2008-08-03 20:55:44 0 d-------- C:\Program Files\Common Files
2008-07-25 22:09:49 0 d-------- C:\Documents and Settings\Owner\Application Data\Real
2008-07-25 22:01:42 0 d-------- C:\Program Files\Common Files\Real

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{03488F0D-7152-4FB0-8149-06D714D3EFC2}]
09/10/2004 21:19: VIRUS ALERT! 19116 --a------ C:\WINDOWS\System32\l.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BB20260D-7705-4A27-B5FC-1A7E43D2C19B}]
C:\WINDOWS\System32\hdkmnia.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 09:04: VIRUS ALERT!]
"KBD"="C:\HP\KBD\KBD.EXE" [07/06/2001 14:56: VIRUS ALERT!]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [06/15/2001 15:34: VIRUS ALERT!]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [08/07/2001 17:25: VIRUS ALERT!]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [08/07/2001 16:36: VIRUS ALERT!]
"PS2"="C:\WINDOWS\system32\ps2.exe" [07/03/2001 14:13: VIRUS ALERT!]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [08/04/2008 00:18: VIRUS ALERT!]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/28/2008 10:33: VIRUS ALERT!]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)
"NoDispCPL"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=0 (0x0)
"Btn_Search"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
"StartMenuLogoff"=1 (0x1)
"NoStartMenuMorePrograms"=1 (0x1)
"NoSetFolders"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13: VIRUS ALERT! 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"eqvwamkl"= {8DA657F1-459D-4D80-9AF4-EC9487981C95} - C:\WINDOWS\eqvwamkl.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 13:41: VIRUS ALERT! 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
WinCtrl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winlq48.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winmr85.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\23089741598192517752780679391111]
C:\Program Files\XP Antivirus\xpa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\A1Edqde2]
C:\WINDOWS\botvk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32]
C:\DOCUME~1\Owner\LOCALS~1\Temp\scksexde.exe/r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp]
C:\Program Files\Microsoft Money\System\Money Startup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tqvwtmd]
C:\WINDOWS\tqvwtmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wnqretuh]
C:\WINDOWS\wnqretuh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorkFlow]
D:\Install\WorkFlow.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yznwslidgtcdj]
C:\WINDOWS\System32\vvpoona.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁß]ú"ü‰¸u0C:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁß]ú"ü‰¸u0C:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁß]ú"ü‰¸u0C:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁß]ú"ü‰¸u0C:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\botvk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁß]ú"ü‰üžiC:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁß]ú"ü‰üžiC:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁß]ú"ü‰üžiC:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁß]ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\botvk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0ÔÁß]ú"ü‰üžigÝC:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0ÔÁß]ú"ü‰üžigÝC:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0ÔÁß]ú"ü‰üžigÝC:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0ÔÁß]ú"ü‰üžigÝC:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\botvk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0–4C]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0–4C]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0–4C]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0–4C]
C:\WINDOWS\botvk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0–4C]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0–4C]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0–4C]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0–4C]
C:\WINDOWS\botvk.exe

-- End of Deckard's System Scanner: finished at 2008-08-04 10:58:05 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel Celeron processor
Percentage of Memory in Use: 65%
Physical Memory (total/avail): 254.48 MiB / 87.64 MiB
Pagefile Memory (total/avail): 433.5 MiB / 148.74 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1936.99 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 32.85 GiB total, 25.55 GiB free.
D: is CDROM (No Media)
E: is Removable (FAT32)

\\.\PHYSICALDRIVE0 - ST340810A - 37.27 GiB - 2 partitions
\PARTITION0 - Unknown - 4.41 GiB
\PARTITION1 (bootable) - Installable File System - 32.85 GiB - C:

\\.\PHYSICALDRIVE1 - USB 2.0 USB Flash Drive USB Device - 3.78 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 3.78 GiB - E:

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.
AV: AVG Anti-Virus Free v8.0 (AVG Technologies) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\America Online 9.0a\\waol.exe"="C:\\Program Files\\America Online 9.0a\\waol.exe:*:Enabled:America Online 9.0a"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\America Online 9.0a\\waol.exe"="C:\\Program Files\\America Online 9.0a\\waol.exe:*:Enabled:America Online 9.0a"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Disabled:RealPlayer"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CLASHT
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\CLASHT
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program files\PC-Doctor for Windows XP\WINDSAPI;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=080a
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=CLASHT
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator.CLASHT.000 (admin)

-- Add/Remove Programs ---------------------------------------------------------

 --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
 --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
AdWare & SpyWare --> "C:\Program Files\Internet Explorer\IEXPLORE.EXE" "http://www.adwareremovergold.com/?revid=31418&s=1"
Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
AusLogics Disk Defrag --> "C:\Program Files\AusLogics Disk Defrag\unins000.exe"
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Belarc Advisor 7.2 --> C:\PROGRA~1\Belarc\Advisor\Uninstall.exe C:\PROGRA~1\Belarc\Advisor\INSTALL.LOG
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
EVEREST Home Edition v1.51 --> "C:\Program Files\Lavalys\EVEREST Home Edition\unins000.exe"
Gold Miner: Vegas (remove only) --> "C:\Program Files\Gold Miner Vegas\Uninstall.exe"
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
HijackThis 1.99.1 --> C:\Documents and Settings\Owner\Desktop\virus_adware protection\hijackthis\HijackThis.exe /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
hp center --> C:\WINDOWS\BWUnin-6.1.0.153.exe -AppId 137903
HP Instant Support --> C:\PROGRA~1\HPINST~1\UNWISE.EXE C:\PROGRA~1\HPINST~1\INSTALL.LOG
HP Photo Printing Software --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Printing\Uninstall.isu" -c"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Printing\hpiunPC.dll
Inactive HP Printer Drivers (Remove only) --> RunDll32 hpuninst.dll,InstallHinfSection UninstDefault 132 prntunin.inf
Inactive HP ScanJet Drivers (Remove only) --> RunDll32 hpuninst.dll,InstallHinfSection UninstDefault 132 sjunin.inf
Internet Explorer Q903235 --> C:\WINDOWS\ieuninst.exe C:\WINDOWS\INF\Q903235.inf
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
KazooStudio --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Kazoo3D\KazooStudio\Uninst.isu" -c"C:\Program Files\Kazoo3D\KazooStudio\UnInst.dll"
KBD --> C:\HP\KBD\KBD.EXE uninstalled
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Lernout & Hauspie TruVoice American English TTS Engine --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tv_enua.inf, Uninstall
Macromedia Flash Player 8 --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\swflash.inf,DefaultUninstall,5
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works 6.0 --> MsiExec.exe /I{F8D0829C-9C6F-11D3-8080-00C04FA329AA}
Microsoft Works and Money 2001 Setup Launcher --> C:\Program Files\Microsoft Works and Money 2001\Setup\Launcher.exe d:\
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\Owner\Application Data\Move Networks\ie_bin\Uninst.exe
Mozilla Firefox (2.0) --> C:\Program Files\Mozilla Firefox\uninstall\uninst.exe
My Photo Center --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ArcSoft\My Photo Center\Uninst.isu"
PC-Doctor for Windows --> C:\WINDOWS\UNWISE.EXE C:\PROGRA~1\PC-DOC~1\INSTALL.LOG
Private Eye - Greatest Unsolved Mysteries (remove only) --> "C:\Program Files\Private Eye - Greatest Unsolved Mysteries\Uninstall.exe"
PS2 --> C:\WINDOWS\system32\ps2.exe uninstall
QuickTime --> MsiExec.exe /I{5E863175-E85D-44A6-8968-82507D34AE7F}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
S3 Gamma --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3 Gamma'
S3 Savage4 Family Display Switch2 Utility --> S3Uninst.exe -reg 5 HKLM\SOFTWARE\S3\S3Uninst\S3Switch2
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"

-- Application Event Log -------------------------------------------------------

Event Record #/Type6644 / Warning
Event Submitted/Written: 08/04/2008 08:12:45 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type6637 / Warning
Event Submitted/Written: 08/03/2008 09:11:51 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type6634 / Warning
Event Submitted/Written: 08/03/2008 07:37:53 PM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x8007043C

Event Record #/Type6629 / Error
Event Submitted/Written: 08/03/2008 00:39:09 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application xpa.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type6628 / Error
Event Submitted/Written: 08/03/2008 00:39:08 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application xpa.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type50037 / Error
Event Submitted/Written: 08/04/2008 10:41:35 AM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk1\D, has a bad block.

Event Record #/Type50036 / Error
Event Submitted/Written: 08/04/2008 10:41:21 AM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk1\D, has a bad block.

Event Record #/Type50035 / Error
Event Submitted/Written: 08/04/2008 10:21:40 AM / 08/04/2008 10:21:41 AM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk1\D, has a bad block.

Event Record #/Type50020 / Error
Event Submitted/Written: 08/04/2008 08:13:50 AM / 08/04/2008 08:14:54 AM
Event ID/Source: 4 / ACPI
Event Description:
AMLI: ACPI BIOS is attempting to read from an illegal IO port address (0x71), which lies in the 0x70 - 0x71 protected address range. This could lead to system instability. Please contact your system vendor for technical assistance.

Event Record #/Type50019 / Error
Event Submitted/Written: 08/04/2008 08:13:50 AM / 08/04/2008 08:14:54 AM
Event ID/Source: 5 / ACPI
Event Description:
AMLI: ACPI BIOS is attempting to write to an illegal IO port address (0x70), which lies in the 0x70 - 0x71 protected address range. This could lead to system instability. Please contact your system vendor for technical assistance.

-- End of Deckard's System Scanner: finished at 2008-08-04 10:50:02 ------------

Thanks and looking forward to your help
Aug 5 2008, 06:55 AM, Post #2
Malware Killer Dog (Group: HJT Team; Posts: 18,450; Joined: 18-February 05; From: Belgium; Member No.: 12,408)
Hi,
First of all, read and perform the instructions I have posted here: http://miekiemoes.blogspot.com/2008/05/vir...to-restore.html
Then, when you're done,
* Please visit this webpage for instructions for downloading and running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
This includes installing the Windows XP Recovery Console in case you have not installed it yet.
Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

--------------------
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here! Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
Aug 7 2008, 02:03 PM, Post #3
Member
Hi Miekiemoes
Thank you for the reply. I had to get the cable modem that was matched to the computer I am working to fix. Your help has been invaluable. The registry fixes and varestorepolicies went fine. I downloaded the recovery console, used ComboFix to install it, then turned virus, spyware and firewall off and let ComboFix do its thing. Ran a new HijackThis. Here are both logs. Let me know if there is anything else we need to take care of. Thanks again!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:01 AM, on 8/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wwe.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: - {03488F0D-7152-4FB0-8149-06D714D3EFC2} - C:\WINDOWS\System32\l.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...81/mcinsctl.cab
O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4571 bytes

ComboFix 08-08-03.03 - Owner 2008-08-07 11:31:43.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.80 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\License_Manager
C:\Program Files\PCHealthCenter
C:\Program Files\PCHealthCenter\0.gif
C:\Program Files\PCHealthCenter\2.gif
C:\Program Files\PCHealthCenter\3.gif
C:\Program Files\PCPrivacyCleaner
C:\Program Files\VAV
C:\Program Files\VAV\vav.ooo
C:\Program Files\VAV\vav0.dat
C:\Program Files\VAV\vav1.dat
C:\WINDOWS\eovp.exe
C:\WINDOWS\grswptdl.exe
C:\WINDOWS\system\oeminfo.ini
C:\WINDOWS\system32\ncase.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_GB

((((((((((((((((((((((((( Files Created from 2008-07-07 to 2008-08-07 )))))))))))))))))))))))))))))))
.
2008-08-04 10:46 . 2008-08-04 10:46 <DIR> d-------- C:\Deckard
2008-08-04 10:43 . 2008-08-04 10:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-04 00:25 . 2008-08-07 02:17 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-04 00:19 . 2008-08-06 23:09 <DIR> d-------- C:\WINDOWS\SYSTEM32\drivers\Avg
2008-08-04 00:19 . 2008-08-04 00:19 96,520 --a------ C:\WINDOWS\SYSTEM32\drivers\avgldx86.sys
2008-08-04 00:19 . 2008-08-04 00:19 76,040 --a------ C:\WINDOWS\SYSTEM32\drivers\avgtdix.sys
2008-08-04 00:19 . 2008-08-04 00:19 10,520 --a------ C:\WINDOWS\SYSTEM32\avgrsstx.dll
2008-08-04 00:18 . 2008-08-04 00:18 <DIR> d-------- C:\Program Files\AVG
2008-08-04 00:18 . 2008-08-04 00:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-03 21:21 . 2008-08-03 21:21 <DIR> d-------- C:\Documents and Settings\Administrator.CLASHT.000\Application Data\SUPERAntiSpyware.com
2008-08-03 20:56 . 2008-08-03 20:56 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-03 20:56 . 2008-08-03 20:56 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-08-03 20:56 . 2008-08-03 20:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-03 20:55 . 2008-08-03 20:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-03 19:33 . 2004-04-28 15:40 <DIR> d-------- C:\Documents and Settings\Administrator.CLASHT.000\WINDOWS
2008-08-03 19:33 . 2004-04-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator.CLASHT.000\Application Data\InterTrust
2008-08-03 19:33 . 2008-08-05 10:17 <DIR> d-------- C:\Documents and Settings\Administrator.CLASHT.000
2008-08-02 11:18 . 2006-10-04 07:06 1,197,294 --------- C:\WINDOWS\SYSTEM32\dllcache\sysmain.sdb
2008-08-02 11:18 . 2006-10-04 07:06 764,868 --------- C:\WINDOWS\SYSTEM32\dllcache\apph_sp.sdb
2008-08-02 11:18 . 2006-10-04 07:06 217,118 --------- C:\WINDOWS\SYSTEM32\dllcache\apphelp.sdb
2008-08-02 11:17 . 2008-08-02 11:17 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-08-02 11:12 . 2008-08-02 11:12 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2008-08-02 11:12 . 2008-08-02 11:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\drivers\UMDF
2008-07-25 23:03 . 2008-07-25 23:03 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Talkback
2008-07-25 22:03 . 2008-07-25 22:03 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-07-21 13:29 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\SYSTEM32\dllcache\bthport.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-04 02:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-07-26 05:01 --------- d-----w C:\Program Files\Common Files\Real
2008-07-13 19:43 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\SYSTEM32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\SYSTEM32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\SYSTEM32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\SYSTEM32\dllcache\quartz.dll
2001-07-22 02:45 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 07:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 07:56 1,028,096 --sh--w C:\WINDOWS\SYSTEM32\mfc42.dll
2004-08-04 07:56 54,784 --sha-w C:\WINDOWS\SYSTEM32\msvcirt.dll
2004-08-04 07:56 413,696 --sha-w C:\WINDOWS\SYSTEM32\msvcp60.dll
2004-08-04 07:56 343,040 --sha-w C:\WINDOWS\SYSTEM32\msvcrt.dll
2007-12-04 18:38 550,912 --sh--w C:\WINDOWS\SYSTEM32\oleaut32.dll
2004-08-04 07:56 83,456 --sh--w C:\WINDOWS\SYSTEM32\olepro32.dll
2004-08-04 07:56 11,776 --sh--w C:\WINDOWS\SYSTEM32\regsvr32.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{03488F0D-7152-4FB0-8149-06D714D3EFC2}]
2004-09-10 21:19 19116 --a------ C:\WINDOWS\System32\l.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 09:04 52736]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 14:56 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-06-15 15:34 212992]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2001-08-07 17:25 143360]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2001-08-07 16:36 90112]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2001-07-03 14:13 81920]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-04 00:18 1232152]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winlq48.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winmr85.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32]
C:\DOCUME~1\Owner\LOCALS~1\Temp\scksexde.exe/r [X]

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁß]úü‰¸u0C:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁß]úü‰¸u0C:\Program Files
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁß]úü‰¸u0C:\Program Files\ISTsvc
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁß]úü‰üžiC:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁß]úü‰üžiC:\Program Files
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁß]úü‰üžiC:\Program Files\ISTsvc
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0ÔÁß]úü‰üžigÝC:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0ÔÁß]úü‰üžigÝC:\Program Files
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0ÔÁß]úü‰üžigÝC:\Program Files\ISTsvc
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0–4C
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0–4C
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0–4C
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0–4C
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0–4C
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0–4C

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--------- 2000-08-15 17:25 28739 C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2005-05-31 01:04 1415824 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-07-25 21:57 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-04 00:19]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-04 00:18]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-04 00:19]
R2 NwSapAgent;SAP Agent;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-04 00:18]
S2 YNPLVOHD;YNPLVOHD;C:\WINDOWS\system32\ynplvohd.rty []
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{BB20260D-7705-4A27-B5FC-1A7E43D2C19B} - C:\WINDOWS\System32\hdkmnia.dll
MSConfigStartUp-23089741598192517752780679391111 - C:\Program Files\XP Antivirus\xpa.exe
MSConfigStartUp-A1Edqde2 - C:\WINDOWS\botvk.exe
MSConfigStartUp-MoneyStartUp - C:\Program Files\Microsoft Money\System\Money Startup.exe
MSConfigStartUp-tqvwtmd - C:\WINDOWS\tqvwtmd.exe
MSConfigStartUp-wnqretuh - C:\WINDOWS\wnqretuh.exe
MSConfigStartUp-WorkFlow - D:\Install\WorkFlow.exe
MSConfigStartUp-yznwslidgtcdj - C:\WINDOWS\System32\vvpoona.exe
MSConfigStartUp-istsvc - C:\WINDOWS\botvk.exe
MSConfigStartUp-istsvc - C:\WINDOWS\botvk.exe
MSConfigStartUp-istsvc - C:\WINDOWS\botvk.exe
MSConfigStartUp-¢‰¸u0–4C - C:\WINDOWS\botvk.exe
MSConfigStartUp-¢‰¸u0–4C - C:\WINDOWS\botvk.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\okqxeq5c.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.wwe.com/

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-07 11:39:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\YNPLVOHD]
"ImagePath"="\??\C:\WINDOWS\system32\ynplvohd.rty"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\fxssvc.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-08-07 11:47:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-07 18:47:15

Pre-Run: 27,196,973,056 bytes free
Post-Run: 27,154,358,272 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows Whistler Personal" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

210 --- E O F --- 2008-08-06 10:07:20
Aug 7 2008, 02:25 PM, Post #4
Malware Killer Dog
Hi,
We're not finished yet...
I also see that there are some entries you have disabled via msconfig, including some malware-related entries which contain strange characters. Using a regfix with these strange characters in it won't work. In such cases, I always delete the entire startupreg key and rebuild it again with the legitimate ones, but for that I need a full export of the startupreg here. And in your case, I see you have only a few legitimate entries in your msconfig > startup and as a matter of fact, they are not really needed to start up with Windows anyway, so they may stay disabled and can actually be deleted. The only legitimate one that you may enable in the future again will be TeaTimer, but we'll delete it anyway as well since Spybot S&D will come with a new update soon, so you'll have to reinstall it again anyway.

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into Notepad:

QUOTE
Collect::[8]
C:\WINDOWS\System32\l.dll
C:\WINDOWS\system32\ynplvohd.rty

Driver::
YNPLVOHD

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winlq48.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winmr85.sys]

Save this as txtfile CFScript
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again.
* It will create a zipped file on your Desktop - [8]-Submit_Date_Time.zip
* Another file will be present on your desktop: CF-Submit.htm, which will open after you have run ComboFix.
* Where it says: "Submit files for further analysis", click OK and a browser window will open. There you'll see: "copy/paste filepath into the box & click OK". You'll find the filepath below, so copy and paste this in the above field and click OK.
If the window didn't open, just submit the [8]-Submit_Date_Time.zip file here
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

This post has been edited by miekiemoes: Aug 7 2008, 02:25 PM
Aug 7 2008, 07:22 PM, Post #5
Member
Thanks Miekiemoes
I understand what you want me to do, but the following took place before I saw your post and I want to wait on your response: so based on your observations, even though the startup items were disabled, they could have caused the following?

I started to reset the home page for IExplorer and for Firefox to his favorite www.WWE.com. IE went just fine. When I opened Firefox and set the home page to WWE, it came up saying that the flash player needed updating. Ok, no problem as I do this for him periodically. I exited Firefox and typed www.adobe.com/products/flashplayer into IE7 and installed the most recent (from ....115 to ....124 I think). Again no problem, I thought. Both versions of flashplayer for IE7 and Firefox were listed with the same vsn number, yet when I exited IE7 and went back into Firefox, it was still calling for a player update, so this time I typed in the adobe address in the Firefox address bar and selected to download the Firefox version directly from the Adobe web site. This time it acted like a brand new install and wanted me to accept the terms. I closed the dialogue box without responding and exited adobe and Firefox. Guess what! I now have PCPrivacyCleaner, VirusRemover, Vista Antivirus 2008 and XP Antivirus 2008 ICONS on the desktop again. Not sure what else might have been changed. I also immediately turned off the modem pending further action. Where to go from here? This time I will sit on my hands until the all clear is sounded. Thank you. Thank you.
Aug 8 2008, 12:52 PM, Post #6
Malware Killer Dog
Hi,
Please do not set the startpage to www.WWE.com again, because it's infected with this fake message to update the flashplayer. If you indeed click it, you'll get infected.
So, please perform the steps with Combofix first. It will display the log afterwards and then I can see what other malware was installed in between, so we can tackle it afterwards as well.
Aug 9 2008, 09:54 AM, Post #7
Member
Good Day!
Before I drag CFScript onto Combofix, will I be able to save or rebuild the following startup entries?
1. This computer is an older HP Pavilion 7915 with one of the specialty keyboards and its functionality may be affected by the removal of HPSYSDRV, KBD, PS2 and possibly HKCMD. I would like to either keep or be able to rebuild these although I think disabling or removing HKCMD will probably be ok. Pretty sure he won't be performing tasks that require it.
2. I am very concerned about removing RECGUARD. On HP computers, Recguard prevents the deletion or corruption of the WinXP Recovery Partition. Without it enabled, it is possible to completely knock out the partition which may require sending the PC back to HP for a re-image.
On my way to work, look forward to your post later
Aug 9 2008, 02:23 PM, Post #8
Malware Killer Dog
Hi,
The script doesn't remove any startup entries which are currently enabled. Only the ones which you have disabled via msconfig previously (and which are not required to run anyway).
These are the entries that the script is going to remove:

QUOTE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32]
C:\DOCUME~1\Owner\LOCALS~1\Temp\scksexde.exe/r [X]

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁß]úü‰¸u0C:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁß]úü‰¸u0C:\Program Files
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁß]úü‰¸u0C:\Program Files\ISTsvc
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁß]úü‰üžiC:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁß]úü‰üžiC:\Program Files
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁß]úü‰üžiC:\Program Files\ISTsvc
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0ÔÁß]úü‰üžigÝC:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0ÔÁß]úü‰üžigÝC:\Program Files
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0ÔÁß]úü‰üžigÝC:\Program Files\ISTsvc
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0–4C
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0–4C
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0–4C
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0–4C
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0–4C
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0–4C

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--------- 2000-08-15 17:25 28739 C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2005-05-31 01:04 1415824 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-07-25 21:57 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
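Added example (not from this thread, ComboFix or HijackThis): a small Python triage of the msconfig startupreg listing quoted above and in post #4. It shows why a .reg fix cannot target the subkeys with garbage names, and generates the delete-then-rebuild REGEDIT4 text the helper describes. The sample lines are copied from the ComboFix output in this thread; the hkey/key/item/command layout of the rebuilt subkeys is my assumption about msconfig's format, not something the thread states.

```python
"""Triage of the msconfig 'startupreg' listing quoted in this thread.

ComboFix lists startup items that were disabled through msconfig under
HKLM\...\msconfig\startupreg. When malware has left subkeys whose names are
garbage bytes, a .reg file cannot name them, so the helper's approach is:
delete the whole startupreg key, re-create it, and add back only the items
worth keeping. This script classifies each entry and emits that REGEDIT4 text.
"""
from __future__ import annotations
from dataclasses import dataclass

STARTUPREG = r"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg"

# Constructed sample: a handful of lines copied from the ComboFix output in this
# thread (the garbage-named key is reproduced as ComboFix printed it).
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32]
C:\DOCUME~1\Owner\LOCALS~1\Temp\scksexde.exe/r [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\¢‰¸u0Ô@ÔÁß]úü‰¸u0C:\Program Files\ISTsvc
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2005-05-31 01:04 1415824 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""


@dataclass
class Entry:
    name: str     # subkey name under startupreg (msconfig's name for the item)
    command: str  # detail line ComboFix printed under the key ("" if none)


def _is_key_line(line: str) -> bool:
    """True for a startupreg key line, bracketed or not (ComboFix prints the
    garbage-named keys without the surrounding [ ])."""
    bare = line[1:] if line.startswith("[") else line
    prefix = STARTUPREG + "\\"
    return bare[:len(prefix)].lower() == prefix.lower()


def parse_startupreg(text: str) -> list[Entry]:
    """Pair every startupreg key line with the detail line that follows it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    plen = len(STARTUPREG) + 1
    entries: list[Entry] = []
    for i, line in enumerate(lines):
        if not _is_key_line(line):
            continue
        bare = line[1:] if line.startswith("[") else line
        name = bare[plen:]
        if line.startswith("[") and name.endswith("]"):
            name = name[:-1]
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        entries.append(Entry(name, "" if _is_key_line(nxt) else nxt))
    return entries


def classify(entry: Entry) -> str:
    """'unaddressable': key name has characters outside printable ASCII, so a
    .reg file cannot reliably target it (delete-and-rebuild is the only option);
    'missing-file': ComboFix flagged the command with [X], the file is gone;
    'review': an ordinary disabled item, keep or drop by hand."""
    if any(not 0x20 <= ord(c) <= 0x7E for c in entry.name):
        return "unaddressable"
    if entry.command.endswith("[X]"):
        return "missing-file"
    return "review"


def build_regfix(entries: list[Entry], keep: set[str],
                 hkey: str = "HKLM",
                 key: str = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run") -> str:
    """REGEDIT4 text: delete the whole startupreg key, re-create it, and add
    back the named 'review' entries. The hkey/key/item/command value layout is
    the XP msconfig convention as I know it (assumption); ComboFix's listing
    does not show hkey/key, hence the defaults."""
    def q(s: str) -> str:  # quote a REG_SZ value: backslashes and quotes escaped
        return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'

    out = ["REGEDIT4", "", f"[-{STARTUPREG}]", "", f"[{STARTUPREG}]", ""]
    for e in entries:
        if e.name not in keep or classify(e) != "review":
            continue
        parts = e.command.split(maxsplit=4)   # attrs date time size path
        path = parts[4] if len(parts) == 5 and parts[0].startswith("-") else e.command
        out += [f"[{STARTUPREG}\\{e.name}]",
                f'"hkey"={q(hkey)}', f'"key"={q(key)}',
                f'"item"={q(e.name)}', f'"command"={q(path)}', ""]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = parse_startupreg(SAMPLE)
    for e in found:
        print(f"{classify(e):14} {e.name!r}")
    print(build_regfix(found, keep={"QuickTime Task"}))
```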
Aug 9 2008, 08:06 PM, Post #9
Member
Miekiemoes
Sorry, I misunderstood your previous post. Thanks for the clarification. Dragged CFScript to ComboFix and copied and pasted the link for the zip file to be sent (successfully). Reran HijackThis. Here are the ComboFix and HijackThis logs for when you have time. Thank you.

ComboFix 08-08-03.03 - Owner 2008-08-09 17:30:29.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Owner\Desktop\PCPrivacyCleaner.lnk
C:\Documents and Settings\Owner\Desktop\Vista Antivirus 2008.lnk
C:\Documents and Settings\Owner\Desktop\XP Antivirus 2008.lnk
C:\WINDOWS\System32\l.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_YNPLVOHD
-------\Service_YNPLVOHD

((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.
2008-08-04 10:46 . 2008-08-04 10:46 <DIR> d-------- C:\Deckard
2008-08-04 10:43 . 2008-08-04 10:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-04 00:25 . 2008-08-07 02:17 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-04 00:19 . 2008-08-07 12:47 <DIR> d-------- C:\WINDOWS\SYSTEM32\drivers\Avg
2008-08-04 00:19 . 2008-08-04 00:19 96,520 --a------ C:\WINDOWS\SYSTEM32\drivers\avgldx86.sys
2008-08-04 00:19 . 2008-08-04 00:19 76,040 --a------ C:\WINDOWS\SYSTEM32\drivers\avgtdix.sys
2008-08-04 00:19 . 2008-08-04 00:19 10,520 --a------ C:\WINDOWS\SYSTEM32\avgrsstx.dll
2008-08-04 00:18 . 2008-08-04 00:18 <DIR> d-------- C:\Program Files\AVG
2008-08-04 00:18 . 2008-08-04 00:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-03 21:21 . 2008-08-03 21:21 <DIR> d-------- C:\Documents and Settings\Administrator.CLASHT.000\Application Data\SUPERAntiSpyware.com
2008-08-03 20:56 . 2008-08-03 20:56 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-03 20:56 . 2008-08-03 20:56 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-08-03 20:56 . 2008-08-03 20:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-03 20:55 . 2008-08-03 20:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-03 19:33 . 2004-04-28 15:40 <DIR> d-------- C:\Documents and Settings\Administrator.CLASHT.000\WINDOWS
2008-08-03 19:33 . 2004-04-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator.CLASHT.000\Application Data\InterTrust
2008-08-03 19:33 . 2008-08-05 10:17 <DIR> d-------- C:\Documents and Settings\Administrator.CLASHT.000
2008-08-02 11:18 . 2006-10-04 07:06 1,197,294 --------- C:\WINDOWS\SYSTEM32\dllcache\sysmain.sdb
2008-08-02 11:18 . 2006-10-04 07:06 764,868 --------- C:\WINDOWS\SYSTEM32\dllcache\apph_sp.sdb
2008-08-02 11:18 . 2006-10-04 07:06 217,118 --------- C:\WINDOWS\SYSTEM32\dllcache\apphelp.sdb
2008-08-02 11:17 . 2008-08-02 11:17 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-08-02 11:12 . 2008-08-02 11:12 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2008-08-02 11:12 . 2008-08-02 11:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\drivers\UMDF
2008-07-25 23:03 . 2008-07-25 23:03 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Talkback
2008-07-25 22:03 . 2008-07-25 22:03 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-07-21 13:29 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\SYSTEM32\dllcache\bthport.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-04 02:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-07-26 05:01 --------- d-----w C:\Program Files\Common Files\Real
2008-07-13 19:43 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\SYSTEM32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\SYSTEM32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2001-07-22 02:45 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 07:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 07:56 1,028,096 --sh--w C:\WINDOWS\SYSTEM32\mfc42.dll
2004-08-04 07:56 54,784 --sha-w C:\WINDOWS\SYSTEM32\msvcirt.dll
2004-08-04 07:56 413,696 --sha-w C:\WINDOWS\SYSTEM32\msvcp60.dll
2004-08-04 07:56 343,040 --sha-w C:\WINDOWS\SYSTEM32\msvcrt.dll
2007-12-04 18:38 550,912 --sh--w C:\WINDOWS\SYSTEM32\oleaut32.dll
2004-08-04 07:56 83,456 --sh--w C:\WINDOWS\SYSTEM32\olepro32.dll
2004-08-04 07:56 11,776 --sh--w C:\WINDOWS\SYSTEM32\regsvr32.exe
.
((((((((((((((((((((((((((((( snapshot@2008-08-07_11.45.57.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-25 02:32:44 218,496 ----a-r C:\WINDOWS\SYSTEM32\Macromed\Flash\FlashUtil9f.exe
- 2007-12-20 23:23:22 74,649 ----a-w C:\WINDOWS\SYSTEM32\Macromed\Flash\uninstall_activeX.exe
+ 2008-08-07 19:34:25 74,649 ----a-w C:\WINDOWS\SYSTEM32\Macromed\Flash\uninstall_activeX.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 09:04 52736]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 14:56 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-06-15 15:34 212992]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2001-08-07 17:25 143360]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2001-08-07 16:36 90112]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2001-07-03 14:13 81920]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-04 00:18 1232152]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver
x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-04 00:19] R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-04 00:18] R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-04 00:18] R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-04 00:19] R2 NwSapAgent;SAP Agent;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56] . Contents of the 'Scheduled Tasks' folder . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-08-09 17:38:44 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\WINDOWS\SYSTEM32\fxssvc.exe C:\Program Files\AVG\AVG8\avgrsx.exe C:\Program Files\AVG\AVG8\avgrsx.exe . ************************************************************************** . 
Completion time: 2008-08-09 17:47:34 - machine was rebooted ComboFix-quarantined-files.txt 2008-08-10 00:46:56 ComboFix2.txt 2008-08-07 18:47:53 Pre-Run: 27,094,630,400 bytes free Post-Run: 27,094,138,880 bytes free 141 --- E O F --- 2008-08-06 10:07:20 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 5:56:20 PM, on 8/9/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\WINDOWS\system32\fxssvc.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\windows\system\hpsysdrv.exe C:\HP\KBD\KBD.EXE C:\WINDOWS\System32\hkcmd.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\WINDOWS\explorer.exe C:\Program Files\AVG\AVG8\avgrsx.exe C:\Program Files\AVG\AVG8\avgrsx.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wwe.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - 
C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file) O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...81/mcinsctl.cab O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program 
Files\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: avgrsstx.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe -- End of file - 4450 bytes |
Aug 10 2008, 01:38 AM, Post #10
Malware Killer Dog, Group: HJT Team, Posts: 18,450, Joined: 18-February 05, From: Belgium, Member No.: 12,408
Hi,
QUOTE: Guess what! I now have PCPrivacyCleaner, VirusRemover, Vista Antivirus 2008 and XP Antivirus 2008 ICONS on the desktop again.

ComboFix already took care of this as well.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wwe.com/ <== checking this will restore the start page to the default start page (msn), but you can change that afterwards again, as long as you don't set it to wwe.com again, since this site appears to be vulnerable currently. I haven't checked yet whether it has been resolved.

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

* Click on Fix Checked when finished and exit HijackThis. Make sure your Internet Explorer is closed when you click Fix Checked!

Then,

* Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

--------------------
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here! Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum. |
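Added example, not part of the thread and not code from HijackThis or ComboFix: a small Python triage script that reads entries in the HijackThis 2.0.2 log format posted above and flags the kinds of lines a helper looks at first. It reproduces the two choices made in the reply above (the orphaned O3 toolbar with "(no file)" and the non-default R0 start page) and also raises the O10 Winsock LSP and O20 AppInit_DLLs lines, which load code into the network stack or into every GUI process and therefore always need the DLL identified. The sample lines are copied from the posted log; the list of "default" start-page hosts, the severity labels and the function names are my own assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the HijackThis 2.0.2 format. The entries are copied from
# the log posted in this thread so the output can be compared with what the
# helper chose to fix.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wwe.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
-- End of file - 4450 bytes
"""

# Every HijackThis finding is "<section> - <body>"; sections are R0..R3 and O1..O24.
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")

# Assumption: hosts a vendor-default IE start/search page normally points at.
# Anything else is not automatically malicious, only worth a look.
DEFAULT_PAGE_HOSTS = {"www.msn.com", "go.microsoft.com", "www.microsoft.com"}


def parse_hjt(text):
    """Return (section, body) tuples for every R/O entry in a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def _page_host(body):
    """'HKCU\\...\\Main,Start Page = http://www.wwe.com/' -> 'www.wwe.com'.
    An empty value (e.g. 'Local Page =') yields '' so the caller can skip it."""
    _, sep, url = body.partition(" = ")
    if not sep:
        return ""
    return urlparse(url.strip()).hostname or ""


def triage(entries, default_hosts=DEFAULT_PAGE_HOSTS):
    """Flag entries that deserve a second look; returns
    (severity, section, reason, raw_line) tuples in log order."""
    findings = []
    for section, body in entries:
        raw = f"{section} - {body}"
        if section in ("R0", "R1"):
            host = _page_host(body)
            if host and host not in default_hosts:
                findings.append(("low", section, f"start/search page points at {host}", raw))
        elif section in ("O2", "O3"):
            if body.endswith("(no file)"):
                # CLSID still registered but its DLL is gone: harmless residue,
                # safe to remove with Fix Checked.
                findings.append(("low", section, "orphaned CLSID, file is gone", raw))
            elif "(no name)" in body:
                # A BHO/toolbar that registered no display name; identify the DLL
                # before deciding (here it is Spybot's SDHelper, which is legitimate).
                findings.append(("medium", section, "unnamed BHO/toolbar, identify the DLL", raw))
        elif section == "O10":
            # An LSP sits in the Winsock chain of every networked process; removing
            # one incorrectly breaks networking, so identify rather than fix blindly.
            findings.append(("medium", section, "Winsock LSP the tool could not identify", raw))
        elif section == "O20":
            # AppInit_DLLs are loaded by user32.dll into every GUI process.
            dlls = body.split(":", 1)[1].strip()
            findings.append(("high", section, f"AppInit_DLLs loads {dlls} into every GUI process", raw))
    return findings


if __name__ == "__main__":
    for sev, sec, why, raw in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{sev:6}] {sec:3} {why}\n         {raw}")
```

The script only sorts the log into "fix", "identify first" and "ignore" buckets; it does not decide. On the sample it flags exactly the two lines fixed in the reply above plus the O2 SDHelper.dll, O10 nwprovau.dll and O20 avgrsstx.dll entries, all three of which belong to software visible elsewhere in the log (Spybot, the Windows NetWare provider, AVG 8), which is the check the helper performed by eye.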
Aug 10 2008, 10:38 AM, Post #11
Member, Group: Members, Posts: 38, Joined: 25-May 05, Member No.: 21,321
Lookin' Great! Thanks!
Ran HijackThis, then uninstalled ComboFix. Still have one desktop icon "VirusRemover2008", but the path for it at C:\Program Files\VirusRemover2008\VRM2008.exe is gone. I should be able to just delete the icon.

Is there a source I can check to verify when the site vulnerability for WWE.com has been resolved? The computer owner's primary use of the computer revolves around this web site (the only other thing I have to do is keep his brother off the computer -- he visits the xxx sites where half my problems arise).

I have a whole lotta questions but I know this isn't the forum. I have looked through the tutorials and would like to learn more about detailed spyware removal. Can you point me to a starting point?

Take care, your help has been much appreciated.
Aug 10 2008, 11:06 AM, Post #12
Malware Killer Dog (HJT Team)
Hi,

Yes, delete that icon. I see wwe.com is OK now.

Whoever the computer owner is, make sure he reads my Prevention page, with lots of info and tips on how to prevent this in the future. And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

To learn more about detailed malware removal, you can ask the forum admin (Grinler) if there's still a place in the training school here. If not, then register at Spywareinfo and post in the thread to get access to the bootcamp there. I'm active there as well. :-)

Happy surfing again!

This post has been edited by miekiemoes: Aug 10 2008, 11:07 AM
Aug 10 2008, 06:21 PM, Post #13
Member (Group: Members)
One last thank you and I will definitely check out the references you posted for me.
See y'all next time.
Aug 11 2008, 01:45 AM, Post #14
Malware Killer Dog (HJT Team)
You're most welcome.
Aug 14 2008, 04:45 PM, Post #15
Malware Killer Dog (HJT Team)
Since this issue appears resolved, this topic is closed.

If you need this topic reopened for continuation of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter. Everyone else, please begin a new topic.