Post #1 - Dec 24 2008, 07:48 PM
Member (Group: Members, Posts: 26, Joined: 24-December 08, Member No.: 273,718)
--
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:30:27 PM, on 12/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20696)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\713xRMTMon.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 216.52.208.185 www.newegg.com
O1 - Hosts: 216.52.208.188 secure.newegg.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [TV Card Remote Control Device Monitor] C:\WINDOWS\713xRMTMon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [U.S. Robotics Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RGSC] C:\Program Files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1229454768968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1229454486187
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: wbsys.dll,avgrsstx.dll injfrw.dll
O20 - Winlogon Notify: ljJDVmmL - ljJDVmmL.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: NST ToolTipFixer (TTFixerService) - NeoSmart Technologies - C:\Program Files\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe
O23 - Service: U.S. Robotics Wireless LAN Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9078 bytes
Post #2 - Dec 25 2008, 07:49 PM
Surgeon General (Group: HJT Team, Posts: 1,521, Joined: 4-March 06, From: Puerto Rico, Member No.: 57,930)
Hi, RedPenumbra
Welcome. Please download ComboFix from Here or Here to your Desktop. **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
This post has been edited by JSntgRvr: Dec 25 2008, 07:57 PM
Post #3 - Dec 25 2008, 10:41 PM
Member (Group: Members, Posts: 26, Joined: 24-December 08, Member No.: 273,718)
You've been a great help, and on Christmas, too!
ComboFix log:
--
ComboFix 08-12-25.03 - Johanan 2008-12-25 22:19:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2672 [GMT -5:00]
Running from: c:\documents and settings\Johanan\Desktop\ComboFix.exe
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Johanan\Application Data\inst.exe
c:\documents and settings\Johanan\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Johanan\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
c:\windows\system32\iiffFyYo.dll
c:\windows\system32\pthreadGC2.dll
c:\windows\system32\qoMeEXPg.dll
c:\windows\system32\TDSSmtve.dat
c:\windows\system32\vptcyrdt.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys

((((((((((((((((((((((((( Files Created from 2008-11-26 to 2008-12-26 )))))))))))))))))))))))))))))))
.
2008-12-22 11:43 . 2008-12-22 11:43 <DIR> d-------- c:\program files\Trend Micro
2008-12-22 11:39 . 2008-12-25 22:15 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-22 11:39 . 2008-12-25 22:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-20 21:45 . 2008-12-20 21:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\2DBoy
2008-12-20 21:34 . 2008-12-20 21:34 <DIR> d-------- c:\program files\WorldOfGooDemo
2008-12-16 14:13 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-16 13:53 . 2008-12-16 13:53 <DIR> d-------- c:\program files\Microsoft Games for Windows - LIVE
2008-12-16 12:55 . 2008-12-16 18:47 <DIR> d-------- c:\windows\NV18563912.TMP
2008-12-04 21:37 . 2008-11-10 05:43 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-03 18:47 . 2008-12-03 18:47 <DIR> d-------- c:\program files\AviSynth 2.5
2008-12-03 18:47 . 2008-12-03 18:47 43,698 --a------ c:\windows\system32\xvid-uninstall.exe
2008-12-03 18:46 . 2008-12-03 18:46 <DIR> d-------- c:\program files\Gabest
2008-12-03 18:46 . 2008-12-03 18:47 <DIR> d-------- c:\program files\AutoGK
2008-12-03 18:14 . 2008-12-03 18:26 <DIR> d-------- c:\documents and settings\Everyone Else\Application Data\Ahead
2008-11-30 19:32 . 2008-11-30 19:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Codemasters
2008-11-30 19:31 . 2008-11-30 19:31 <DIR> d-------- c:\program files\OpenAL
2008-11-30 19:31 . 2008-04-28 16:53 805,400 -ra------ c:\windows\system32\tmp1D9.tmp
2008-11-30 19:31 . 2008-04-28 16:53 805,400 -ra------ c:\windows\system32\tmp1D8.tmp
2008-11-30 19:31 . 2008-11-30 19:31 444,952 --a------ c:\windows\system32\wrap_oal.dll
2008-11-30 19:31 . 2008-11-30 19:31 109,080 --a------ c:\windows\system32\OpenAL32.dll
2008-11-30 15:09 . 2008-11-30 15:15 <DIR> d-------- c:\program files\Frets on Fire
2008-11-30 15:04 . 2008-11-30 15:11 <DIR> d-------- c:\documents and settings\Johanan\Application Data\fretsonfire
2008-11-30 13:15 . 2008-11-30 16:29 <DIR> d-------- c:\program files\GTR2
2008-11-30 11:59 . 2008-11-30 11:59 <DIR> d-------- c:\program files\ffdshow
2008-11-30 11:59 . 2008-06-12 20:36 7,680 --a------ c:\windows\system32\ff_vfw.dll
2008-11-30 11:59 . 2007-07-10 18:10 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-24 03:02 --------- d-----w c:\program files\Warcraft III
2008-12-22 15:08 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-21 23:02 --------- d-----w c:\documents and settings\All Users\Application Data\WholeSecurity
2008-12-21 18:25 --------- d-----w c:\documents and settings\Johanan\Application Data\uTorrent
2008-12-21 18:24 --------- d-----w c:\program files\uTorrent
2008-12-17 00:34 --------- d-----w c:\program files\Java
2008-12-16 18:42 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-16 18:42 --------- d-----w c:\program files\Rockstar Games
2008-12-16 17:56 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-16 17:56 --------- d-----w c:\program files\AGEIA Technologies
2008-12-15 02:33 --------- d-----w c:\program files\Diablo II
2008-12-10 01:18 --------- d-----w c:\documents and settings\Johanan\Application Data\LimeWire
2008-12-08 00:06 --------- d-----w c:\program files\SpeedFan
2008-12-04 00:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 00:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-11-28 03:24 --------- d-----w c:\program files\Starcraft
2008-11-28 03:24 --------- d-----w c:\program files\EA GAMES
2008-11-28 02:05 --------- d-----w c:\program files\Steam
2008-11-24 02:29 --------- d-----w c:\program files\Left4Dead
2008-11-23 19:41 --------- d-----w c:\documents and settings\Johanan\Application Data\Malwarebytes
2008-11-23 19:40 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-23 04:34 --------- d-----w c:\program files\ordrumbox
2008-11-21 16:18 --------- d-----w c:\documents and settings\Johanan\Application Data\Hamachi
2008-11-21 15:34 --------- d-----w c:\documents and settings\All Users\Application Data\LogMeIn
2008-11-15 23:06 --------- d-----w c:\program files\Veoh Networks
2008-11-15 22:47 --------- d-----w c:\program files\DivX
2008-11-13 19:12 --------- d-----w c:\documents and settings\Everyone Else\Application Data\My The Lord of the Rings, The Rise of the Witch-king Files
2008-11-12 18:45 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-11-12 16:32 --------- d-----w c:\documents and settings\Everyone Else\Application Data\uTorrent
2008-11-12 16:30 --------- d-----w c:\documents and settings\Everyone Else\Application Data\alot
2008-11-12 00:44 --------- d-----w c:\program files\Silkroad
2008-11-11 15:48 18,048 ----a-w c:\documents and settings\Everyone Else\Application Data\GDIPFONTCACHEV1.DAT
2008-11-04 02:44 --------- d-----w c:\documents and settings\Johanan\Application Data\vlc
2008-11-01 14:31 --------- d-----w c:\program files\MSBuild
2008-11-01 14:31 --------- d-----w c:\program files\Bethesda Softworks
2008-11-01 14:31 --------- d-----w c:\documents and settings\All Users\Application Data\Fallout3
2008-11-01 14:28 --------- d-----w c:\program files\Reference Assemblies
2008-10-30 22:00 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-10-30 21:57 22,328 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-10-30 21:57 22,328 ----a-w c:\documents and settings\Johanan\Application Data\PnkBstrK.sys
2008-10-30 21:56 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
2008-10-30 21:56 2,250,024 ----a-w c:\windows\system32\pbsvc.exe
2008-10-30 21:56 107,832 ----a-w c:\windows\system32\PnkBstrB.exe
2008-10-30 21:54 --------- d-----w c:\program files\Ubisoft
2008-10-28 09:17 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-27 17:09 --------- d-----w c:\documents and settings\Johanan\Application Data\My The Lord of the Rings, The Rise of the Witch-king Files
2008-10-27 15:04 70,992 ----a-w c:\windows\system32\XAPOFX1_2.dll
2008-10-27 15:04 514,384 ----a-w c:\windows\system32\XAudio2_3.dll
2008-10-27 15:04 235,856 ----a-w c:\windows\system32\xactengine3_3.dll
2008-10-27 15:04 23,376 ----a-w c:\windows\system32\X3DAudio1_5.dll
2008-10-22 10:29 14,303,392 ----a-w c:\windows\system32\xlive.dll
2008-10-22 10:29 13,643,936 ----a-w c:\windows\system32\xlivefnt.dll
2008-10-17 01:35 87,352 ----a-w c:\windows\system32\LMIinit.dll
2008-10-17 01:35 83,288 ----a-w c:\windows\system32\LMIRfsClientNP.dll
2008-10-17 01:35 28,984 ----a-w c:\windows\system32\LMIport.dll
2008-10-17 01:35 23,736 ----a-w c:\windows\system32\lmimirr.dll
2008-10-17 01:35 10,040 ----a-w c:\windows\system32\lmimirr2.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:07 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-13 14:56 70,936 ----a-w c:\windows\system32\PhysXLoader.dll
2008-10-10 09:52 452,440 ----a-w c:\windows\system32\d3dx10_40.dll
2008-10-10 09:52 4,379,984 ----a-w c:\windows\system32\D3DX9_40.dll
2008-10-10 09:52 2,036,576 ----a-w c:\windows\system32\D3DCompiler_40.dll
2008-10-07 18:33 286,720 ----a-w c:\windows\system32\nvnt4cpl.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelTraditionalChinese.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelSwedish.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelSpanish.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelSimplifiedChinese.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelPortugese.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelKorean.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelJapanese.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelGerman.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelFrench.dll
2008-10-07 14:13 288,024 ----a-w c:\windows\system32\PhysXCplUI.exe
2008-10-07 14:13 288,024 ----a-w c:\windows\system32\PhysXCompatCplUI.exe
2008-10-07 14:13 23,320 ----a-w c:\windows\system32\PhysXDevice.dll
2008-10-06 23:42 47,360 ----a-w c:\documents and settings\Johanan\Application Data\pcouffin.sys
2008-03-19 23:37 17,656 ----a-w c:\documents and settings\Johanan\Application Data\GDIPFONTCACHEV1.DAT
2008-01-14 03:19 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008011320080114\index.dat
.
------- Sigcheck -------
2008-10-18 19:50 360704 1157d0d6ba036fb9537d4cd81375b12c c:\windows\system32\dllcache\TCPIP.SYS
2008-10-18 19:50 360704 1157d0d6ba036fb9537d4cd81375b12c c:\windows\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"RGSC"="c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe" [2008-12-16 306088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"U.S. Robotics Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 2051096]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 2095640]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]
"TV Card Remote Control Device Monitor"="c:\windows\713xRMTMon.exe" [2007-06-28 352256]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"BootSkin Startup Jobs"="c:\progra~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 270336]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-29 1261336]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"nwiz"="nwiz.exe" [2008-11-12 c:\windows\system32\nwiz.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-24 c:\windows\RTHDCPL.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-01-14 805392]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\\WINDOWS\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2007-09-23 10:10 229376 c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 20:35 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll,avgrsstx.dll injfrw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Scheduler for OEM.lnk]
backup=c:\windows\pss\Scheduler for OEM.lnkCommon Startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Hamachi\\hamachi.exe"=
"c:\\Program Files\\Diablo II\\Loader 1.11b.exe"=
"c:\\Program Files\\Steam\\steamapps\\the_cancer\\source sdk base\\hl2.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Steam\\steamapps\\the_cancer\\half-life\\hl.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Liquid Entertainment\\War of the Ring\\Rings.exe"=
"c:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Game.exe"=
"c:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Launcher.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth II\\game.dat"=
"c:\\Program Files\\Electronic Arts\\The Lord of the Rings, The Rise of the Witch-king\\game.dat"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth \\game.dat"=
"c:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"c:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12243:TCP"= 12243:TCP:uTorrent Port
"12243:UDP"= 12243:UDP:uTorrent Port

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-09-22 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-09-22 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-09-22 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-09-22 76040]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\c:\windows\system32\drivers\LMIRfsDriver.sys [2008-11-21 47640]
S0 BootScreen;BootScreen;\SystemRoot\\SystemRoot\System32\drivers\vidstub.sys []
S2 713xTVCard;SAA7130 TV Card;c:\windows\system32\DRIVERS\SAA713x.sys [2008-02-14 279552]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys []
S2 TTFixerService;NST ToolTipFixer;"c:\program files\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe" [2007-06-27 10240]
S2 WDMTVTuner;Universal WDM TV Tuner;c:\windows\system32\drivers\WDMTuner.sys [2008-02-14 25984]
S4 LMIRfsClientNP;LMIRfsClientNP; []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-26 c:\windows\Tasks\epattlyr.job
- c:\windows\system32\rundll32.exe [2004-08-03 18:56]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe
HKLM-Run-RegistryMechanic - (no file)
Notify-ljJDVmmL - ljJDVmmL.dll

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.daemonsearch.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Johanan\Application Data\Mozilla\Firefox\Profiles\4hvepxft.default\
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - component: c:\documents and settings\Johanan\Application Data\Mozilla\Firefox\Profiles\4hvepxft.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Johanan\Application Data\Mozilla\Firefox\Profiles\4hvepxft.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\Johanan\Application Data\Mozilla\Firefox\Profiles\4hvepxft.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-25 22:24:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
TV Card Remote Control Device Monitor = c:\windows\713xRMTMon.exe

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(948)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\windows\system32\LMIinit.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\wscntfy.exe
c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
c:\program files\Lexmark X1100 Series\lxbkbmon.exe
c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
c:\windows\system32\wltray.exe
c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-12-25 22:32:04 - machine was rebooted [Johanan]
ComboFix-quarantined-files.txt 2008-12-26 03:32:02

Pre-Run: 43,811,069,952 bytes free
Post-Run: 44,197,539,840 bytes free

327
--

HijackThis log:
--
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:48 PM, on 12/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20696)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\713xRMTMon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark
X1100 Series\lxbkbmgr.exe" O4 - HKLM\..\Run: [TV Card Remote Control Device Monitor] C:\WINDOWS\713xRMTMon.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [U.S. Robotics Wireless Manager UI] C:\WINDOWS\system32\WLTRAY O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe" O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [RGSC] C:\Program Files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: 
{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1229454768968 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1229454486187 O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: wbsys.dll,avgrsstx.dll injfrw.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. 
- C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: NST ToolTipFixer (TTFixerService) - NeoSmart Technologies - C:\Program Files\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe
O23 - Service: U.S. Robotics Wireless LAN Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8100 bytes

Thanks again, and Merry Christmas!
Dec 26 2008, 12:39 PM - Post #4
Surgeon General - Group: HJT Team - Posts: 1,521 - Joined: 4-March 06 - From: Puerto Rico - Member No.: 57,930
Hi, RedPenumbra
CODE
File::
c:\windows\NV18563912.TMP
c:\windows\system32\tmp1D9.tmp
c:\windows\system32\tmp1D8.tmp
c:\windows\Tasks\epattlyr.job

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="wbsys.dll,avgrsstx.dll"

Driver::
BootScreen
LMIRfsClientNP

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a HijackThis log.

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java, to download and install the latest version.
Dec 27 2008, 04:09 PM - Post #5
Member - Group: Members - Posts: 26 - Joined: 24-December 08 - Member No.: 273,718
ComboFix log:
-- ComboFix 08-12-26.03 - Johanan 2008-12-27 12:05:18.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2812 [GMT -5:00] Running from: c:\documents and settings\Johanan\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Johanan\Desktop\CFScript.txt * Created a new restore point FILE :: c:\windows\NV18563912.TMP c:\windows\system32\tmp1D8.tmp c:\windows\system32\tmp1D9.tmp c:\windows\Tasks\epattlyr.job . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\tmp1D8.tmp c:\windows\system32\tmp1D9.tmp c:\windows\Tasks\epattlyr.job . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_BOOTSCREEN -------\Legacy_LMIRFSCLIENTNP -------\Service_BootScreen -------\Service_LMIRfsClientNP ((((((((((((((((((((((((( Files Created from 2008-11-27 to 2008-12-27 ))))))))))))))))))))))))))))))) . 2008-12-22 11:43 . 2008-12-22 11:43 <DIR> d-------- c:\program files\Trend Micro 2008-12-22 11:39 . 2008-12-25 22:15 <DIR> d-------- c:\program files\Spybot - Search & Destroy 2008-12-22 11:39 . 2008-12-25 22:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2008-12-20 21:45 . 2008-12-20 21:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\2DBoy 2008-12-20 21:34 . 2008-12-20 21:34 <DIR> d-------- c:\program files\WorldOfGooDemo 2008-12-16 14:13 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui 2008-12-16 13:53 . 2008-12-16 13:53 <DIR> d-------- c:\program files\Microsoft Games for Windows - LIVE 2008-12-16 12:55 . 2008-12-16 18:47 <DIR> d-------- c:\windows\NV18563912.TMP 2008-12-04 21:37 . 2008-11-10 05:43 410,984 --a------ c:\windows\system32\deploytk.dll 2008-12-03 18:47 . 2008-12-03 18:47 <DIR> d-------- c:\program files\AviSynth 2.5 2008-12-03 18:47 . 
2008-12-03 18:47 43,698 --a------ c:\windows\system32\xvid-uninstall.exe 2008-12-03 18:46 . 2008-12-03 18:46 <DIR> d-------- c:\program files\Gabest 2008-12-03 18:46 . 2008-12-03 18:47 <DIR> d-------- c:\program files\AutoGK 2008-12-03 18:14 . 2008-12-03 18:26 <DIR> d-------- c:\documents and settings\Everyone Else\Application Data\Ahead 2008-11-30 19:32 . 2008-11-30 19:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Codemasters 2008-11-30 19:31 . 2008-11-30 19:31 <DIR> d-------- c:\program files\OpenAL 2008-11-30 19:31 . 2008-11-30 19:31 444,952 --a------ c:\windows\system32\wrap_oal.dll 2008-11-30 19:31 . 2008-11-30 19:31 109,080 --a------ c:\windows\system32\OpenAL32.dll 2008-11-30 15:09 . 2008-11-30 15:15 <DIR> d-------- c:\program files\Frets on Fire 2008-11-30 15:04 . 2008-11-30 15:11 <DIR> d-------- c:\documents and settings\Johanan\Application Data\fretsonfire 2008-11-30 13:15 . 2008-11-30 16:29 <DIR> d-------- c:\program files\GTR2 2008-11-30 11:59 . 2008-11-30 11:59 <DIR> d-------- c:\program files\ffdshow 2008-11-30 11:59 . 2008-06-12 20:36 7,680 --a------ c:\windows\system32\ff_vfw.dll 2008-11-30 11:59 . 2007-07-10 18:10 547 --a------ c:\windows\system32\ff_vfw.dll.manifest . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2008-12-24 03:02 --------- d-----w c:\program files\Warcraft III 2008-12-22 15:08 --------- d-----w c:\program files\Malwarebytes' Anti-Malware 2008-12-21 23:02 --------- d-----w c:\documents and settings\All Users\Application Data\WholeSecurity 2008-12-21 18:25 --------- d-----w c:\documents and settings\Johanan\Application Data\uTorrent 2008-12-21 18:24 --------- d-----w c:\program files\uTorrent 2008-12-17 00:34 --------- d-----w c:\program files\Java 2008-12-16 18:42 --------- d--h--w c:\program files\InstallShield Installation Information 2008-12-16 18:42 --------- d-----w c:\program files\Rockstar Games 2008-12-16 17:56 --------- d-----w c:\program files\Common Files\Wise Installation Wizard 2008-12-16 17:56 --------- d-----w c:\program files\AGEIA Technologies 2008-12-15 02:33 --------- d-----w c:\program files\Diablo II 2008-12-10 01:18 --------- d-----w c:\documents and settings\Johanan\Application Data\LimeWire 2008-12-08 00:06 --------- d-----w c:\program files\SpeedFan 2008-12-04 00:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys 2008-12-04 00:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys 2008-11-28 03:24 --------- d-----w c:\program files\Starcraft 2008-11-28 03:24 --------- d-----w c:\program files\EA GAMES 2008-11-28 02:05 --------- d-----w c:\program files\Steam 2008-11-24 02:29 --------- d-----w c:\program files\Left4Dead 2008-11-23 19:41 --------- d-----w c:\documents and settings\Johanan\Application Data\Malwarebytes 2008-11-23 19:40 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes 2008-11-23 04:34 --------- d-----w c:\program files\ordrumbox 2008-11-21 16:18 --------- d-----w c:\documents and settings\Johanan\Application Data\Hamachi 2008-11-21 15:34 --------- d-----w c:\documents and settings\All Users\Application Data\LogMeIn 2008-11-15 23:06 --------- d-----w c:\program files\Veoh Networks 2008-11-15 22:47 --------- d-----w c:\program files\DivX 2008-11-13 19:12 --------- d-----w 
c:\documents and settings\Everyone Else\Application Data\My The Lord of the Rings, The Rise of the Witch-king Files 2008-11-12 19:54 6,188,320 ----a-w c:\windows\system32\drivers\nv4_mini.sys 2008-11-12 16:32 --------- d-----w c:\documents and settings\Everyone Else\Application Data\uTorrent 2008-11-12 16:30 --------- d-----w c:\documents and settings\Everyone Else\Application Data\alot 2008-11-12 00:44 --------- d-----w c:\program files\Silkroad 2008-11-11 15:48 18,048 ----a-w c:\documents and settings\Everyone Else\Application Data\GDIPFONTCACHEV1.DAT 2008-11-04 02:44 --------- d-----w c:\documents and settings\Johanan\Application Data\vlc 2008-11-01 14:31 --------- d-----w c:\program files\MSBuild 2008-11-01 14:31 --------- d-----w c:\program files\Bethesda Softworks 2008-11-01 14:31 --------- d-----w c:\documents and settings\All Users\Application Data\Fallout3 2008-11-01 14:28 --------- d-----w c:\program files\Reference Assemblies 2008-10-30 21:57 22,328 ----a-w c:\windows\system32\drivers\PnkBstrK.sys 2008-10-30 21:57 22,328 ----a-w c:\documents and settings\Johanan\Application Data\PnkBstrK.sys 2008-10-30 21:54 --------- d-----w c:\program files\Ubisoft 2008-10-28 09:17 --------- d-----w c:\program files\Microsoft Silverlight 2008-10-27 17:09 --------- d-----w c:\documents and settings\Johanan\Application Data\My The Lord of the Rings, The Rise of the Witch-king Files 2008-10-06 23:42 47,360 ----a-w c:\documents and settings\Johanan\Application Data\pcouffin.sys 2008-03-19 23:37 17,656 ----a-w c:\documents and settings\Johanan\Application Data\GDIPFONTCACHEV1.DAT 2008-01-14 03:19 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008011320080114\index.dat . ------- Sigcheck ------- 2008-10-18 19:50 360704 1157d0d6ba036fb9537d4cd81375b12c c:\windows\system32\dllcache\TCPIP.SYS 2008-10-18 19:50 360704 1157d0d6ba036fb9537d4cd81375b12c c:\windows\system32\drivers\TCPIP.SYS . 
((((((((((((((((((((((((((((( snapshot@2008-12-25_22.31.40.95 ))))))))))))))))))))))))))))))))))))))))) . + 2008-12-27 17:12:31 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_600.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360] "RGSC"="c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe" [2008-12-16 306088] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "U.S. Robotics Wireless Manager UI"="c:\windows\system32\WLTRAY" [X] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448] "Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 2051096] "Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 2095640] "Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344] "TV Card Remote Control Device Monitor"="c:\windows\713xRMTMon.exe" [2007-06-28 352256] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792] "BootSkin Startup Jobs"="c:\progra~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 270336] "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-29 1261336] "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600] "nwiz"="nwiz.exe" 
[2008-11-12 c:\windows\system32\nwiz.exe] "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe] "RTHDCPL"="RTHDCPL.EXE" [2007-10-24 c:\windows\RTHDCPL.exe] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-01-14 805392] Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "UIHost"="c:\\WINDOWS\\system32\\logonuiX.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn] 2008-05-02 01:42 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv] 2007-09-23 10:10 229376 c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit] 2008-10-16 20:35 87352 c:\windows\system32\LMIinit.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=wbsys.dll,avgrsstx.dll injfrw.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup] @="" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Scheduler for OEM.lnk] backup=c:\windows\pss\Scheduler for OEM.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"= "c:\\Program Files\\Sierra\\FEAR\\FEAR.exe"= "c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"= "c:\\Program 
Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"= "c:\\WINDOWS\\system32\\PnkBstrA.exe"= "c:\\WINDOWS\\system32\\PnkBstrB.exe"= "c:\\Program Files\\Hamachi\\hamachi.exe"= "c:\\Program Files\\Diablo II\\Loader 1.11b.exe"= "c:\\Program Files\\Steam\\steamapps\\the_cancer\\source sdk base\\hl2.exe"= "c:\\WINDOWS\\system32\\LEXPPS.EXE"= "c:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"= "c:\\Program Files\\Trillian\\trillian.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\Steam\\steamapps\\the_cancer\\half-life\\hl.exe"= "c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"= "c:\\Program Files\\Liquid Entertainment\\War of the Ring\\Rings.exe"= "c:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Game.exe"= "c:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Launcher.exe"= "c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth II\\game.dat"= "c:\\Program Files\\Electronic Arts\\The Lord of the Rings, The Rise of the Witch-king\\game.dat"= "c:\\Program Files\\EA GAMES\\The Battle for Middle-earth \\game.dat"= "c:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"= "c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"= "c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"= "c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"= "c:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"= "c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"= "c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"= "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"= "c:\\Program Files\\Rockstar Games\\Rockstar Games Social 
Club\\RGSCLauncher.exe"= "c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "12243:TCP"= 12243:TCP:uTorrent Port "12243:UDP"= 12243:UDP:uTorrent Port R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-09-22 97928] R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-09-22 875288] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-09-22 231704] R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-09-22 76040] R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\c:\windows\system32\drivers\LMIRfsDriver.sys [2008-11-21 47640] R2 TTFixerService;NST ToolTipFixer;"c:\program files\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe" [2007-06-27 10240] S2 713xTVCard;SAA7130 TV Card;c:\windows\system32\DRIVERS\SAA713x.sys [2008-02-14 279552] S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys [] S2 WDMTVTuner;Universal WDM TV Tuner;c:\windows\system32\drivers\WDMTuner.sys [2008-02-14 25984] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D] \Shell\AutoRun\command - D:\Setup.exe . Contents of the 'Scheduled Tasks' folder 2008-12-13 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34] . . ------- Supplementary Scan ------- . 
uStart Page = hxxp://www.daemonsearch.com/ uInternet Settings,ProxyOverride = *.local IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\Johanan\Application Data\Mozilla\Firefox\Profiles\4hvepxft.default\ FF - prefs.js: browser.startup.homepage - yahoo.com FF - component: c:\documents and settings\Johanan\Application Data\Mozilla\Firefox\Profiles\4hvepxft.default\extensions\piclens@cooliris.com\components\coolirisstub.dll FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll FF - plugin: c:\documents and settings\Johanan\Application Data\Mozilla\Firefox\Profiles\4hvepxft.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll FF - plugin: c:\documents and settings\Johanan\Application Data\Mozilla\Firefox\Profiles\4hvepxft.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-12-27 12:13:08 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run TV Card Remote Control Device Monitor = c:\windows\713xRMTMon.exe???TC?f??????????????????A~??G~???|??????A~A?A~??f?,?????????g???????????A~ xg?,?@?????V?????g???????A~??g?????????V???????????x?A~??g???????A~V???????M?A~?????????????c?fV???????????P???<???????P???,?@?????U?C~L????D\uL???*8]u??A???? scanning hidden files ... 
scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(948) c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll c:\windows\system32\LMIinit.dll c:\program files\common files\logishrd\bluetooth\LBTServ.dll c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\WLTRYSVC.EXE c:\windows\system32\BCMWLTRY.EXE c:\windows\system32\LEXBCES.EXE c:\windows\system32\LEXPPS.EXE c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Java\jre6\bin\jqs.exe c:\windows\system32\nvsvc32.exe c:\windows\system32\PnkBstrA.exe c:\windows\system32\PnkBstrB.exe c:\progra~1\AVG\AVG8\avgrsx.exe c:\windows\system32\rundll32.exe c:\program files\Lexmark X1100 Series\lxbkbmon.exe c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe c:\windows\system32\wltray.exe c:\windows\system32\rundll32.exe c:\program files\Microsoft IntelliType Pro\dpupdchk.exe c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe c:\program files\iPod\bin\iPodService.exe c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe . ************************************************************************** . 
Completion time: 2008-12-27 12:20:49 - machine was rebooted ComboFix-quarantined-files.txt 2008-12-27 17:20:47 ComboFix2.txt 2008-12-26 03:32:05 Pre-Run: 44,224,589,824 bytes free Post-Run: 44,163,510,272 bytes free 282 -- HijackThis log: -- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 3:57:45 PM, on 12/27/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.20696) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\system32\PnkBstrB.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe C:\WINDOWS\713xRMTMon.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe C:\WINDOWS\system32\WLTRAY.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program 
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [TV Card Remote Control Device Monitor] C:\WINDOWS\713xRMTMon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [U.S. Robotics Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RGSC] C:\Program Files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1229454768968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1229454486187
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: wbsys.dll,avgrsstx.dll injfrw.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: NST ToolTipFixer (TTFixerService) - NeoSmart Technologies - C:\Program Files\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe
O23 - Service: U.S. Robotics Wireless LAN Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8152 bytes
--

Kaspersky Online log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, December 27, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, December 27, 2008 13:28:06
Records in database: 1520697
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 123438
Threat name: 3
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 03:11:21

File name / Threat name / Threats count
C:\Program Files\HTV\HTV.006 Infected: not-a-virus:Monitor.Win32.Ardamax.hi 1
C:\Program Files\HTV\HTV.007 Infected: not-a-virus:Monitor.Win32.Ardamax.o 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\iiffFyYo.dll.vir Infected: Trojan.Win32.Monderb.aaiq 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\qoMeEXPg.dll.vir Infected: Trojan.Win32.Monderb.aaiq 1

The selected area was scanned.
--
By the way, the Ardamax entries shown are from a keylogger I purposely installed a few months back to monitor my computer and aren't related to the current problem. I would still like to get rid of it, though, as Add/Remove Programs seems to not have gotten the job done. Thanks again for all of your help!
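The HJT Team reads a log like the one above by hand, but the entry classes that carried this infection can be checked mechanically: an R0/R1 start or search page pointing somewhere other than the vendor default, O4 Run entries that name an executable without a full path (Windows resolves those through the search path, so what actually runs must be verified), an O20 AppInit_DLLs value listing DLLs that do not belong to an installed product (every process that loads user32.dll will map them), and O23 services whose file carries no company name. The following is an added example, my code rather than anything from the original post or from HijackThis; it parses a few lines copied from the posted log. The allow-lists EXPECTED_HOME_HOSTS and KNOWN_APPINIT_DLLS are assumptions chosen for illustration and should be built from what is really installed on the machine.

```python
import re

# Assumed allow-lists for this illustration; tune them to what is actually installed.
EXPECTED_HOME_HOSTS = {"go.microsoft.com", "www.microsoft.com"}
KNOWN_APPINIT_DLLS = {"avgrsstx.dll"}  # AVG 8's own hook, the one the helper's fix keeps

# Constructed sample: seven lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: wbsys.dll,avgrsstx.dll injfrw.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
URL_RE = re.compile(r"=\s*(?P<url>\S+)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def split_appinit(value):
    """AppInit_DLLs is a space- or comma-separated list, which is why the
    posted value mixes both delimiters; split on either."""
    return [d for d in re.split(r"[ ,]+", value.strip()) if d]


def host_of(url):
    m = re.match(r"https?://([^/]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def triage(log_text):
    """Return (severity, kind, detail) findings for the entry classes that
    carried this infection. Values that are not URLs (e.g. ProxyOverride)
    are skipped rather than flagged."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1"):
            u = URL_RE.search(body)
            host = host_of(u.group("url")) if u else ""
            if host and host not in EXPECTED_HOME_HOSTS:
                findings.append(("high", kind, "browser start/search page points at %s" % host))
        elif kind == "O4":
            r = RUN_RE.search(body)
            if r:
                first = r.group("cmd").strip().strip('"').split()[0]
                if not re.match(r"^[A-Za-z]:\\", first):
                    findings.append(("verify", kind, "[%s] runs %s without a full path (resolved via the search path)" % (r.group("name"), first)))
        elif kind == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = split_appinit(body[len("AppInit_DLLs:"):])
            unknown = [d for d in dlls if d.lower() not in KNOWN_APPINIT_DLLS]
            if unknown:
                findings.append(("high", kind, "AppInit_DLLs injects unknown DLLs into every user32 process: " + ", ".join(unknown)))
        elif kind == "O23":
            s = SERVICE_RE.match(body)
            if s and s.group("owner").strip().lower() == "unknown owner":
                findings.append(("verify", kind, "service %s has no company name in its version info: %s" % (s.group("name"), s.group("path"))))
    return findings


if __name__ == "__main__":
    for severity, kind, detail in triage(SAMPLE_LOG):
        print("%-6s %-4s %s" % (severity, kind, detail))
```

On the sample this reports the daemonsearch.com start page and the two unlisted AppInit DLLs as high, and the KHALMNPR.EXE Run entry and the PnkBstrA service as items to verify. "Verify" findings are not verdicts: the PunkBuster services and the Logitech entry in this log are legitimate, which is exactly why the allow-lists have to reflect the machine rather than a generic table.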
Dec 27 2008, 05:08 PM, Post #6
Surgeon General (Group: HJT Team, Posts: 1,521, Joined: 4-March 06, From: Puerto Rico, Member No.: 57,930)
QUOTE
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="avgrsstx.dll"

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):
C:\Program Files\HTV\HTV.006
C:\Program Files\HTV\HTV.007

How is the computer doing?
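The fix above restores AppInit_DLLs to AVG's own DLL by merging a REGEDIT4 file. As an added example (my code, not the helper's tooling), here is how to generate that fix file, together with a rollback file that records the value being replaced, from the O20 value seen in the posted log. KEY is the key from the helper's post and OBSERVED is the value from the log; KEEP is an assumed allow-list. The escaping matters: in .reg string data a backslash must be written as two and a double quote as \", while the key path inside the square brackets is written unescaped.

```python
import re

KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
OBSERVED = "wbsys.dll,avgrsstx.dll injfrw.dll"   # the O20 value in the posted log
KEEP = {"avgrsstx.dll"}                          # assumption: only AVG's hook is wanted


def reg_escape(s):
    """Escape REG_SZ data for a .reg file: backslashes doubled, quotes backslashed."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def reg_file(key, values):
    """Render a REGEDIT4 (ANSI-format) file that sets REG_SZ values under one key.
    Lines are CRLF-terminated and the file ends with a blank line, as regedit expects."""
    lines = ["REGEDIT4", "", "[%s]" % key]
    for name, data in values.items():
        lines.append('"%s"="%s"' % (reg_escape(name), reg_escape(data)))
    lines.append("")
    return "\r\n".join(lines) + "\r\n"


def clean_appinit(observed, keep):
    """Split the observed list (Windows accepts space or comma separators) and
    keep only allow-listed DLLs, preserving order. Returns (new_value, removed)."""
    dlls = [d for d in re.split(r"[ ,]+", observed.strip()) if d]
    kept = [d for d in dlls if d.lower() in keep]
    removed = [d for d in dlls if d.lower() not in keep]
    return " ".join(kept), removed


def build_fix(observed=OBSERVED, keep=KEEP):
    """Return (fix_reg, rollback_reg, removed_dlls) for the AppInit_DLLs clean-up."""
    new_value, removed = clean_appinit(observed, keep)
    fix = reg_file(KEY, {"AppInit_DLLs": new_value})
    rollback = reg_file(KEY, {"AppInit_DLLs": observed})
    return fix, rollback, removed


if __name__ == "__main__":
    fix, rollback, removed = build_fix()
    # Write as ANSI text (cp1252 on an English system) with newline="" so the
    # CRLF line endings are not translated; the REGEDIT4 header is the ANSI format.
    for path, text in (("appinit_fix.reg", fix), ("appinit_rollback.reg", rollback)):
        with open(path, "w", newline="", encoding="cp1252") as fh:
            fh.write(text)
    print("DLLs dropped from AppInit_DLLs, locate and quarantine these files:", removed)
```

Merging the fix does not unload anything: a DLL listed in AppInit_DLLs stays mapped in every user32 process that was already running, so a reboot is part of the fix, and the names returned in removed are the files to find on disk and quarantine. The rollback file is what lets the change be undone if one of the dropped DLLs turns out to belong to an installed product.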
Dec 27 2008, 06:45 PM, Post #7
Member (Group: Members, Posts: 26, Joined: 24-December 08, Member No.: 273,718)
Everything seems fine except for some random Google redirects. They only occur about 25% of the time. They're going through goougly.com, and neither Malwarebytes nor Spybot S&D picked up on them.
Dec 27 2008, 07:11 PM, Post #8
Surgeon General (Group: HJT Team, Posts: 1,521, Joined: 4-March 06, From: Puerto Rico, Member No.: 57,930)
Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.
Dec 27 2008, 07:13 PM, Post #9
Member (Group: Members, Posts: 26, Joined: 24-December 08, Member No.: 273,718)
GooredFix v1.6 by jpshortstuff
Log created at 19:12 on 27/12/2008 running Option #1
Firefox version 3.0.5 (en-US)

=====Suspect Goored Entries=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{857A169A-22D8-4266-8EAB-39B0C1CE566C}"="C:\Documents and Settings\Johanan\Local Settings\Application Data\{857A169A-22D8-4266-8EAB-39B0C1CE566C}"

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{857A169A-22D8-4266-8EAB-39B0C1CE566C}"="C:\Documents and Settings\Johanan\Local Settings\Application Data\{857A169A-22D8-4266-8EAB-39B0C1CE566C}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"paypalfirefoxplugin@orbiscom"="C:\Program Files\PayPal\PayPal Plug-In"
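What GooredFix found is the persistence mechanism behind the goougly.com redirects: a value under HKLM\SOFTWARE\Mozilla\Firefox\extensions registers an add-on for every Firefox profile on the machine without going through the add-on install prompt, and this one points at a GUID-named folder under the user's Local Settings\Application Data rather than at an installed product. Nothing in the HijackThis log above lists this key, which is why the redirects survived the earlier clean-up. The following is an added example (my code, not GooredFix or anything from the original post) that parses a registry dump in the format GooredFix printed and scores each registration; the sample dump is the one posted above, reformatted one registry line per row, and the TRUSTED_ROOTS and PROFILE_MARKERS heuristics are my assumptions, not GooredFix's logic.

```python
import re

# Constructed sample: the "Dumping Registry Values" section from the posted
# GooredFix log, one registry line per row.
DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{857A169A-22D8-4266-8EAB-39B0C1CE566C}"="C:\Documents and Settings\Johanan\Local Settings\Application Data\{857A169A-22D8-4266-8EAB-39B0C1CE566C}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"paypalfirefoxplugin@orbiscom"="C:\Program Files\PayPal\PayPal Plug-In"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"$')
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Assumed heuristics: where a legitimately installed extension is expected to
# live, and path fragments that mean "inside a user profile" on Windows XP.
TRUSTED_ROOTS = ("c:\\program files\\",)
PROFILE_MARKERS = ("\\documents and settings\\", "\\local settings\\", "\\application data\\")


def parse_dump(text):
    """Yield (key, value_name, path) from a GooredFix-style registry dump."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        k = KEY_RE.match(line)
        if k:
            key = k.group("key")
            continue
        v = VALUE_RE.match(line)
        if v and key:
            yield key, v.group("name"), v.group("path")


def reasons_to_suspect(name, path):
    """Return the list of reasons this extension registration looks planted."""
    low = path.lower()
    reasons = []
    if not low.startswith(TRUSTED_ROOTS):
        reasons.append("registered outside Program Files")
    if any(marker in low for marker in PROFILE_MARKERS):
        reasons.append("lives in a user profile directory")
    last = path.rstrip("\\").rsplit("\\", 1)[-1]
    if GUID_RE.match(name) and last == name:
        reasons.append("GUID-named folder registered under its own GUID")
    return reasons


def find_suspects(text):
    """Return [(key, name, path, reasons)] for registrations with at least one reason."""
    suspects = []
    for key, name, path in parse_dump(text):
        reasons = reasons_to_suspect(name, path)
        if reasons:
            suspects.append((key, name, path, reasons))
    return suspects


if __name__ == "__main__":
    for key, name, path, reasons in find_suspects(DUMP):
        print("[%s]\n  %s -> %s\n  %s" % (key, name, path, "; ".join(reasons)))
```

On the posted dump only the {857A169A-...} registration scores, on all three counts; the AVG entry also has a GUID as its value name but points into Program Files at a folder with a normal name, so it passes. When a registration does score, the remediation is the one GooredFix performed: back up the value and the folder, delete both, and confirm the redirects stop.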
Dec 27 2008, 07:43 PM, Post #10
Surgeon General (Group: HJT Team, Posts: 1,521, Joined: 4-March 06, From: Puerto Rico, Member No.: 57,930)
Please double-click Goored.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).
Dec 27 2008, 07:47 PM, Post #11
Member (Group: Members, Posts: 26, Joined: 24-December 08, Member No.: 273,718)
GooredFix v1.6 by jpshortstuff
Log created at 19:44 on 27/12/2008 running Option #2
Firefox version 3.0.5 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{857A169A-22D8-4266-8EAB-39B0C1CE566C}"="C:\Documents and Settings\Johanan\Local Settings\Application Data\{857A169A-22D8-4266-8EAB-39B0C1CE566C}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\Johanan\Local Settings\Application Data\{857A169A-22D8-4266-8EAB-39B0C1CE566C}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"paypalfirefoxplugin@orbiscom"="C:\Program Files\PayPal\PayPal Plug-In"

--
As far as I can tell, the redirects have stopped, and it also seems that I can navigate through pages faster. Looks like everything's clean! Thanks for all of your help!
Dec 27 2008, 07:51 PM, Post #12
Surgeon General (Group: HJT Team, Posts: 1,521, Joined: 4-March 06, From: Puerto Rico, Member No.: 57,930)
Hi, RedPenumbra.
Congratulations.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore. On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. Check Turn off System Restore. Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore. On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. UN-Check *Turn off System Restore*. Click Apply, and then click OK.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools. Follow these steps to uninstall Combofix and tools used in the removal of malware
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
Best wishes!
Dec 27 2008, 08:22 PM, Post #13
Member (Group: Members, Posts: 26, Joined: 24-December 08, Member No.: 273,718)
Followed your advice and everything's working great! Thanks again for helping me through the holidays.
Oh, and an early Happy New Year!
Dec 30 2008, 02:03 AM, Post #14
Surgeon General (Group: HJT Team, Posts: 1,521, Joined: 4-March 06, From: Puerto Rico, Member No.: 57,930)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.