BleepingComputer.com: Help! First time with all this.. I'm infected

Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

Help! First time with all this.. I'm infected Not sure how to remove it

#1 User is offline   Scheme2009 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 5
  • Joined: 09-January 09

Posted 09 January 2009 - 05:01 PM

I am getting popups from <http://sagipsul.com> and <http://my.internetgiftpromotions.com> and random ones with what seem to be IP addresses like.... <http://77.93.75.150/dot.gif/?ver=112&cmp=profiling4&uid=F21114D2DDDA11DDB998166350CFFFFF&guid=1D86E5D8E9F34AB6820B97BC5420F0F7&affid=166350&rid=zdez&m=irq4&revid=9879&lid=clients1.google.com%2Fcomplete%2Fsearch%3Fhl=en%26gl=us%26q=c&uqs=2&s=0&c1=2&c2=0&uid_track=1f71667d-d04a-4a18-862e-468ee7938961&br=firefox>

Also this morning prior to doing the following scanning i had a SCRSS.DLL in my startup and such...

I've run CCleaner - Malwareremover - AVG - Trendmicro- and Spydoctor

Help.. it was at the point where whenever i'd open my IE it would clsoe immediately and when i would type any msg on AIM it'd close immediately... some of the scanning i've done has helped that out as that doesnt seem to be working but am gettin annoying popups which I can usually get rid of...

here's my log


DDS (Ver_09-01-07.01) - NTFSx86
Run by SAL at 16:54:07.07 on Fri 01/09/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1791.1264 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Creative Professional\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\Documents and Settings\SAL\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://gmail.com/
uInternet Settings,ProxyOverride = *.local
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: c:\windows\system32\rakmdlkd83indfgnbu.dll: {d5bf4552-94f1-42bd-f434-3604812c807d} - c:\windows\system32\rakmdlkd83indfgnbu.dll
TB: Viewpoint Toolbar: {f8ad5aa5-d966-4667-9daf-2561d68b2012} - c:\program files\viewpoint\viewpoint toolbar\ViewBar.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [cogad] "c:\documents and settings\sal\application data\cogad\cogad.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
IE: &Viewpoint Search - c:\program files\viewpoint\viewpoint toolbar\ViewBar.dll/CXTSEARCH.HTML
LSP: c:\windows\system32\imon.dll
Trusted Zone: aol.com\free
TCP: {7B8ADE24-E8C9-4E8A-882B-EDEB03EB2FE2} = 24.29.103.15,24.29.103.16
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: oykppo.dll,avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\rakmdlkd83indfgnbu.dll: {d5bf4552-94f1-42bd-f434-3604812c807d} - c:\windows\system32\rakmdlkd83indfgnbu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sal\applic~1\mozilla\firefox\profiles\u09gxoft.sal\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - gmail.com
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2006-2-10 15872]
R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2007-10-13 11264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-8 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-8 26824]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-12-26 15424]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2007-10-13 33792]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-3-20 98328]
R3 CTEDSPFX.SYS;CTEDSPFX.SYS;c:\windows\system32\drivers\CTEDSPFX.sys [2008-3-20 259096]
R3 CTEDSPIO.SYS;CTEDSPIO.SYS;c:\windows\system32\drivers\CTEDSPIO.sys [2008-3-20 134168]
R3 CTEDSPSY.SYS;CTEDSPSY.SYS;c:\windows\system32\drivers\CTEDSPSY.sys [2008-3-20 309784]
R3 vdiskbus;Virtual Disk Bus;c:\windows\system32\drivers\VDiskBus.sys [2006-8-18 35107]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-8 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-8 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-8 76040]
S1 IpIock2;IpIock2;\??\c:\windows\system32\drivers\uagfdisk.sys --> c:\windows\system32\drivers\uagfdisk.sys [?]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-3-20 98328]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2008-3-20 171032]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-3-20 171032]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-3-20 528920]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-3-20 528920]
S3 CTEAPSFX.SYS;CTEAPSFX.SYS;c:\windows\system32\drivers\CTEAPSFX.sys [2008-3-20 163352]
S3 CTEAPSFX;CTEAPSFX;c:\windows\system32\drivers\CTEAPSFX.sys [2008-3-20 163352]
S3 CTEDSPFX;CTEDSPFX;c:\windows\system32\drivers\CTEDSPFX.sys [2008-3-20 259096]
S3 CTEDSPIO;CTEDSPIO;c:\windows\system32\drivers\CTEDSPIO.sys [2008-3-20 134168]
S3 CTEDSPSY;CTEDSPSY;c:\windows\system32\drivers\CTEDSPSY.sys [2008-3-20 309784]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-3-20 99352]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-3-20 99352]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2008-3-20 1324056]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2008-3-20 1324056]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2008-3-20 72728]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2008-3-20 72728]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-3-20 534040]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-3-20 534040]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2005-5-25 74752]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2007-1-6 17149]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2007-10-20 41288]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2007-10-20 62280]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2007-10-20 79688]
S3 MPD16USB;AKAIpro MPD16 Driver;c:\windows\system32\drivers\MPD16USB.sys [2005-11-20 19712]
S3 RDID1045;Roland FANTOM-X;c:\windows\system32\drivers\RDWM1045.SYS [2005-7-11 59642]
S3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter;c:\windows\system32\drivers\wg121nd5.sys --> c:\windows\system32\drivers\wg121nd5.sys [?]
S4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
S4 AdLib FMR;AdLib FMR;c:\progra~1\adlib\adlibe~1\AdLibFMR.exe [2006-12-14 266240]
S4 Neepderasaa;Neepderasaa; [x]
S4 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2008-12-26 552064]
S4 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\svcntaux.exe [2007-10-20 742216]
S4 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\swdsvc.exe [2007-10-20 1415496]
S4 Stuffit Archive Name Service;Stuffit Archive Name Service;c:\program files\smith micro\stuffit11\ArcNameService.exe [2007-10-8 157000]

=============== Created Last 30 ================

2009-01-08 22:13 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-01-08 22:05 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-08 22:05 76,040 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-08 22:05 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-08 22:05 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-01-08 22:04 <DIR> --d----- c:\program files\AVG
2009-01-08 22:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-01-08 20:52 <DIR> --d----- c:\program files\AIM
2009-01-08 18:30 <DIR> --d----- c:\docume~1\sal\applic~1\cogad
2009-01-08 18:27 139,264 a------- c:\windows\system32\oykppo.dll
2009-01-08 18:27 139,264 a------- c:\windows\system32\hwdnqfpw.dll
2009-01-07 18:12 4,958,588 a------- c:\windows\{00000000-00000000-00000005-00001102-00000008-40021102}.CDF
2009-01-07 18:11 11,564 a------- c:\windows\system32\DVCState-{00000000-00000000-00000005-00001102-00000008-40021102}.rfx
2009-01-07 18:11 924 a------- c:\windows\system32\BMXCtrlState-{00000000-00000000-00000005-00001102-00000008-40021102}.rfx
2009-01-07 18:11 924 a------- c:\windows\system32\BMXBkpCtrlState-{00000000-00000000-00000005-00001102-00000008-40021102}.rfx
2009-01-07 18:11 64 a------- c:\windows\system32\BMXStateBkp-{00000000-00000000-00000005-00001102-00000008-40021102}.rfx
2009-01-07 18:11 64 a------- c:\windows\system32\BMXState-{00000000-00000000-00000005-00001102-00000008-40021102}.rfx
2009-01-07 18:10 86,016 a------- c:\windows\system32\cttele.dll
2009-01-07 18:09 114,688 a------- c:\windows\system32\OpenAL32.dll
2009-01-07 18:09 10,240 a------- c:\windows\CTDCRES.DLL
2009-01-07 18:09 2,560 a------- c:\windows\CTXFIRES.DLL
2009-01-05 22:05 1,764,864 a------- c:\windows\system32\Lexicon PSP42.dll
2009-01-05 22:05 <DIR> --d----- c:\program files\PSP 608 MultiDelay
2009-01-05 22:05 8,396,800 a------- c:\windows\system32\PSP 608.dll
2009-01-05 22:03 <DIR> --d----- c:\program files\PSP VintageWarmer 1.6.5
2009-01-05 22:03 6,533,120 a------- c:\windows\system32\PSP VintageWarmer.dll
2009-01-05 22:03 2,568,192 a------- c:\windows\system32\PSP VintageMeter.dll
2009-01-05 22:03 <DIR> --d----- c:\windows\PSP StereoPack
2009-01-05 22:03 <DIR> --d----- c:\program files\PSP StereoPack 1.8
2009-01-05 22:02 2,990,592 a------- c:\windows\system32\PSP 84.dll
2009-01-05 22:02 <DIR> --d----- c:\program files\PSP
2009-01-05 22:02 <DIR> --d----- c:\program files\PSP Nitro
2009-01-05 22:01 <DIR> --d----- c:\program files\PSPaudioware.com
2009-01-05 22:01 475,136 a------- c:\windows\system32\PSP MixBass.dll
2009-01-05 22:01 856,064 a------- c:\windows\system32\PSP MixTreble.dll
2009-01-05 22:01 708,608 a------- c:\windows\system32\PSP MixPressor.dll
2009-01-05 22:01 643,072 a------- c:\windows\system32\PSP MixSaturator.dll
2009-01-05 22:01 <DIR> --d----- c:\program files\PSP MixPack 1.8
2009-01-05 22:00 286,720 a------- c:\windows\iun506.exe
2009-01-05 22:00 <DIR> --d----- c:\program files\PSP MasterQ 1.0
2009-01-05 21:59 <DIR> --d----- c:\windows\PSP MasterComp
2009-01-05 21:59 <DIR> --d----- c:\program files\PSP MasterComp 1.0.0
2009-01-05 18:38 <DIR> --d----- c:\program files\Psicraft
2009-01-05 18:38 <DIR> --d----- c:\docume~1\sal\applic~1\Psicraft
2008-12-28 21:19 32,000 a------- c:\windows\system32\drivers\usbaapl.sys
2008-12-26 23:07 512,096 a------- c:\windows\system32\drivers\amon.sys
2008-12-26 23:07 298,104 a------- c:\windows\system32\imon.dll
2008-12-26 23:07 15,424 a------- c:\windows\system32\drivers\nod32drv.sys
2008-12-26 23:06 <DIR> --d----- c:\program files\ESET
2008-12-21 09:58 <DIR> --d----- c:\docume~1\sal\applic~1\Malwarebytes
2008-12-21 09:57 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-21 09:57 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-21 09:57 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-21 09:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-20 15:24 <DIR> --d----- c:\documents and settings\sal\.housecall6.6
2008-12-19 21:40 129,784 a------- c:\windows\system32\pxafs.dll
2008-12-19 21:40 120,056 a------- c:\windows\system32\pxcpyi64.exe
2008-12-19 21:40 118,520 a------- c:\windows\system32\pxinsi64.exe
2008-12-19 21:40 9,464 a------- c:\windows\system32\drivers\cdralw2k.sys
2008-12-19 21:40 9,336 a------- c:\windows\system32\drivers\cdr4_xp.sys
2008-12-19 21:39 <DIR> --d----- c:\program files\DivX

==================== Find3M ====================

2009-01-07 18:09 409,600 a------- c:\windows\system32\wrap_oal.dll
2009-01-05 22:05 659,456 a------- c:\windows\iun6002.exe
2008-11-21 16:47 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-21 16:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 16:47 43,528 a------- c:\windows\system32\drivers\pxhelp20.sys
2008-11-21 16:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 16:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-21 16:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 16:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-16 05:37 659,456 a------- c:\windows\system32\wininet.dll
2007-07-08 08:23 87,608 a------- c:\docume~1\sal\applic~1\inst.exe
2007-07-08 08:23 47,360 a------- c:\docume~1\sal\applic~1\pcouffin.sys
2006-08-05 20:52 81,920 a------- c:\docume~1\sal\applic~1\ezpinst.exe
2014-06-13 14:36 1,537 a--sh--- c:\windows\page files\maxmeg.sys

============= FINISH: 16:54:53.59 ===============

Attached File(s)


This post has been edited by Orange Blossom: 09 January 2009 - 06:59 PM
Reason for edit: Deactivate links. ~ OB

#2 User is offline   teacup61 

  • Bleepin' Texan in Ohio!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 17,056
  • Joined: 05-April 06
  • Gender:Female
  • Location:New Bremen, Ohio

Posted 22 January 2009 - 10:15 PM

Hello Scheme2009,

Posted Image

Sorry about the delay.:thumbsup: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!
Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 User is offline   Scheme2009 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 5
  • Joined: 09-January 09

Posted 23 January 2009 - 04:41 PM

Not gettin same popups as then but system is still a bit sluggish ... would appreciate u overlooking it

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:41:22 PM, on 1/23/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Creative Professional\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: C:\WINDOWS\system32\rakmdlkd83indfgnbu.dll - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rakmdlkd83indfgnbu.dll (file missing)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [cogad] "C:\Documents and Settings\SAL\Application Data\cogad\cogad.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1116973915758
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B8ADE24-E8C9-4E8A-882B-EDEB03EB2FE2}: NameServer = 24.29.103.15,24.29.103.16
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: oykppo.dll,avgrsstx.dll
O22 - SharedTaskScheduler: erajhsf8743kjrngjnf - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rakmdlkd83indfgnbu.dll (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 3708 bytes

#4 User is offline   teacup61 

  • Bleepin' Texan in Ohio!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 17,056
  • Joined: 05-April 06
  • Gender:Female
  • Location:New Bremen, Ohio

Posted 23 January 2009 - 06:41 PM

Hello,

I see Viewpoint installed.
Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we knew in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now, if you did not install it. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

* Viewpoint
* Viewpoint Manager
* Viewpoint Media Player

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: C:\WINDOWS\system32\rakmdlkd83indfgnbu.dll - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rakmdlkd83indfgnbu.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKCU\..\Run: [cogad] "C:\Documents and Settings\SAL\Application Data\cogad\cogad.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O22 - SharedTaskScheduler: erajhsf8743kjrngjnf - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rakmdlkd83indfgnbu.dll (file missing)

Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Navigate to and delete the following folder(s) (if they exist):

C:\Program Files\Viewpoint
C:\Documents and Settings\SAL\Application Data\cogad

Reboot your computer.

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Let me know also how it's running now, please. :thumbsup:

Thanks,
tea

This post has been edited by teacup61: 23 January 2009 - 06:42 PM

Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!
Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 User is offline   Scheme2009 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 5
  • Joined: 09-January 09

Posted 23 January 2009 - 09:00 PM

Here's the MBAM Log

Malwarebytes' Anti-Malware 1.33
Database version: 1685
Windows 5.1.2600 Service Pack 2

1/23/2009 8:58:37 PM
mbam-log-2009-01-23 (20-58-37).txt

Scan type: Quick Scan
Objects scanned: 56673
Time elapsed: 14 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Heres HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:33 PM, on 1/23/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Creative Professional\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1116973915758
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B8ADE24-E8C9-4E8A-882B-EDEB03EB2FE2}: NameServer = 24.29.103.15,24.29.103.16
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: oykppo.dll,avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 2948 bytes


Seems to be running better? Not exactly sure cause I havent been doin much yet

let me know if you spot anything...

Yea... just as I was typing this I got a sound outa no where.. usually the default beep or "orchestra hit" (sorry im a music producer.. thats how i'd describe it) ... the same windows sound that usally is like when a window is open and u click behind it and it wont let u ... so it makes that beep

i've been gettin them periodically

#6 User is offline   teacup61 

  • Bleepin' Texan in Ohio!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 17,056
  • Joined: 05-April 06
  • Gender:Female
  • Location:New Bremen, Ohio

Posted 23 January 2009 - 11:03 PM

HHmmmmm....in that case I think we should use something a lot stronger. :thumbsup:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!
Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 User is offline   Scheme2009 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 5
  • Joined: 09-January 09

Posted 24 January 2009 - 08:45 AM

Combo Fix Log:

ComboFix 09-01-21.04 - SAL 2009-01-24 8:30:37.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1791.1226 [GMT -5:00]
Running from: c:\documents and settings\SAL\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\SAL\Application Data\inst.exe
c:\documents and settings\SAL\Local Settings\Temporary Internet Files\fbk.sts
C:\Documents
C:\smp.bat
c:\windows\system32\open.ico
c:\windows\system32\tb.dr
c:\windows\Tasks\tbqpmvwu.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_seneka
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-12-24 to 2009-01-24 )))))))))))))))))))))))))))))))
.

2009-01-23 16:40 . 2009-01-23 16:40 <DIR> d-------- c:\program files\Trend Micro
2009-01-09 17:03 . 2001-08-17 14:56 66,048 --a--c--- c:\windows\system32\dllcache\s3legacy.dll
2009-01-08 22:13 . 2009-01-09 00:16 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-08 22:05 . 2009-01-23 16:33 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-08 22:05 . 2009-01-08 22:05 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-08 22:05 . 2009-01-08 22:05 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-01-08 22:05 . 2009-01-08 22:05 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-08 22:04 . 2009-01-08 22:04 <DIR> d-------- c:\program files\AVG
2009-01-08 22:04 . 2009-01-08 22:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-08 20:54 . 2009-01-08 20:54 <DIR> d-------- c:\documents and settings\SAL\Application Data\Aim
2009-01-08 20:52 . 2009-01-15 22:44 <DIR> d-------- c:\program files\AIM
2009-01-07 18:12 . 2009-01-07 18:12 4,958,588 --a------ c:\windows\{00000000-00000000-00000005-00001102-00000008-40021102}.CDF
2009-01-07 18:11 . 2009-01-24 08:34 11,564 --a------ c:\windows\system32\DVCState-{00000000-00000000-00000005-00001102-00000008-40021102}.rfx
2009-01-07 18:11 . 2009-01-24 08:34 1,104 --a------ c:\windows\system32\BMXCtrlState-{00000000-00000000-00000005-00001102-00000008-40021102}.rfx
2009-01-07 18:11 . 2009-01-24 08:34 1,104 --a------ c:\windows\system32\BMXBkpCtrlState-{00000000-00000000-00000005-00001102-00000008-40021102}.rfx
2009-01-07 18:11 . 2009-01-24 08:34 64 --a------ c:\windows\system32\BMXStateBkp-{00000000-00000000-00000005-00001102-00000008-40021102}.rfx
2009-01-07 18:11 . 2009-01-24 08:34 64 --a------ c:\windows\system32\BMXState-{00000000-00000000-00000005-00001102-00000008-40021102}.rfx
2009-01-07 18:10 . 2006-11-14 15:28 86,016 --a------ c:\windows\system32\cttele.dll
2009-01-07 18:09 . 2009-01-07 18:09 114,688 --a------ c:\windows\system32\OpenAL32.dll
2009-01-07 18:09 . 2008-03-20 15:34 10,240 --a------ c:\windows\CTDCRES.DLL
2009-01-07 18:09 . 2008-03-20 15:35 2,560 --a------ c:\windows\CTXFIRES.DLL
2009-01-05 22:05 . 2009-01-05 22:05 <DIR> d-------- c:\program files\PSP 608 MultiDelay
2009-01-05 22:05 . 2009-01-05 22:05 8,396,800 --a------ c:\windows\system32\PSP 608.dll
2009-01-05 22:05 . 2009-01-05 22:05 1,764,864 --a------ c:\windows\system32\Lexicon PSP42.dll
2009-01-05 22:03 . 2009-01-05 22:03 <DIR> d-------- c:\windows\PSP StereoPack
2009-01-05 22:03 . 2009-01-05 22:05 <DIR> d-------- c:\program files\PSP VintageWarmer 1.6.5
2009-01-05 22:03 . 2009-01-05 22:03 <DIR> d-------- c:\program files\PSP StereoPack 1.8
2009-01-05 22:03 . 2009-01-05 22:03 6,533,120 --a------ c:\windows\system32\PSP VintageWarmer.dll
2009-01-05 22:03 . 2009-01-05 22:03 2,568,192 --a------ c:\windows\system32\PSP VintageMeter.dll
2009-01-05 22:02 . 2009-01-05 22:02 <DIR> d-------- c:\program files\PSP Nitro
2009-01-05 22:02 . 2009-01-05 22:02 <DIR> d-------- c:\program files\PSP
2009-01-05 22:02 . 2009-01-05 22:02 2,990,592 --a------ c:\windows\system32\PSP 84.dll
2009-01-05 22:01 . 2009-01-05 22:01 <DIR> d-------- c:\program files\PSPaudioware.com
2009-01-05 22:01 . 2009-01-05 22:01 <DIR> d-------- c:\program files\PSP MixPack 1.8
2009-01-05 22:01 . 2004-08-05 00:34 856,064 --a------ c:\windows\system32\PSP MixTreble.dll
2009-01-05 22:01 . 2004-08-05 00:34 708,608 --a------ c:\windows\system32\PSP MixPressor.dll
2009-01-05 22:01 . 2004-08-05 00:34 643,072 --a------ c:\windows\system32\PSP MixSaturator.dll
2009-01-05 22:01 . 2004-08-05 00:34 475,136 --a------ c:\windows\system32\PSP MixBass.dll
2009-01-05 22:00 . 2009-01-05 22:00 <DIR> d-------- c:\program files\PSP MasterQ 1.0
2009-01-05 22:00 . 2009-01-05 22:00 286,720 --a------ c:\windows\iun506.exe
2009-01-05 21:59 . 2009-01-05 21:59 <DIR> d-------- c:\windows\PSP MasterComp
2009-01-05 21:59 . 2009-01-05 22:00 <DIR> d-------- c:\program files\PSP MasterComp 1.0.0
2009-01-05 18:38 . 2009-01-05 18:38 <DIR> d-------- c:\program files\Psicraft
2009-01-05 18:38 . 2009-01-05 18:38 <DIR> d-------- c:\documents and settings\SAL\Application Data\Psicraft
2008-12-28 21:21 . 2008-12-28 21:22 <DIR> d-------- c:\program files\QuickTime
2008-12-28 21:20 . 2008-12-28 21:20 <DIR> d-------- c:\program files\Apple Software Update
2008-12-28 21:19 . 2008-12-28 21:19 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-12-28 21:19 . 2008-12-28 21:40 <DIR> d-------- c:\program files\Common Files\Apple
2008-12-28 21:19 . 2008-11-07 14:23 32,000 --a------ c:\windows\system32\drivers\usbaapl.sys
2008-12-26 23:07 . 2008-12-26 23:06 512,096 --a------ c:\windows\system32\drivers\amon.sys
2008-12-26 23:07 . 2008-12-26 23:06 298,104 --a------ c:\windows\system32\imon.dll
2008-12-26 23:07 . 2008-12-26 23:06 15,424 --a------ c:\windows\system32\drivers\nod32drv.sys
2008-12-26 23:06 . 2008-12-27 10:30 <DIR> d-------- c:\program files\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-24 01:42 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-24 01:31 --------- d-----w c:\documents and settings\SAL\Application Data\Viewpoint
2009-01-24 01:31 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-17 01:27 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-14 21:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 21:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-09 04:27 --------- d-----w c:\program files\DVDFab Gold 3
2009-01-08 01:37 --------- d-----w c:\documents and settings\SAL\Application Data\Digidesign
2009-01-06 03:05 659,456 ----a-w c:\windows\iun6002.exe
2009-01-06 03:05 --------- d-----w c:\program files\PSPaudioware
2008-12-29 02:40 --------- d-----w c:\program files\iPod
2008-12-29 02:32 --------- d-----w c:\documents and settings\SAL\Application Data\Apple Computer
2008-12-29 02:22 --------- d-----w c:\program files\Bonjour
2008-12-29 02:21 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-27 16:51 --------- d-----w c:\program files\CCleaner
2008-12-23 03:05 --------- d-----w c:\program files\Starcraft
2008-12-21 14:58 --------- d-----w c:\documents and settings\SAL\Application Data\Malwarebytes
2008-12-21 14:57 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-20 18:25 --------- d-----w c:\program files\Visicom Media
2008-12-20 02:47 --------- d-----w c:\documents and settings\SAL\Application Data\DivX
2008-12-20 02:40 --------- d-----w c:\program files\DivX
2008-12-05 02:14 --------- d-----w c:\program files\M-Audio USB Keyboard Device
2007-07-08 13:23 47,360 ----a-w c:\documents and settings\SAL\Application Data\pcouffin.sys
2006-08-06 01:52 81,920 ----a-w c:\documents and settings\SAL\Application Data\ezpinst.exe
2009-01-13 12:06 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-01-13 12:06 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-13 12:06 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-01-13 12:07 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-01-13 12:07 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-08 1261336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave2"= Digi32.dll
"SENTINEL"= snti386.dll
"midi2"= RDDV1045.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0lsdelete

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WG111T Smart Wizard.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WG111T Smart Wizard.lnk
backup=c:\windows\pss\NETGEAR WG111T Smart Wizard.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^SAL^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\SAL\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2005-08-03 11:28 67160 c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
--a------ 2003-05-12 14:02 270336 c:\program files\Dell AIO Printer A920\dlbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DigidesignMMERefresh]
--a------ 2005-04-12 01:28 49152 c:\program files\Digidesign\Drivers\MMERefresh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
--a------ 2005-10-22 23:00 385024 c:\program files\Syncrosoft\POS\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWBKEYBOARD]
--a------ 2004-05-26 21:37 392704 c:\program files\Omni\Omni keyboard driver\5.0\KbdAp32A.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWBMOUSE]
--a------ 2001-11-09 01:47 356352 c:\program files\NASDAK\OmniMouse Driver\4.06\Mouse32A.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
--a------ 2009-01-14 16:11 399504 c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui]
--a------ 2008-12-26 23:06 949376 c:\program files\ESET\nod32kui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
-ra------ 2001-12-31 11:04 3756032 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
-ra------ 2001-12-31 11:04 46080 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SClock Plus]
--a------ 2006-11-13 23:52 143360 c:\program files\Shelltoys\SClock Plus\sclock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
--a------ 2007-10-02 15:27 1065288 c:\program files\Spyware Doctor\SDTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-03-04 02:36 36975 c:\program files\Java\jre1.5.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VideoraiPodConverter]
--a------ 2005-11-11 13:32 483328 c:\program files\VideoraiPodConverter\VideoraiPodConverter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-03-10 12:45 35328 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
--a------ 2008-03-20 15:22 50688 c:\windows\system32\ctasio.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2008-03-20 15:35 23040 c:\windows\system32\CtHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2008-03-20 15:35 23552 c:\windows\system32\Ctxfihlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
-ra------ 2001-12-31 11:04 831488 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
--a------ 2008-03-20 15:19 31232 c:\windows\system32\MIDIDEF.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"ose"=3 (0x3)
"NVSvc"=2 (0x2)
"Lsdiorw"=2 (0x2)
"LexBceS"=2 (0x2)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"C-DillaCdaC11BA"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"AdLib FMR"=2 (0x2)
"MBAMService"=2 (0x2)
"Stuffit Archive Name Service"=2 (0x2)
"GEARSecurity"=2 (0x2)
"DigiRefresh"=2 (0x2)
"aawservice"=2 (0x2)
"NOD32krn"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Winternals\\Remote Recover\\RemoteRecover.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2006-02-10 15872]
R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2007-10-13 11264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-08 97928]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-12-26 15424]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2007-10-13 33792]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-03-20 98328]
R3 vdiskbus;Virtual Disk Bus;c:\windows\system32\drivers\VDiskBus.sys [2006-08-18 35107]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-08 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-08 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-08 76040]
S1 IpIock2;IpIock2;\??\c:\windows\system32\drivers\uagfdisk.sys --> c:\windows\system32\drivers\uagfdisk.sys [?]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-03-20 98328]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2008-03-20 171032]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-03-20 171032]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-03-20 528920]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-03-20 528920]
S3 CTEAPSFX.SYS;CTEAPSFX.SYS;c:\windows\system32\drivers\CTEAPSFX.sys [2008-03-20 163352]
S3 CTEAPSFX;CTEAPSFX;c:\windows\system32\drivers\CTEAPSFX.sys [2008-03-20 163352]
S3 CTEDSPFX.SYS;CTEDSPFX.SYS;c:\windows\system32\drivers\CTEDSPFX.sys [2008-03-20 259096]
S3 CTEDSPFX;CTEDSPFX;c:\windows\system32\drivers\CTEDSPFX.sys [2008-03-20 259096]
S3 CTEDSPIO.SYS;CTEDSPIO.SYS;c:\windows\system32\drivers\CTEDSPIO.sys [2008-03-20 134168]
S3 CTEDSPIO;CTEDSPIO;c:\windows\system32\drivers\CTEDSPIO.sys [2008-03-20 134168]
S3 CTEDSPSY.SYS;CTEDSPSY.SYS;c:\windows\system32\drivers\CTEDSPSY.sys [2008-03-20 309784]
S3 CTEDSPSY;CTEDSPSY;c:\windows\system32\drivers\CTEDSPSY.sys [2008-03-20 309784]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-03-20 99352]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-03-20 99352]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2008-03-20 1324056]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2008-03-20 1324056]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2008-03-20 72728]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2008-03-20 72728]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-03-20 534040]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-03-20 534040]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2005-05-25 74752]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2007-01-06 17149]
S3 MPD16USB;AKAIpro MPD16 Driver;c:\windows\system32\drivers\MPD16USB.sys [2005-11-20 19712]
S3 RDID1045;Roland FANTOM-X;c:\windows\system32\drivers\RDWM1045.SYS [2005-07-11 59642]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe [2007-10-20 742216]
S3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter;c:\windows\system32\DRIVERS\wg121nd5.sys --> c:\windows\system32\DRIVERS\wg121nd5.sys [?]
S4 AdLib FMR;AdLib FMR;c:\progra~1\AdLib\ADLIBE~1\AdLibFMR.exe [2006-12-14 266240]
S4 Neepderasaa;Neepderasaa; [x]
S4 Stuffit Archive Name Service;Stuffit Archive Name Service;c:\program files\Smith Micro\StuffIt11\ArcNameService.exe [2007-10-08 157000]
.
Contents of the 'Scheduled Tasks' folder

2009-01-09 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (HOME-WY767KTWW0-SAL).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-0004091192915023mcinstcleanup - c:\docume~1\SAL\LOCALS~1\Temp\000409~1.EXE
MSConfigStartUp-2ca98d5a - c:\windows\system32\ltnfvalq.dll
MSConfigStartUp-AVG7_CC - c:\progra~1\Grisoft\AVG7\avgcc.exe
MSConfigStartUp-Awola6 - c:\documents and settings\SAL\Application Data\Awola6\Awola6.exe
MSConfigStartUp-Cleanup - c:\docume~1\SAL\LOCALS~1\Temp\2006125151440_mcappins.exe
MSConfigStartUp-CTDVDDET - c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
MSConfigStartUp-CTSysVol - c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
MSConfigStartUp-DSS - c:\windows\EditHostFTP.exe
MSConfigStartUp-Explorer - c:\windows\system32\Explorer.exe
MSConfigStartUp-Icon - c:\windows\system32\drivers\Icon.EXE
MSConfigStartUp-iqri - c:\progra~1\COMMON~1\iqri\iqrim.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-LogMeIn GUI - c:\program files\LogMeIn\LogMeInSystray.exe
MSConfigStartUp-MCAgentExe - c:\progra~1\mcafee.com\agent\mcagent.exe
MSConfigStartUp-McRegWiz - c:\progra~1\mcafee.com\agent\mcregwiz.exe
MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\McUpdate.exe
MSConfigStartUp-Microsoft Windows Adapter 5.1 - c:\documents and settings\SAL\Application Data\uxwpa.exe
MSConfigStartUp-msci - c:\docume~1\SAL\LOCALS~1\Temp\2006125151440_mcinfo.exe
MSConfigStartUp-MSKAGENTEXE - c:\program files\McAfee\MSK\MskAgent.exe
MSConfigStartUp-MSKDetectorExe - c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe
MSConfigStartUp-outlook - c:\program files\outlook\outlook.exe
MSConfigStartUp-prunnet - c:\windows\system32\prunnet.exe
MSConfigStartUp-PWRISOVM - c:\program files\PowerISO\PWRISOVM.EXE
MSConfigStartUp-RemoteCenter - c:\program files\Creative\MediaSource\RemoteControl\RCMan.EXE
MSConfigStartUp-SBDrvDet - c:\program files\Creative\SB Drive Det\SBDrvDet.exe
MSConfigStartUp-SpySweeper - c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
MSConfigStartUp-STDSB - c:\windows\system32\drivers\STDSB.EXE
MSConfigStartUp-tezrtsjhfr84iusjfo84f - c:\docume~1\SAL\LOCALS~1\Temp\csrssc.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-UpdReg - c:\windows\UpdReg.EXE
MSConfigStartUp-ViewMgr - c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
MSConfigStartUp-VirusScan Online - c:\progra~1\mcafee.com\vso\mcvsshld.exe
MSConfigStartUp-VSOCheckTask - c:\progra~1\mcafee.com\vso\mcmnhdlr.exe
MSConfigStartUp-WatchDog - c:\program files\mobile PhoneTools\WatchDog.exe
MSConfigStartUp-Microsoft Update - enule.exe
MSConfigStartUp-SoundMan - SOUNDMAN.EXE
MSConfigStartUp-winlog - winlog.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://gmail.com/
uInternet Settings,ProxyOverride = *.local
LSP: c:\windows\system32\imon.dll
Trusted Zone: aol.com\free
TCP: {7B8ADE24-E8C9-4E8A-882B-EDEB03EB2FE2} = 24.29.103.15,24.29.103.16
FF - ProfilePath - c:\documents and settings\SAL\Application Data\Mozilla\Firefox\Profiles\u09gxoft.Sal\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.gmail.com
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-24 08:36:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9D7D745F-2DA2-E26E-67E2A61C92B5C873}\{869A1319-CB5B-72EF-32E86935B8210920}\{0F637A1B-C125-DB37-203685E7DE12B741}*]
"1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EDCF6AC6-CDE0-1F6D-043771A983FAB740}\{0B884C8F-0AAB-F925-A63B97C7F3A43931}\{965D33BD-6599-2D1D-7E8A152D666CAEE5}*]
"1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ř•€|˙˙˙˙•€|ů•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(716)
c:\windows\system32\RDDV1045.DLL
c:\windows\system32\imon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\MsPMSPSv.exe
c:\program files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2009-01-24 8:43:31 - machine was rebooted [SAL]
ComboFix-quarantined-files.txt 2009-01-24 13:43:28

Pre-Run: 44,842,033,152 bytes free
Post-Run: 46,693,232,640 bytes free

366 --- E O F --- 2008-12-18 04:09:55


HJT: Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:00 AM, on 1/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1116973915758
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B8ADE24-E8C9-4E8A-882B-EDEB03EB2FE2}: NameServer = 24.29.103.15,24.29.103.16
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 3018 bytes

#8 User is offline   teacup61 

  • Bleepin' Texan in Ohio!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 17,056
  • Joined: 05-April 06
  • Gender:Female
  • Location:New Bremen, Ohio

Posted 24 January 2009 - 04:51 PM

Hello,

Well I see why you were still having problems. :thumbsup: On top of everything else you had a rootkit. How is it running now please?

The ComboFix report shows you have 2 AntiVirus programs running, but I don't see the Nod32 in the HijackThis log. Did you disable it, or...........?

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!
Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#9 User is offline   Scheme2009 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 5
  • Joined: 09-January 09

Posted 24 January 2009 - 05:02 PM

i havent heard any beeps or anything..

whats a rootkit?

And iwas puzzled by the msg about 2 antiviruses things as well.. as NOD32 wasnt open in any of my processes... toolbars.. etc....

AVG was open and i closed it..

i think i may be good now... everything else looks nice?

#10 User is offline   teacup61 

  • Bleepin' Texan in Ohio!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 17,056
  • Joined: 05-April 06
  • Gender:Female
  • Location:New Bremen, Ohio

Posted 24 January 2009 - 05:23 PM

Hi,

A rootkit is an infection that installs with stealth, which means it's hard to see, and usually hard to deal with manually. It wreaks havoc, brings friends to play ( :) ), and causes general misery for the user (you). Some are worse than others, and this was a pretty nasty one. Looks like it had been partially dealt with already, probably by your AntiVirus.

Some cleanup to do now.......

Your Java is way out of date, which leaves your computer vulnerable.

Updating Java
  • Download the latest version of Java Runtime Environment (JRE) 6_u_11.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Please download ATF Cleaner by Atribune.
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

As far as the messages go for the AntiVirus (s), just be sure to only run one at a time. Less is more in this case. :thumbsup:

Post back, please, and let me know how all that went. :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!
Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#11 User is offline   teacup61 

  • Bleepin' Texan in Ohio!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 17,056
  • Joined: 05-April 06
  • Gender:Female
  • Location:New Bremen, Ohio

Posted 07 February 2009 - 11:11 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!
Posted Image


Error reading poptart in Drive A: Delete kids y/n?

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users