pop ups with the addresses of url.adtrgt.com

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Page 1 of 1

You cannot start a new topic
This topic is locked

pop ups with the addresses of url.adtrgt.com DONT KNOW HOW TO REMOVE IT

#1 baca1jr

New Member

Group: Members
Posts: 4
Joined: 10-January 09

Posted 10 January 2009 - 12:48 PM

When I'm using Firefox or internet explorer 7 I randomly receive pop ups with the addresses url.adtrgt.com and different ip address like 70.38.98.32 try to connect but fails. Couldnt not attach file so i put it on the bottom

DDS (Ver_09-01-07.01) - NTFSx86
Run by USER at 9:32:16.25 on Sat 01/10/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.456 [GMT -8:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\USER\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {45427237-0a00-43ad-9ca1-f78689c0a380} - c:\windows\system32\ssqOEvtq.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {31b6ac47-46d9-bd7b-c9d4-115e933ff286}: {682ff339-e511-4d9c-b7db-9d6474ca6b13} - c:\windows\system32\vfcxnh.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\pmnnKCrp.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: {A6575304-ECD0-4BD2-BCDD-F757AD1D5603} - No File
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_01\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Nitro PDF Printer Monitor] "c:\program files\nitro pdf\professional\NitroPDFPrinterMonitor.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\Ad-Watch.exe
mRun: [7c3410a6] rundll32.exe "c:\windows\system32\vyaayhph.dll",b
StartupFolder: c:\docume~1\user\startm~1\programs\startup\palmon~1.lnk - c:\program files\palmone\register.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\Hotsync.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: pmnnKCrp - pmnnKCrp.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL,avgrsstx.dll vfcxnh.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\pmnnKCrp.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ssqOEvtq

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\6vindh6z.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-4 324872]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-4 27656]
R3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;c:\windows\system32\drivers\NSDriver.sys [2008-4-29 15648]
R3 Ad-Watch Real-Time Scanner;AW Real-Time Scanner;c:\windows\system32\drivers\Awrtpd.sys [2008-4-29 12960]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-6-2 611664]
R4 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2007-6-20 79168]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-10-4 298264]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-5-9 24652]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S3 Ad-Watch Registry Filter;Ad-Watch Registry Kernel Filter;c:\windows\system32\drivers\Awrtrd.sys [2008-4-29 15648]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-12-27 40264]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-12-27 57672]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-12-27 82248]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\svcntaux.exe --> c:\program files\spyware doctor\svcntaux.exe [?]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\swdsvc.exe --> c:\program files\spyware doctor\swdsvc.exe [?]

=============== Created Last 30 ================

2009-01-10 09:10 <DIR> --d----- c:\program files\Trend Micro
2009-01-10 09:01 129,024 a------- c:\windows\system32\vfcxnh.dll
2009-01-10 09:01 129,024 a------- c:\windows\system32\oyocpehm.dll
2009-01-10 09:01 120 ---sh--- c:\windows\system32\hphyaayv.ini
2009-01-10 09:01 72,704 a------- c:\windows\system32\vyaayhph.dll
2009-01-09 09:03 129,024 a------- c:\windows\system32\gkaydz.dll
2009-01-09 09:03 129,024 a------- c:\windows\system32\dkdaikmi.dll
2009-01-09 08:57 120 ---sh--- c:\windows\system32\ylmklbov.ini
2009-01-09 08:57 72,704 -------- c:\windows\system32\voblkmly.dll
2009-01-07 09:10 129,024 a------- c:\windows\system32\nsnrxn.dll
2009-01-07 09:10 129,024 a------- c:\windows\system32\xghjvqwp.dll
2009-01-07 09:05 120 ---sh--- c:\windows\system32\ovvcxnqi.ini
2009-01-07 09:04 665,050 a--sh--- c:\windows\system32\qtvEOqss.ini2
2009-01-07 09:04 665,050 a--sh--- c:\windows\system32\qtvEOqss.ini
2009-01-07 09:04 302,592 a------- c:\windows\system32\ssqOEvtq.dll
2009-01-05 09:06 120 ---sh--- c:\windows\system32\jpquaoah.ini
2009-01-05 09:03 129,024 a------- c:\windows\system32\dyahsd.dll
2009-01-05 09:03 129,024 a------- c:\windows\system32\nglctfdg.dll
2009-01-03 10:55 120 ---sh--- c:\windows\system32\qapmilox.ini
2009-01-03 10:52 129,024 a------- c:\windows\system32\ycxjpp.dll
2009-01-03 10:52 129,024 a------- c:\windows\system32\aesyugpn.dll
2009-01-03 10:33 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-01-03 09:52 <DIR> --d----- c:\docume~1\user\applic~1\aAvgApi
2009-01-03 09:49 <DIR> --d----- c:\docume~1\user\applic~1\AVGTOOLBAR
2009-01-03 09:28 120 ---sh--- c:\windows\system32\xwdupoan.ini
2009-01-03 09:25 129,024 a------- c:\windows\system32\qedggc.dll
2009-01-03 09:25 129,024 a------- c:\windows\system32\olkgjsto.dll
2009-01-02 09:27 120 ---sh--- c:\windows\system32\gupgbnag.ini
2009-01-02 09:24 129,024 a------- c:\windows\system32\qqxess.dll
2009-01-02 09:24 129,024 a------- c:\windows\system32\bdlbpwds.dll
2008-12-31 11:27 0 a------- c:\windows\QuickInstall.INI
2008-12-31 10:07 53,248 a------- c:\windows\PalmDevC.dll
2008-12-31 10:07 <DIR> --d----- c:\program files\palmOne
2008-12-31 09:06 120 ---sh--- c:\windows\system32\vsbytsjx.ini
2008-12-31 09:03 129,024 a------- c:\windows\system32\szcwrg.dll
2008-12-31 09:03 129,024 a------- c:\windows\system32\frhwbnlh.dll
2008-12-29 17:28 <DIR> --d----- c:\program files\SpywareBlaster
2008-12-29 12:46 727,501 a--sh--- c:\windows\system32\SrsvDfhk.ini2
2008-12-29 09:17 120 ---sh--- c:\windows\system32\kgarfxkm.ini
2008-12-29 09:11 129,024 a------- c:\windows\system32\xcmtua.dll
2008-12-29 09:11 129,024 a------- c:\windows\system32\nlyqlhhy.dll
2008-12-27 15:32 <DIR> --d----- c:\program files\Microsoft Games
2008-12-27 12:56 82,248 a------- c:\windows\system32\drivers\iksyssec.sys
2008-12-27 12:56 40,264 a------- c:\windows\system32\drivers\ikfilesec.sys
2008-12-27 12:56 29,000 a------- c:\windows\system32\drivers\kcom.sys
2008-12-27 12:56 57,672 a------- c:\windows\system32\drivers\iksysflt.sys
2008-12-27 12:55 <DIR> --d----- c:\docume~1\user\applic~1\PC Tools
2008-12-27 12:55 626,688 a------- c:\windows\system32\msvcr80.dll
2008-12-27 09:37 129,024 a------- c:\windows\system32\rgrwzd.dll
2008-12-27 09:37 129,024 a------- c:\windows\system32\gbaqdmro.dll
2008-12-27 09:34 120 ---sh--- c:\windows\system32\abpsnxgs.ini
2008-12-27 09:31 727,501 a--sh--- c:\windows\system32\SrsvDfhk.ini
2008-12-27 09:25 34,816 a------- c:\windows\system32\pmnnKCrp.dll
2008-12-17 19:42 <DIR> --d----- C:\QUARANTINE
2008-12-17 16:40 1,495,552 a------- c:\windows\system32\epoPGPsdk.dll
2008-12-17 16:40 <DIR> --d----- c:\program files\common files\Cisco Systems

==================== Find3M ====================

2009-01-07 16:33 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-07 16:33 324,872 a------- c:\windows\system32\drivers\avgldx86.sys
2008-12-31 10:06 16,694 a------- c:\windows\system32\drivers\PalmUSBD.sys
2008-11-22 14:11 286,720 -------- c:\windows\Setup1.exe
2008-11-22 14:11 73,216 a------- c:\windows\ST6UNST.EXE
2008-10-23 04:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 12:38 826,368 a------- c:\windows\system32\wininet.dll
2008-09-10 17:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091020080911\index.dat

============= FINISH: 9:32:43.53 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-01-07.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 5/8/2008 2:23:46 PM
System Uptime: 1/10/2009 8:59:58 AM (1 hours ago)

Motherboard: Dell Inc. | | 0KP561
Processor: Intel® Pentium® Dual CPU E2140 @ 1.60GHz | CPU | 1595/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 74 GiB total, 56.107 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP117: 12/29/2008 5:22:42 PM - Installed Google Earth Pro
RP118: 12/29/2008 5:22:43 PM - Installed Nitro PDF Professional.
RP119: 12/29/2008 5:22:43 PM - Printer Driver FAX4 Driver Installed
RP120: 12/29/2008 5:22:44 PM - Removed Google Earth Pro
RP121: 12/29/2008 5:22:46 PM - TrueCrypt installation
RP122: 12/29/2008 5:22:47 PM - System Checkpoint
RP123: 12/29/2008 5:22:49 PM - Installed Ad-Aware
RP124: 12/29/2008 5:22:49 PM - Removed Ad-Aware
RP125: 12/29/2008 5:22:50 PM - Software Distribution Service 3.0
RP126: 12/29/2008 5:22:52 PM - System Checkpoint
RP127: 12/29/2008 5:22:53 PM - Avg8 Update
RP128: 12/29/2008 5:22:53 PM - Avg8 Update
RP129: 12/29/2008 5:22:53 PM - Installed KODAK Gallery Upload Software.
RP130: 12/29/2008 5:22:54 PM - Software Distribution Service 3.0
RP131: 12/29/2008 5:22:55 PM - Avg8 Update
RP132: 12/29/2008 5:22:55 PM - Avg8 Update
RP133: 12/29/2008 5:22:56 PM - System Checkpoint
RP134: 12/29/2008 5:22:57 PM - System Checkpoint
RP135: 12/29/2008 5:22:58 PM - System Checkpoint
RP136: 12/29/2008 5:22:58 PM - Avg8 Update
RP137: 12/29/2008 5:22:59 PM - Avg8 Update
RP138: 12/29/2008 5:22:59 PM - System Checkpoint
RP139: 12/29/2008 5:23:00 PM - System Checkpoint
RP140: 12/29/2008 5:23:00 PM - Avg8 Update
RP141: 12/29/2008 5:23:00 PM - System Checkpoint
RP142: 12/29/2008 5:23:00 PM - Software Distribution Service 3.0
RP143: 12/29/2008 5:23:00 PM - System Checkpoint
RP144: 12/29/2008 5:23:01 PM - System Checkpoint
RP145: 12/29/2008 5:23:01 PM - Software Distribution Service 3.0
RP146: 12/29/2008 5:23:01 PM - System Checkpoint
RP147: 12/29/2008 5:23:01 PM - Installed Ad-Aware
RP148: 12/29/2008 5:23:02 PM - Removed Microsoft Silverlight
RP149: 12/29/2008 5:23:02 PM - TrueCrypt uninstallation
RP150: 12/29/2008 5:23:02 PM - System Checkpoint
RP151: 12/29/2008 5:23:02 PM - Avg8 Update
RP152: 12/29/2008 5:23:02 PM - System Checkpoint
RP153: 12/29/2008 5:23:02 PM - System Checkpoint
RP154: 12/29/2008 5:23:03 PM - System Checkpoint
RP155: 12/29/2008 5:23:03 PM - System Checkpoint
RP156: 12/29/2008 5:23:03 PM - System Checkpoint
RP157: 12/29/2008 5:23:04 PM - Configured Microsoft Office Professional Plus 2007
RP158: 12/29/2008 5:23:04 PM - Removed SweetIM for Messenger 2.5
RP159: 12/29/2008 5:23:04 PM - System Checkpoint
RP160: 12/29/2008 5:23:04 PM - Software Distribution Service 3.0
RP161: 12/29/2008 5:23:05 PM - Installed DirectX 9.0
RP162: 12/29/2008 5:23:05 PM - System Checkpoint
RP163: 12/29/2008 5:23:05 PM - Installed TBS WMP Plug-in
RP164: 12/29/2008 5:23:06 PM - Installed McAfee VirusScan Enterprise
RP165: 12/29/2008 5:23:06 PM - Removed McAfee VirusScan Enterprise
RP166: 12/29/2008 5:23:06 PM - Software Distribution Service 3.0
RP167: 12/29/2008 5:23:06 PM - System Checkpoint
RP168: 12/29/2008 5:23:06 PM - System Checkpoint
RP169: 12/29/2008 5:23:06 PM - System Checkpoint
RP170: 12/29/2008 5:23:06 PM - Last known good configuration
RP171: 12/29/2008 5:23:06 PM - Configured TBS WMP Plug-in
RP172: 12/29/2008 5:23:08 PM - Last known good configuration
RP173: 12/29/2008 5:23:08 PM - Removed FSC Rater Component
RP174: 12/29/2008 5:23:09 PM - Installed FSC Rater Component
RP175: 12/29/2008 5:23:15 PM - Last known good configuration
RP176: 12/31/2008 10:07:09 AM - Installed palmOne
RP177: 1/3/2009 9:49:09 AM - Configured AVG Free 8.0
RP178: 1/3/2009 10:31:27 AM - Avg8 Update
RP179: 1/3/2009 10:33:09 AM - Avg8 Update
RP180: 1/5/2009 11:17:18 AM - Removed KODAK Gallery Upload Software.
RP181: 1/7/2009 3:33:48 PM - System Checkpoint
RP182: 1/7/2009 4:31:20 PM - Avg8 Update
RP183: 1/7/2009 4:33:25 PM - Avg8 Update
RP184: 1/8/2009 9:17:16 AM - Removed Pocket Controller-Enterprise
RP185: 1/9/2009 2:44:17 PM - System Checkpoint

==== Installed Programs ======================

Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.9
Apple Mobile Device Support
Apple Software Update
AVG Free 8.0
Bonjour
Broadcom ASF Management Applications
Broadcom Gigabit Integrated Controller
Broadcom Management Programs
Brother MFL-Pro Suite
CCleaner (remove only)
Comprise
Counter-Strike 1.6
Folder Lock
FSC Rater CA Workstation
FSC Rater Component
FSCToInfinityWeb
HawkSoft Components
HijackThis 2.0.2
Intel® Graphics Media Accelerator Driver
iTunes
Java™ SE Runtime Environment 6 Update 1
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft ActiveSync
Microsoft Halo
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Mozilla Firefox (3.0.5)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
Nitro PDF Professional
North Coast Life
One Step Bridges CA
OneStep
palmOne
PaperPort
QuickTime
RealPlayer
ScrewDrivers Client v4
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923689)
Softech MVR Bridge - FSC Rater
SoundMAX
Spybot - Search & Destroy
SpywareBlaster 4.1
Viewpoint Media Player
WebEx
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows XP Service Pack 3
WinRAR archiver
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

1/3/2009 10:49:27 AM, error: Dhcp [1002] - The IP address lease 10.0.0.102 for the Network Card with network address 001D09102E90 has been denied by the DHCP server 10.0.0.100 (The DHCP Server sent a DHCPNACK message).
1/5/2009 11:16:18 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
1/13/2009 11:15:08 AM, error: W32Time [34] - The time service has detected that the system time needs to be changed by -518398 seconds. The time service will not change the system time by more than -54000 seconds. Verify that your time and time zone are correct, and that the time source time-a.nist.gov (ntp.m|0x1|10.0.0.102:123->129.6.15.28:123) is working properly.
1/7/2009 5:49:49 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
1/7/2009 5:50:05 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
1/10/2009 9:02:25 AM, error: EventLog [6004] - A driver packet received from the I/O subsystem was invalid. The data is the packet.

==== End Of File ===========================

#2 fenzodahl512

Forum Addict

Group: Members
Posts: 6,738
Joined: 04-December 07

Posted 14 January 2009 - 04:12 AM

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

If you are using Firefox, make sure that your download settings are as follows:
- Tools->Options->Main tab
- Set to "Always ask me where to Save the files".
During the download, rename Combofix to Combo-Fix as follows:
It is important you rename Combofix during the download, but not after.
Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  -----------------------------------------------------------
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on combo-Fix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image

Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive

#3 baca1jr

New Member

Group: Members
Posts: 4
Joined: 10-January 09

Posted 14 January 2009 - 12:42 PM

ComboFix 09-01-13.04 - USER 2009-01-14 9:32:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.563 [GMT -8:00]
Running from: c:\documents and settings\USER\Desktop\Combo-Fix.exe
AV: AVG Internet Security *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\USER\Application Data\NI.GSCNS
c:\documents and settings\USER\Application Data\NI.GSCNS\dl.ini
c:\documents and settings\USER\Application Data\NI.GSCNS\settings.ini
c:\documents and settings\USER\Application Data\SpeedRunner
C:\install.exe
c:\temp\FT62
c:\windows\system32\abpsnxgs.ini
c:\windows\system32\aesyugpn.dll
c:\windows\system32\bdlbpwds.dll
c:\windows\system32\dPI19
c:\windows\system32\dyahsd.dll
c:\windows\system32\frhwbnlh.dll
c:\windows\system32\gbaqdmro.dll
c:\windows\system32\gupgbnag.ini
c:\windows\system32\hphyaayv.ini
c:\windows\system32\jpquaoah.ini
c:\windows\system32\kgarfxkm.ini
c:\windows\system32\mwtpifrr.ini
c:\windows\system32\nglctfdg.dll
c:\windows\system32\nlyqlhhy.dll
c:\windows\system32\olkgjsto.dll
c:\windows\system32\ovvcxnqi.ini
c:\windows\system32\qapmilox.ini
c:\windows\system32\qedggc.dll
c:\windows\system32\qqxess.dll
c:\windows\system32\qtvEOqss.ini
c:\windows\system32\qtvEOqss.ini2
c:\windows\system32\rgrwzd.dll
c:\windows\system32\SrsvDfhk.ini
c:\windows\system32\SrsvDfhk.ini2
c:\windows\system32\szcwrg.dll
c:\windows\system32\vsbytsjx.ini
c:\windows\system32\xcmtua.dll
c:\windows\system32\xwdupoan.ini
c:\windows\system32\ycxjpp.dll
c:\windows\system32\ylmklbov.ini

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_AVG

((((((((((((((((((((((((( Files Created from 2008-12-14 to 2009-01-14 )))))))))))))))))))))))))))))))
.

2009-01-12 09:00 . 2009-01-12 09:00 <DIR> d-------- c:\documents and settings\USER\WINDOWS
2009-01-10 09:10 . 2009-01-10 09:10 <DIR> d-------- c:\program files\Trend Micro
2009-01-03 10:33 . 2009-01-07 16:33 12,552 --a------ c:\windows\system32\drivers\avgrkx86.sys
2009-01-03 09:52 . 2009-01-03 09:52 <DIR> d-------- c:\documents and settings\USER\Application Data\aAvgApi
2009-01-03 09:49 . 2009-01-03 09:54 <DIR> d-------- c:\documents and settings\USER\Application Data\AVGTOOLBAR
2008-12-31 11:27 . 2008-12-31 11:27 0 --a------ c:\windows\QuickInstall.INI
2008-12-31 10:12 . 2008-12-31 10:12 <DIR> d-------- c:\documents and settings\USER\Application Data\Leadertech
2008-12-31 10:08 . 2008-12-31 10:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\HotSync
2008-12-31 10:07 . 2008-12-31 11:30 <DIR> d-------- c:\program files\palmOne
2008-12-31 10:07 . 2008-12-31 10:06 53,248 --a------ c:\windows\PalmDevC.dll
2008-12-31 10:06 . 2008-12-31 10:06 <DIR> d-------- c:\documents and settings\USER\Application Data\HotSync
2008-12-29 17:28 . 2008-12-29 17:28 <DIR> d-------- c:\program files\SpywareBlaster
2008-12-27 12:56 . 2007-08-14 17:02 82,248 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-12-27 12:56 . 2007-08-14 17:02 57,672 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-12-27 12:56 . 2007-08-14 17:02 40,264 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-12-27 12:56 . 2007-08-14 17:02 29,000 --a------ c:\windows\system32\drivers\kcom.sys
2008-12-27 12:55 . 2008-12-27 12:55 <DIR> d-------- c:\documents and settings\USER\Application Data\PC Tools
2008-12-27 12:55 . 2005-09-23 07:29 626,688 --a------ c:\windows\system32\msvcr80.dll
2008-12-17 19:42 . 2008-12-27 08:57 <DIR> d-------- C:\QUARANTINE
2008-12-17 16:40 . 2008-12-17 16:40 <DIR> d-------- c:\program files\Common Files\Cisco Systems
2008-12-17 16:40 . 2008-12-18 15:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-12-17 16:40 . 2006-12-19 15:06 1,495,552 --a------ c:\windows\system32\epoPGPsdk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-08 19:39 --------- d-----w c:\program files\North Coast Life
2009-01-08 17:22 --------- d-----w c:\program files\Folder Lock
2009-01-08 17:17 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-08 17:05 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-01-08 00:33 324,872 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-08 00:33 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-04 00:22 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-31 20:42 --------- d-----w c:\documents and settings\USER\Application Data\1.0.0.0
2008-12-31 18:06 16,694 ----a-w c:\windows\system32\drivers\PalmUSBD.sys
2008-12-30 01:17 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-27 21:15 --------- d-----w c:\program files\Microsoft ActiveSync
2008-12-10 23:32 --------- d-----w c:\program files\Common
2008-12-10 21:39 --------- d-----w c:\program files\Counter-Strike 1.6
2008-12-09 22:16 --------- d-----w c:\documents and settings\USER\Application Data\DiskAid
2008-12-09 20:47 --------- d-----w c:\documents and settings\USER\Application Data\Yahoo!
2008-12-09 00:38 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-03 16:58 --------- d-----w c:\program files\Yahoo!
2008-12-02 17:08 --------- d-----w c:\documents and settings\USER\Application Data\Twain
2008-11-25 17:20 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-22 22:11 73,216 ----a-w c:\windows\ST6UNST.EXE
2008-11-22 22:11 286,720 ------w c:\windows\Setup1.exe
2008-11-22 17:22 --------- d-----w c:\program files\Lavasoft
2008-11-22 17:22 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-29 17:41 27,976 ----a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-12-29 17:41 125,848 ----a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-12-29 17:41 98,712 ----a-w c:\program files\mozilla firefox\plugins\ieatgpc.dll
2008-09-11 01:00 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091020080911\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-08-01 1036288]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-05 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-05 137752]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-11-11 995328]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-07 1601304]
"Nitro PDF Printer Monitor"="c:\program files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe" [2008-06-04 210208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-07 16:33 10520 c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=c:\windows\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^USER^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=c:\documents and settings\USER\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=c:\windows\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
--a------ 2008-05-22 09:36 2468200 c:\program files\Lavasoft\Ad-Aware\Ad-Watch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 12:39 1289000 c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-09-08 22:02 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 02:43 83608 c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-05-13 13:43 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Counter-Strike 1.6\\hl.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-04 324872]
R4 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [2007-06-20 79168]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-04 298264]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-05-09 24652]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe --> c:\program files\Spyware Doctor\svcntaux.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c143654c-5d03-11dd-bdd8-001d09102e90}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e43dbed6-7f67-11dd-bdf0-001d09102e90}]
\Shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-14 c:\windows\Tasks\nlkrfcij.job
- c:\windows\system32\rundll32.exe [2008-04-13 16:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{383C74EA-157A-4AB3-8DDB-CB89F18BB26C} - c:\windows\system32\ssqOEvtq.dll
BHO-{63e7045e-b890-4378-967e-71e7c571e770} - c:\windows\system32\jsjnpf.dll
BHO-{A6575304-ECD0-4BD2-BCDD-F757AD1D5603} - (no file)
HKLM-Run-7c3410a6 - c:\windows\system32\vyaayhph.dll
Notify-pmnnKCrp - pmnnKCrp.dll

.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
FF - ProfilePath - c:\documents and settings\USER\Application Data\Mozilla\Firefox\Profiles\6vindh6z.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-14 09:35:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-01-14 9:37:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-14 17:37:04

Pre-Run: 61,659,418,624 bytes free
Post-Run: 61,602,668,544 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

233 --- E O F --- 2008-12-19 01:58:06

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:15 AM, on 1/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Nitro PDF Printer Monitor] "C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\swdsvc.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7252 bytes

#4 fenzodahl512

Forum Addict

Group: Members
Posts: 6,738
Joined: 04-December 07

Posted 15 January 2009 - 01:43 AM

Please show hidden files and folders

Find these files/folders and delete them manually..

c:\documents and settings\USER\Application Data\Twain
c:\windows\Tasks\nlkrfcij.job

Please uninstall Viewpoint from the computer

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.

Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the options Remove found threats and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

Post me these logs in your next reply..

1. Malwarebytes'
2. ESET Online
3. Tell me, how's the computer now? :thumbsup:

Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive

#5 baca1jr

New Member

Group: Members
Posts: 4
Joined: 10-January 09

Posted 15 January 2009 - 01:26 PM

MY COMPUTER IS RUNNING 100% BETTER AND NO POP UPS THANKS A LOT NOW I KNOW WHO TO GO TO IF I HAVE ANY PROBLEMS.

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3769 (20090115)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=85bc1a1c4092e441a1462d40c5279805
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-01-15 06:21:07
# local_time=2009-01-15 10:21:07 (-0800, Pacific Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=169151
# found=2
# scan_time=1855
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\InternetSpeedMonitor1.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000

Malwarebytes' Anti-Malware 1.33
Database version: 1656
Windows 5.1.2600 Service Pack 3

1/15/2009 9:45:50 AM
mbam-log-2009-01-15 (09-45-50).txt

Scan type: Full Scan (C:\|)
Objects scanned: 103918
Time elapsed: 36 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 fenzodahl512

Forum Addict

Group: Members
Posts: 6,738
Joined: 04-December 07

Posted 16 January 2009 - 12:28 AM

Awesome!!.. Lets do some cleanup.. :thumbsup:

Please download OTCleanIt and save it to Desktop.

Make sure you have internet connection..
Double-click OTCleanIt.exe
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes

Please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread

Have a safe and happy computing day!

Regards
fenzodahl512

Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive

#7 baca1jr

New Member

Group: Members
Posts: 4
Joined: 10-January 09

Posted 16 January 2009 - 12:58 PM

MY COMPUTER IS RUNNING WAY BETTER ITS FASTER AND NO POP UPS WHAT SO EVER

AND THANK YOU fenzodahl512 FOR UR HELP :thumbsup:

#8 fenzodahl512

Forum Addict

Group: Members
Posts: 6,738
Joined: 04-December 07

Posted 16 January 2009 - 01:28 PM

You are very welcome, I'm glad that we could help.

I will now close this topic. If you need this topic to be re-open, please pm me or Moderators regarding the matter..

If you have any new malware related questions or issues in the future please start a new topic.

Cheers and Happy Computing !

fenzodahl512

Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive