Computer Help and Spyware Removal Computer Help and Spyware Removal Computer Help and Spyware Removal Computer Help Forums Windows Startup Programs Database Virus, Spyware, and Malware Removal Guides Computer Tutorials Uninstall Database File Database Computer Glossary Computer Resources
 

Welcome Guest ( Log In | Click here to Register a free account now! )



Register a free account to unlock additional features at BleepingComputer.com
Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.
MalwareByte's Anti-Malware Download

> Forum Guidelines

Read this topic before posting a log.


DO NOT post a ComboFix log unless requested to.


Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

 
Closed TopicStart new topic
> pop ups with the addresses of url.adtrgt.com, DONT KNOW HOW TO REMOVE IT
baca1jr
post Jan 10 2009, 12:48 PM
Post #1


New Member
*

Group: Members
Posts: 4
Joined: 10-January 09
Member No.: 280,808
When I'm using Firefox or internet explorer 7 I randomly receive pop ups with the addresses url.adtrgt.com and different ip address like 70.38.98.32 try to connect but fails. Couldnt not attach file so i put it on the bottom


DDS (Ver_09-01-07.01) - NTFSx86
Run by USER at 9:32:16.25 on Sat 01/10/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.456 [GMT -8:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\USER\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {45427237-0a00-43ad-9ca1-f78689c0a380} - c:\windows\system32\ssqOEvtq.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {31b6ac47-46d9-bd7b-c9d4-115e933ff286}: {682ff339-e511-4d9c-b7db-9d6474ca6b13} - c:\windows\system32\vfcxnh.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\pmnnKCrp.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: {A6575304-ECD0-4BD2-BCDD-F757AD1D5603} - No File
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_01\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Nitro PDF Printer Monitor] "c:\program files\nitro pdf\professional\NitroPDFPrinterMonitor.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\Ad-Watch.exe
mRun: [7c3410a6] rundll32.exe "c:\windows\system32\vyaayhph.dll",b
StartupFolder: c:\docume~1\user\startm~1\programs\startup\palmon~1.lnk - c:\program files\palmone\register.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\Hotsync.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: pmnnKCrp - pmnnKCrp.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL,avgrsstx.dll vfcxnh.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\pmnnKCrp.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ssqOEvtq

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\6vindh6z.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-4 324872]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-4 27656]
R3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;c:\windows\system32\drivers\NSDriver.sys [2008-4-29 15648]
R3 Ad-Watch Real-Time Scanner;AW Real-Time Scanner;c:\windows\system32\drivers\Awrtpd.sys [2008-4-29 12960]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-6-2 611664]
R4 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2007-6-20 79168]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-10-4 298264]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-5-9 24652]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S3 Ad-Watch Registry Filter;Ad-Watch Registry Kernel Filter;c:\windows\system32\drivers\Awrtrd.sys [2008-4-29 15648]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-12-27 40264]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-12-27 57672]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-12-27 82248]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\svcntaux.exe --> c:\program files\spyware doctor\svcntaux.exe [?]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\swdsvc.exe --> c:\program files\spyware doctor\swdsvc.exe [?]

=============== Created Last 30 ================

2009-01-10 09:10 <DIR> --d----- c:\program files\Trend Micro
2009-01-10 09:01 129,024 a------- c:\windows\system32\vfcxnh.dll
2009-01-10 09:01 129,024 a------- c:\windows\system32\oyocpehm.dll
2009-01-10 09:01 120 ---sh--- c:\windows\system32\hphyaayv.ini
2009-01-10 09:01 72,704 a------- c:\windows\system32\vyaayhph.dll
2009-01-09 09:03 129,024 a------- c:\windows\system32\gkaydz.dll
2009-01-09 09:03 129,024 a------- c:\windows\system32\dkdaikmi.dll
2009-01-09 08:57 120 ---sh--- c:\windows\system32\ylmklbov.ini
2009-01-09 08:57 72,704 -------- c:\windows\system32\voblkmly.dll
2009-01-07 09:10 129,024 a------- c:\windows\system32\nsnrxn.dll
2009-01-07 09:10 129,024 a------- c:\windows\system32\xghjvqwp.dll
2009-01-07 09:05 120 ---sh--- c:\windows\system32\ovvcxnqi.ini
2009-01-07 09:04 665,050 a--sh--- c:\windows\system32\qtvEOqss.ini2
2009-01-07 09:04 665,050 a--sh--- c:\windows\system32\qtvEOqss.ini
2009-01-07 09:04 302,592 a------- c:\windows\system32\ssqOEvtq.dll
2009-01-05 09:06 120 ---sh--- c:\windows\system32\jpquaoah.ini
2009-01-05 09:03 129,024 a------- c:\windows\system32\dyahsd.dll
2009-01-05 09:03 129,024 a------- c:\windows\system32\nglctfdg.dll
2009-01-03 10:55 120 ---sh--- c:\windows\system32\qapmilox.ini
2009-01-03 10:52 129,024 a------- c:\windows\system32\ycxjpp.dll
2009-01-03 10:52 129,024 a------- c:\windows\system32\aesyugpn.dll
2009-01-03 10:33 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-01-03 09:52 <DIR> --d----- c:\docume~1\user\applic~1\aAvgApi
2009-01-03 09:49 <DIR> --d----- c:\docume~1\user\applic~1\AVGTOOLBAR
2009-01-03 09:28 120 ---sh--- c:\windows\system32\xwdupoan.ini
2009-01-03 09:25 129,024 a------- c:\windows\system32\qedggc.dll
2009-01-03 09:25 129,024 a------- c:\windows\system32\olkgjsto.dll
2009-01-02 09:27 120 ---sh--- c:\windows\system32\gupgbnag.ini
2009-01-02 09:24 129,024 a------- c:\windows\system32\qqxess.dll
2009-01-02 09:24 129,024 a------- c:\windows\system32\bdlbpwds.dll
2008-12-31 11:27 0 a------- c:\windows\QuickInstall.INI
2008-12-31 10:07 53,248 a------- c:\windows\PalmDevC.dll
2008-12-31 10:07 <DIR> --d----- c:\program files\palmOne
2008-12-31 09:06 120 ---sh--- c:\windows\system32\vsbytsjx.ini
2008-12-31 09:03 129,024 a------- c:\windows\system32\szcwrg.dll
2008-12-31 09:03 129,024 a------- c:\windows\system32\frhwbnlh.dll
2008-12-29 17:28 <DIR> --d----- c:\program files\SpywareBlaster
2008-12-29 12:46 727,501 a--sh--- c:\windows\system32\SrsvDfhk.ini2
2008-12-29 09:17 120 ---sh--- c:\windows\system32\kgarfxkm.ini
2008-12-29 09:11 129,024 a------- c:\windows\system32\xcmtua.dll
2008-12-29 09:11 129,024 a------- c:\windows\system32\nlyqlhhy.dll
2008-12-27 15:32 <DIR> --d----- c:\program files\Microsoft Games
2008-12-27 12:56 82,248 a------- c:\windows\system32\drivers\iksyssec.sys
2008-12-27 12:56 40,264 a------- c:\windows\system32\drivers\ikfilesec.sys
2008-12-27 12:56 29,000 a------- c:\windows\system32\drivers\kcom.sys
2008-12-27 12:56 57,672 a------- c:\windows\system32\drivers\iksysflt.sys
2008-12-27 12:55 <DIR> --d----- c:\docume~1\user\applic~1\PC Tools
2008-12-27 12:55 626,688 a------- c:\windows\system32\msvcr80.dll
2008-12-27 09:37 129,024 a------- c:\windows\system32\rgrwzd.dll
2008-12-27 09:37 129,024 a------- c:\windows\system32\gbaqdmro.dll
2008-12-27 09:34 120 ---sh--- c:\windows\system32\abpsnxgs.ini
2008-12-27 09:31 727,501 a--sh--- c:\windows\system32\SrsvDfhk.ini
2008-12-27 09:25 34,816 a------- c:\windows\system32\pmnnKCrp.dll
2008-12-17 19:42 <DIR> --d----- C:\QUARANTINE
2008-12-17 16:40 1,495,552 a------- c:\windows\system32\epoPGPsdk.dll
2008-12-17 16:40 <DIR> --d----- c:\program files\common files\Cisco Systems

==================== Find3M ====================

2009-01-07 16:33 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-07 16:33 324,872 a------- c:\windows\system32\drivers\avgldx86.sys
2008-12-31 10:06 16,694 a------- c:\windows\system32\drivers\PalmUSBD.sys
2008-11-22 14:11 286,720 -------- c:\windows\Setup1.exe
2008-11-22 14:11 73,216 a------- c:\windows\ST6UNST.EXE
2008-10-23 04:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 12:38 826,368 a------- c:\windows\system32\wininet.dll
2008-09-10 17:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091020080911\index.dat

============= FINISH: 9:32:43.53 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-01-07.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 5/8/2008 2:23:46 PM
System Uptime: 1/10/2009 8:59:58 AM (1 hours ago)

Motherboard: Dell Inc. | | 0KP561
Processor: Intel® Pentium® Dual CPU E2140 @ 1.60GHz | CPU | 1595/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 74 GiB total, 56.107 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP117: 12/29/2008 5:22:42 PM - Installed Google Earth Pro
RP118: 12/29/2008 5:22:43 PM - Installed Nitro PDF Professional.
RP119: 12/29/2008 5:22:43 PM - Printer Driver FAX4 Driver Installed
RP120: 12/29/2008 5:22:44 PM - Removed Google Earth Pro
RP121: 12/29/2008 5:22:46 PM - TrueCrypt installation
RP122: 12/29/2008 5:22:47 PM - System Checkpoint
RP123: 12/29/2008 5:22:49 PM - Installed Ad-Aware
RP124: 12/29/2008 5:22:49 PM - Removed Ad-Aware
RP125: 12/29/2008 5:22:50 PM - Software Distribution Service 3.0
RP126: 12/29/2008 5:22:52 PM - System Checkpoint
RP127: 12/29/2008 5:22:53 PM - Avg8 Update
RP128: 12/29/2008 5:22:53 PM - Avg8 Update
RP129: 12/29/2008 5:22:53 PM - Installed KODAK Gallery Upload Software.
RP130: 12/29/2008 5:22:54 PM - Software Distribution Service 3.0
RP131: 12/29/2008 5:22:55 PM - Avg8 Update
RP132: 12/29/2008 5:22:55 PM - Avg8 Update
RP133: 12/29/2008 5:22:56 PM - System Checkpoint
RP134: 12/29/2008 5:22:57 PM - System Checkpoint
RP135: 12/29/2008 5:22:58 PM - System Checkpoint
RP136: 12/29/2008 5:22:58 PM - Avg8 Update
RP137: 12/29/2008 5:22:59 PM - Avg8 Update
RP138: 12/29/2008 5:22:59 PM - System Checkpoint
RP139: 12/29/2008 5:23:00 PM - System Checkpoint
RP140: 12/29/2008 5:23:00 PM - Avg8 Update
RP141: 12/29/2008 5:23:00 PM - System Checkpoint
RP142: 12/29/2008 5:23:00 PM - Software Distribution Service 3.0
RP143: 12/29/2008 5:23:00 PM - System Checkpoint
RP144: 12/29/2008 5:23:01 PM - System Checkpoint
RP145: 12/29/2008 5:23:01 PM - Software Distribution Service 3.0
RP146: 12/29/2008 5:23:01 PM - System Checkpoint
RP147: 12/29/2008 5:23:01 PM - Installed Ad-Aware
RP148: 12/29/2008 5:23:02 PM - Removed Microsoft Silverlight
RP149: 12/29/2008 5:23:02 PM - TrueCrypt uninstallation
RP150: 12/29/2008 5:23:02 PM - System Checkpoint
RP151: 12/29/2008 5:23:02 PM - Avg8 Update
RP152: 12/29/2008 5:23:02 PM - System Checkpoint
RP153: 12/29/2008 5:23:02 PM - System Checkpoint
RP154: 12/29/2008 5:23:03 PM - System Checkpoint
RP155: 12/29/2008 5:23:03 PM - System Checkpoint
RP156: 12/29/2008 5:23:03 PM - System Checkpoint
RP157: 12/29/2008 5:23:04 PM - Configured Microsoft Office Professional Plus 2007
RP158: 12/29/2008 5:23:04 PM - Removed SweetIM for Messenger 2.5
RP159: 12/29/2008 5:23:04 PM - System Checkpoint
RP160: 12/29/2008 5:23:04 PM - Software Distribution Service 3.0
RP161: 12/29/2008 5:23:05 PM - Installed DirectX 9.0
RP162: 12/29/2008 5:23:05 PM - System Checkpoint
RP163: 12/29/2008 5:23:05 PM - Installed TBS WMP Plug-in
RP164: 12/29/2008 5:23:06 PM - Installed McAfee VirusScan Enterprise
RP165: 12/29/2008 5:23:06 PM - Removed McAfee VirusScan Enterprise
RP166: 12/29/2008 5:23:06 PM - Software Distribution Service 3.0
RP167: 12/29/2008 5:23:06 PM - System Checkpoint
RP168: 12/29/2008 5:23:06 PM - System Checkpoint
RP169: 12/29/2008 5:23:06 PM - System Checkpoint
RP170: 12/29/2008 5:23:06 PM - Last known good configuration
RP171: 12/29/2008 5:23:06 PM - Configured TBS WMP Plug-in
RP172: 12/29/2008 5:23:08 PM - Last known good configuration
RP173: 12/29/2008 5:23:08 PM - Removed FSC Rater Component
RP174: 12/29/2008 5:23:09 PM - Installed FSC Rater Component
RP175: 12/29/2008 5:23:15 PM - Last known good configuration
RP176: 12/31/2008 10:07:09 AM - Installed palmOne
RP177: 1/3/2009 9:49:09 AM - Configured AVG Free 8.0
RP178: 1/3/2009 10:31:27 AM - Avg8 Update
RP179: 1/3/2009 10:33:09 AM - Avg8 Update
RP180: 1/5/2009 11:17:18 AM - Removed KODAK Gallery Upload Software.
RP181: 1/7/2009 3:33:48 PM - System Checkpoint
RP182: 1/7/2009 4:31:20 PM - Avg8 Update
RP183: 1/7/2009 4:33:25 PM - Avg8 Update
RP184: 1/8/2009 9:17:16 AM - Removed Pocket Controller-Enterprise
RP185: 1/9/2009 2:44:17 PM - System Checkpoint

==== Installed Programs ======================

Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.9
Apple Mobile Device Support
Apple Software Update
AVG Free 8.0
Bonjour
Broadcom ASF Management Applications
Broadcom Gigabit Integrated Controller
Broadcom Management Programs
Brother MFL-Pro Suite
CCleaner (remove only)
Comprise
Counter-Strike 1.6
Folder Lock
FSC Rater CA Workstation
FSC Rater Component
FSCToInfinityWeb
HawkSoft Components
HijackThis 2.0.2
Intel® Graphics Media Accelerator Driver
iTunes
Java™ SE Runtime Environment 6 Update 1
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft ActiveSync
Microsoft Halo
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Mozilla Firefox (3.0.5)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
Nitro PDF Professional
North Coast Life
One Step Bridges CA
OneStep
palmOne
PaperPort
QuickTime
RealPlayer
ScrewDrivers Client v4
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923689)
Softech MVR Bridge - FSC Rater
SoundMAX
Spybot - Search & Destroy
SpywareBlaster 4.1
Viewpoint Media Player
WebEx
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows XP Service Pack 3
WinRAR archiver
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

1/3/2009 10:49:27 AM, error: Dhcp [1002] - The IP address lease 10.0.0.102 for the Network Card with network address 001D09102E90 has been denied by the DHCP server 10.0.0.100 (The DHCP Server sent a DHCPNACK message).
1/5/2009 11:16:18 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
1/13/2009 11:15:08 AM, error: W32Time [34] - The time service has detected that the system time needs to be changed by -518398 seconds. The time service will not change the system time by more than -54000 seconds. Verify that your time and time zone are correct, and that the time source time-a.nist.gov (ntp.m|0x1|10.0.0.102:123->129.6.15.28:123) is working properly.
1/7/2009 5:49:49 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
1/7/2009 5:50:05 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
1/10/2009 9:02:25 AM, error: EventLog [6004] - A driver packet received from the I/O subsystem was invalid. The data is the packet.

==== End Of File ===========================
Go to the top of the page
 
+Quote Post
fenzodahl512
post Jan 14 2009, 04:12 AM
Post #2


Forum Addict
******

Group: HJT Team
Posts: 4,859
Joined: 4-December 07
Member No.: 174,482
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:





  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    -----------------------------------------------------------
  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


--------------------
Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
If you wish to donate for my cause, feel free to hit the button
Currently away until further date.. Indonesia Tour (Java Island) 22 June - 2 July
Go to the top of the page
 
+Quote Post
baca1jr
post Jan 14 2009, 12:42 PM
Post #3


New Member
*

Group: Members
Posts: 4
Joined: 10-January 09
Member No.: 280,808
ComboFix 09-01-13.04 - USER 2009-01-14 9:32:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.563 [GMT -8:00]
Running from: c:\documents and settings\USER\Desktop\Combo-Fix.exe
AV: AVG Internet Security *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\USER\Application Data\NI.GSCNS
c:\documents and settings\USER\Application Data\NI.GSCNS\dl.ini
c:\documents and settings\USER\Application Data\NI.GSCNS\settings.ini
c:\documents and settings\USER\Application Data\SpeedRunner
C:\install.exe
c:\temp\FT62
c:\windows\system32\abpsnxgs.ini
c:\windows\system32\aesyugpn.dll
c:\windows\system32\bdlbpwds.dll
c:\windows\system32\dPI19
c:\windows\system32\dyahsd.dll
c:\windows\system32\frhwbnlh.dll
c:\windows\system32\gbaqdmro.dll
c:\windows\system32\gupgbnag.ini
c:\windows\system32\hphyaayv.ini
c:\windows\system32\jpquaoah.ini
c:\windows\system32\kgarfxkm.ini
c:\windows\system32\mwtpifrr.ini
c:\windows\system32\nglctfdg.dll
c:\windows\system32\nlyqlhhy.dll
c:\windows\system32\olkgjsto.dll
c:\windows\system32\ovvcxnqi.ini
c:\windows\system32\qapmilox.ini
c:\windows\system32\qedggc.dll
c:\windows\system32\qqxess.dll
c:\windows\system32\qtvEOqss.ini
c:\windows\system32\qtvEOqss.ini2
c:\windows\system32\rgrwzd.dll
c:\windows\system32\SrsvDfhk.ini
c:\windows\system32\SrsvDfhk.ini2
c:\windows\system32\szcwrg.dll
c:\windows\system32\vsbytsjx.ini
c:\windows\system32\xcmtua.dll
c:\windows\system32\xwdupoan.ini
c:\windows\system32\ycxjpp.dll
c:\windows\system32\ylmklbov.ini

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_AVG


((((((((((((((((((((((((( Files Created from 2008-12-14 to 2009-01-14 )))))))))))))))))))))))))))))))
.

2009-01-12 09:00 . 2009-01-12 09:00 <DIR> d-------- c:\documents and settings\USER\WINDOWS
2009-01-10 09:10 . 2009-01-10 09:10 <DIR> d-------- c:\program files\Trend Micro
2009-01-03 10:33 . 2009-01-07 16:33 12,552 --a------ c:\windows\system32\drivers\avgrkx86.sys
2009-01-03 09:52 . 2009-01-03 09:52 <DIR> d-------- c:\documents and settings\USER\Application Data\aAvgApi
2009-01-03 09:49 . 2009-01-03 09:54 <DIR> d-------- c:\documents and settings\USER\Application Data\AVGTOOLBAR
2008-12-31 11:27 . 2008-12-31 11:27 0 --a------ c:\windows\QuickInstall.INI
2008-12-31 10:12 . 2008-12-31 10:12 <DIR> d-------- c:\documents and settings\USER\Application Data\Leadertech
2008-12-31 10:08 . 2008-12-31 10:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\HotSync
2008-12-31 10:07 . 2008-12-31 11:30 <DIR> d-------- c:\program files\palmOne
2008-12-31 10:07 . 2008-12-31 10:06 53,248 --a------ c:\windows\PalmDevC.dll
2008-12-31 10:06 . 2008-12-31 10:06 <DIR> d-------- c:\documents and settings\USER\Application Data\HotSync
2008-12-29 17:28 . 2008-12-29 17:28 <DIR> d-------- c:\program files\SpywareBlaster
2008-12-27 12:56 . 2007-08-14 17:02 82,248 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-12-27 12:56 . 2007-08-14 17:02 57,672 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-12-27 12:56 . 2007-08-14 17:02 40,264 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-12-27 12:56 . 2007-08-14 17:02 29,000 --a------ c:\windows\system32\drivers\kcom.sys
2008-12-27 12:55 . 2008-12-27 12:55 <DIR> d-------- c:\documents and settings\USER\Application Data\PC Tools
2008-12-27 12:55 . 2005-09-23 07:29 626,688 --a------ c:\windows\system32\msvcr80.dll
2008-12-17 19:42 . 2008-12-27 08:57 <DIR> d-------- C:\QUARANTINE
2008-12-17 16:40 . 2008-12-17 16:40 <DIR> d-------- c:\program files\Common Files\Cisco Systems
2008-12-17 16:40 . 2008-12-18 15:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-12-17 16:40 . 2006-12-19 15:06 1,495,552 --a------ c:\windows\system32\epoPGPsdk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-08 19:39 --------- d-----w c:\program files\North Coast Life
2009-01-08 17:22 --------- d-----w c:\program files\Folder Lock
2009-01-08 17:17 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-08 17:05 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-01-08 00:33 324,872 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-08 00:33 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-04 00:22 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-31 20:42 --------- d-----w c:\documents and settings\USER\Application Data\1.0.0.0
2008-12-31 18:06 16,694 ----a-w c:\windows\system32\drivers\PalmUSBD.sys
2008-12-30 01:17 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-27 21:15 --------- d-----w c:\program files\Microsoft ActiveSync
2008-12-10 23:32 --------- d-----w c:\program files\Common
2008-12-10 21:39 --------- d-----w c:\program files\Counter-Strike 1.6
2008-12-09 22:16 --------- d-----w c:\documents and settings\USER\Application Data\DiskAid
2008-12-09 20:47 --------- d-----w c:\documents and settings\USER\Application Data\Yahoo!
2008-12-09 00:38 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-03 16:58 --------- d-----w c:\program files\Yahoo!
2008-12-02 17:08 --------- d-----w c:\documents and settings\USER\Application Data\Twain
2008-11-25 17:20 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-22 22:11 73,216 ----a-w c:\windows\ST6UNST.EXE
2008-11-22 22:11 286,720 ------w c:\windows\Setup1.exe
2008-11-22 17:22 --------- d-----w c:\program files\Lavasoft
2008-11-22 17:22 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-29 17:41 27,976 ----a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-12-29 17:41 125,848 ----a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-12-29 17:41 98,712 ----a-w c:\program files\mozilla firefox\plugins\ieatgpc.dll
2008-09-11 01:00 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091020080911\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-08-01 1036288]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-05 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-05 137752]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-11-11 995328]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-07 1601304]
"Nitro PDF Printer Monitor"="c:\program files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe" [2008-06-04 210208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-07 16:33 10520 c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=c:\windows\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^USER^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=c:\documents and settings\USER\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=c:\windows\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
--a------ 2008-05-22 09:36 2468200 c:\program files\Lavasoft\Ad-Aware\Ad-Watch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 12:39 1289000 c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-09-08 22:02 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 02:43 83608 c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-05-13 13:43 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Counter-Strike 1.6\\hl.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-04 324872]
R4 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [2007-06-20 79168]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-04 298264]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-05-09 24652]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe --> c:\program files\Spyware Doctor\svcntaux.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c143654c-5d03-11dd-bdd8-001d09102e90}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e43dbed6-7f67-11dd-bdf0-001d09102e90}]
\Shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-14 c:\windows\Tasks\nlkrfcij.job
- c:\windows\system32\rundll32.exe [2008-04-13 16:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{383C74EA-157A-4AB3-8DDB-CB89F18BB26C} - c:\windows\system32\ssqOEvtq.dll
BHO-{63e7045e-b890-4378-967e-71e7c571e770} - c:\windows\system32\jsjnpf.dll
BHO-{A6575304-ECD0-4BD2-BCDD-F757AD1D5603} - (no file)
HKLM-Run-7c3410a6 - c:\windows\system32\vyaayhph.dll
Notify-pmnnKCrp - pmnnKCrp.dll


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
FF - ProfilePath - c:\documents and settings\USER\Application Data\Mozilla\Firefox\Profiles\6vindh6z.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-14 09:35:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-01-14 9:37:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-14 17:37:04

Pre-Run: 61,659,418,624 bytes free
Post-Run: 61,602,668,544 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

233 --- E O F --- 2008-12-19 01:58:06

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:15 AM, on 1/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Nitro PDF Printer Monitor] "C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\swdsvc.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7252 bytes
Go to the top of the page
 
+Quote Post
fenzodahl512
post Jan 15 2009, 01:43 AM
Post #4


Forum Addict
******

Group: HJT Team
Posts: 4,859
Joined: 4-December 07
Member No.: 174,482
Please show hidden files and folders


Find these files/folders and delete them manually..

c:\documents and settings\USER\Application Data\Twain
c:\windows\Tasks\nlkrfcij.job


Please uninstall Viewpoint from the computer



Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.





Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic



Post me these logs in your next reply..

1. Malwarebytes'
2. ESET Online
3. Tell me, how's the computer now? smile.gif


--------------------
Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
If you wish to donate for my cause, feel free to hit the button
Currently away until further date.. Indonesia Tour (Java Island) 22 June - 2 July
Go to the top of the page
 
+Quote Post
baca1jr
post Jan 15 2009, 01:26 PM
Post #5


New Member
*

Group: Members
Posts: 4
Joined: 10-January 09
Member No.: 280,808
MY COMPUTER IS RUNNING 100% BETTER AND NO POP UPS THANKS A LOT NOW I KNOW WHO TO GO TO IF I HAVE ANY PROBLEMS.

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3769 (20090115)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=85bc1a1c4092e441a1462d40c5279805
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-01-15 06:21:07
# local_time=2009-01-15 10:21:07 (-0800, Pacific Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=169151
# found=2
# scan_time=1855
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\InternetSpeedMonitor1.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000


Malwarebytes' Anti-Malware 1.33
Database version: 1656
Windows 5.1.2600 Service Pack 3

1/15/2009 9:45:50 AM
mbam-log-2009-01-15 (09-45-50).txt

Scan type: Full Scan (C:\|)
Objects scanned: 103918
Time elapsed: 36 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Go to the top of the page
 
+Quote Post
fenzodahl512
post Jan 16 2009, 12:28 AM
Post #6


Forum Addict
******

Group: HJT Team
Posts: 4,859
Joined: 4-December 07
Member No.: 174,482
Awesome!!.. Lets do some cleanup.. smile.gif


Please download OTCleanIt and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes




Please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread smile.gif



Have a safe and happy computing day!


Regards
fenzodahl512


--------------------
Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
If you wish to donate for my cause, feel free to hit the button
Currently away until further date.. Indonesia Tour (Java Island) 22 June - 2 July
Go to the top of the page
 
+Quote Post
baca1jr
post Jan 16 2009, 12:58 PM
Post #7


New Member
*

Group: Members
Posts: 4
Joined: 10-January 09
Member No.: 280,808
MY COMPUTER IS RUNNING WAY BETTER ITS FASTER AND NO POP UPS WHAT SO EVER thumbup2.gif AND THANK YOU fenzodahl512 FOR UR HELP thumbup.gif
Go to the top of the page
 
+Quote Post
fenzodahl512
post Jan 16 2009, 01:28 PM
Post #8


Forum Addict
******

Group: HJT Team
Posts: 4,859
Joined: 4-December 07
Member No.: 174,482
You are very welcome, I'm glad that we could help.

I will now close this topic. If you need this topic to be re-open, please pm me or Moderators regarding the matter..

If you have any new malware related questions or issues in the future please start a new topic.

Cheers and Happy Computing !

fenzodahl512


--------------------
Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
If you wish to donate for my cause, feel free to hit the button
Currently away until further date.. Indonesia Tour (Java Island) 22 June - 2 July
Go to the top of the page
 
+Quote Post
« Next Oldest · HijackThis Logs and Virus/Trojan/Spyware/Malware Removal · Next Newest »
 

Closed TopicStart new topic
1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)
0 Members:

 

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version Time is now: 4th July 2009 - 10:16 PM


Advertise   |   About Us   |   Terms of Use   |   Privacy Policy   |   Contact Us   |   Site Map   |   Chat   |   Tutorials   |   Uninstall List   |   Virus Removal Guides
Discussion Forums   |   The Computer Glossary   |   Resources   |   RSS Feeds   |   Startups   |   The File Database   |   Malware Removal Guides Archive

© 2003-2009 All Rights Reserved Bleeping Computer LLC.

Powered By IP.Board © 2009  IPS, Inc.