
Constant Fake Warnings Of Trojans, Spyware, And Viruses


This topic is locked
4 replies to this topic

#1 iramos

  • Members
  • 2 posts

Posted 15 November 2007 - 02:23 PM

I keep getting constant warnings of trojans or viruses in my computer. Then it opens many web pages offering all sorts of software to fix my "problem". Scanned with Avast and AVG.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:10:35 PM, on 11/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Irmarie\Desktop\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0d93c2d8-a7e6-46a3-a01b-b06a985a3cc3} - C:\WINDOWS\system32\glwvove.dll
O2 - BHO: {75b8f811-0c21-a4c8-a054-98884fc1ca33} - {33ac1cf4-8889-450a-8c4a-12c0118f8b57} - C:\WINDOWS\system32\xasaliav.dll (file missing)
O2 - BHO: (no name) - {4CB8F4B4-5F66-4D9E-BC3B-184596A58824} - C:\WINDOWS\system32\awtrrst.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CoolBHO - {5C2A9795-B130-4622-B036-BDCAD28602DC} - C:\Program Files\Cool\Cool.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {80929DCF-AC48-45D9-91A1-430D7F3D3076} - C:\Program Files\Messenger\mexobafimC:\WINDOWS\system32\h2\jumper83122.exe.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\kbvdjgqs.dll (file missing)
O2 - BHO: (no name) - {EE7F5020-0D30-4D0A-8354-975426797FF2} - C:\Program Files\Messenger\mexobafimC:\DOCUME~1\Irmarie\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O2 - BHO: (no name) - {F84A5AD5-5524-446C-92E6-BC3A70108B10} - C:\WINDOWS\system32\vtstq.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\kbvdjgqs.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyBackgoundBanking] "C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Launch Microsoft Office Outlook.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
O4 - Startup: Mozilla Firefox.lnk = C:\Program Files\Mozilla Firefox\firefox.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MyPoints - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Point Alert - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://my.netzero.net/s/sp?r=al&cf=sp
O15 - Trusted Zone: *.taxsoftware.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase2895.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: awtrrst - awtrrst.dll (file missing)
O20 - Winlogon Notify: kbvdjgqs - kbvdjgqs.dll (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

--
End of file - 8169 bytes


#2 teacup61 (Bleepin' Texan!)

  • Malware Response Team
  • 17,075 posts
  • Gender: Female
  • Location: Wills Point, Texas

Posted 15 November 2007 - 03:21 PM

Hello iramos,

Welcome to Bleeping Computer :thumbsup:

First you should know that you're actually doing more harm than good by running two anti-virus programs (AVG and Avast!). When you do this, both programs compete for resources, and the end result is that neither does its best, and it can cause system instability. I recommend that you choose the one you want to keep, update it, disable the other one, and use it only as an on-demand scanner occasionally.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: (no name) - {0d93c2d8-a7e6-46a3-a01b-b06a985a3cc3} - C:\WINDOWS\system32\glwvove.dll
O2 - BHO: {75b8f811-0c21-a4c8-a054-98884fc1ca33} - {33ac1cf4-8889-450a-8c4a-12c0118f8b57} - C:\WINDOWS\system32\xasaliav.dll (file missing)
O2 - BHO: (no name) - {4CB8F4B4-5F66-4D9E-BC3B-184596A58824} - C:\WINDOWS\system32\awtrrst.dll (file missing)
O2 - BHO: CoolBHO - {5C2A9795-B130-4622-B036-BDCAD28602DC} - C:\Program Files\Cool\Cool.dll (file missing)
O2 - BHO: (no name) - {80929DCF-AC48-45D9-91A1-430D7F3D3076} - C:\Program Files\Messenger\mexobafimC:\WINDOWS\system32\h2\jumper83122.exe.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\kbvdjgqs.dll (file missing)
O2 - BHO: (no name) - {EE7F5020-0D30-4D0A-8354-975426797FF2} - C:\Program Files\Messenger\mexobafimC:\DOCUME~1\Irmarie\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O2 - BHO: (no name) - {F84A5AD5-5524-446C-92E6-BC3A70108B10} - C:\WINDOWS\system32\vtstq.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\kbvdjgqs.dll (file missing)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: awtrrst - awtrrst.dll (file missing)
O20 - Winlogon Notify: kbvdjgqs - kbvdjgqs.dll (file missing)


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks,
tea

Edited by teacup61, 15 November 2007 - 03:22 PM.

Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?
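As an added example (not code from this thread, from HijackThis or from ComboFix), the script below parses the O2/O3/O6/O9/O20 line shapes used in the log above and flags the same classes of entry tea asked to have fixed: hooks whose DLL is missing, unnamed BHOs that are not on a known-good list, paths with two drive roots glued together, a populated AppInit_DLLs value, and the IE policy restriction. The sample lines are copied from the first post; the known-good list is an assumption built from the entries tea left alone.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Every HijackThis entry in the log above has the shape "Oxx - <body>".
ENTRY_RE = re.compile(r"^(?P<section>O\d+)\s+-\s+(?P<body>.+)$")
# O2/O3/O9 browser hooks: "<kind>: <name> - {CLSID} - <path>"
HOOK_RE = re.compile(r"^(?P<kind>[^:]+):\s+(?P<name>.*?)\s+-\s+(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s+-\s+(?P<path>.+)$")
# Assumption: the hooks tea left alone (Adobe's named BHO, Spybot's SDHelper, DriveLetterAccess) stand in for a known-good list.
KNOWN_GOOD_DLLS = {"acroiehelper.dll", "sdhelper.dll", "tfswshx.dll"}

@dataclass
class Entry:
    section: str        # O2, O3, O6, O9, O20, ...
    kind: str           # BHO, Toolbar, AppInit_DLLs, Winlogon Notify, ...
    name: str           # display name, "(no name)", or the Winlogon Notify key
    clsid: Optional[str]
    path: str           # file HijackThis resolved the entry to
    file_missing: bool  # HijackThis appended "(file missing)" or "(no file)"
    raw: str

def parse_entry(line: str) -> Optional[Entry]:
    """Split one HijackThis O-line into fields; returns None for anything else."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    missing = body.endswith("(file missing)") or body.endswith("(no file)")
    body = body.replace(" (file missing)", "")
    hook = HOOK_RE.match(body)
    if hook:
        return Entry(section, hook["kind"], hook["name"], hook["clsid"], hook["path"], missing, line)
    kind, sep, value = body.partition(": ")
    if not sep:  # e.g. "O6 - HKCU\...\Control Panel present": the body is the whole item
        return Entry(section, body, "", None, "", missing, line)
    name = ""
    if section == "O20":  # "Winlogon Notify: <key> - <dll>" has a name; "AppInit_DLLs: <path>" does not
        key, dash, dll = value.rpartition(" - ")
        if dash:
            name, value = key, dll
    return Entry(section, kind, name, None, value, missing, line)

def triage(entry: Entry) -> List[str]:
    """Reasons an entry deserves review, mirroring what the analyst in the thread acted on."""
    reasons = []
    dll = entry.path.rsplit("\\", 1)[-1].lower()
    if entry.file_missing:
        reasons.append("points at a file that no longer exists (stale or half-removed hook)")
    if entry.section in ("O2", "O3") and entry.name == "(no name)" and dll not in KNOWN_GOOD_DLLS:
        reasons.append("unnamed browser hook not on the known-good list")
    if entry.path.count(":\\") > 1:
        reasons.append("malformed path: two drive roots glued together")
    if entry.section == "O20" and entry.kind == "AppInit_DLLs" and entry.path:
        reasons.append("AppInit_DLLs loads into every process that uses user32.dll; rarely legitimate")
    if entry.section == "O6":
        reasons.append("Internet Explorer policy restriction is set; confirm who set it")
    return reasons

def review_log(text: str) -> List[Tuple[str, List[str]]]:
    """Triage a whole log; returns (raw line, reasons) for flagged entries only."""
    findings = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is not None and triage(entry):
            findings.append((entry.raw, triage(entry)))
    return findings

# Sample input: lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0d93c2d8-a7e6-46a3-a01b-b06a985a3cc3} - C:\WINDOWS\system32\glwvove.dll
O2 - BHO: {75b8f811-0c21-a4c8-a054-98884fc1ca33} - {33ac1cf4-8889-450a-8c4a-12c0118f8b57} - C:\WINDOWS\system32\xasaliav.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {80929DCF-AC48-45D9-91A1-430D7F3D3076} - C:\Program Files\Messenger\mexobafimC:\WINDOWS\system32\h2\jumper83122.exe.dll (file missing)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: awtrrst - awtrrst.dll (file missing)
"""

if __name__ == "__main__":
    for raw, reasons in review_log(SAMPLE_LOG):
        print(raw)
        for reason in reasons:
            print("    ->", reason)
```

Of the nine sample lines, the Adobe and SDHelper BHOs come back clean and the other seven are flagged, which matches the fix list tea posted.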

#3 iramos (Topic Starter)

  • Members
  • 2 posts

Posted 15 November 2007 - 05:37 PM

Thanks tea, I think that did it. Here is the report. By the way, what do you recommend I keep, Avast! or AVG?
Here are the logs:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:17:08 PM, on 11/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Irmarie\Desktop\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autoclose
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyBackgoundBanking] "C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Launch Microsoft Office Outlook.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
O4 - Startup: Mozilla Firefox.lnk = C:\Program Files\Mozilla Firefox\firefox.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MyPoints - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Point Alert - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://my.netzero.net/s/sp?r=al&cf=sp
O15 - Trusted Zone: *.taxsoftware.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase2895.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 6390 bytes

ComboFix 07-11-08.3 - Irmarie 2007-11-15 15:19:26.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.391 [GMT -7:00]
Running from: C:\Documents and Settings\Irmarie\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\irmarie\favorites\Online Security Guide.lnk
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\f1
C:\WINDOWS\system32\h2
C:\WINDOWS\system32\kbvdjgqs.dllbox
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\m1
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\r2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-10-15 to 2007-11-15 )))))))))))))))))))))))))))))))
.

2007-11-15 15:18 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-15 15:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-15 14:39 83,096 --a------ C:\WINDOWS\SYSTEM32\SSSensor.dll
2007-11-15 14:39 60,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Teefer.sys
2007-11-15 14:39 21,075 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wpsdrvnt.sys
2007-11-15 14:39 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg6n.sys
2007-11-15 14:39 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg5n.sys
2007-11-15 14:39 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg4n.sys
2007-11-15 14:39 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg3n.sys
2007-11-15 14:38 <DIR> d-------- C:\Program Files\Sygate
2007-11-15 13:57 <DIR> d-------- C:\Documents and Settings\Irmarie\.housecall6.6
2007-11-15 12:29 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-15 12:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-15 12:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-15 10:52 <DIR> d-------- C:\Program Files\CCleaner
2007-11-14 23:35 1,908 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-11-14 23:34 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2007-11-14 23:34 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-11-14 23:34 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-11-14 23:34 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-11-14 23:34 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2007-11-13 18:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-11-13 18:11 449,097 --ahs---- C:\WINDOWS\SYSTEM32\qtstv.ini2
2007-11-13 18:06 339 --a------ C:\WINDOWS\17PHolmes1000106.exe
2007-11-13 18:06 334 --a------ C:\WINDOWS\17PHolmes77.exe
2007-11-13 18:05 <DIR> d-------- C:\WINDOWS\SYSTEM32\rMa02yy
2007-11-13 18:05 <DIR> d-------- C:\temp\abW9
2007-11-13 17:38 <DIR> d--h----- C:\WINDOWS\PIF
2007-11-11 12:47 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2007-11-11 12:47 94,416 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2007-11-11 12:47 93,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2007-11-11 12:47 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2007-11-11 12:47 26,624 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2007-11-11 12:47 23,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2007-11-11 12:46 <DIR> d-------- C:\Program Files\Alwil Software
2007-11-11 12:46 815,480 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2007-10-15 18:34 <DIR> d----c--- C:\{8001BA8A-0000-0000-834A-3ECFF82696F2}
2007-10-15 09:42 <DIR> d-------- C:\Program Files\Windows Live Safety Center

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-15 18:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-10 00:51 --------- d-----w C:\Documents and Settings\Irmarie\Application Data\Canon
2007-11-09 17:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-09 17:36 --------- d-----w C:\Program Files\Macromedia
2007-11-09 17:36 --------- d-----w C:\Program Files\Common Files\Macromedia
2007-11-03 05:49 --------- d-----w C:\Program Files\Coupons
2007-10-26 02:35 --------- d-----w C:\Documents and Settings\Irmarie\Application Data\Move Networks
2007-10-15 05:35 --------- d-----w C:\Documents and Settings\Irmarie\Application Data\Uniblue
2007-10-15 02:16 --------- d-----w C:\Program Files\Palm
2007-10-13 22:01 --------- d-----w C:\Program Files\DivX
2007-10-05 05:01 --------- d-----w C:\Documents and Settings\Irmarie\Application Data\Tutor.com
2007-09-25 16:31 --------- d-----w C:\Program Files\Microsoft Money Plus
2007-09-25 16:11 --------- d-----w C:\Documents and Settings\Irmarie\Application Data\Intuit
2007-09-25 16:10 --------- d-----w C:\Program Files\Intuit
2007-09-25 16:10 --------- d-----w C:\Program Files\Common Files\supportsoft
2007-09-25 15:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2007-09-25 15:53 --------- d-----w C:\Program Files\Common Files\Intuit
2007-09-25 15:52 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2007-09-25 15:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\COMMON FILES
2007-09-25 15:03 --------- d-----w C:\Program Files\Microsoft Money
2007-09-21 04:31 --------- d-----w C:\Program Files\PayWindow Payroll
2007-09-21 04:31 --------- d-----w C:\Documents and Settings\Irmarie\Application Data\paywin
2007-09-19 16:03 --------- d-----w C:\Program Files\Dell
2007-09-17 19:54 --------- d-----w C:\Program Files\Microsoft Calculator Plus
2007-09-15 21:48 --------- d-----w C:\Program Files\Common Files\Scanner
2007-09-15 21:47 --------- d-----w C:\Documents and Settings\Irmarie\Application Data\Netscape
2007-09-15 19:31 --------- d-----w C:\Program Files\Google
2007-09-15 19:25 --------- d-----w C:\Program Files\Jasc Software Inc
2007-09-15 06:47 --------- d-----w C:\Program Files\MSXML 4.0
2007-09-15 05:38 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-15 04:50 --------- d-----w C:\Documents and Settings\Irmarie\Application Data\AdobeUM
2007-09-15 04:38 --------- d-----w C:\Program Files\Windows Defender
2004-04-04 05:18 44,896 -c--a-w C:\Documents and Settings\Irmarie\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-30 07:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-03-23 02:12]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-10-25 08:20]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2005-05-31 00:04]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MoneyBackgoundBanking"="C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe" [2007-07-25 08:15]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\Irmarie\Start Menu\Programs\Startup\
Launch Microsoft Office Outlook.lnk - C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE [2006-11-23 20:56:04]
Mozilla Firefox.lnk - C:\Program Files\Mozilla Firefox\firefox.exe [2007-11-11 13:23:42]

S3 Nef216o;Nef216o;C:\WINDOWS\System32\drivers\RIO8DRV.SYS

.
Contents of the 'Scheduled Tasks' folder
"2005-06-18 15:59:42 C:\WINDOWS\Tasks\EarthLink TotalAccess.job"
- C:\PROGRA~1\EARTHL~2\TaskPanl.exe
"2007-11-15 21:44:04 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-11-12 16:54:41 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
"2007-11-14 19:02:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-09-15 19:02:03 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 15:24:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-15 15:26:06 - machine was rebooted
.
--- E O F ---

#4 teacup61 (Bleepin' Texan!)

  • Malware Response Team
  • 17,075 posts
  • Gender: Female
  • Location: Wills Point, Texas

Posted 15 November 2007 - 06:14 PM

Hello,

Both are really good. :thumbsup: Personally I use Avast!, but I've not ever had a problem with AVG either.

Thanks tea, I think that did it.

You're most welcome, and incredibly I think that did it too. :blink: It usually isn't that easy to get rid of. This stuff is really nasty these days, but I think we got it all in one go! :wacko:

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

You've got some good protection in place, so I'll spare you my usual schpiel. :)

Some good reading here: http://mvps.org/winhelp2002/unwanted.htm

Take care!
tea

#5 teacup61 (Bleepin' Texan!)

  • Malware Response Team
  • 17,075 posts
  • Gender: Female
  • Location: Wills Point, Texas

Posted 02 December 2007 - 02:33 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



