Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde And Lop


  • This topic is locked This topic is locked
12 replies to this topic

#1 LaurenC

LaurenC

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:42 AM

Posted 28 February 2008 - 09:27 PM

Hello. My daughter asked for my help with her computer. It has a virus and her Internet Explorer was "hijacked." I think I have fixed the hijacked browser, but I believe there is still a virus. I appreciate your help. I did not write everything down the first day I worked on the problem, but here is what I did to the best of my memory:

Ran Ad-Aware 2007 and removed whatever it found.
AVG Free Anti-Virus. It found Virtumonde, Win32.Dialer.Trojan, and Virus Found: Lop.

I then ran these programs:

Ccleaner
ATF Cleaner
AVG Anti-Spyware
Vundofix.exe

I changed the file Hijackthis.exe to HJT.exe

I found your website and did the following:

Ran Ad-Aware 2007. It found nothing. I rebooted, ran it again, still found nothing.

Ran Spybot Search and Destroy, it found nothing.

Ran Housecall 6.6. It found TROJ_VUNDO.ANT (4 infections) and SPYWARE_KEYL_ACTIVEKEY
After I chose "Clean Now" the TROJ_VUNDO.ANT still showed as having 4 infections.

Ran Panda Anti-Virus. It found Virtumonde and Atwola. It did not appear to have a choice to clean these up without paying.

Ran BitDefender. It disinfected several files except for one: "Delete failed: C:\windows\system32\khfdddb.dll. Disinfection Failed"

(during this time AVG Free Anti-Virus was popping up Threats and I was moving them to the vault)

Ran AVG Free. 4 threats found (Virus found: Lop). I moved them to the vault.

Turned off system restore.

Ran MacAfee Stinger

Here is my Hijack This Log (I changed the filename Hijackthis.exe to HJT.exe)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:01:59 PM, on 2/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ad-Aware 2007\aawservice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\HijackThis\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Use ViDown to download - C:\Program Files\ViDown\vd_link.htm
O8 - Extra context menu item: 用维棠(ViDown)下载视频 - C:\PROGRA~1\VIDOWN~1\vd_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Refresher - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Documents and Settings\HP_Owner\Desktop\Gaia Refresher\Refresher (file missing)
O9 - Extra 'Tools' menuitem: &Refresher - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Documents and Settings\HP_Owner\Desktop\Gaia Refresher\Refresher (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1161480641328
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O21 - SSODL: zip - {38d04754-60d8-49f6-af87-f5c2a4ba6069} - C:\WINDOWS\Installer\{38d04754-60d8-49f6-af87-f5c2a4ba6069}\zip.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7105 bytes


Thank you in advance for your help with my daugter's computer.

Lauren

BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:02:42 PM

Posted 29 February 2008 - 04:22 PM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 LaurenC

LaurenC
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:42 AM

Posted 29 February 2008 - 09:47 PM

Hi,

I ran ComboFix (it hung 2x and I had to reboot, but 3rd time it worked).

Below are the ComboFix Log and Hijack This Log.

Thank you,
Lauren

ComboFix 08-03-01 - HP_Owner 2008-02-29 21:34:27.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.691 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\bbeeg.ini
C:\WINDOWS\system32\bbeeg.ini2
C:\WINDOWS\system32\gxfoubkq.ini
C:\WINDOWS\system32\khfdddb.dll
C:\WINDOWS\system32\oTt02e
C:\WINDOWS\system32\qaggqnpx.ini
C:\WINDOWS\system32\qiphsdbc.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\ntload


((((((((((((((((((((((((( Files Created from 2008-02-01 to 2008-03-01 )))))))))))))))))))))))))))))))
.

2008-02-29 19:07 . 2004-08-04 06:00 388,608 --a------ C:\CF19946.exe
2008-02-27 21:15 . 2008-02-28 00:50 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-02-27 19:38 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\olsnuvbrdrgv.sys
2008-02-27 19:27 . 2008-02-27 22:29 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-27 19:27 . 2008-02-27 21:11 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-27 19:27 . 2008-02-27 21:11 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-27 19:27 . 2008-02-27 21:11 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-27 16:00 . 2007-08-01 16:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-27 15:56 . 2008-02-27 21:16 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\HouseCall 6.6
2008-02-26 23:34 . 2008-02-27 21:38 <DIR> d-------- C:\Program Files\AVG Anti-Spyware 7.5
2008-02-26 23:34 . 2008-02-26 23:34 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Grisoft
2008-02-26 23:34 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-26 10:09 . 2008-02-26 10:09 <DIR> d-------- C:\Program Files\CCleaner
2008-02-24 23:22 . 2005-01-03 18:41 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-02-24 23:22 . 2005-01-03 19:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-02-24 23:22 . 2005-01-03 18:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-02-24 23:22 . 2005-01-03 18:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-02-22 18:40 . 2008-02-27 19:20 <DIR> d-------- C:\VundoFix Backups
2008-02-19 23:52 . 2008-02-27 21:37 <DIR> d-------- C:\Program Files\Ad-Aware 2007
2008-02-19 23:52 . 2008-02-19 23:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-19 19:56 . 2008-02-19 19:56 94 --a------ C:\WINDOWS\wininit.ini
2008-02-19 17:41 . 2008-02-19 17:41 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-17 16:03 . 2008-02-17 16:03 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-17 16:03 . 2008-02-17 16:03 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-28 05:53 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\AVG7
2008-02-28 02:54 --------- d-----w C:\Program Files\Spybot
2008-02-28 02:38 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-28 02:12 --------- d-----w C:\Program Files\Norton AntiVirus
2008-02-27 20:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-02-27 18:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-26 20:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-24 21:18 3,644 ----a-w C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2008-02-20 20:35 --------- d-----w C:\Program Files\Symantec
2008-02-20 04:52 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Lavasoft
2008-02-20 04:51 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-19 00:19 --------- d-----w C:\Program Files\Mp3 Convert
2008-02-14 21:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-30 20:07 --------- d-----w C:\Program Files\Ventrilo
2008-01-27 06:53 --------- d-----w C:\Program Files\-Fanfiction-
2008-01-26 00:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-01-17 21:03 --------- d-----w C:\Program Files\Black Isle
2008-01-13 17:13 --------- d-----w C:\Program Files\World of Warcraft
2008-01-09 20:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-03-09 07:12 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
2007-10-20 17:59 409,682 --sh--w C:\WINDOWS\system32\mlkkj.bak2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-20 20:07 7110656]
"!AVG Anti-Spyware"="C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-27 13:03 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-27 13:02 219136]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"zip"= {38d04754-60d8-49f6-af87-f5c2a4ba6069} - C:\WINDOWS\Installer\{38d04754-60d8-49f6-af87-f5c2a4ba6069}\zip.dll [ ]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=C:\WINDOWS\pss\HP Organize.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8c7f87e7]
C:\WINDOWS\system32\xpnqggaq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2004-06-29 12:06 88363 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2004-07-20 12:22 57344 C:\WINDOWS\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
--a------ 2004-07-28 20:34 2551808 C:\WINDOWS\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-02-27 13:03 579072 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2004-08-13 15:17 58488 c:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
--------- 2004-12-02 18:23 102400 C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 06:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2004-03-18 02:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2006-10-06 12:13 114688 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
--a------ 2004-06-07 13:42 659456 C:\WINDOWS\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
--a------ 2004-06-07 13:53 49152 c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 11:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2006-10-06 12:11 98304 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
c:\Program Files\Common Files\Symantec Shared\cfgwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-04-17 22:41 196608 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-04-13 16:07 69632 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2004-06-04 22:38 286720 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2003-02-11 15:02 61440 C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
--a------ 2004-10-14 16:54 253952 c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MalwareAlarm]
C:\Program Files\MalwareAlarm\MalwareAlarm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSDisp32]
C:\WINDOWS\system32\drvvab.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSDrive]
C:\WINDOWS\system32\drvcoz.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
--a------ 2004-08-17 17:36 132248 c:\Program Files\Norton AntiVirus\CfgWiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2005-07-20 20:07 7110656 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2005-07-20 20:07 86016 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-07-20 20:07 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2006-10-06 12:10 94208 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2002-10-16 11:57 81920 C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-01-03 18:40 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2004-04-14 15:43 233472 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2003-12-18 03:31 118784 C:\Windows\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
C:\WINDOWS\system32\winupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\tsitra1000106.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-07-28 19:40 77824 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
--a------ 2004-08-05 12:23 218240 c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-01-03 18:11 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-11-27 18:29 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a------ 2004-11-10 23:15 111816 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]
C:\Program Files\WinAble\winable.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-05-14 17:22 35328 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{F8-87-74-48-ZN}]
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\thinksnet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SPBBCSvc"=3 (0x3)
"SNDSrvc"=3 (0x3)
"SAVScan"=3 (0x3)
"ose"=3 (0x3)
"iPodService"=3 (0x3)
"SymWSC"=2 (0x2)
"NPFMntor"=2 (0x2)
"navapsvc"=2 (0x2)
"MDM"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
"wuauserv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\Games\\Sacred Underworld\\sacred.exe"=
"C:\\Games\\Sacred\\Sacred.exe"=
"C:\\Games\\Sacred Underworld\\gameserver.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Games\\Baldurs Gate II\\BGMain.exe"=
"C:\\Games\\Neverwinter Nights Diamond\\nwmain.exe"=
"C:\\Games\\Neverwinter Nights Diamond\\nwserver.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"C:\\Games\\Warcraft III\\Frozen Throne.exe"=
"C:\\Games\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"C:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"C:\\Program Files\\Teamspeak2_RC2\\server_windows.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:WarCraft III Battle.net
"4000:TCP"= 4000:TCP:Diablo II Lord Of Destruction

R1 SSHDRV85;SSHDRV85;C:\WINDOWS\system32\drivers\SSHDRV85.sys [2006-10-21 23:00]
S3 dsreader;MaxDrive Driver (dsreader.sys);C:\WINDOWS\system32\Drivers\dsreader.sys [2001-01-02 23:53]
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys [2004-10-19 15:02]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2006-12-21 03:30:00 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
"2008-03-01 02:38:45 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-02-28 08:00:00 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-29 21:39:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 2008-02-29 21:41:21 - machine was rebooted [HP_Owner]
ComboFix-quarantined-files.txt 2008-03-01 02:41:18
.
2008-02-20 00:36:04 --- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:30 PM, on 2/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Use ViDown to download - C:\Program Files\ViDown\vd_link.htm
O8 - Extra context menu item: 用维棠(ViDown)下载视频 - C:\PROGRA~1\VIDOWN~1\vd_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Refresher - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Documents and Settings\HP_Owner\Desktop\Gaia Refresher\Refresher (file missing)
O9 - Extra 'Tools' menuitem: &Refresher - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Documents and Settings\HP_Owner\Desktop\Gaia Refresher\Refresher (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1161480641328
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O21 - SSODL: zip - {38d04754-60d8-49f6-af87-f5c2a4ba6069} - C:\WINDOWS\Installer\{38d04754-60d8-49f6-af87-f5c2a4ba6069}\zip.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6371 bytes

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:02:42 PM

Posted 01 March 2008 - 01:24 AM

Hi,

Do you still have Symantec/Norton installed? Because I see some related services disabled via msconfig. The same goes for AVG... You disabled it there via msconfig as well, but they are running anyway. Keep in mind, if you disable your Antivirus, it won't be able to protect you from malware, that's why you always need to enable it.

Also, not sure if Norton is still installed here, because you need to uninstall it since you already have AVG running - this since more than 1 antivirus are not compatible, even though you disabled one.
Anyway, we'll also delete the msconfig entries related with Norton.

And.... Did you set this in your Windows Security Center to disable the notifications if your Antivirus is not running and to disable the notification related with Windows update? Please let me know in your next reply as well.
I also see that you have disabled the wuauserv service, related with Windows updates? Are you aware of this? Please let me know as well.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll <== not required
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O21 - SSODL: zip - {38d04754-60d8-49f6-af87-f5c2a4ba6069} - C:\WINDOWS\Installer\{38d04754-60d8-49f6-af87-f5c2a4ba6069}\zip.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then,

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\pss\TA_Start.lnkStartup
C:\WINDOWS\system32\mlkkj.bak2
Folder::
C:\VundoFix Backups
Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^TA_Start.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8c7f87e7]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MalwareAlarm]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSDisp32]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSDrive]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{F8-87-74-48-ZN}]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SNDSrvc"=-
"SAVScan"=-
"SymWSC"=-
"NPFMntor"=-
"navapsvc"=-
"ccSetMgr"=-
"ccPwdSvc"=-
"ccProxy"=-
"ccEvtMgr"=-


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.

Also, Go to next site:
http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\CF19946.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply.

And, navigate to next file:

C:\WINDOWS\wininit.ini

Rightclick it and open it in notepad. Copy and paste the contents of that file in your next reply as well.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 LaurenC

LaurenC
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:42 AM

Posted 01 March 2008 - 03:54 PM

Hi,

About Norton AV vs. AVG, I think Norton came free for one year with the computer and after that, my daughter deleted it, or tried to. I don't see Norton as an option to delete in Add/Remove Programs. Please let me know what I should do to remove it.

I would like to use AVG Free instead. I tried to update the AVG definitions but AVG said I would need to reinstall it as it was damaged. Should I reinstall it now? I ran msconfig and re-checked one thing that I thought was associated with AVG Free. Please let me know what else I should do.

I changed the Windows Security Center to allow notifications.

Below are the logs and other information you requested.

As always, thank you for your help.

Lauren

ComboFix 08-03-01 - HP_Owner 2008-03-01 15:30:01.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.671 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-02-01 to 2008-03-01 )))))))))))))))))))))))))))))))
.

2008-02-29 19:07 . 2004-08-04 06:00 388,608 --a------ C:\CF19946.exe
2008-02-27 21:15 . 2008-02-28 00:50 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-02-27 19:38 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\olsnuvbrdrgv.sys
2008-02-27 19:27 . 2008-02-27 22:29 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-27 19:27 . 2008-02-27 21:11 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-27 19:27 . 2008-02-27 21:11 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-27 19:27 . 2008-02-27 21:11 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-27 16:00 . 2007-08-01 16:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-27 15:56 . 2008-02-27 21:16 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\HouseCall 6.6
2008-02-26 23:34 . 2008-02-27 21:38 <DIR> d-------- C:\Program Files\AVG Anti-Spyware 7.5
2008-02-26 23:34 . 2008-02-26 23:34 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Grisoft
2008-02-26 23:34 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-26 10:09 . 2008-02-26 10:09 <DIR> d-------- C:\Program Files\CCleaner
2008-02-24 23:22 . 2005-01-03 18:41 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-02-24 23:22 . 2005-01-03 19:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-02-24 23:22 . 2005-01-03 18:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-02-24 23:22 . 2005-01-03 18:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-02-22 18:40 . 2008-02-27 19:20 <DIR> d-------- C:\VundoFix Backups
2008-02-19 23:52 . 2008-02-27 21:37 <DIR> d-------- C:\Program Files\Ad-Aware 2007
2008-02-19 23:52 . 2008-02-19 23:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-19 19:56 . 2008-02-19 19:56 94 --a------ C:\WINDOWS\wininit.ini
2008-02-19 17:41 . 2008-02-19 17:41 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-17 16:03 . 2008-02-17 16:03 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-17 16:03 . 2008-02-17 16:03 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-28 05:53 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\AVG7
2008-02-28 02:54 --------- d-----w C:\Program Files\Spybot
2008-02-28 02:38 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-28 02:12 --------- d-----w C:\Program Files\Norton AntiVirus
2008-02-27 20:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-02-27 18:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-26 20:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-24 21:18 3,644 ----a-w C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2008-02-20 20:35 --------- d-----w C:\Program Files\Symantec
2008-02-20 04:52 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Lavasoft
2008-02-20 04:51 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-19 00:19 --------- d-----w C:\Program Files\Mp3 Convert
2008-02-14 21:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-30 20:07 --------- d-----w C:\Program Files\Ventrilo
2008-01-27 06:53 --------- d-----w C:\Program Files\-Fanfiction-
2008-01-26 00:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-01-20 19:27 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-01-17 21:03 --------- d-----w C:\Program Files\Black Isle
2008-01-13 17:13 --------- d-----w C:\Program Files\World of Warcraft
2008-01-11 18:15 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-01-09 20:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-07 14:37 3,059,200 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 13:07 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-10-07 20:52 43,269 ----a-w C:\WINDOWS\Fonts\moonstar.zip
2007-03-09 07:12 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
2007-10-20 17:59 409,682 --sh--w C:\WINDOWS\system32\mlkkj.bak2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-20 20:07 7110656]
"!AVG Anti-Spyware"="C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-27 13:03 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-27 13:02 219136]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=C:\WINDOWS\pss\HP Organize.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8c7f87e7]
C:\WINDOWS\system32\xpnqggaq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2004-06-29 12:06 88363 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2004-07-20 12:22 57344 C:\WINDOWS\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
--a------ 2004-07-28 20:34 2551808 C:\WINDOWS\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2004-08-13 15:17 58488 c:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
--------- 2004-12-02 18:23 102400 C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 06:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2004-03-18 02:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2006-10-06 12:13 114688 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
--a------ 2004-06-07 13:42 659456 C:\WINDOWS\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
--a------ 2004-06-07 13:53 49152 c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 11:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2006-10-06 12:11 98304 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
c:\Program Files\Common Files\Symantec Shared\cfgwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-04-17 22:41 196608 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-04-13 16:07 69632 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2004-06-04 22:38 286720 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2003-02-11 15:02 61440 C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
--a------ 2004-10-14 16:54 253952 c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MalwareAlarm]
C:\Program Files\MalwareAlarm\MalwareAlarm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSDisp32]
C:\WINDOWS\system32\drvvab.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSDrive]
C:\WINDOWS\system32\drvcoz.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
--a------ 2004-08-17 17:36 132248 c:\Program Files\Norton AntiVirus\CfgWiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2005-07-20 20:07 7110656 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2005-07-20 20:07 86016 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-07-20 20:07 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2006-10-06 12:10 94208 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2002-10-16 11:57 81920 C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-01-03 18:40 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2004-04-14 15:43 233472 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2003-12-18 03:31 118784 C:\Windows\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
C:\WINDOWS\system32\winupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\tsitra1000106.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-07-28 19:40 77824 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
--a------ 2004-08-05 12:23 218240 c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-01-03 18:11 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-11-27 18:29 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a------ 2004-11-10 23:15 111816 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]
C:\Program Files\WinAble\winable.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-05-14 17:22 35328 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{F8-87-74-48-ZN}]
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\thinksnet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SPBBCSvc"=3 (0x3)
"SNDSrvc"=3 (0x3)
"SAVScan"=3 (0x3)
"ose"=3 (0x3)
"iPodService"=3 (0x3)
"SymWSC"=2 (0x2)
"NPFMntor"=2 (0x2)
"navapsvc"=2 (0x2)
"MDM"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
"wuauserv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\Games\\Sacred Underworld\\sacred.exe"=
"C:\\Games\\Sacred\\Sacred.exe"=
"C:\\Games\\Sacred Underworld\\gameserver.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Games\\Baldurs Gate II\\BGMain.exe"=
"C:\\Games\\Neverwinter Nights Diamond\\nwmain.exe"=
"C:\\Games\\Neverwinter Nights Diamond\\nwserver.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"C:\\Games\\Warcraft III\\Frozen Throne.exe"=
"C:\\Games\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"C:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"C:\\Program Files\\Teamspeak2_RC2\\server_windows.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:WarCraft III Battle.net
"4000:TCP"= 4000:TCP:Diablo II Lord Of Destruction

R1 SSHDRV85;SSHDRV85;C:\WINDOWS\system32\drivers\SSHDRV85.sys [2006-10-21 23:00]
S3 dsreader;MaxDrive Driver (dsreader.sys);C:\WINDOWS\system32\Drivers\dsreader.sys [2001-01-02 23:53]
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys [2004-10-19 15:02]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2006-12-21 03:30:00 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
"2008-03-01 20:11:15 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-02-28 08:00:00 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-01 15:32:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-01 15:33:23
ComboFix-quarantined-files.txt 2008-03-01 20:33:21
ComboFix2.txt 2008-03-01 02:41:21
.
2008-02-20 00:36:04 --- E O F ---





Virus Total Results of C:\CF19946.exe:

File has already been analysed:
MD5: eeb024f2c81f0d55936fb825d21a91d6
Date: 02.27.2008 05:15:58 (CET) [>3D]
Results: 0/32
Permalink: analisis/dfa25d727cf9f4669334fa8ab1369026



Wininit.ini:

[rename]
c:\tempjunk9385.tmp=C:\WINDOWS\b122.exe_tobedeleted_old
nul=c:\tempjunk9385.tmp




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:45:10 PM, on 3/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\HijackThis\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Use ViDown to download - C:\Program Files\ViDown\vd_link.htm
O8 - Extra context menu item: 用维棠(ViDown)下载视频 - C:\PROGRA~1\VIDOWN~1\vd_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Refresher - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Documents and Settings\HP_Owner\Desktop\Gaia Refresher\Refresher (file missing)
O9 - Extra 'Tools' menuitem: &Refresher - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Documents and Settings\HP_Owner\Desktop\Gaia Refresher\Refresher (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1161480641328
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5509 bytes

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:02:42 PM

Posted 02 March 2008 - 04:12 AM

Hi,

For some reason, the CFScript didn't work, so let's deal with this in another way...

Open notepad and copy and paste next present in the quotebox below in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^TA_Start.lnk]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8c7f87e7]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MalwareAlarm]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSDisp32]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSDrive]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{F8-87-74-48-ZN}]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SNDSrvc"=-
"SAVScan"=-
"SymWSC"=-
"NPFMntor"=-
"navapsvc"=-
"ccSetMgr"=-
"ccPwdSvc"=-
"ccProxy"=-
"ccEvtMgr"=-

Save this as fix.reg Choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Open notepad and copy and paste next present in the quotebox in it:

@ECHO OFF
IF EXIST log.txt DEL log.txt
ECHO Deleting files>>log.txt
FOR %%g in (
C:\WINDOWS\Fonts\moonstar.zip
C:\WINDOWS\system32\mlkkj.bak2
C:\WINDOWS\wininit.ini
C:\WINDOWS\pss\TA_Start.lnkStartup) DO (
IF EXIST %%g (
ATTRIB -r -s -h %%g
DEL %%g
IF EXIST %%g (
ECHO %%g not deleted>>log.txt
) ELSE (
ECHO %%g deleted>>log.txt)
) ELSE (
ECHO %%g not found>>log.txt))
>>log.txt (
ECHO.
ECHO Deleting folders)
FOR %%I in (
"C:\VundoFix Backups"
"C:\Program Files\Common Files\Symantec Shared"
"C:\Program Files\Norton AntiVirus") DO (
IF EXIST %%I (
RD /S /Q %%I
IF EXIST %%I (
ECHO %%I not deleted>>log.txt
) ELSE (
ECHO %%I deleted>>log.txt)
) ELSE (
ECHO %%I not found>>log.txt))
START NOTEPAD.EXE log.txt

Save this as remove.bat , choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Doubleclick on it and notepad should open.
Copy and paste the contents of it in your next reply.
(In case you are unsure how to create a bat file, take a look here with screenshots.)

Also, Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to it and browse to next file:

C:\CF19946.exe

Select it and click ok:
Then click the Send File button below.

I think Norton came free for one year with the computer and after that, my daughter deleted it, or tried to. I don't see Norton as an option to delete in Add/Remove Programs. Please let me know what I should do to remove it.

After performing above instructions, the references to Norton you disabled in the registry should be removed.

Yes, reinstall AVG Antivirus. Also, Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 4.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 4".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.
After you have done this, post a new HijackThislog in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:02:42 PM

Posted 02 March 2008 - 05:54 PM

Thank you for the file - it's related with Combofix, so it's OK :blink:

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Then post a new HijackThislog in your next reply after installing your Antivirus and updating Sun Java :thumbsup:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 LaurenC

LaurenC
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:42 AM

Posted 02 March 2008 - 06:27 PM

I created reg.fix and ran it

I created remove.bat, here is the text:
Deleting files
C:\WINDOWS\Fonts\moonstar.zip not found
C:\WINDOWS\system32\mlkkj.bak2 not found
C:\WINDOWS\wininit.ini not found
C:\WINDOWS\pss\TA_Start.lnkStartup not found

Deleting folders
"C:\VundoFix Backups" not found
"C:\Program Files\Common Files\Symantec Shared" not found
"C:\Program Files\Norton AntiVirus" not found


Submitted the file, and ran combofix /u as you requested.

Removed old java, installed new java

Repaired AVG free.

Here is hijack this log.

Thanks so much,
Lauren


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:12:51 PM, on 3/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Use ViDown to download - C:\Program Files\ViDown\vd_link.htm
O8 - Extra context menu item: 用维棠(ViDown)下载视频 - C:\PROGRA~1\VIDOWN~1\vd_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Refresher - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Documents and Settings\HP_Owner\Desktop\Gaia Refresher\Refresher (file missing)
O9 - Extra 'Tools' menuitem: &Refresher - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Documents and Settings\HP_Owner\Desktop\Gaia Refresher\Refresher (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1161480641328
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--
End of file - 5473 bytes

#9 LaurenC

LaurenC
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:42 AM

Posted 02 March 2008 - 06:29 PM

In case this is important, before I could remove/install the Java, I had to do the following:

Start, Run MSIEXEC /UNREGISTER
Start, Run MSIEXEC/REGSERVER

I think this is a Windows issue, not a virus, but I am including it in case it is important.

Thanks,
Lauren

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:02:42 PM

Posted 03 March 2008 - 03:04 AM

Hi,

I guess you ran the remove.bat two times - but that's OK. :thumbsup:

In case this is important, before I could remove/install the Java, I had to do the following:

Start, Run MSIEXEC /UNREGISTER
Start, Run MSIEXEC/REGSERVER

Looks like there was an issue with your Windows installer there. Good to hear you solved it. Strange but true, the Windows installer becomes corrupted in some cases where Norton was uninstalled.

Anyway, just some leftovers you have to fix in HijackThis related with Norton, so check and fix next entries in HijackThis:

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

Make sure your Internet Explorer is closed when you fix above entries.
It actually should say (file missing) next to these entries already, because most probably this HijackThislog was from before the remove.bat

Then let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 LaurenC

LaurenC
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:42 AM

Posted 05 March 2008 - 03:11 PM

I used Hijack This to fix the 2 items you listed above.

I haven't received any "Threat Detected" messages lately. Does this mean Lop and Virtumond are gone?

I would like to thank you very much for spending your time to help those of us who don't know how to fix things like this on our own. It is nice to know there are people out there willing to be so nice.

Lauren


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:07:41 PM, on 3/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\program files\aol\aim toolbar 5.0\AolTbServer.exe
C:\Program Files\HijackThis\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Use ViDown to download - C:\Program Files\ViDown\vd_link.htm
O8 - Extra context menu item: 用维棠(ViDown)下载视频 - C:\PROGRA~1\VIDOWN~1\vd_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Refresher - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Documents and Settings\HP_Owner\Desktop\Gaia Refresher\Refresher (file missing)
O9 - Extra 'Tools' menuitem: &Refresher - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Documents and Settings\HP_Owner\Desktop\Gaia Refresher\Refresher (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1161480641328
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6738 bytes

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:02:42 PM

Posted 05 March 2008 - 03:55 PM

Hi,

Yes, it should be gone now.

Just check and fix next entry in HijackThis:

O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malware-scan.com/setup/webinst.cab

No need to repost a new HijackThislog since I know this entry will be gone after you have checked and fixed it.

One little note though.. I see you have installed AIM+AIM Toolbar in a meanwhile. This one also installs Viewpoint.

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546
Viewpoint mediaplayer is a plugin used for displaying proprietary graphical content, is installed with the AIM client software and sends information about the user back to its developer. If you don't need the Viewpoint plugin, I suggest you uninstall them:
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

Edited by miekiemoes, 05 March 2008 - 03:55 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:02:42 PM

Posted 09 March 2008 - 08:33 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users