
Infected With Obfuskated, tdb & Adload.fn Trojan Horses


This topic is locked
6 replies to this topic

#1 atloss


Posted 11 April 2008 - 10:31 AM

Deckard's System Scanner v20071014.68
Run by Chuck on 2008-04-11 11:07:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
5: 2008-04-11 15:07:11 UTC - RP5 - Deckard's System Scanner Restore Point
4: 2008-04-10 13:45:31 UTC - RP4 - Removed AdwareAlert
3: 2008-04-10 13:34:08 UTC - RP3 - Installed AdwareAlert
2: 2008-04-09 20:14:11 UTC - RP2 - new
1: 2008-04-09 20:13:40 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-11 11:08:29
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.5730.13)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\AD-AWARE\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\All Users\Application Data\nuxyxytg\bgzuzspu.exe
C:\WINDOWS\mixer.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chuck\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?wa=wsignin...px&id=64855
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [igndlm.exe] H:\downl. manager\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [e] C:\Program Files\XP Antivirus\xpa.exe
O4 - HKCU\..\Run: [13656067106501782251715330161667] C:\Program Files\XP Antivirus\xpa.exe
O4 - HKCU\..\Run: [AntiSpyware] C:\Program Files\AntiSpywareApp\Antispyware.exe -boot
O4 - HKCU\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - HKLM\..\Policies\Explorer\Run: [H2TKYVajmI] C:\Documents and Settings\All Users\Application Data\nuxyxytg\bgzuzspu.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: https://www.chryslerfinancial.com (HKCU)
O15 - Trusted Zone: http://www.fivestardealers.com (HKCU)
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1203185335154
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab Class) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1203185320889
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
O16 - DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} (DGTx.uc1) - http://66.98.144.30/DGTx.CAB
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (MSN Games Backgammon) - http://zone.msn.com/bingame/zpagames/ZPA_B...on.cab64162.cab
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O21 - SSODL: SrvSrv - {134e783d-cd88-4328-86e6-02f767f1acf2} - C:\WINDOWS\Resources\SrvSrv.dll (file missing)
O21 - SSODL: qdnkewfa - {CA7CE109-F057-45DA-A289-E6BB91893F3D} - C:\WINDOWS\qdnkewfa.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\AD-AWARE\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


--
End of file - 7643 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 SetupNT - c:\windows\system32\setupnt.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-10 09:34:34 496 --a------ C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job
2008-02-23 10:34:46 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-03-11 and 2008-04-11 -----------------------------

2008-04-11 08:17:01 0 d-------- C:\Program Files\Panda Security
2008-04-10 10:10:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-04-10 09:34:31 0 d-------- C:\Documents and Settings\Chuck\Application Data\AdwareAlert
2008-04-09 15:36:06 0 dr-h----- C:\Documents and Settings\Chuck\Recent
2008-04-09 15:16:09 0 d-------- C:\WINDOWS\system32\DRVSTORE
2008-04-09 13:49:54 0 d--hs---- C:\FOUND.000
2008-04-09 10:41:00 0 d-------- C:\Documents and Settings\Chuck\Application Data\TmpRecentIcons
2008-04-09 08:38:32 0 d-------- C:\Documents and Settings\All Users\Application Data\nuxyxytg
2008-04-09 08:37:02 0 dr-h----- C:\$VAULT$.AVG
2008-04-08 08:15:14 0 d-------- C:\Program Files\QuickTime
2008-04-08 08:15:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-01 11:22:01 0 d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-04-01 11:08:13 0 d-------- C:\NVIDIA
2008-04-01 09:24:41 102400 --a------ C:\WINDOWS\system32\TrackerNET.dll
2008-04-01 09:24:41 217088 --a------ C:\WINDOWS\system32\libmySQL.dll
2008-04-01 08:15:43 0 d-------- C:\WINDOWS\solcache
2008-04-01 08:14:01 231936 --a------ C:\WINDOWS\system32\SNWValid.dll <Not Verified; Cendant Software; World Opponent Network>
2008-04-01 08:14:01 1022976 --a------ C:\WINDOWS\system32\SierraNW.dll <Not Verified; Cendant Software; World Opponent Network>
2008-04-01 08:14:00 0 d-------- C:\Program Files\Sierra On-Line
2008-04-01 07:47:34 0 d-------- C:\WINDOWS\nview
2008-03-31 17:00:09 12219983 -----n--- C:\avg7qt.dat
2008-03-29 20:53:54 0 d-------- C:\Documents and Settings\Debby\Application Data\Macromedia
2008-03-29 20:28:39 0 d-------- C:\Documents and Settings\Debby\Application Data\Adobe
2008-03-29 20:27:45 0 d-------- C:\Documents and Settings\Debby\Application Data\AVG7
2008-03-29 20:27:44 0 d-------- C:\Documents and Settings\Debby\Application Data\ATI
2008-03-29 20:27:25 0 d-------- C:\Documents and Settings\Debby\Application Data\Identities
2008-03-29 20:27:09 0 d--h----- C:\Documents and Settings\Debby\Templates
2008-03-29 20:27:09 0 dr------- C:\Documents and Settings\Debby\Start Menu
2008-03-29 20:27:09 0 dr-h----- C:\Documents and Settings\Debby\SendTo
2008-03-29 20:27:09 0 dr-h----- C:\Documents and Settings\Debby\Recent
2008-03-29 20:27:09 0 d--h----- C:\Documents and Settings\Debby\PrintHood
2008-03-29 20:27:09 1048576 --ah----- C:\Documents and Settings\Debby\NTUSER.DAT
2008-03-29 20:27:09 0 d--h----- C:\Documents and Settings\Debby\NetHood
2008-03-29 20:27:09 0 dr------- C:\Documents and Settings\Debby\My Documents
2008-03-29 20:27:09 0 d--h----- C:\Documents and Settings\Debby\Local Settings
2008-03-29 20:27:09 0 dr------- C:\Documents and Settings\Debby\Favorites
2008-03-29 20:27:09 0 d-------- C:\Documents and Settings\Debby\Desktop
2008-03-29 20:27:09 0 d--hs---- C:\Documents and Settings\Debby\Cookies
2008-03-29 20:27:09 0 dr-h----- C:\Documents and Settings\Debby\Application Data
2008-03-29 20:27:09 0 d---s---- C:\Documents and Settings\Debby\Application Data\Microsoft
2008-03-25 08:03:58 0 d-------- C:\Program Files\SystemRequirementsLab
2008-03-18 15:31:18 0 d-------- C:\Documents and Settings\Chuck\Application Data\DivX
2008-03-17 07:37:47 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-03-17 07:37:20 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-03-17 07:35:55 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-03-12 08:48:37 0 d-------- C:\Documents and Settings\Chuck\Application Data\Auslogics


-- Find3M Report ---------------------------------------------------------------

2008-03-10 08:53:36 0 d-------- C:\Documents and Settings\Chuck\Application Data\Bioshock
2008-02-29 13:46:00 0 d-------- C:\Documents and Settings\Chuck\Application Data\IGN_DLM
2008-02-29 13:08:12 774144 --a------ C:\Program Files\RngInterstitial.dll <Not Verified; RealNetworks, Inc.; RealNetworks, Inc. RngInterstitial>
2008-02-29 13:08:02 0 d-------- C:\Program Files\Real
2008-02-29 13:07:52 0 d-------- C:\Program Files\Common Files\Real
2008-02-29 12:58:22 0 d-------- C:\Documents and Settings\Chuck\Application Data\MSN6
2008-02-27 15:07:14 0 d-------- C:\Program Files\MSXML 4.0
2008-02-26 07:40:50 0 d-------- C:\Documents and Settings\Chuck\Application Data\Apple Computer
2008-02-23 10:34:42 0 d-------- C:\Program Files\Apple Software Update
2008-02-22 10:26:36 0 d-------- C:\Documents and Settings\Chuck\Application Data\Snapfish
2008-02-22 10:13:56 0 d-------- C:\Documents and Settings\Chuck\Application Data\Sun
2008-02-21 16:55:30 0 d-------- C:\Documents and Settings\Chuck\Application Data\Arcsoft
2008-02-21 16:38:36 0 d-------- C:\Documents and Settings\Chuck\Application Data\Canon
2008-02-21 16:11:48 0 d-------- C:\Program Files\Canon
2008-02-20 22:05:44 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-02-20 22:04:16 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-02-20 22:04:16 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-02-20 22:04:04 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-02-20 22:04:04 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX>
2008-02-20 22:04:04 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX>
2008-02-20 22:04:04 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX>
2008-02-20 22:03:24 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-02-20 07:35:54 1279 --a------ C:\WINDOWS\mozver.dat
2008-02-20 07:34:36 0 d-------- C:\Program Files\Java
2008-02-20 07:34:16 0 d-------- C:\Program Files\Common Files\Java
2008-02-19 15:33:28 0 d-------- C:\Program Files\Windows Media Connect 2
2008-02-19 13:19:08 0 d-------- C:\Documents and Settings\Chuck\Application Data\ATI
2008-02-19 11:36:50 0 d-------- C:\Program Files\PCI Audio Applications
2008-02-18 12:01:58 0 d-------- C:\Program Files\Microsoft.NET
2008-02-18 11:08:20 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-18 11:08:14 0 d-------- C:\Documents and Settings\Chuck\Application Data\Mozilla
2008-02-18 09:21:32 0 --a------ C:\Documents and Settings\Chuck\Application Data\AVSDVDPlayer.m3u
2008-02-18 09:20:36 0 d-------- C:\Program Files\Common Files\AVSMedia
2008-02-18 09:20:36 0 d-------- C:\Program Files\AVS4YOU
2008-02-17 10:27:22 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-17 10:27:22 0 d-------- C:\Documents and Settings\Chuck\Application Data\InterTrust
2008-02-17 09:58:22 0 d-------- C:\Documents and Settings\Chuck\Application Data\Macromedia
2008-02-17 09:58:22 0 d-------- C:\Documents and Settings\Chuck\Application Data\Adobe
2008-02-17 09:58:04 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-17 09:56:02 0 d-------- C:\Program Files\Common Files\InstallShield
2008-02-17 09:51:06 0 d-------- C:\Documents and Settings\Chuck\Application Data\WinRAR
2008-02-17 09:34:54 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-17 09:24:50 0 d-------- C:\Documents and Settings\Chuck\Application Data\Ahead
2008-02-17 09:21:42 0 d-------- C:\Program Files\Nero
2008-02-17 09:21:42 0 d-------- C:\Program Files\Common Files\Ahead
2008-02-17 09:18:50 0 d-------- C:\Program Files\Yahoo!
2008-02-16 14:56:00 0 d-------- C:\Documents and Settings\Chuck\Application Data\Help
2008-02-16 14:13:56 0 d-------- C:\Documents and Settings\Chuck\Application Data\AVG7
2008-02-16 13:57:04 4608 --a------ C:\WINDOWS\system32\w95inf32.dll <Not Verified; Microsoft Corporation; Microsoft Plus! for Windows 95>
2008-02-16 13:57:04 2272 --a------ C:\WINDOWS\system32\w95inf16.dll <Not Verified; Microsoft Corporation; Microsoft Plus! for Windows 95>
2008-02-16 13:56:26 0 d-------- C:\Program Files\C-Media
2008-02-16 13:51:48 0 d-------- C:\Program Files\VIA Technologies, Inc
2008-02-16 11:28:48 0 d-------- C:\Documents and Settings\Chuck\Application Data\Identities
2008-02-16 11:22:46 0 d-------- C:\Program Files\microsoft frontpage
2008-02-16 11:22:34 0 -rahs---- C:\MSDOS.SYS
2008-02-16 11:22:34 0 -rahs---- C:\IO.SYS
2008-02-16 11:22:34 0 --a------ C:\CONFIG.SYS
2008-02-16 11:22:34 0 --a------ C:\AUTOEXEC.BAT
2008-02-16 11:20:38 0 d-------- C:\Program Files\Movie Maker
2008-02-16 11:20:04 0 d-------- C:\Program Files\Common Files\MSSoap
2008-02-16 11:19:48 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-02-16 11:18:48 0 d--h----- C:\Program Files\WindowsUpdate
2008-02-16 11:18:32 0 d-------- C:\Program Files\MSN Gaming Zone
2008-02-16 11:18:24 0 d-------- C:\Program Files\Windows NT
2008-02-16 11:08:32 0 d-------- C:\Program Files\Common Files\ODBC
2008-02-16 11:08:28 0 d-------- C:\Program Files\Common Files
2008-02-16 11:08:28 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-02-16 11:08:10 62 --ahs---- C:\Documents and Settings\Chuck\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWEReboot"="" []
"C-Media Mixer"="Mixer.exe" [04/29/2002 04:23 AM C:\WINDOWS\mixer.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [03/12/2008 06:36 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/05/2007 01:41 AM]
"nwiz"="nwiz.exe" [12/05/2007 01:41 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/05/2007 01:41 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" []
"igndlm.exe"="H:\downl. manager\Download Manager\DLM.exe" [03/05/2007 05:57 PM]
"e"="C:\Program Files\XP Antivirus\xpa.exe" []
"13656067106501782251715330161667"="C:\Program Files\XP Antivirus\xpa.exe" []
"AntiSpyware"="C:\Program Files\AntiSpywareApp\Antispyware.exe" []
"AdwareAlert"="C:\Program Files\AdwareAlert\AdwareAlert.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"H2TKYVajmI"=C:\Documents and Settings\All Users\Application Data\nuxyxytg\bgzuzspu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SrvSrv"= {134e783d-cd88-4328-86e6-02f767f1acf2} - C:\WINDOWS\Resources\SrvSrv.dll [ ]
"qdnkewfa"= {CA7CE109-F057-45DA-A289-E6BB91893F3D} - C:\WINDOWS\qdnkewfa.dll [ ]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Chuck^Start Menu^Programs^Startup^Greetings Workshop Reminders.lnk]
path=C:\Documents and Settings\Chuck\Start Menu\Programs\Startup\Greetings Workshop Reminders.lnk
backup=C:\WINDOWS\pss\Greetings Workshop Reminders.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\DOCUME~1\ALLUSE~1\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=C:\DOCUME~1\ALLUSE~1\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=C:\WINDOWS\pss\Quicken Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
Mixer.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{988fa316-dc7e-11dc-bb72-806d6172696f}]
AutoRun\command- F:\CURAuto.exe




-- End of Deckard's System Scanner: finished at 2008-04-11 11:09:18 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ XP 2000+
Percentage of Memory in Use: 31%
Physical Memory (total/avail): 1023.48 MiB / 701.16 MiB
Pagefile Memory (total/avail): 2465.9 MiB / 2135.5 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1917.25 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 9.91 GiB total, 4.11 GiB free.
D: is Fixed (FAT32) - 4.92 GiB total, 4.12 GiB free.
E: is CDROM (CDFS)
F: is CDROM (CDFS)
G: is Fixed (NTFS) - 37.34 GiB total, 36.74 GiB free.
H: is Fixed (NTFS) - 37.18 GiB total, 33.23 GiB free.

\\.\PHYSICALDRIVE0 - IBM-DJNA-352030 - 19.01 GiB - 2 partitions
\PARTITION0 (bootable) - Unknown - 9.92 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 4.93 GiB - D:

\\.\PHYSICALDRIVE1 - WL80GPA272. - 74.53 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 37.34 GiB - G:
\PARTITION1 - Extended w/Extended Int 13 - 37.18 GiB - H:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

AV: AVG 7.5.519 v7.5.519 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Messenger\\MSMSGS.EXE"="C:\\Program Files\\Messenger\\MSMSGS.EXE:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\System32\\mmc.exe"="C:\\WINDOWS\\System32\\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"="C:\\Program Files\\GameSpy Arcade\\Aphex.exe:*:Enabled:GameSpy Arcade"
"C:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\AcroRd32.exe"="C:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\AcroRd32.exe:*:Enabled:Acrobat Reader 5.0"
"H:\\DOOM\\Doom3.exe"="H:\\DOOM\\Doom3.exe:*:Enabled:DOOM 3"
"H:\\HALO\\halo.exe"="H:\\HALO\\halo.exe:*:Enabled:Halo"
"H:\\DOOM\\Doom 3\\DOOM3Ded.exe"="H:\\DOOM\\Doom 3\\DOOM3Ded.exe:*:Enabled:DOOM3Ded"
"H:\\DOOM\\DOOM3DED.exe"="H:\\DOOM\\DOOM3DED.exe:*:Enabled:DOOM 3"
"H:\\HALF LIFE\\PingTool\\PingTool.exe"="H:\\HALF LIFE\\PingTool\\PingTool.exe:*:Enabled:PingTool"
"H:\\HALF LIFE\\hlds.exe"="H:\\HALF LIFE\\hlds.exe:*:Enabled:hlds"
"H:\\HALF LIFE\\hltv.exe"="H:\\HALF LIFE\\hltv.exe:*:Enabled:hltv"
"H:\\HALF LIFE\\hl.exe"="H:\\HALF LIFE\\hl.exe:*:Enabled:Half-Life Launcher"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Chuck\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CHUCK-CMQF35MQ9
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Chuck
LOGONSERVER=\\CHUCK-CMQF35MQ9
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Chuck\LOCALS~1\Temp
TMP=C:\DOCUME~1\Chuck\LOCALS~1\Temp
USERDOMAIN=CHUCK-CMQF35MQ9
USERNAME=Chuck
USERPROFILE=C:\Documents and Settings\Chuck
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Chuck (admin)
Debby (new local, admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type3951 / Warning
Event Submitted/Written: 04/10/2008 10:49:28 AM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x8007043C

Event Record #/Type3950 / Warning
Event Submitted/Written: 04/10/2008 10:49:28 AM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{E3BB246F-B61A-499F-972B-42ADA38CBFFE}', feature 'AntiSpywareApplication' failed during request for component '{F9B2BC3F-4736-4F3B-AF91-6569DECB171C}'

Event Record #/Type3949 / Warning
Event Submitted/Written: 04/10/2008 10:49:28 AM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{E3BB246F-B61A-499F-972B-42ADA38CBFFE}', feature 'AntiSpywareApplication', component '{DE18D658-E490-438C-8F9E-0B02B06216BD}' failed. The resource 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AntiSpyware' does not exist.

Event Record #/Type3941 / Error
Event Submitted/Written: 04/10/2008 07:36:58 AM
Event ID/Source: 1 / nview_info
Event Description:
NVIEW : Explorer: WAIT_TIMEOUT, while waiting for a read to clear - resetting read event

Event Record #/Type3933 / Error
Event Submitted/Written: 04/09/2008 06:26:54 PM
Event ID/Source: 1 / nview_info
Event Description:
NVIEW : rundll32: Mutex Recovery Code - app released the mutex - back to normal operation.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type4072 / Error
Event Submitted/Written: 04/11/2008 10:01:21 AM
Event ID/Source: 23 / Print
Event Description:
Printer Lexmark Z600 Color Jetprinter failed to initialize because a suitable Lexmark Z600 Color Jetprinter driver could not be found.

Event Record #/Type4056 / Error
Event Submitted/Written: 04/11/2008 10:00:44 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
antispyware

Event Record #/Type4051 / Error
Event Submitted/Written: 04/11/2008 08:14:52 AM
Event ID/Source: 23 / Print
Event Description:
Printer Lexmark Z600 Color Jetprinter failed to initialize because a suitable Lexmark Z600 Color Jetprinter driver could not be found.

Event Record #/Type4034 / Error
Event Submitted/Written: 04/11/2008 08:14:36 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
antispyware

Event Record #/Type4030 / Error
Event Submitted/Written: 04/11/2008 08:09:32 AM
Event ID/Source: 23 / Print
Event Description:
Printer Lexmark Z600 Color Jetprinter failed to initialize because a suitable Lexmark Z600 Color Jetprinter driver could not be found.



-- End of Deckard's System Scanner: finished at 2008-04-11 11:09:18 ------------

I keep getting pop-up "Threat found" windows from my AVG 7.5 antivirus program, as well as some background radio program. I heal the threat, but the next time I restart my computer I get a different file attacked by the Obfuskated virus. I performed the XP Antivirus removal steps as suggested on this site, but I am still getting the AVG pop-ups!!
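What a responder reads off a log like the one above is a short list of persistence cues: a Policies\Explorer\Run entry, an executable under All Users\Application Data whose directory and file names are random eight-letter strings, Run values named with a single letter or a long number, an SSODL entry pointing at a DLL that no longer exists, and an O16 ActiveX control pulled from a bare IP address. Quarantining the file AVG flags does nothing about the launch point, so the same loader runs again at the next logon. The Python script below is an added example, not part of this thread, of Deckard's System Scanner or of HijackThis; it encodes those cues as heuristics and runs them over a constructed sample made of lines copied from the log above (plus a few benign ones so the filter has something to ignore). The vowel-ratio cutoff and the eight-letter minimum for "random-looking" names are assumptions chosen for illustration, not values taken from any tool.

```python
"""Heuristic triage of HijackThis / DSS startup lines.

Added example, not part of the BleepingComputer thread, of Deckard's System
Scanner or of HijackThis. It scores O4 (Run keys), O21 (SSODL) and O16 (DPF)
lines on the cues a responder applies by eye. Thresholds are assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the log posted above, with benign
# entries (AVG, NVIDIA) included so the heuristics have something to skip.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [e] C:\Program Files\XP Antivirus\xpa.exe
O4 - HKCU\..\Run: [13656067106501782251715330161667] C:\Program Files\XP Antivirus\xpa.exe
O4 - HKLM\..\Policies\Explorer\Run: [H2TKYVajmI] C:\Documents and Settings\All Users\Application Data\nuxyxytg\bgzuzspu.exe
O16 - DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} (DGTx.uc1) - http://66.98.144.30/DGTx.CAB
O21 - SSODL: qdnkewfa - {CA7CE109-F057-45DA-A289-E6BB91893F3D} - C:\WINDOWS\qdnkewfa.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O21_RE = re.compile(r"^O21 - SSODL: (?P<name>\S+) - \{[0-9A-Fa-f-]+\} - (?P<path>.+?)(?P<missing> \(file missing\))?$")
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\} \((?P<desc>[^)]*)\) - (?P<url>\S+)$")
# First file reference in a command line; stops at the extension so paths with spaces survive.
PATH_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|com|scr|bat|cmd|pif))(?=["\s,]|$)', re.IGNORECASE)
IP_HOST_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/")
VOWELS = set("aeiou")


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def looks_random(token: str) -> bool:
    """Assumed heuristic: 8+ letters with a vowel ratio of 25% or less (bgzuzspu, nuxyxytg)."""
    letters = re.sub(r"[^A-Za-z]", "", token).lower()
    if len(letters) < 8:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) <= 0.25


def first_path(cmd: str) -> str:
    m = PATH_RE.match(cmd.strip())
    if not m:
        return ""
    path = m["path"]
    if path.lower().endswith("rundll32.exe"):  # the hosted DLL is the interesting file
        m2 = PATH_RE.match(cmd.strip()[m.end():].lstrip(' "'))
        return m2["path"] if m2 else path
    return path


def path_parts(path: str):
    parts = path.split("\\")
    stem = parts[-1].rsplit(".", 1)[0]
    parent = parts[-2] if len(parts) > 1 else ""
    return stem, parent


def analyze_o4(m, line: str) -> Finding:
    f = Finding(line)
    name, path = m["name"], first_path(m["cmd"])
    if "policies\\explorer\\run" in m["key"].lower():
        f.reasons.append("launches from Policies\\Explorer\\Run, a key legitimate installers rarely use")
    if name.isdigit() or len(name) <= 1:
        f.reasons.append(f"value name {name!r} is numeric or a single character")
    if "\\application data\\" in path.lower() or "\\local settings\\temp\\" in path.lower():
        f.reasons.append("executable lives in a user-writable data directory, not Program Files")
    for tok in path_parts(path):
        if looks_random(tok):
            f.reasons.append(f"random-looking name {tok!r}")
    return f


def analyze_o21(m, line: str) -> Finding:
    f = Finding(line)
    if m["missing"]:
        f.reasons.append("SSODL points at a missing DLL; explorer.exe still tries to load it at every logon")
    if looks_random(path_parts(m["path"])[0]):
        f.reasons.append("random-looking DLL name loaded into explorer.exe via SSODL")
    return f


def analyze_o16(m, line: str) -> Finding:
    f = Finding(line)
    if IP_HOST_RE.match(m["url"]):
        f.reasons.append("ActiveX control downloaded from a bare IP address")
    return f


def triage(log_text: str) -> list:
    """Return only entries with at least one hit, highest score first (stable for ties)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        f = None
        if (m := O4_RE.match(line)):
            f = analyze_o4(m, line)
        elif (m := O21_RE.match(line)):
            f = analyze_o21(m, line)
        elif (m := O16_RE.match(line)):
            f = analyze_o16(m, line)
        if f and f.reasons:
            findings.append(f)
    findings.sort(key=lambda x: x.score, reverse=True)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.score}] {finding.line}")
        for reason in finding.reasons:
            print(f"      - {reason}")
```

Run as-is it prints the Policies\Explorer\Run loader at the top with four hits, the dead SSODL entry second, and the two rogue "XP Antivirus" Run values, the IP-hosted DPF control below them; the AVG and NVIDIA lines produce no output. The score is only a reading order for a human, not a verdict: a name-randomness test will always have borderline cases, which is why each reason is printed alongside the line rather than collapsed into a number.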


#2 miekiemoes

Malware Response Team

Posted 14 April 2008 - 07:57 AM

Hi,

* Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 atloss

atloss
  • Topic Starter
  • Members
  • 49 posts

Posted 15 April 2008 - 05:26 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:23:43 AM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\AD-AWARE\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
H:\life\steam.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?wa=wsignin...px&id=64855
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [igndlm.exe] H:\downl. manager\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [e] C:\Program Files\XP Antivirus\xpa.exe
O4 - HKCU\..\Run: [13656067106501782251715330161667] C:\Program Files\XP Antivirus\xpa.exe
O4 - HKCU\..\Run: [AntiSpyware] C:\Program Files\AntiSpywareApp\Antispyware.exe -boot
O4 - HKCU\..\Run: [Steam] "h:\life\steam.exe" -silent
O4 - HKLM\..\Policies\Explorer\Run: [H2TKYVajmI] C:\Documents and Settings\All Users\Application Data\nuxyxytg\bgzuzspu.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.fivestardealers.com
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1203185335154
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1203185320889
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
O16 - DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} (DGTx.uc1) - http://66.98.144.30/DGTx.CAB
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (MSN Games Backgammon) - http://zone.msn.com/bingame/zpagames/ZPA_B...on.cab64162.cab
O21 - SSODL: SrvSrv - {134e783d-cd88-4328-86e6-02f767f1acf2} - C:\WINDOWS\Resources\SrvSrv.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\AD-AWARE\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7027 bytes

Malwarebytes' Anti-Malware 1.11
Database version: 627

Scan type: Quick Scan
Objects scanned: 42807
Time elapsed: 7 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\mwc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\qdnkewfa (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Chuck\Application Data\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chuck\Application Data\AdwareAlert\Log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chuck\Application Data\AdwareAlert\Settings (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Chuck\Application Data\AdwareAlert\rs.dat (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chuck\Application Data\AdwareAlert\Log\2008 Apr 10 - 09_34_31 AM_828.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chuck\Application Data\AdwareAlert\Log\2008 Apr 10 - 09_44_55 AM_109.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chuck\Application Data\AdwareAlert\Settings\ScanResults.pie (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

Here are the most recent logs. Thanks
Chuck

#4 miekiemoes

miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 15 April 2008 - 06:14 AM

Hi Chuck,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O4 - HKCU\..\Run: [e] C:\Program Files\XP Antivirus\xpa.exe
O4 - HKCU\..\Run: [13656067106501782251715330161667] C:\Program Files\XP Antivirus\xpa.exe
O4 - HKCU\..\Run: [AntiSpyware] C:\Program Files\AntiSpywareApp\Antispyware.exe -boot
O4 - HKLM\..\Policies\Explorer\Run: [H2TKYVajmI] C:\Documents and Settings\All Users\Application Data\nuxyxytg\bgzuzspu.exe
O15 - Trusted Zone: http://www.fivestardealers.com
<== check this if you didn't add it to your Trusted zone.
O16 - DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} (DGTx.uc1) - http://66.98.144.30/DGTx.CAB
O21 - SSODL: SrvSrv - {134e783d-cd88-4328-86e6-02f767f1acf2} - C:\WINDOWS\Resources\SrvSrv.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then, navigate to and delete the following folders if still present:

C:\Program Files\XP Antivirus
C:\Program Files\AntiSpywareApp
C:\Documents and Settings\All Users\Application Data\nuxyxytg

Let me know in your next reply how things are now.
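A small triage helper, written here as an added example (it is not part of the thread and not HijackThis code): it encodes heuristics that match the entries flagged above, namely Run values with numeric or one-character names, the Policies\Explorer\Run key, autorun executables under Application Data, Trusted Zone sites, ActiveX (DPF) downloads from a bare IP address, and SSODL entries whose DLL is missing. The sample lines are copied from the log in this thread; the function names and thresholds are my own.

```python
import re
from urllib.parse import urlparse

# Constructed sample: HijackThis lines taken from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [e] C:\Program Files\XP Antivirus\xpa.exe
O4 - HKCU\..\Run: [13656067106501782251715330161667] C:\Program Files\XP Antivirus\xpa.exe
O4 - HKLM\..\Policies\Explorer\Run: [H2TKYVajmI] C:\Documents and Settings\All Users\Application Data\nuxyxytg\bgzuzspu.exe
O15 - Trusted Zone: http://www.fivestardealers.com
O16 - DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} (DGTx.uc1) - http://66.98.144.30/DGTx.CAB
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O21 - SSODL: SrvSrv - {134e783d-cd88-4328-86e6-02f767f1acf2} - C:\WINDOWS\Resources\SrvSrv.dll (file missing)
"""

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\} \([^)]*\) - (?P<url>\S+)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def check_line(line):
    """Return a reason string if this HijackThis line deserves a second look, else None."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        key, name, cmd = m.group("key").lower(), m.group("name"), m.group("cmd").lower()
        if name.isdigit() or len(name) <= 1:
            return "autorun with a numeric or one-character value name"
        if "policies\\explorer\\run" in key:
            return "autorun via the Policies\\Explorer\\Run key, rarely used by legitimate software"
        if "\\application data\\" in cmd:
            return "autorun executable living under Application Data"
        return None
    if line.startswith("O15 - Trusted Zone:"):
        return "site in the Trusted Zone; confirm the user added it"
    m = O16_RE.match(line)
    if m:
        host = urlparse(m.group("url")).hostname or ""
        if IPV4_RE.match(host):
            return "ActiveX (DPF) download from a bare IP address"
        return None
    if line.startswith("O21 - SSODL:") and line.endswith("(file missing)"):
        return "ShellServiceObjectDelayLoad entry whose DLL is missing (leftover or hidden)"
    return None

def triage(log_text):
    """Run check_line over every line and return (line, reason) pairs worth reviewing."""
    return [(l.strip(), r) for l in log_text.splitlines() if (r := check_line(l))]

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}:\n    {entry}")
```

The AVG and MSN Games lines pass untouched, so the output reproduces the six entries selected in the reply above; a reviewer still decides what to fix, the script only orders the reading.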

#5 atloss

atloss
  • Topic Starter
  • Members
  • 49 posts

Posted 15 April 2008 - 02:05 PM

Everything seems to be working OK. Thanks so much for your help. They should take the people who do these things and tie them down over a fire ant hill! Thanks again

Chuck

#6 miekiemoes

miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 15 April 2008 - 02:08 PM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#7 miekiemoes

miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 17 April 2008 - 11:16 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
