Virtumonde I Think


This topic is locked
6 replies to this topic

#1 satur9

  • Members
  • 3 posts

Posted 27 June 2008 - 01:29 PM

I've had a nasty trojan for about a week now. First it wouldn't even let me go into safe mode, and Windows would take forever to load, if at all. I ran Spybot S&D and it found Virtumonde, so not sure if this is still it. I think I got rid of most of it; now I'm just getting popups from bitefight.us, registrydefender.com, initial-search.com, fxclub.com, etc...




Deckard's System Scanner v20071014.68
Run by Phil on 2008-06-27 11:08:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-06-27 18:08:48 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-27 11:11:26
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdcserv.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\WService.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Dantz\Retrospect\wdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\drivers\WtSrv.exe
C:\Program Files\AVG\AVG8\avgemc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Phil\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - (no file)
O2 - BHO: {65a191a9-eadf-61eb-05f4-0b07d5715473} - {3745175d-70b0-4f50-be16-fdae9a191a56} - C:\WINDOWS\system32\avnuvlij.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O2 - BHO: (no name) - {5F11D5D5-3FB2-4ADD-84AD-D69BC9A5D312} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O2 - BHO: (no name) - {B0B54E67-901D-45BD-B61C-0DC13640ED42} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BMaf3a6097] Rundll32.exe "C:\WINDOWS\system32\wmmxqggt.dll",s
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} () -
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O20 - AppInit_DLLs: sockspy.dll,avgrsstx.dll
O20 - Winlogon Notify: pmnkliHw - C:\WINDOWS\system32\pmnkliHw.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\system32\WgaLogon.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Unknown owner - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxdcCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdcserv.exe
O23 - Service: lxdc_device - Unknown owner - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\wdsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\system32\drivers\WtSrv.exe


--
End of file - 7495 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfsync02 (StarForce Protection Synchronization Driver (version 2.x)) - c:\windows\system32\drivers\sfsync02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 cdrbsdrv - c:\windows\system32\drivers\cdrbsdrv.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD7>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R3 TClass2k (Tablet Class Driver) - c:\windows\system32\drivers\tclass2k.sys <Not Verified; Tablet Driver; Tablet Class Driver for Win2000/XP>
R3 UCTblHid (HID Tablet Port Driver) - c:\windows\system32\drivers\uctblhid.sys <Not Verified; Tablet Driver; HID Tablet Filter Driver For Win2000/XP>

S1 InCDPass - c:\windows\system32\drivers\incdpass.sys (file missing)
S1 InCDRm (InCD Reader) - c:\windows\system32\drivers\incdrm.sys (file missing)
S3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - c:\windows\system32\drivers\nsdriver.sys <Not Verified; Lavasoft AB; Ad-Watch Connections>
S3 Ad-Watch Real-Time Scanner (AW Real-Time Scanner) - c:\windows\system32\drivers\awrtpd.sys <Not Verified; Lavasoft AB; Ad-Watch Beta>
S3 Ad-Watch Registry Filter (Ad-Watch Registry Kernel Filter) - c:\windows\system32\drivers\awrtrd.sys <Not Verified; Lavasoft AB; Ad-Watch Registry Protection>
S3 BDFsDrv - c:\program files\softwin\bitdefender10\bdfsdrv.sys (file missing)
S3 BDRsDrv - c:\program files\softwin\bitdefender10\bdrsdrv.sys (file missing)
S3 BLKWGU(Belkin) (Belkin Wireless G USB Network Adapter(Belkin)) - c:\windows\system32\drivers\blkwgu.sys (file missing)
S3 FILESpy - c:\program files\softwin\bitdefender9\filespy.sys (file missing)
S3 ldiskl - c:\docume~1\phil\locals~1\temp\ldiskl.sys (file missing)
S3 MREMPR5 (MREMPR5 NDIS Protocol Driver) - c:\program files\common files\motive\mrempr5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
S3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\program files\common files\motive\mrendis5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
S3 REGSpy - c:\program files\softwin\bitdefender9\regspy.sys (file missing)
S3 sony_ssm.sys - c:\docume~1\phil\locals~1\temp\sony_ssm.sys (file missing)
S3 Tablet2k (Serial Tablet Port Driver) - "c:\windows\system32\drivers\tablet2k.sys" (file missing)
S3 ZDPSp50 (ZDPSp50 NDIS Protocol Driver) - c:\windows\system32\drivers\zdpsp50.sys (file missing)
S4 InCDFs (InCD File System) - c:\windows\system32\drivers\incdfs.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 aawservice (Ad-Aware 2007 Service) - "c:\program files\lavasoft\ad-aware 2007\aawservice.exe" <Not Verified; Lavasoft AB; Ad-Aware 2007 Service>
R2 RetroWDSvc (Retrospect WD Service) - c:\progra~1\dantz\retros~1\wdsvc.exe <Not Verified; Dantz Development Corporation; Retrospect>
R2 UserAccess7 (SecuROM User Access Service (V7)) - c:\windows\system32\uaservice7.exe <Not Verified; Sony DADC Austria AG.; >
R2 WinTabService (WinTab Service) - c:\windows\system32\drivers\wtsrv.exe <Not Verified; Tablet Driver; Tablet Driver for Win2000/XP>

S3 AresChatServer (Ares Chatroom server) - c:\program files\ares\chatserver.exe (file missing)
S3 iPod Service - "c:\program files\ipod\bin\ipodservice.exe" (file missing)
S3 RetroLauncher (Retrospect Launcher) - c:\program files\dantz\retrospect\retrorun.exe <Not Verified; Dantz Development Corporation; Retrospect>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-05 07:47:01 284 --a----c- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-27 and 2008-06-27 -----------------------------

2008-06-27 10:23:19 0 dr-h----- C:\Documents and Settings\Phil\Recent
2008-06-27 09:57:25 0 d-------- C:\WINDOWS\Prefetch
2008-06-26 19:32:42 1702 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-26 19:31:06 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-06-26 19:31:05 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-06-26 19:31:03 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-06-26 19:31:02 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-26 19:31:01 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-06-26 19:30:59 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-06-26 19:30:59 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-26 14:22:25 0 d-------- C:\Documents and Settings\Phil\Application Data\PC Tools
2008-06-26 14:14:01 0 d-------- C:\Program Files\Common Files\PC Tools
2008-06-26 14:13:38 0 d-------- C:\Program Files\PC Tools AntiVirus
2008-06-26 14:13:38 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-06-25 18:25:01 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-25 18:20:41 427520 --a------ C:\WINDOWS\WRServices.dll <Not Verified; Webroot Software, Inc; >
2008-06-25 17:38:53 0 d-------- C:\Program Files\BearShare
2008-06-25 17:21:54 164 --a------ C:\install.dat
2008-06-25 17:07:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-25 12:53:55 0 d--h----- C:\$AVG8.VAULT$
2008-06-25 12:50:01 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-25 12:50:01 0 d-------- C:\Documents and Settings\Phil\Application Data\AVGTOOLBAR
2008-06-25 12:49:33 0 d-------- C:\Program Files\AVG
2008-06-25 12:49:32 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-24 12:14:01 99840 --a------ C:\WINDOWS\system32\avnuvlij.dll
2008-06-24 12:12:30 81920 --a------ C:\WINDOWS\system32\elogfbbr.dll
2008-06-24 12:12:22 91136 --a------ C:\WINDOWS\system32\wmmxqggt.dll
2008-06-23 18:52:31 0 d-------- C:\Program Files\Alwil Software
2008-06-23 15:06:31 642812 --ahs---- C:\WINDOWS\system32\RYIjlnnn.ini2
2008-06-18 21:30:39 0 d-------- C:\Documents and Settings\Phil\Application Data\SPORE Creature Creator
2008-06-18 21:29:31 658 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2008-06-16 17:25:31 65536 --a------ C:\Documents and Settings\Phil\backupRamSTV.bin
2008-06-16 17:25:27 0 d-------- C:\Documents and Settings\Phil\plugins
2008-06-13 18:09:57 0 d-------- C:\Documents and Settings\Phil\state
2008-06-10 19:30:43 0 d-------- C:\Program Files\THQ
2008-06-08 19:20:10 0 d-------- C:\Program Files\MSECache
2008-06-03 23:00:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-05-29 18:40:03 32768 --a------ C:\NULL
2008-05-27 13:15:20 0 d-------- C:\Documents and Settings\Phil\Application Data\Pointstone
2008-05-27 13:11:49 0 d-------- C:\Program Files\Pointstone
2008-05-27 13:11:49 0 d-------- C:\Program Files\Common Files\Pointstone
2008-05-27 12:52:49 0 d---s---- C:\Documents and Settings\Phil\Cookies
2008-05-27 12:25:26 83552 --a------ C:\WINDOWS\system32\Gapi32.dll <Not Verified; Microsoft Corporation; Microsoft® Windows™ Operating System>


-- Find3M Report ---------------------------------------------------------------

2008-06-26 14:14:01 0 d-------- C:\Program Files\Common Files
2008-06-26 13:57:05 4 --a------ C:\WINDOWSRegDefrag.dat
2008-06-25 18:25:45 0 d-------- C:\Program Files\Lavasoft
2008-06-25 17:10:47 0 d-------- C:\Documents and Settings\Phil\Application Data\Lavasoft
2008-06-25 16:18:14 0 d-------- C:\Documents and Settings\Phil\Application Data\Yahoo!
2008-06-24 21:33:14 0 d-------- C:\Documents and Settings\Phil\Application Data\Mozilla
2008-06-24 20:20:41 0 d-------- C:\Program Files\HP
2008-06-23 22:50:06 0 d-------- C:\Documents and Settings\Phil\Application Data\CoreFTP
2008-06-23 20:51:30 81984 --a----c- C:\WINDOWS\system32\bdod.bin
2008-06-23 19:17:33 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-22 16:47:00 256 --a------ C:\Documents and Settings\Phil\Application Data\urlredir.cfg
2008-06-21 16:04:27 0 d-------- C:\Program Files\Canon
2008-06-21 16:03:44 0 d-------- C:\Program Files\Allscoop RSS Submit Pro
2008-06-13 21:51:35 0 d-------- C:\Documents and Settings\Phil\Application Data\AdobeUM
2008-05-27 12:42:40 0 d-------- C:\Program Files\CoreFTP
2008-05-07 15:21:24 0 d-------- C:\Program Files\TagBot
2008-05-04 00:04:40 0 d-------- C:\Program Files\RagTag


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3745175d-70b0-4f50-be16-fdae9a191a56}]
06/24/2008 12:14 99840 --a------ C:\WINDOWS\system32\avnuvlij.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F11D5D5-3FB2-4ADD-84AD-D69BC9A5D312}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
06/25/2008 12:49 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B0B54E67-901D-45BD-B61C-0DC13640ED42}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [06/25/2008 12:49 2050816]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WService"="WService.EXE" [09/07/2002 03:23 C:\WINDOWS\system32\WService.exe]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [06/25/2008 12:49]
"BMaf3a6097"="C:\WINDOWS\system32\wmmxqggt.dll" [06/24/2008 12:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkliHw]
pmnkliHw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll,avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\nnnljIYR

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime




-- Hosts -----------------------------------------------------------------------

66.98.148.65 auto.search.msn.es
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com

7898 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-27 11:13:48 ------------
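The DSS log above is written in HijackThis format, and a helper reading it works through a short checklist: a browser proxy pointed at a local port, a hosts entry that sends a search domain to an outside address, BHOs registered under a bare GUID or with no file behind them, Run entries that launch a DLL through rundll32, the AppInit_DLLs injection point, and Winlogon Notify entries whose file is gone. The Python script below is an added example, not part of the original post nor of Deckard's System Scanner or HijackThis; it takes a handful of the lines posted above as constructed sample input and applies exactly that checklist. The rule set, the "high"/"review" severities and the eight-letter random-name heuristic are this example's own assumptions, and everything it reports is something to look at, not a verdict.

```python
"""Added example: heuristic triage of HijackThis-format log lines.

Not part of the original post nor of Deckard's System Scanner or
HijackThis. The sample lines are copied from the log posted above; the
rules, severities and the random-name heuristic are this example's own
assumptions and yield items to review, not verdicts.
"""
import re
from dataclasses import dataclass

# Constructed sample input: a subset of the HijackThis-clone lines from
# the posted DSS log, with a few benign lines left in for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: (no name) - {5F11D5D5-3FB2-4ADD-84AD-D69BC9A5D312} - (no file)
O2 - BHO: {65a191a9-eadf-61eb-05f4-0b07d5715473} - {3745175d-70b0-4f50-be16-fdae9a191a56} - C:\WINDOWS\system32\avnuvlij.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BMaf3a6097] Rundll32.exe "C:\WINDOWS\system32\wmmxqggt.dll",s
O20 - AppInit_DLLs: sockspy.dll,avgrsstx.dll
O20 - Winlogon Notify: pmnkliHw - C:\WINDOWS\system32\pmnkliHw.dll (file missing)
"""


@dataclass
class Finding:
    severity: str   # "high" (hijack indicator) or "review" (needs a human look)
    line: str       # the log line that triggered the rule
    reason: str


GUID = re.compile(r"\{[0-9a-fA-F-]{36}\}")
# Heuristic (assumption): an eight-letter, letters-only DLL name directly in
# system32 is worth a signature/hash check. Crude, so it only ever yields "review".
RANDOM_SYS32_DLL = re.compile(r"\\system32\\[A-Za-z]{8}\.dll", re.IGNORECASE)
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}      # hosts targets used for blocking
ORPHAN_MARKERS = ("(no file)", "(file missing)")    # HijackThis wording for a gone file


def triage_line(line: str) -> list[Finding]:
    """Apply the checklist rules to one HijackThis-format line."""
    line = line.rstrip()
    findings: list[Finding] = []
    if not line or " - " not in line:
        return findings
    section, _, body = line.partition(" - ")

    if section == "R1" and "ProxyServer" in body:
        target = body.split("=", 1)[1].strip()
        host = target.rsplit(":", 1)[0]
        if host.lower() in ("localhost", "127.0.0.1"):
            findings.append(Finding("high", line,
                                    f"browser traffic routed through a local proxy at {target}"))
    elif section == "O1":
        # "Hosts: <address> <name>": blocking entries point at a local sink,
        # a redirect points a real name at an outside address.
        parts = body.split()
        if len(parts) >= 3 and parts[1] not in LOCAL_SINKS:
            findings.append(Finding("high", line,
                                    f"hosts file sends {parts[2]} to external address {parts[1]}"))
    elif section in ("O2", "O3"):
        if body.endswith(ORPHAN_MARKERS):
            findings.append(Finding("review", line,
                                    "orphaned CLSID: registry entry left behind, file gone"))
        else:
            display_name = body.split(": ", 1)[-1].split(" - ")[0]
            if GUID.fullmatch(display_name):
                findings.append(Finding("high", line,
                                        "BHO registered under a bare GUID instead of a product name"))
    elif section == "O4":
        if re.search(r"\brundll32(\.exe)?\b", body, re.IGNORECASE):
            findings.append(Finding("review", line,
                                    "Run entry launches a DLL through rundll32"))
    elif section == "O20":
        if body.startswith("AppInit_DLLs"):
            findings.append(Finding("review", line,
                                    "AppInit_DLLs load into every user-mode process; verify each DLL"))
        elif body.endswith(ORPHAN_MARKERS):
            findings.append(Finding("review", line,
                                    "orphaned Winlogon Notify entry: file gone"))

    # Name heuristic runs on every section, on top of the section rule.
    if RANDOM_SYS32_DLL.search(line):
        findings.append(Finding("review", line,
                                "eight-letter random-looking DLL name in system32 (check signature and hash)"))
    return findings


def triage(log_text: str) -> list[Finding]:
    """Run every line of a HijackThis-format log through the rules."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        findings.extend(triage_line(line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity."""
    counts = {"high": 0, "review": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(results))
```

Run as a script it prints ten findings for the sample, three of them "high": the localhost:2323 proxy, the auto.search.msn.es redirect, and the BHO whose display name is itself a GUID. The rest are "review" items, and the random-name rule deliberately stops at "review" because a short letters-only filename proves nothing on its own; the defensible next step for such a file is a publisher-signature check and a hash lookup, not deletion.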


#2 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 27 June 2008 - 02:24 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Also post a new log from DSS.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 satur9
  • Topic Starter

  • Members
  • 3 posts

Posted 27 June 2008 - 04:00 PM

Thank you so much Sam. I did all the steps, and when I restarted I got a RUNDLL alert saying: C:\WINDOWS\System\wmmxqggt.dll is missing.
Is that something to be concerned about? I also just got another popup =/


Malwarebytes' Anti-Malware 1.18
Database version: 895

1:13:38 PM 6/27/2008
mbam-log-6-27-2008 (13-13-38).txt

Scan type: Quick Scan
Objects scanned: 41151
Time elapsed: 11 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 15
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{8d71eeb8-a1a7-4733-8fa2-1cac015c967d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\iebrowsercmp.browsercmp (Adware.RightOnAds) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\iebrowsercmp.browsercmp.1 (Adware.RightOnAds) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c1a6d8b8-93c3-4186-9dd1-13983f9f1d9b} (Adware.RightOnAds) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3160f356-e8c3-4de2-a698-92eeeb3d3400} (Adware.RightOnAds) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5f11d5d5-3fb2-4add-84ad-d69bc9a5d312} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\Sidebar.DLL (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\HID_Layer (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{5f11d5d5-3fb2-4add-84ad-d69bc9a5d312} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMaf3a6097 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\elogfbbr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rbbfgole.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wmmxqggt.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Phil\Application Data\urlredir.cfg (Adware.RightOnAds) -> Quarantined and deleted successfully.



Deckard's System Scanner v20071014.68
Run by Phil on 2008-06-27 13:50:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-27 13:51:05
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\WService.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdcserv.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Dantz\Retrospect\wdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\drivers\WtSrv.exe
C:\Program Files\AVG\AVG8\avgemc.exe
C:\Documents and Settings\Phil\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - (no file)
O2 - BHO: {65a191a9-eadf-61eb-05f4-0b07d5715473} - {3745175d-70b0-4f50-be16-fdae9a191a56} - C:\WINDOWS\system32\avnuvlij.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O2 - BHO: (no name) - {B0B54E67-901D-45BD-B61C-0DC13640ED42} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} () -
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O20 - AppInit_DLLs: sockspy.dll,avgrsstx.dll,
O20 - Winlogon Notify: pmnkliHw - C:\WINDOWS\system32\pmnkliHw.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\system32\WgaLogon.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Unknown owner - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxdcCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdcserv.exe
O23 - Service: lxdc_device - Unknown owner - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\wdsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\system32\drivers\WtSrv.exe


--
End of file - 7257 bytes

-- Files created between 2008-05-27 and 2008-06-27 -----------------------------

2008-06-27 12:50:24 0 d-------- C:\Documents and Settings\Phil\Application Data\Malwarebytes
2008-06-27 12:50:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-27 12:50:14 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-27 12:10:47 0 dr-h----- C:\Documents and Settings\Phil\Recent
2008-06-27 09:57:25 0 d-------- C:\WINDOWS\Prefetch
2008-06-26 19:32:42 1702 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-26 19:31:06 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-06-26 19:31:05 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-06-26 19:31:03 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-06-26 19:31:02 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-26 19:31:01 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-06-26 19:30:59 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-06-26 19:30:59 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-26 14:22:25 0 d-------- C:\Documents and Settings\Phil\Application Data\PC Tools
2008-06-26 14:14:01 0 d-------- C:\Program Files\Common Files\PC Tools
2008-06-26 14:13:38 0 d-------- C:\Program Files\PC Tools AntiVirus
2008-06-26 14:13:38 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-06-25 18:25:01 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-25 18:20:41 427520 --a------ C:\WINDOWS\WRServices.dll <Not Verified; Webroot Software, Inc; >
2008-06-25 17:38:53 0 d-------- C:\Program Files\BearShare
2008-06-25 17:21:54 164 --a------ C:\install.dat
2008-06-25 17:07:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-25 12:53:55 0 d--h----- C:\$AVG8.VAULT$
2008-06-25 12:50:01 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-25 12:50:01 0 d-------- C:\Documents and Settings\Phil\Application Data\AVGTOOLBAR
2008-06-25 12:49:33 0 d-------- C:\Program Files\AVG
2008-06-25 12:49:32 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-24 12:14:01 99840 --a------ C:\WINDOWS\system32\avnuvlij.dll
2008-06-23 18:52:31 0 d-------- C:\Program Files\Alwil Software
2008-06-23 15:06:31 642812 --ahs---- C:\WINDOWS\system32\RYIjlnnn.ini2
2008-06-18 21:30:39 0 d-------- C:\Documents and Settings\Phil\Application Data\SPORE Creature Creator
2008-06-18 21:29:31 658 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2008-06-16 17:25:31 65536 --a------ C:\Documents and Settings\Phil\backupRamSTV.bin
2008-06-16 17:25:27 0 d-------- C:\Documents and Settings\Phil\plugins
2008-06-13 18:09:57 0 d-------- C:\Documents and Settings\Phil\state
2008-06-10 19:30:43 0 d-------- C:\Program Files\THQ
2008-06-08 19:20:10 0 d-------- C:\Program Files\MSECache
2008-06-03 23:00:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-05-29 18:40:03 32768 --a------ C:\NULL
2008-05-27 13:15:20 0 d-------- C:\Documents and Settings\Phil\Application Data\Pointstone
2008-05-27 13:11:49 0 d-------- C:\Program Files\Pointstone
2008-05-27 13:11:49 0 d-------- C:\Program Files\Common Files\Pointstone
2008-05-27 12:52:49 0 d---s---- C:\Documents and Settings\Phil\Cookies
2008-05-27 12:25:26 83552 --a------ C:\WINDOWS\system32\Gapi32.dll <Not Verified; Microsoft Corporation; Microsoft® Windows™ Operating System>


-- Find3M Report ---------------------------------------------------------------

2008-06-26 14:14:01 0 d-------- C:\Program Files\Common Files
2008-06-26 13:57:05 4 --a------ C:\WINDOWSRegDefrag.dat
2008-06-25 18:25:45 0 d-------- C:\Program Files\Lavasoft
2008-06-25 17:10:47 0 d-------- C:\Documents and Settings\Phil\Application Data\Lavasoft
2008-06-25 16:18:14 0 d-------- C:\Documents and Settings\Phil\Application Data\Yahoo!
2008-06-24 21:33:14 0 d-------- C:\Documents and Settings\Phil\Application Data\Mozilla
2008-06-24 20:20:41 0 d-------- C:\Program Files\HP
2008-06-23 22:50:06 0 d-------- C:\Documents and Settings\Phil\Application Data\CoreFTP
2008-06-23 20:51:30 81984 --a----c- C:\WINDOWS\system32\bdod.bin
2008-06-23 19:17:33 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-21 16:04:27 0 d-------- C:\Program Files\Canon
2008-06-21 16:03:44 0 d-------- C:\Program Files\Allscoop RSS Submit Pro
2008-06-13 21:51:35 0 d-------- C:\Documents and Settings\Phil\Application Data\AdobeUM
2008-05-27 12:42:40 0 d-------- C:\Program Files\CoreFTP
2008-05-07 15:21:24 0 d-------- C:\Program Files\TagBot
2008-05-04 00:04:40 0 d-------- C:\Program Files\RagTag


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3745175d-70b0-4f50-be16-fdae9a191a56}]
06/24/2008 12:14 99840 --a------ C:\WINDOWS\system32\avnuvlij.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
06/25/2008 12:49 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B0B54E67-901D-45BD-B61C-0DC13640ED42}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [06/25/2008 12:49 2050816]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WService"="WService.EXE" [09/07/2002 03:23 C:\WINDOWS\system32\WService.exe]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [06/25/2008 12:49]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkliHw]
pmnkliHw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll,avgrsstx.dll,

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\nnnljIYR

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime




-- End of Deckard's System Scanner: finished at 2008-06-27 13:51:51 ------------

#4 Buckeye_Sam (Malware Expert; Members, 17,382 posts; Pickerington, Ohio)

Posted 27 June 2008 - 04:08 PM

You've got a load of malware, so this will take a few more steps.

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - (no file)
O2 - BHO: {65a191a9-eadf-61eb-05f4-0b07d5715473} - {3745175d-70b0-4f50-be16-fdae9a191a56} - C:\WINDOWS\system32\avnuvlij.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - (no file)
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
O2 - BHO: (no name) - {B0B54E67-901D-45BD-B61C-0DC13640ED42} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} () -
O20 - Winlogon Notify: pmnkliHw - C:\WINDOWS\system32\pmnkliHw.dll (file missing)



================


Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\avnuvlij.dll
    C:\WINDOWS\system32\RYIjlnnn.ini2
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.


Make sure you reboot and then post a new log from DSS.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 satur9 (Topic Starter; Members, 3 posts)

Posted 27 June 2008 - 05:56 PM

When I restarted, it gave me a "new hardware found" message; not sure if this is part of the problem. Thank you again, here is what I got:

File/Folder C:\WINDOWS\system32\avnuvlij.dll not found.
C:\WINDOWS\system32\RYIjlnnn.ini2 moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 06272008_153638




Deckard's System Scanner v20071014.68
Run by Phil on 2008-06-27 15:46:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 80% (more than 75%).


-- HijackThis (run as Phil.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:47:18, on 6/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\WService.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdcserv.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\DRIVERS\WtSrv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Phil\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Phil.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: sockspy.dll,avgrsstx.dll,
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Unknown owner - C:\Program Files\Ares\chatServer.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: lxdcCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdcserv.exe
O23 - Service: lxdc_device - - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\system32\DRIVERS\WtSrv.exe

--
End of file - 5427 bytes

-- Files created between 2008-05-27 and 2008-06-27 -----------------------------

2008-06-27 14:08:08 0 dr-h----- C:\Documents and Settings\Phil\Recent
2008-06-27 14:06:04 0 d-------- C:\Program Files\Trend Micro
2008-06-27 12:50:24 0 d-------- C:\Documents and Settings\Phil\Application Data\Malwarebytes
2008-06-27 12:50:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-27 12:50:14 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-27 09:57:25 0 d-------- C:\WINDOWS\Prefetch
2008-06-26 19:32:42 1702 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-26 19:31:06 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-06-26 19:31:05 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-06-26 19:31:03 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-06-26 19:31:02 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-26 19:31:01 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-06-26 19:30:59 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-06-26 19:30:59 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-26 14:22:25 0 d-------- C:\Documents and Settings\Phil\Application Data\PC Tools
2008-06-26 14:14:01 0 d-------- C:\Program Files\Common Files\PC Tools
2008-06-26 14:13:38 0 d-------- C:\Program Files\PC Tools AntiVirus
2008-06-26 14:13:38 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-06-25 18:25:01 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-25 18:20:41 427520 --a------ C:\WINDOWS\WRServices.dll <Not Verified; Webroot Software, Inc; >
2008-06-25 17:38:53 0 d-------- C:\Program Files\BearShare
2008-06-25 17:21:54 164 --a------ C:\install.dat
2008-06-25 17:07:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-25 12:53:55 0 d--h----- C:\$AVG8.VAULT$
2008-06-25 12:50:01 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-25 12:50:01 0 d-------- C:\Documents and Settings\Phil\Application Data\AVGTOOLBAR
2008-06-25 12:49:33 0 d-------- C:\Program Files\AVG
2008-06-25 12:49:32 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-23 18:52:31 0 d-------- C:\Program Files\Alwil Software
2008-06-18 21:30:39 0 d-------- C:\Documents and Settings\Phil\Application Data\SPORE Creature Creator
2008-06-18 21:29:31 658 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2008-06-16 17:25:31 65536 --a------ C:\Documents and Settings\Phil\backupRamSTV.bin
2008-06-16 17:25:27 0 d-------- C:\Documents and Settings\Phil\plugins
2008-06-13 18:09:57 0 d-------- C:\Documents and Settings\Phil\state
2008-06-10 19:30:43 0 d-------- C:\Program Files\THQ
2008-06-08 19:20:10 0 d-------- C:\Program Files\MSECache
2008-06-03 23:00:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-05-29 18:40:03 32768 --a------ C:\NULL
2008-05-27 13:15:20 0 d-------- C:\Documents and Settings\Phil\Application Data\Pointstone
2008-05-27 13:11:49 0 d-------- C:\Program Files\Pointstone
2008-05-27 13:11:49 0 d-------- C:\Program Files\Common Files\Pointstone
2008-05-27 12:52:49 0 d---s---- C:\Documents and Settings\Phil\Cookies
2008-05-27 12:25:26 83552 --a------ C:\WINDOWS\system32\Gapi32.dll <Not Verified; Microsoft Corporation; Microsoft® Windows™ Operating System>


-- Find3M Report ---------------------------------------------------------------

2008-06-26 14:14:01 0 d-------- C:\Program Files\Common Files
2008-06-26 13:57:05 4 --a------ C:\WINDOWSRegDefrag.dat
2008-06-25 18:25:45 0 d-------- C:\Program Files\Lavasoft
2008-06-25 17:10:47 0 d-------- C:\Documents and Settings\Phil\Application Data\Lavasoft
2008-06-25 16:18:14 0 d-------- C:\Documents and Settings\Phil\Application Data\Yahoo!
2008-06-24 21:33:14 0 d-------- C:\Documents and Settings\Phil\Application Data\Mozilla
2008-06-24 20:20:41 0 d-------- C:\Program Files\HP
2008-06-23 22:50:06 0 d-------- C:\Documents and Settings\Phil\Application Data\CoreFTP
2008-06-23 20:51:30 81984 --a----c- C:\WINDOWS\system32\bdod.bin
2008-06-23 19:17:33 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-21 16:04:27 0 d-------- C:\Program Files\Canon
2008-06-21 16:03:44 0 d-------- C:\Program Files\Allscoop RSS Submit Pro
2008-06-13 21:51:35 0 d-------- C:\Documents and Settings\Phil\Application Data\AdobeUM
2008-05-27 12:42:40 0 d-------- C:\Program Files\CoreFTP
2008-05-07 15:21:24 0 d-------- C:\Program Files\TagBot
2008-05-04 00:04:40 0 d-------- C:\Program Files\RagTag


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
06/25/2008 12:49 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [06/25/2008 12:49 2050816]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WService"="WService.EXE" [09/07/2002 03:23 C:\WINDOWS\system32\WService.exe]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [06/25/2008 12:49]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll,avgrsstx.dll,

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\nnnljIYR

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime




-- End of Deckard's System Scanner: finished at 2008-06-27 15:48:21 ------------
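
The two logs in this thread show the persistence points a helper reads off before writing a fix list: an IE proxy pointing at localhost:2323, a hosts-file redirect for auto.search.msn.es, BHO and toolbar CLSIDs with no file behind them, a Winlogon Notify package whose DLL is gone, a non-default entry in LSA "Authentication Packages", and the Vundo habit of pairing a DLL with a companion file whose name is the DLL's name spelled backwards (RYIjlnnn.ini2 against nnnljIYR above). The script below is an added example for this page, not code from the thread, from HijackThis or from DSS. It runs those checks over a handful of lines copied from the logs above (a constructed sample, not a complete log) and returns a triage list. Which keys to flag and the reversed-name heuristic are my assumptions; a flagged entry such as the stale WgaLogon key still needs a person to decide whether it is malware or a legitimate component's leftover, so treat the output as review input, not as a fix list.

```python
"""Triage a HijackThis / Deckard's System Scanner log for the persistence
points seen in this thread. Added example; not from the thread, HijackThis or DSS."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: lines copied from the HijackThis/DSS output quoted above.
SAMPLE_LOG = r'''
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: {65a191a9-eadf-61eb-05f4-0b07d5715473} - {3745175d-70b0-4f50-be16-fdae9a191a56} - C:\WINDOWS\system32\avnuvlij.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - (no file)
O20 - AppInit_DLLs: sockspy.dll,avgrsstx.dll,
O20 - Winlogon Notify: pmnkliHw - C:\WINDOWS\system32\pmnkliHw.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\system32\WgaLogon.dll (file missing)
2008-06-23 15:06:31 642812 --ahs---- C:\WINDOWS\system32\RYIjlnnn.ini2
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\nnnljIYR
'''

# O2 BHO / O3 toolbar entries whose CLSID no longer resolves to a file.
ORPHAN_RE = re.compile(r"^O[23] - (?:BHO|Toolbar):.*\{([0-9A-Fa-f-]{36})\}.*\(no file\)")
# IE proxy; a loopback proxy means a local process sits in the browser's path.
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(\S+)")
HOSTS_RE = re.compile(r"^O1 - Hosts:\s*(\S+)\s+(\S+)")
# Winlogon Notify packages whose DLL is gone (stale key, or a DLL already removed).
NOTIFY_MISSING_RE = re.compile(r"^O20 - Winlogon Notify:\s*(\S+)\s+-\s+.*\(file missing\)")
# AppInit_DLLs in both the HijackThis ("O20 ... :") and DSS ('"appinit_dlls"=') spellings.
APPINIT_RE = re.compile(r'appinit_dlls"?\s*[:=]\s*(.*)$', re.IGNORECASE)
# LSA Authentication Packages: anything beyond msv1_0 is loaded into lsass.exe at boot.
LSA_AUTH_RE = re.compile(r'"Authentication Packages"\s*=\s*(.+)$')
# Final segment (stem, extension dropped) of any Windows path on the line.
STEM_RE = re.compile(r"\\([A-Za-z0-9_]{4,})(?:\.[A-Za-z0-9]{1,4})?(?=\s|$|\]|\))")


def _is_loopback(proxy: str) -> bool:
    host = proxy.rsplit(":", 1)[0].lower()
    return host in ("localhost", "127.0.0.1") or host.startswith("127.")


def reversed_name_pairs(stems: Set[str]) -> List[Tuple[str, str]]:
    """Vundo-style pairs: one artifact's name is another's spelled backwards
    (assumption drawn from RYIjlnnn.ini2 / nnnljIYR in the log above)."""
    pairs = set()
    for stem in stems:
        mirror = stem[::-1]
        if mirror != stem and mirror in stems:
            pairs.add(tuple(sorted((stem, mirror))))
    return sorted(pairs)


def triage(log_text: str) -> Dict[str, list]:
    findings: Dict[str, list] = {
        "localhost_proxy": [], "hosts_redirects": [], "orphan_clsids": [],
        "missing_winlogon_notify": [], "appinit_dlls": [],
        "lsa_extra_auth_packages": [], "reversed_name_pairs": [],
    }
    stems: Set[str] = set()
    for line in (ln.strip() for ln in log_text.splitlines()):
        if not line:
            continue
        stems.update(STEM_RE.findall(line))
        m = PROXY_RE.search(line)
        if m and _is_loopback(m.group(1)):
            findings["localhost_proxy"].append(m.group(1))
        m = HOSTS_RE.match(line)
        if m:
            findings["hosts_redirects"].append((m.group(1), m.group(2)))
        m = ORPHAN_RE.match(line)
        if m:
            findings["orphan_clsids"].append(m.group(1))
        m = NOTIFY_MISSING_RE.match(line)
        if m:
            findings["missing_winlogon_notify"].append(m.group(1))
        m = APPINIT_RE.search(line)
        if m:
            for dll in (d.strip() for d in m.group(1).split(",")):
                if dll and dll not in findings["appinit_dlls"]:
                    findings["appinit_dlls"].append(dll)
        m = LSA_AUTH_RE.search(line)
        if m:
            # DSS prints the packages space-separated; a path with spaces would need a smarter split.
            findings["lsa_extra_auth_packages"].extend(
                t for t in m.group(1).split() if t.lower() != "msv1_0")
    findings["reversed_name_pairs"] = reversed_name_pairs(stems)
    return findings


def report(findings: Dict[str, list]) -> str:
    out = []
    for key, items in findings.items():
        if items:
            out.append(f"{key}:")
            out.extend(f"  {item}" for item in items)
    return "\n".join(out) if out else "nothing flagged"


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run against the sample it flags the loopback proxy, the hosts redirect, both orphan CLSIDs, both missing Winlogon Notify DLLs, both AppInit_DLLs entries, the extra LSA package and the RYIjlnnn / nnnljIYR mirror pair. The stem regex deliberately stops at whitespace, so a segment such as "Program" from "C:\Program Files" is collected too; that is harmless because a pair is only reported when its mirror image also appears in the log.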

#6 Buckeye_Sam (Malware Expert; Members, 17,382 posts; Pickerington, Ohio)

Posted 28 June 2008 - 11:21 AM

Please download ComboFix and save it to your desktop.
Prior to running ComboFix.exe, you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


========================================================

#7 Buckeye_Sam (Malware Expert; Members, 17,382 posts; Pickerington, Ohio)

Posted 20 July 2008 - 09:48 AM

Unfortunately, there has been no response. :thumbsup:
This thread will now be closed.


========================================================
