Various Infections Need Help


  • This topic is locked
12 replies to this topic

#1 Darkumas


Posted 27 July 2008 - 03:54 PM

I ran the DSS scan and I will post the logs below. I had already run a BitDefender online scan and I have that log. Do I still need to run the Kaspersky scan, or can I post the BitDefender log?

Deckard's System Scanner v20071014.68
Run by Deborah Clarke on 2008-07-27 16:35:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
12: 2008-07-27 20:35:19 UTC - RP372 - Deckard's System Scanner Restore Point
11: 2008-07-27 18:34:09 UTC - RP371 - Installed AVG Free 8.0
10: 2008-07-27 17:56:32 UTC - RP370 - Installed Java™ 6 Update 7
9: 2008-07-27 17:19:01 UTC - RP369 - Removed J2SE Runtime Environment 5.0 Update 1
8: 2008-07-27 07:17:29 UTC - RP368 - Installed Ad-Aware


-- First Restore Point --
1: 2008-05-12 20:06:41 UTC - RP361 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 76% (more than 75%).
Total Physical Memory: 447 MiB (512 MiB recommended).


-- HijackThis (run as Deborah Clarke.exe) --------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-27 16:38:10
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\agrsmmsg.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Webshots\Webshots.scr
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Program Files\AVG\AVG8\avgwdsvc.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Documents and Settings\DamonDarius\Desktop\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Deborah Clarke\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.imesh.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.imesh.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.imesh.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.imesh.com/sidebar.html?src=ssb
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: (no name) - {B7D3E479-CC68-42B5-A338-938ECE35F419} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: XBTP01621 - {9EDB89EF-E4BC-4c70-B102-8F7A4365EE33} - C:\PROGRA~1\IMESHA~1\IMESHM~1\MediaBar.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O2 - BHO: (no name) - {C28DFC32-32DE-1C08-D226-39E672F05EB3} - C:\WINDOWS\system32\rme.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O3 - Toolbar: OIN Search - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - C:\Program Files\OIN Search\OINSearch.dll
O3 - Toolbar: (no name) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [{B4BDA73C-05D7-1033-1026-050504060001}] "C:\Program Files\Common Files\{B4BDA73C-05D7-1033-1026-050504060001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [{ZN}] C:\DOCUME~1\DEBORA~1\LOCALS~1\Temp\TICHD003.exe CHD003
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [{B4BDA73C-05D8-1033-1026-050504060001}] "C:\Program Files\Common Files\{B4BDA73C-05D8-1033-1026-050504060001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Wjcwm] C:\Program Files\Common Files\W?nSxS\l?gonui.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Eprc] "C:\DOCUME~1\DEBORA~1\APPLIC~1\YSTEM3~1\msiexec.exe" -vt ndrv
O4 - HKCU\..\Run: [Wkhs] C:\WINDOWS\??stem\l?gonui.exe
O4 - HKCU\..\Run: [Gahgnhx] "C:\Program Files\Common Files\s?mbols\w?nlogon.exe"
O4 - HKCU\..\Run: [Mxibbj] "C:\Documents and Settings\Deborah Clarke\My Documents\??crosoft.NET\r?gedit.exe"
O4 - HKCU\..\Run: [Uigvob] "C:\Program Files\Common Files\a?sembly\s?rvices.exe"
O4 - HKCU\..\Run: [Fflwu] C:\WINDOWS\?racle\w?crtupd.exe
O4 - HKCU\..\Run: [Rxrsi] "C:\Documents and Settings\Deborah Clarke\My Documents\??crosoft.NET\s?rvices.exe"
O4 - HKCU\..\Run: [Xamfyowd] "C:\Program Files\Common Files\W?nSxS\??plorer.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Bajfp] C:\WINDOWS\??mbols\??anregw.exe
O4 - HKCU\..\Run: [Fsslj] C:\WINDOWS\F?nts\t?skmgr.exe
O4 - HKCU\..\Run: [Xyavu] "C:\Documents and Settings\Deborah Clarke\My Documents\W?nSxS\d?dplay.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Policies\Explorer\Run: [{B4BDA73C-05D8-1033-1026-050504060001}] "C:\Program Files\Common Files\{B4BDA73C-05D8-1033-1026-050504060001}\Update.exe" te-110-12-0000213
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Deborah Clarke\Local Settings\Temp\TICHD003.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: RAMASST.lnk = ?
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: PUFLITE () - http://deborahclarke.point2agent.com/Offic...rol/PUFLITE.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} () - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Swupdtmr - Unknown owner - C:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


--
End of file - 12500 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 meiudf - c:\windows\system32\drivers\meiudf.sys <Not Verified; Matsubleepa Electric Industrial Co.,Ltd.; >
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.10) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.10>
R2 Netdevio (TOSHIBA Network Device Usermode I/O Protocol) - c:\windows\system32\drivers\netdevio.sys <Not Verified; TOSHIBA Corporation.; TOSHIBA Network Device Usermode I/O protocol>
R2 TBiosDrv - c:\windows\system32\drivers\tbiosdrv.sys
R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 TVALD (Toshiba Mobile PC Service) - c:\windows\system32\drivers\nbsmi.sys <Not Verified; Toshiba Corporation; Toshiba Notebook PC SMI Service>
R3 Tvs (Toshiba Virtual Sound with SRS technologies) - c:\windows\system32\drivers\tvs.sys <Not Verified; TOSHIBA Corporation; Audio Filter>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ACS (Atheros Configuration Service) - c:\windows\system32\acs.exe
R2 CFSvcs (ConfigFree Service) - c:\program files\toshiba\configfree\cfsvcs.exe <Not Verified; TOSHIBA CORPORATION; ConfigFree™>
R2 DVD-RAM_Service - c:\windows\system32\dvdramsv.exe <Not Verified; Matsubleepa Electric Industrial Co., Ltd.; >
R2 Swupdtmr - c:\toshiba\ivp\swupdate\swupdtmr.exe
R2 TAPPSRV (TOSHIBA Application Service) - "c:\program files\toshiba\toshiba applet\tappsrv.exe" <Not Verified; TOSHIBA Corp.; TOSHIBA TAPPSRV>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-06-27 and 2008-07-27 -----------------------------

2008-07-27 14:46:26 0 d-------- C:\WINDOWS\BDOSCAN8
2008-07-27 14:46:23 0 d-------- C:\WINDOWS\LastGood
2008-07-27 14:44:57 0 d--h----- C:\$AVG8.VAULT$
2008-07-27 14:34:30 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-27 14:34:30 0 d-------- C:\Documents and Settings\Deborah Clarke\Application Data\AVGTOOLBAR
2008-07-27 14:34:10 0 d-------- C:\Program Files\AVG
2008-07-27 14:34:09 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-27 13:56:38 0 d-------- C:\Program Files\Java
2008-07-27 13:56:36 0 d-------- C:\Program Files\Common Files\Java
2008-07-27 12:19:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-27 03:17:31 0 d-------- C:\Program Files\Lavasoft
2008-07-27 03:17:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-27 03:17:01 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-26 22:44:34 0 d-------- C:\Program Files\Common Files\{B4BDA73C-05D8-1033-1026-050504060001}
2008-07-17 01:34:37 518 --a------ C:\WINDOWS\system32\pidgeae.dat
2008-07-17 01:34:37 0 --a------ C:\WINDOWS\system32\mmdrg.dat
2008-07-17 01:34:37 818 --a------ C:\WINDOWS\system32\acluulaw.dat
2008-07-17 01:34:09 0 --a------ C:\WINDOWS\system32\shmedig.dat
2008-07-17 01:34:09 3200 --a------ C:\WINDOWS\system32\kbdheph.dat
2008-07-17 01:34:09 6481 --a------ C:\WINDOWS\system32\hlinqc.dat
2008-07-17 01:34:09 388 --a------ C:\WINDOWS\system32\dbmsricn.dat
2008-06-28 20:24:26 0 d-------- C:\WINDOWS\F?nts


-- Find3M Report ---------------------------------------------------------------

2008-07-27 16:31:43 0 d-------- C:\Program Files\iMesh Applications
2008-07-27 15:30:37 0 d-------- C:\Program Files\ipwins
2008-07-27 15:27:44 0 d-------- C:\Documents and Settings\Deborah Clarke\Application Data\?ystem32
2008-07-27 13:56:36 0 d-------- C:\Program Files\Common Files
2008-07-27 13:20:58 0 d-------- C:\Program Files\Norton AntiVirus
2008-07-27 13:20:58 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-27 13:18:25 0 d-------- C:\Program Files\Symantec
2008-07-27 13:16:41 0 d-------- C:\Program Files\SymNetDrv
2008-07-27 12:04:57 0 d-------- C:\Program Files\a-squared Anti-Malware
2008-07-27 12:04:16 0 d-------- C:\Program Files\Common Files\aolshare
2008-07-27 12:03:54 0 d-------- C:\Program Files\Common Files\AOL
2008-07-27 12:01:51 0 d-------- C:\Documents and Settings\Deborah Clarke\Application Data\Mozilla
2008-07-27 04:00:30 0 d-------- C:\Program Files\Common Files\{34BDA73C-05D8-1033-1026-050504060001}
2008-07-27 04:00:30 0 d-------- C:\Program Files\BearShare Applications
2008-06-28 21:00:34 0 d-------- C:\Documents and Settings\Deborah Clarke\Application Data\U3
2008-06-01 01:03:43 0 d-------- C:\Documents and Settings\Deborah Clarke\Application Data\Sonic
2008-05-12 15:28:35 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
07/27/2008 02:34 PM 2055960 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C28DFC32-32DE-1C08-D226-39E672F05EB3}]
C:\WINDOWS\system32\rme.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [07/27/2008 02:34 PM 2055960]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NDSTray.exe"="NDSTray.exe" []
"AGRSMMSG"="AGRSMMSG.exe" [04/12/2005 07:17 PM C:\WINDOWS\agrsmmsg.exe]
"TPSMain"="TPSMain.exe" [12/28/2004 07:02 PM C:\WINDOWS\system32\TPSMain.exe]
"CFSServ.exe"="CFSServ.exe" []
"{B4BDA73C-05D7-1033-1026-050504060001}"="C:\Program Files\Common Files\{B4BDA73C-05D7-1033-1026-050504060001}\Update.exe" []
"Lexmark_X79-55"="C:\WINDOWS\system32\lsasss.exe" []
"{ZN}"="C:\DOCUME~1\DEBORA~1\LOCALS~1\Temp\TICHD003.exe" []
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [03/09/2007 11:09 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 PM]
"{B4BDA73C-05D8-1033-1026-050504060001}"="C:\Program Files\Common Files\{B4BDA73C-05D8-1033-1026-050504060001}\Update.exe" []
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [07/27/2008 01:16 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/27/2008 02:34 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 AM]
"Wjcwm"="C:\Program Files\Common Files\W?nSxS\l?gonui.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"Eprc"="C:\DOCUME~1\DEBORA~1\APPLIC~1\YSTEM3~1\msiexec.exe" []
"Wkhs"="C:\WINDOWS\??stem\l?gonui.exe" []
"Gahgnhx"="C:\Program Files\Common Files\s?mbols\w?nlogon.exe" []
"Mxibbj"="C:\Documents and Settings\Deborah Clarke\My Documents\??crosoft.NET\r?gedit.exe" []
"Uigvob"="C:\Program Files\Common Files\a?sembly\s?rvices.exe" []
"Fflwu"="C:\WINDOWS\?racle\w?crtupd.exe" []
"Rxrsi"="C:\Documents and Settings\Deborah Clarke\My Documents\??crosoft.NET\s?rvices.exe" []
"Xamfyowd"="C:\Program Files\Common Files\W?nSxS\??plorer.exe" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [06/11/2007 06:16 PM]
"Bajfp"="C:\WINDOWS\??mbols\??anregw.exe" []
"Fsslj"="C:\WINDOWS\F?nts\t?skmgr.exe" []
"Xyavu"="C:\Documents and Settings\Deborah Clarke\My Documents\W?nSxS\d?dplay.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/2008 09:42 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"{B4BDA73C-05D8-1033-1026-050504060001}"="C:\Program Files\Common Files\{B4BDA73C-05D8-1033-1026-050504060001}\Update.exe" te-110-12-0000213

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ccbb04a-ae39-11db-bcfa-00038a000015}]
AutoRun\command- E:\setupSNK.exe

*Newly Created Service* - AVG8EMC
*Newly Created Service* - AVG8WD
*Newly Created Service* - AVGLDX86
*Newly Created Service* - AVGMFX86
*Newly Created Service* - AVGTDIX



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8910 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-27 16:40:18 ------------

Edited by Darkumas, 27 July 2008 - 03:58 PM.
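As an added example (not part of this thread and not one of the tools the helper recommends), the following Python script mechanically flags the patterns that stand out in the O4 section of the HijackThis log above: the '?' characters inside paths, which HijackThis (an ANSI program) prints in place of each non-ANSI character in a folder or file name; look-alike names such as lsasss.exe next to the real lsass.exe; genuine system-binary names started from outside C:\WINDOWS; and executables launched from a Temp directory. The sample lines are copied from the log in the post above; the list of system binary names is my own and not exhaustive, and a bare "?" target (as in the RAMASST.lnk line) is treated as an unresolved shortcut rather than a hit.

```python
"""Mechanical triage of HijackThis O4 (autostart) lines.

HijackThis is an ANSI program: a folder or file name containing non-ANSI
(e.g. Cyrillic look-alike) characters is printed with '?' in their place.
Also flags look-alike names (lsasss.exe vs lsass.exe), genuine system-binary
names launched from outside C:\\WINDOWS, and images started from Temp."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: O4 lines copied from the HijackThis log in the post above.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [{ZN}] C:\DOCUME~1\DEBORA~1\LOCALS~1\Temp\TICHD003.exe CHD003
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Wjcwm] C:\Program Files\Common Files\W?nSxS\l?gonui.exe
O4 - HKCU\..\Run: [Eprc] "C:\DOCUME~1\DEBORA~1\APPLIC~1\YSTEM3~1\msiexec.exe" -vt ndrv
O4 - HKCU\..\Run: [Gahgnhx] "C:\Program Files\Common Files\s?mbols\w?nlogon.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Deborah Clarke\Local Settings\Temp\TICHD003.exe
O4 - Global Startup: RAMASST.lnk = ?
"""

# Core Windows binaries whose names get imitated; my own short list, not exhaustive.
SYSTEM_BINARIES = sorted({"lsass.exe", "csrss.exe", "smss.exe", "svchost.exe",
                          "winlogon.exe", "services.exe", "explorer.exe",
                          "regedit.exe", "taskmgr.exe", "logonui.exe", "msiexec.exe"})
WINDOWS_DIRS = ("c:\\windows\\",)

RUN_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
IMAGE_RE = re.compile(r"(?i)(.*?\.(?:exe|scr|bat|com|cmd))(?:\s|$)")


@dataclass
class Finding:
    name: str          # Run value name or shortcut name
    path: str          # image path exactly as HijackThis printed it
    reasons: List[str]


def extract_image_path(cmd: str) -> str:
    """Pull the executable path out of a Run command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = IMAGE_RE.match(cmd)            # unquoted paths may still contain spaces
    return m.group(1) if m else cmd.split()[0]


def within_one_edit(a: str, b: str) -> bool:
    """True if a turns into b with at most one insert, delete or substitution.
    A '?' in a (HijackThis's stand-in for a non-ANSI character) matches anything."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j] or a[i] == "?":
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        # skip the extra character on the longer side, or both on a substitution
        i += len(a) >= len(b)
        j += len(b) >= len(a)
    return edits + (len(a) - i) + (len(b) - j) <= 1


def assess(name: str, path: str) -> Optional[Finding]:
    """Return a Finding for one autostart entry, or None if nothing stands out."""
    lower = path.lower()
    base = lower.rsplit("\\", 1)[-1]
    reasons = []
    if "?" in path and path != "?":   # a bare '?' is only an unresolved shortcut
        reasons.append("non-ANSI characters in path (HijackThis shows them as '?')")
    for sysbin in SYSTEM_BINARIES:
        if base != sysbin and within_one_edit(base, sysbin):
            reasons.append(f"file name mimics system binary {sysbin}")
    if base in SYSTEM_BINARIES and not lower.startswith(WINDOWS_DIRS):
        reasons.append("system binary name launched from outside C:\\WINDOWS")
    if "\\temp\\" in lower:
        reasons.append("launched from a Temp directory")
    return Finding(name, path, reasons) if reasons else None


def triage_o4(log_text: str) -> List[Finding]:
    """Parse every O4 line of a HijackThis log and return the suspicious entries."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if m:
            f = assess(m.group("name"), extract_image_path(m.group("cmd")))
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_O4_LINES):
        print(f"[{f.name}] {f.path}\n    " + "\n    ".join(f.reasons))
```

Run against the sample, the script flags Lexmark_X79-55, {ZN}, Wjcwm, Eprc, Gahgnhx and TA_Start.lnk and leaves TPSMain, ctfmon.exe, Yahoo! Pager and RAMASST.lnk alone. The edit-distance check treats '?' as a wildcard, so w?nlogon.exe is reported as a look-alike of winlogon.exe even though the original character is unknown; such a triage is a prioritisation aid for the helper, not a verdict, and every hit still needs the file itself examined.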



#2 Farbar


Posted 27 July 2008 - 05:57 PM

Hi,

Welcome to Bleeping Computer HijackThis forum. I am going to assist you with your problem.

Please give me some time to look it over and I will get back to you as soon as possible. If it takes some time to get back to you, please be patient and refrain from any system changes. Meanwhile, limit online use of this computer to a minimum, as a quick look at your log shows an apparent infection.

#3 Farbar


Posted 28 July 2008 - 04:11 AM

Hi again,


Please copy and paste the logs to your reply instead of attaching them.
  • I see you are running Teatimer.

    I suggest you disable it because it can interfere with the changes you'll make on your system.
    When everything is done and your log is clean again, you can enable it again.
    If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
    How to disable TeaTimer during HijackThis Cleanup
    Then, Download ResetTeaTimer.bat.
    Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

  • Turn off Windows automatic updates as it might lead to unexpected results at this stage:
    • Go to start -> Control Panel -> double-click System to open it.
    • Go to the Automatic Updates tab.
    • Select the "Turn off Automatic Updates" box.
    • Click Apply and then OK.
  • You seem to have some leftovers from an incompletely uninstalled Symantec product on your computer:

    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    To remove the leftovers please download and run the Norton Removal Tool.

    Warning: The Norton Removal Tool uninstalls all Norton 2008/2007/2006/2005/2004/2003 products and Norton 360 from your computer. If you use ACT! or WinFAX, back up those databases before you proceed.

  • Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This has changed from what we knew in 2006; read this article:

    http://www.clickz.com/news/article.php/3561546

    I suggest you remove the program now.
    Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist:

    Viewpoint, Viewpoint Manager, Viewpoint Media Player.

    Also remove the folder in bold: C:\Program Files\Viewpoint

  • We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix


    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.
    When the tool is finished, it will produce a report for you (C:\ComboFix.txt). Please copy and paste the report for further review.

  • Click here to download HijackThis Installer.
    • Save HJTInstall.exe to your Desktop.
    • Double click on the HJTInstall.exe icon to start the installation.
    • When a window pops up asking you the directory to install the program please accept the proposed default directory.
    The program will automatically place a shortcut on your desktop and if further use of the program is required, you can click on the shortcut to run the program.

  • Please copy and paste a Hijackthis log along with the ComboFix log.


#4 Darkumas


Posted 28 July 2008 - 09:03 AM

Hi again,


Please copy and paste the logs to your reply instead of attaching them.
  • I see you are running Teatimer.

    I suggest you disable it because it can interfere with the changes you'll make on your system.
    When everything is done and your log is clean again, you can enable it again.
    If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
    How to disable TeaTimer during HijackThis Cleanup
    Then, Download ResetTeaTimer.bat.
    Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.


I disabled TeaTimer, but when I click on the ResetTeaTimer.bat link it just takes me to a log sheet. There's nothing to download. I will continue with the rest of the steps.

#5 Darkumas


Posted 28 July 2008 - 10:01 AM

Here's the ComboFix log

ComboFix 08-07-27.5 - Deborah Clarke 2008-07-28 10:41:01.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.167 [GMT -4:00]
Running from: C:\Documents and Settings\Deborah Clarke\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Deborah Clarke\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\salesmonitor
C:\Documents and Settings\DamonDarius\Application Data\Install.dat
C:\Documents and Settings\DamonDarius\err.log
C:\Documents and Settings\DamonDarius\ResErrors.log
C:\Documents and Settings\Deborah Clarke\Application Data\ASEMBL~1
C:\Documents and Settings\Deborah Clarke\Application Data\CURITY~1
C:\Documents and Settings\Deborah Clarke\Application Data\macromedia\Flash Player\#SharedObjects\4XNLU4KW\www.broadcaster.com
C:\Documents and Settings\Deborah Clarke\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Deborah Clarke\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Deborah Clarke\Application Data\SMANTE~1
C:\Documents and Settings\Deborah Clarke\Application Data\SSEMBL~1
C:\Documents and Settings\Deborah Clarke\Application Data\WNSXS~1
C:\Documents and Settings\Deborah Clarke\Application Data\YSTEM3~1
C:\Documents and Settings\Deborah Clarke\err.log
C:\Documents and Settings\Deborah Clarke\My Documents\APPATC~1
C:\Documents and Settings\Deborah Clarke\My Documents\CROSOF~1
C:\Documents and Settings\Deborah Clarke\My Documents\CROSOF~1.NET
C:\Documents and Settings\Deborah Clarke\My Documents\MCROSO~1
C:\Documents and Settings\Deborah Clarke\My Documents\PPATCH~1
C:\Documents and Settings\Deborah Clarke\My Documents\RACLE~1
C:\Documents and Settings\Deborah Clarke\My Documents\SEMBLY~1
C:\Documents and Settings\Deborah Clarke\My Documents\STEM32~1
C:\Documents and Settings\Deborah Clarke\My Documents\WNSXS~1
C:\Documents and Settings\Deborah Clarke\ResErrors.log
C:\Documents and Settings\Deborah Clarke\Start Menu\Programs\Startup\ta_start.lnk
C:\Program Files\Common Files\{34BDA~1
C:\Program Files\Common Files\{B4BDA~1
C:\Program Files\Common Files\{B4BDA~2
C:\Program Files\Common Files\asembl~1
C:\Program Files\Common Files\asks~1
C:\Program Files\Common Files\companion wizard
C:\Program Files\Common Files\curity~1
C:\Program Files\Common Files\dobe~1
C:\Program Files\Common Files\ecurit~1
C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\fnts~2
C:\Program Files\Common Files\racle~1
C:\Program Files\Common Files\scurit~1
C:\Program Files\Common Files\smbols~1
C:\Program Files\Common Files\ssembl~1
C:\Program Files\Common Files\sstem~1
C:\Program Files\Common Files\wnsxs~1
C:\Program Files\Common Files\ymbols~1
C:\Program Files\dobe~1
C:\Program Files\ipwins
C:\Program Files\ipwins\pop11.tmp
C:\Program Files\ipwins\pop149.tmp
C:\Program Files\ipwins\pop42.tmp
C:\Program Files\ipwins\pop45.tmp
C:\Program Files\ipwins\pop4C.tmp
C:\Program Files\ipwins\pop75.tmp
C:\Program Files\ipwins\pop78.tmp
C:\Program Files\ipwins\popD.tmp
C:\Program Files\ipwins\popD9.tmp
C:\Program Files\ipwins\popF3.tmp
C:\Program Files\oin search
C:\Program Files\oin search\OINSearch.dll
C:\Program Files\oin search\Uninstall.exe
C:\Program Files\sstem~1
C:\Program Files\ystem~1
C:\UWA7P
C:\WINDOWS\clear.bat
C:\WINDOWS\fnts~1
C:\WINDOWS\mantec~1
C:\WINDOWS\mbols~1
C:\WINDOWS\racle~1
C:\WINDOWS\stem~1
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\mcroso~1
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\pppatc~1
C:\WINDOWS\system32\racle~1
C:\WINDOWS\system32\racle~2
C:\WINDOWS\system32\sks~1
C:\WINDOWS\system32\smante~1
C:\WINDOWS\system32\stem~1
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\wnsintit.exe
C:\WINDOWS\system32\wnsintsv32.exe
C:\WINDOWS\system32\ystem~1
C:\WINDOWS\tsks~1
C:\WINDOWS\ystem3~1

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_COM+_MESSAGES


((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-28 )))))))))))))))))))))))))))))))
.

2008-07-27 16:34 . 2008-07-27 16:34 <DIR> d-------- C:\Deckard
2008-07-27 14:46 . 2008-07-27 16:07 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-07-27 14:44 . 2008-07-27 16:00 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-27 14:34 . 2008-07-28 09:41 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-27 14:34 . 2008-07-27 14:34 <DIR> d-------- C:\Program Files\AVG
2008-07-27 14:34 . 2008-07-27 16:37 <DIR> d-------- C:\Documents and Settings\Deborah Clarke\Application Data\AVGTOOLBAR
2008-07-27 14:34 . 2008-07-27 14:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-27 14:34 . 2008-07-27 14:34 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-27 14:34 . 2008-07-27 14:34 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-27 14:34 . 2008-07-27 14:34 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-27 13:57 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-27 13:56 . 2008-07-27 13:57 <DIR> d-------- C:\Program Files\Java
2008-07-27 13:56 . 2008-07-27 13:56 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-27 12:19 . 2008-07-27 12:19 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-27 12:19 . 2008-07-27 13:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-27 03:17 . 2008-07-27 03:17 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-27 03:17 . 2008-07-27 03:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-27 03:17 . 2008-07-27 03:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-27 03:03 . 2008-07-27 03:03 4,286 --a------ C:\WINDOWS\system32\Jamster.ico
2008-07-17 01:50 . 2008-07-17 01:50 61,224 --a------ C:\Documents and Settings\Deborah Clarke\GoToAssistDownloadHelper.exe
2008-07-17 01:34 . 2008-07-27 17:16 9,276 --a------ C:\WINDOWS\system32\hlinqc.dat
2008-07-17 01:34 . 2008-07-27 14:42 3,200 --a------ C:\WINDOWS\system32\kbdheph.dat
2008-07-17 01:34 . 2008-07-28 09:49 892 --a------ C:\WINDOWS\system32\acluulaw.dat
2008-07-17 01:34 . 2008-07-28 09:49 592 --a------ C:\WINDOWS\system32\pidgeae.dat
2008-07-17 01:34 . 2008-07-27 12:09 388 --a------ C:\WINDOWS\system32\dbmsricn.dat
2008-07-17 01:34 . 2008-07-27 14:41 0 --a------ C:\WINDOWS\system32\shmedig.dat
2008-07-17 01:34 . 2008-07-27 20:45 0 --a------ C:\WINDOWS\system32\mmdrg.dat
2008-06-28 20:23 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-28 20:23 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-28 14:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-07-28 14:15 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-27 20:31 --------- d-----w C:\Program Files\iMesh Applications
2008-07-27 16:04 --------- d-----w C:\Program Files\Common Files\aolshare
2008-07-27 16:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-07-27 16:03 --------- d-----w C:\Program Files\Common Files\AOL
2008-06-29 01:00 --------- d-----w C:\Documents and Settings\Deborah Clarke\Application Data\U3
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-01 05:03 --------- d-----w C:\Documents and Settings\Deborah Clarke\Application Data\Sonic
2006-12-03 17:56 172 ----a-w C:\Documents and Settings\Deborah Clarke\Application Data\wklnhst.dat
2006-07-19 19:07 0 ----a-w C:\Documents and Settings\Guest\Application Data\wklnhst.dat
2005-04-21 01:51 105 ----a-w C:\Documents and Settings\All Users\B1.bat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 339,968 2005-04-11 17:00:00 C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

----a-w 5,283,840 2006-06-19 15:15:34 C:\Program Files\BeamFile\bak\BeamFile.exe
----a-w 5,283,840 2006-06-19 14:15:34 C:\Program Files\BeamFile\BeamFile.exe

----a-w 185,896 2007-01-01 09:21:15 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 59,040 2006-04-13 18:20:52 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe

----a-w 171,448 2007-01-27 19:05:14 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe

----a-w 184,320 2005-04-12 23:18:46 C:\Program Files\ltmoh\bak\Ltmoh.exe

----a-w 101,136 2006-05-15 19:24:30 C:\Program Files\Microsoft Location Finder\bak\LocationFinder.exe

----a-w 98,304 2005-04-20 22:12:23 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 4,796,416 2006-06-19 22:30:00 C:\Program Files\RitzPix E-Z Print & Share\bak\OurPictures.exe

----a-w 688,218 2004-10-14 22:26:40 C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe

----a-w 98,394 2004-10-14 22:28:02 C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe

----a-w 65,536 2004-12-30 07:32:20 C:\Program Files\TOSHIBA\TOSCDSPD\bak\toscdspd.exe

----a-w 339,968 2005-04-25 16:15:18 C:\Program Files\TOSHIBA\TOSHIBA Applet\bak\thotkey.exe

----a-w 122,880 2005-04-15 23:51:48 C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\bak\SmoothView.exe

----a-w 1,077,301 2004-09-07 21:03:20 C:\Program Files\TOSHIBA\Touch and Launch\bak\PadExe.exe

----a-w 73,728 2005-04-05 23:25:34 C:\Program Files\TOSHIBA\Tvs\bak\TvsTray.exe

----a-w 151,552 2005-03-18 00:37:26 C:\TOSHIBA\IVP\ISM\bak\pinger.exe

----a-w 15,360 2004-08-04 12:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 12:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 122,941 2005-05-31 12:33:00 C:\WINDOWS\system32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wjcwm"="C:\Program Files\Common Files\W?nSxS\l?gonui.exe" [?]
"Wkhs"="C:\WINDOWS\??stem\l?gonui.exe" [?]
"Gahgnhx"="C:\Program Files\Common Files\s?mbols\w?nlogon.exe" [?]
"Mxibbj"="C:\Documents and Settings\Deborah Clarke\My Documents\??crosoft.NET\r?gedit.exe" [?]
"Uigvob"="C:\Program Files\Common Files\a?sembly\s?rvices.exe" [?]
"Fflwu"="C:\WINDOWS\?racle\w?crtupd.exe" [?]
"Rxrsi"="C:\Documents and Settings\Deborah Clarke\My Documents\??crosoft.NET\s?rvices.exe" [?]
"Xamfyowd"="C:\Program Files\Common Files\W?nSxS\??plorer.exe" [?]
"Bajfp"="C:\WINDOWS\??mbols\??anregw.exe" [?]
"Fsslj"="C:\WINDOWS\F?nts\t?skmgr.exe" [?]
"Xyavu"="C:\Documents and Settings\Deborah Clarke\My Documents\W?nSxS\d?dplay.exe" [?]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"Eprc"="C:\DOCUME~1\DEBORA~1\APPLIC~1\YSTEM3~1\msiexec.exe" [N/A]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-11 18:16 4670968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{B4BDA73C-05D7-1033-1026-050504060001}"="C:\Program Files\Common Files\{B4BDA73C-05D7-1033-1026-050504060001}\Update.exe" [N/A]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"{B4BDA73C-05D8-1033-1026-050504060001}"="C:\Program Files\Common Files\{B4BDA73C-05D8-1033-1026-050504060001}\Update.exe" [N/A]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-27 14:34 1232152]
"NDSTray.exe"="NDSTray.exe" [N/A]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-12 19:17 88358 C:\WINDOWS\agrsmmsg.exe]
"TPSMain"="TPSMain.exe" [2004-12-28 19:02 270336 C:\WINDOWS\system32\TPSMain.exe]
"CFSServ.exe"="CFSServ.exe" [N/A]

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"{B4BDA73C-05D8-1033-1026-050504060001}"="C:\Program Files\Common Files\{B4BDA73C-05D8-1033-1026-050504060001}\Update.exe" [N/A]

C:\Documents and Settings\Deborah Clarke\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2006-06-22 01:16:07 45056]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-08-19 12:14:58 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-27 14:34]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-27 14:34]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-27 14:34]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-27 14:34]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ccbb04a-ae39-11db-bcfa-00038a000015}]
\Shell\AutoRun\command - E:\setupSNK.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{C28DFC32-32DE-1C08-D226-39E672F05EB3} - C:\WINDOWS\system32\rme.dll
ShellIconOverlayIdentifiers-{455846FC-4662-89F2-8141-7D071F41D7CB} - C:\WINDOWS\system32\dbmsricn.dIl


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.cnn.com/
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: &Webshots Photo Search - C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 -: PUFLITE - hxxp://deborahclarke.point2agent.com/Office/ColpaControls/Photo/Control/PUFLITE.CAB
C:\WINDOWS\Downloaded Program Files\OSD133B.OSD
C:\WINDOWS\Downloaded Program Files\PUFLITE.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-28 10:48:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Webshots\Webshots.scr
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-07-28 10:53:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-28 14:53:39

Pre-Run: 57,623,486,464 bytes free
Post-Run: 57,775,603,712 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

287 --- E O F --- 2008-07-27 07:01:15


And here's the HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:59:43 AM, on 7/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\DamonDarius\Desktop\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: (no name) - {B7D3E479-CC68-42B5-A338-938ECE35F419} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: XBTP01621 - {9EDB89EF-E4BC-4c70-B102-8F7A4365EE33} - C:\PROGRA~1\IMESHA~1\IMESHM~1\MediaBar.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O3 - Toolbar: (no name) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [{B4BDA73C-05D7-1033-1026-050504060001}] "C:\Program Files\Common Files\{B4BDA73C-05D7-1033-1026-050504060001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [{B4BDA73C-05D8-1033-1026-050504060001}] "C:\Program Files\Common Files\{B4BDA73C-05D8-1033-1026-050504060001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Wjcwm] C:\Program Files\Common Files\W?nSxS\l?gonui.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Eprc] "C:\DOCUME~1\DEBORA~1\APPLIC~1\YSTEM3~1\msiexec.exe" -vt ndrv
O4 - HKCU\..\Run: [Wkhs] C:\WINDOWS\??stem\l?gonui.exe
O4 - HKCU\..\Run: [Gahgnhx] "C:\Program Files\Common Files\s?mbols\w?nlogon.exe"
O4 - HKCU\..\Run: [Mxibbj] "C:\Documents and Settings\Deborah Clarke\My Documents\??crosoft.NET\r?gedit.exe"
O4 - HKCU\..\Run: [Uigvob] "C:\Program Files\Common Files\a?sembly\s?rvices.exe"
O4 - HKCU\..\Run: [Fflwu] C:\WINDOWS\?racle\w?crtupd.exe
O4 - HKCU\..\Run: [Rxrsi] "C:\Documents and Settings\Deborah Clarke\My Documents\??crosoft.NET\s?rvices.exe"
O4 - HKCU\..\Run: [Xamfyowd] "C:\Program Files\Common Files\W?nSxS\??plorer.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Bajfp] C:\WINDOWS\??mbols\??anregw.exe
O4 - HKCU\..\Run: [Fsslj] C:\WINDOWS\F?nts\t?skmgr.exe
O4 - HKCU\..\Run: [Xyavu] "C:\Documents and Settings\Deborah Clarke\My Documents\W?nSxS\d?dplay.exe"
O4 - HKCU\..\Policies\Explorer\Run: [{B4BDA73C-05D8-1033-1026-050504060001}] "C:\Program Files\Common Files\{B4BDA73C-05D8-1033-1026-050504060001}\Update.exe" te-110-12-0000213
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: PUFLITE - http://deborahclarke.point2agent.com/Offic...rol/PUFLITE.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 9692 bytes

Edited by Darkumas, 28 July 2008 - 10:03 AM.


#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,714 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:20 PM

Posted 28 July 2008 - 02:03 PM

Hi again,

Thanks for the feedback about the ResetTeatimer.bat; the file is indeed removed.

It looks like ComboFix has been run many times and we did not get the log of the first run.
  • Please open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):


    R3 - URLSearchHook: (no name) - {B7D3E479-CC68-42B5-A338-938ECE35F419} - (no file)
    O2 - BHO: XBTP01621 - {9EDB89EF-E4BC-4c70-B102-8F7A4365EE33} - C:\PROGRA~1\IMESHA~1\IMESHM~1\MediaBar.dll (file missing)
    O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
    O3 - Toolbar: (no name) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)
    O4 - HKLM\..\Run: [{B4BDA73C-05D7-1033-1026-050504060001}] "C:\Program Files\Common Files\{B4BDA73C-05D7-1033-1026-050504060001}\Update.exe" te-110-12-0000213
    O4 - HKLM\..\Run: [{B4BDA73C-05D8-1033-1026-050504060001}] "C:\Program Files\Common Files\{B4BDA73C-05D8-1033-1026-050504060001}\Update.exe" te-110-12-0000213
    O4 - HKCU\..\Run: [Wjcwm] C:\Program Files\Common Files\W?nSxS\l?gonui.exe
    O4 - HKCU\..\Run: [Eprc] "C:\DOCUME~1\DEBORA~1\APPLIC~1\YSTEM3~1\msiexec.exe" -vt ndrv
    O4 - HKCU\..\Run: [Wkhs] C:\WINDOWS\??stem\l?gonui.exe
    O4 - HKCU\..\Run: [Gahgnhx] "C:\Program Files\Common Files\s?mbols\w?nlogon.exe"
    O4 - HKCU\..\Run: [Mxibbj] "C:\Documents and Settings\Deborah Clarke\My Documents\??crosoft.NET\r?gedit.exe"
    O4 - HKCU\..\Run: [Uigvob] "C:\Program Files\Common Files\a?sembly\s?rvices.exe"
    O4 - HKCU\..\Run: [Fflwu] C:\WINDOWS\?racle\w?crtupd.exe
    O4 - HKCU\..\Run: [Rxrsi] "C:\Documents and Settings\Deborah Clarke\My Documents\??crosoft.NET\s?rvices.exe"
    O4 - HKCU\..\Run: [Xamfyowd] "C:\Program Files\Common Files\W?nSxS\??plorer.exe"
    O4 - HKCU\..\Run: [Bajfp] C:\WINDOWS\??mbols\??anregw.exe
    O4 - HKCU\..\Run: [Fsslj] C:\WINDOWS\F?nts\t?skmgr.exe
    O4 - HKCU\..\Run: [Xyavu] "C:\Documents and Settings\Deborah Clarke\My Documents\W?nSxS\d?dplay.exe"
    O4 - HKCU\..\Policies\Explorer\Run: [{B4BDA73C-05D8-1033-1026-050504060001}] "C:\Program Files\Common Files\{B4BDA73C-05D8-1033-1026-050504060001}\Update.exe" te-110-12-0000213


    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

    Note: Some items might be present more than once, make sure to remove all of them.

  • Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete the file in bold (if present):

    C:\WINDOWS\system32\Jamster.ico

  • Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only)
    • Double-click ATF-Cleaner.exe to run the program.
      Under Main "Select Files to Delete" choose: Select All.
      Click the Empty Selected button.
    If you use the Firefox browser, click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use the Opera browser, click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.

  • Please download Malwarebytes' Anti-Malware from MajorGeeks
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  • Please click this link--> virustotal

    Click the browse button and navigate to the files listed below in bold, then click Send File. You will only be able to have one file scanned at a time.

    C:\WINDOWS\system32\hlinqc.dat
    C:\WINDOWS\system32\kbdheph.dat

    Please post back the results of the scan in your next post.

  • Please make a fresh DSS log and copy and paste it into your reply. This time DSS makes just one log (main.txt).


    In your next reply:
    • The log of MBAM.
    • The Virustotal report.
    • A fresh DSS log.

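The O4 entries in the two logs above, and the HijackThis lines Farbar asks to have fixed, share a small set of tells: directory and file names that copy Windows names (WinSxS, Fonts, symbols, logonui.exe, winlogon.exe, regedit.exe, taskmgr.exe) with one or two characters replaced by something HijackThis could only print as "?", a genuine system binary name (msiexec.exe) launched from an 8.3 path under Application Data, orphaned "(no file)" / "(file missing)" entries, an autostart under the Policies\Explorer\Run key, and the overlay handler dbmsricn.dIl whose extension uses a capital I in place of l. The script below is an added example, not code from this thread or from HijackThis, ComboFix or any other tool named in it. It triages log lines with those heuristics; the sample lines embedded in it are copied from the logs above, while the lists of system binary names, system directory names and trusted parent directories are assumptions for a default Windows XP layout.

```python
"""Heuristic triage of HijackThis / ComboFix autostart lines.

Added example, not code from the thread or from HijackThis, ComboFix or any
other tool it names. The '?' characters in the sample lines are what
HijackThis printed in place of characters it could not render; the code
treats '?' (or any non-ASCII character) as a one-character wildcard when
looking for imitated names.
"""
import re
from typing import Dict, Iterable, List, Optional

# Assumption: genuine copies of these binaries live directly in one of the
# two TRUSTED_PARENTS directories on a default Windows XP install.
SYSTEM_BINARIES = {"logonui.exe", "winlogon.exe", "services.exe", "regedit.exe",
                   "taskmgr.exe", "explorer.exe", "msiexec.exe", "ctfmon.exe"}
SYSTEM_DIRS = {"winsxs", "fonts", "assembly", "security", "symbols", "system",
               "system32", "oracle", "microsoft.net"}
TRUSTED_PARENTS = {r"c:\windows", r"c:\windows\system32"}
KNOWN_EXTS = {"exe", "dll", "sys", "cpl", "ocx", "scr"}

# A drive-letter path ending in a short extension, quoted or not.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.[A-Za-z0-9]{2,4}(?=["\s]|$)')

# Sample input: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Wjcwm] C:\Program Files\Common Files\W?nSxS\l?gonui.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Eprc] "C:\DOCUME~1\DEBORA~1\APPLIC~1\YSTEM3~1\msiexec.exe" -vt ndrv
O4 - HKCU\..\Run: [Gahgnhx] "C:\Program Files\Common Files\s?mbols\w?nlogon.exe"
O4 - HKCU\..\Run: [Mxibbj] "C:\Documents and Settings\Deborah Clarke\My Documents\??crosoft.NET\r?gedit.exe"
O4 - HKCU\..\Run: [Fsslj] C:\WINDOWS\F?nts\t?skmgr.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Policies\Explorer\Run: [{B4BDA73C-05D8-1033-1026-050504060001}] "C:\Program Files\Common Files\{B4BDA73C-05D8-1033-1026-050504060001}\Update.exe" te-110-12-0000213
R3 - URLSearchHook: (no name) - {B7D3E479-CC68-42B5-A338-938ECE35F419} - (no file)
O2 - BHO: XBTP01621 - {9EDB89EF-E4BC-4c70-B102-8F7A4365EE33} - C:\PROGRA~1\IMESHA~1\IMESHM~1\MediaBar.dll (file missing)
ShellIconOverlayIdentifiers-{455846FC-4662-89F2-8141-7D071F41D7CB} - C:\WINDOWS\system32\dbmsricn.dIl
"""


def _odd(c: str) -> bool:
    """True for the '?' placeholder or any character outside ASCII."""
    return c == "?" or ord(c) > 127


def lookalike(name: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the legitimate name that `name` imitates, or None.

    Every odd character is a wildcard for exactly one character, so
    'W?nSxS' matches 'winsxs' and '??crosoft.NET' matches 'microsoft.net'.
    """
    pattern = re.compile("".join("." if _odd(c) else re.escape(c) for c in name.lower()))
    for cand in sorted(candidates):
        if pattern.fullmatch(cand):
            return cand
    return None


def scan_path(path: str) -> List[str]:
    """Reasons to distrust one file path taken from a log line."""
    reasons: List[str] = []
    parts = path.split("\\")
    basename, parent = parts[-1], "\\".join(parts[:-1]).lower()
    if any(_odd(c) for c in path):
        reasons.append("non-ASCII character in path")
    for d in parts[1:-1]:
        real = lookalike(d, SYSTEM_DIRS) if any(_odd(c) for c in d) else None
        if real:
            reasons.append(f"directory {d!r} imitates {real!r}")
    real = lookalike(basename, SYSTEM_BINARIES)
    if real and parent not in TRUSTED_PARENTS:
        reasons.append(f"{basename!r} imitates system binary {real!r} outside %SystemRoot%")
    ext = basename.rsplit(".", 1)[-1] if "." in basename else ""
    fixed = ext.replace("I", "l").lower()
    if ext.lower() not in KNOWN_EXTS and fixed in KNOWN_EXTS:
        reasons.append(f"extension {ext!r} uses capital I in place of l ({fixed!r})")
    return reasons


def scan_line(line: str) -> List[str]:
    """Reasons that depend on the whole line rather than on a path."""
    reasons: List[str] = []
    if "(no file)" in line or "(file missing)" in line:
        reasons.append("orphaned entry: its target no longer exists")
    if re.search(r"\\Policies\\Explorer\\Run", line, re.IGNORECASE):
        reasons.append("autostart via the Policies\\Explorer\\Run key, which installers seldom use")
    return reasons


def scan_log(text: str) -> Dict[str, List[str]]:
    """Map each suspicious log line to the list of reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for line in text.splitlines():
        reasons = scan_line(line)
        for m in PATH_RE.finditer(line):
            reasons.extend(scan_path(m.group(0)))
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for flagged, why in scan_log(SAMPLE_LOG).items():
        print(flagged)
        for reason in why:
            print("   -", reason)
```

Run as-is it prints nine of the twelve sample lines with their reasons and leaves ctfmon.exe, msmsgs.exe and avgtray.exe alone. Two limits are worth keeping in mind: the "?" is a rendering artifact of the log, so confirming what the real character is means reading the key with Unicode-aware tooling rather than from a pasted log, and 8.3 names such as YSTEM3~1 are not expanded, so an entry under such a directory is caught only when the binary name rule fires (as it does for msiexec.exe).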

#7 Darkumas

Darkumas
  • Topic Starter

  • Members
  • 112 posts
  • Local time:07:20 AM

Posted 28 July 2008 - 03:01 PM

To my knowledge this is the first time ComboFix has ever been run on this computer. This is my girlfriend's computer, which her sons use from time to time, and from the looks of it it has never been cleaned. The sad thing is she has two more computers, possibly with the same problems. Anyhow, the logs are below. Thanks again for all your help.

MBAM Log
Malwarebytes' Anti-Malware 1.23
Database version: 1002
Windows 5.1.2600 Service Pack 2

3:37:47 PM 7/28/2008
mbam-log-7-28-2008 (15-37-47).txt

Scan type: Quick Scan
Objects scanned: 40324
Time elapsed: 5 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\oinsearchtoolbar.oinsbarband (Adware.PurityScan) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\oinsearchtoolbar.oinsbarband.1 (Adware.PurityScan) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.SoftMate) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ClickToFindandFixErrors_RON.ico (Malware.Trace) -> Quarantined and deleted successfully.


First Virustotal Scan

File hlinqc.dat received on 07.28.2008 21:40:53 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.7.26.0 2008.07.28 -
AntiVir 7.8.1.12 2008.07.28 -
Authentium 5.1.0.4 2008.07.28 -
Avast 4.8.1195.0 2008.07.28 -
AVG 8.0.0.130 2008.07.28 -
BitDefender 7.2 2008.07.28 -
CAT-QuickHeal 9.50 2008.07.28 -
ClamAV 0.93.1 2008.07.28 -
DrWeb 4.44.0.09170 2008.07.28 -
eSafe 7.0.17.0 2008.07.28 -
eTrust-Vet 31.6.5989 2008.07.28 -
Ewido 4.0 2008.07.28 -
F-Prot 4.4.4.56 2008.07.28 -
F-Secure 7.60.13501.0 2008.07.28 -
Fortinet 3.14.0.0 2008.07.28 -
GData 2.0.7306.1023 2008.07.28 -
Ikarus T3.1.1.34.0 2008.07.28 -
Kaspersky 7.0.0.125 2008.07.28 -
McAfee 5348 2008.07.28 -
Microsoft 1.3704 2008.07.28 -
NOD32v2 3304 2008.07.28 -
Norman 5.80.02 2008.07.28 -
Panda 9.0.0.4 2008.07.28 -
PCTools 4.4.2.0 2008.07.28 -
Prevx1 V2 2008.07.28 -
Rising 20.55.02.00 2008.07.28 -
Sophos 4.31.0 2008.07.28 -
Sunbelt 3.1.1536.1 2008.07.28 -
Symantec 10 2008.07.28 -
TheHacker 6.2.96.389 2008.07.25 -
TrendMicro 8.700.0.1004 2008.07.28 -
VBA32 3.12.8.1 2008.07.28 -
ViRobot 2008.7.26.1311 2008.07.28 -
VirusBuster 4.5.11.0 2008.07.28 -
Webwasher-Gateway 6.6.2 2008.07.28 -
Additional information
File size: 9276 bytes
MD5...: ec352b6b076f1905c53c86fcc4016588
SHA1..: d87264c59f2de2c08eac85f639f9f82f73fcd217
SHA256: b108263a9ee6d2dd42ed5ce9a6d657267079a36b49436d15fdf11b495b1d0728
SHA512: 7051f959054ca4437523d0a68930b67a32c4abe22e747ee50c151f9f09b57544
6687d1e8522cb90a41814e7077c4bd60732e72ce0875a167121d414975e721ad
PEiD..: -
PEInfo: -

Second Virustotal Scan

Antivirus Version Last Update Result
AhnLab-V3 2008.7.26.0 2008.07.28 -
AntiVir 7.8.1.12 2008.07.28 -
Authentium 5.1.0.4 2008.07.28 -
Avast 4.8.1195.0 2008.07.28 -
AVG 8.0.0.130 2008.07.28 -
BitDefender 7.2 2008.07.28 -
CAT-QuickHeal 9.50 2008.07.28 -
ClamAV 0.93.1 2008.07.28 -
DrWeb 4.44.0.09170 2008.07.28 -
eSafe 7.0.17.0 2008.07.28 -
eTrust-Vet 31.6.5989 2008.07.28 -
Ewido 4.0 2008.07.28 -
F-Prot 4.4.4.56 2008.07.28 -
F-Secure 7.60.13501.0 2008.07.28 -
Fortinet 3.14.0.0 2008.07.28 -
GData 2.0.7306.1023 2008.07.28 -
Ikarus T3.1.1.34.0 2008.07.28 -
Kaspersky 7.0.0.125 2008.07.28 -
McAfee 5348 2008.07.28 -
Microsoft 1.3704 2008.07.28 -
NOD32v2 3304 2008.07.28 -
Norman 5.80.02 2008.07.28 -
Panda 9.0.0.4 2008.07.28 -
PCTools 4.4.2.0 2008.07.28 -
Prevx1 V2 2008.07.28 -
Rising 20.55.02.00 2008.07.28 -
Sophos 4.31.0 2008.07.28 -
Sunbelt 3.1.1536.1 2008.07.28 -
Symantec 10 2008.07.28 -
TheHacker 6.2.96.389 2008.07.25 -
TrendMicro 8.700.0.1004 2008.07.28 -
VBA32 3.12.8.1 2008.07.28 -
ViRobot 2008.7.26.1311 2008.07.28 -
VirusBuster 4.5.11.0 2008.07.28 -
Webwasher-Gateway 6.6.2 2008.07.28 -
Additional information
File size: 3200 bytes
MD5...: 4a97edc03f6eac0ceec7ac7ef4708921
SHA1..: 3ff6c788502242b6e96849f1ba8a6ac4b121a9b4
SHA256: 9cee0d49dbbf98c0ffe53a962dcee02835b5ef7d72f32df8008980157818eb36
SHA512: 133de6a8ae05027afd7b376e24316ab3a3b37883bbde50b5a04ca1ca7e9d877f
4bff5ea1fe3b1b29cb475396d4cc21f93d749f1bcd77e79f48800e879ea94bc3
PEiD..: -
PEInfo: -

And here's the fresh DSS Log

Deckard's System Scanner v20071014.68
Run by Deborah Clarke on 2008-07-28 15:58:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 77% (more than 75%).
Total Physical Memory: 447 MiB (512 MiB recommended).


-- HijackThis (run as Deborah Clarke.exe) --------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:58:27 PM, on 7/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\DamonDarius\Desktop\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Deborah Clarke\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Deborah Clarke.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: PUFLITE - http://deborahclarke.point2agent.com/Offic...rol/PUFLITE.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 7889 bytes

-- Files created between 2008-06-28 and 2008-07-28 -----------------------------

2008-07-28 15:25:43 0 d-------- C:\Documents and Settings\Deborah Clarke\Application Data\Malwarebytes
2008-07-28 15:25:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-28 15:25:36 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-28 10:59:05 0 d-------- C:\Program Files\Trend Micro
2008-07-28 10:40:33 0 d-------- C:\cmdcons
2008-07-28 10:38:43 68096 --a------ C:\WINDOWS\zip.exe
2008-07-28 10:38:43 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-28 10:38:43 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-28 10:38:43 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-28 10:38:43 98816 --a------ C:\WINDOWS\sed.exe
2008-07-28 10:38:43 80412 --a------ C:\WINDOWS\grep.exe
2008-07-28 10:38:43 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-28 10:38:42 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-27 14:46:26 0 d-------- C:\WINDOWS\BDOSCAN8
2008-07-27 14:44:57 0 d--h----- C:\$AVG8.VAULT$
2008-07-27 14:34:30 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-27 14:34:30 0 d-------- C:\Documents and Settings\Deborah Clarke\Application Data\AVGTOOLBAR
2008-07-27 14:34:10 0 d-------- C:\Program Files\AVG
2008-07-27 14:34:09 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-27 13:56:38 0 d-------- C:\Program Files\Java
2008-07-27 13:56:36 0 d-------- C:\Program Files\Common Files\Java
2008-07-27 12:19:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-27 03:17:31 0 d-------- C:\Program Files\Lavasoft
2008-07-27 03:17:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-27 03:17:01 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-17 01:34:37 592 --a------ C:\WINDOWS\system32\pidgeae.dat
2008-07-17 01:34:37 0 --a------ C:\WINDOWS\system32\mmdrg.dat
2008-07-17 01:34:37 892 --a------ C:\WINDOWS\system32\acluulaw.dat
2008-07-17 01:34:09 0 --a------ C:\WINDOWS\system32\shmedig.dat
2008-07-17 01:34:09 3200 --a------ C:\WINDOWS\system32\kbdheph.dat
2008-07-17 01:34:09 9276 --a------ C:\WINDOWS\system32\hlinqc.dat
2008-07-17 01:34:09 388 --a------ C:\WINDOWS\system32\dbmsricn.dat


-- Find3M Report ---------------------------------------------------------------

2008-07-28 10:43:46 0 d-------- C:\Program Files\Common Files
2008-07-28 10:15:18 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-27 16:31:43 0 d-------- C:\Program Files\iMesh Applications
2008-07-27 12:04:16 0 d-------- C:\Program Files\Common Files\aolshare
2008-07-27 12:03:54 0 d-------- C:\Program Files\Common Files\AOL
2008-07-27 12:01:51 0 d-------- C:\Documents and Settings\Deborah Clarke\Application Data\Mozilla
2008-06-28 21:00:34 0 d-------- C:\Documents and Settings\Deborah Clarke\Application Data\U3
2008-06-01 01:03:43 0 d-------- C:\Documents and Settings\Deborah Clarke\Application Data\Sonic


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
07/27/2008 02:34 PM 2055960 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [07/27/2008 02:34 PM 2055960]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NDSTray.exe"="NDSTray.exe" []
"AGRSMMSG"="AGRSMMSG.exe" [04/12/2005 07:17 PM C:\WINDOWS\agrsmmsg.exe]
"TPSMain"="TPSMain.exe" [12/28/2004 07:02 PM C:\WINDOWS\system32\TPSMain.exe]
"CFSServ.exe"="CFSServ.exe" []
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [03/09/2007 11:09 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/27/2008 02:34 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [06/11/2007 06:16 PM]

C:\Documents and Settings\Deborah Clarke\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [6/22/2006 1:16:07 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [8/19/2005 12:14:58 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ccbb04a-ae39-11db-bcfa-00038a000015}]
AutoRun\command- E:\setupSNK.exe




-- End of Deckard's System Scanner: finished at 2008-07-28 15:59:12 ------------
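The DSS "Files created" section above shows seven .dat files written to C:\WINDOWS\system32 within 28 seconds on 2008-07-17, and the two that were submitted to VirusTotal (hlinqc.dat, 9276 bytes, and kbdheph.dat, 3200 bytes) came back with no detections. Zero detections on a freshly dropped, oddly named file is not evidence that it is benign; the simultaneous drop is what makes the whole group worth examining, and the 0-byte members carry no code to scan at all. The script below is an added example written for this page, not part of Deckard's System Scanner, HijackThis or any other tool used in the thread. It parses DSS created-file lines (a constructed sample copied from the log above, with a couple of benign entries kept so the filter has something to skip) and reports clusters of files written to system32 within a short window, listing the non-empty ones as hash-and-submit candidates. The 60-second window and three-file minimum are assumed thresholds chosen for illustration, not values from the thread.

```python
"""Added triage helper for the 'Files created' section of a DSS log.

Example code written for this page; it is not part of Deckard's System
Scanner or any other tool used in the thread.  The 60 s window and the
three-file minimum are assumed thresholds chosen for illustration.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: created-file lines copied from the DSS log posted in
# this thread (a few benign entries kept so the filter has something to skip).
SAMPLE_LOG = r"""
2008-07-28 10:38:43 68096 --a------ C:\WINDOWS\zip.exe
2008-07-28 10:38:43 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-27 14:34:10 0 d-------- C:\Program Files\AVG
2008-07-17 01:34:37 592 --a------ C:\WINDOWS\system32\pidgeae.dat
2008-07-17 01:34:37 0 --a------ C:\WINDOWS\system32\mmdrg.dat
2008-07-17 01:34:37 892 --a------ C:\WINDOWS\system32\acluulaw.dat
2008-07-17 01:34:09 0 --a------ C:\WINDOWS\system32\shmedig.dat
2008-07-17 01:34:09 3200 --a------ C:\WINDOWS\system32\kbdheph.dat
2008-07-17 01:34:09 9276 --a------ C:\WINDOWS\system32\hlinqc.dat
2008-07-17 01:34:09 388 --a------ C:\WINDOWS\system32\dbmsricn.dat
"""

# One DSS line: "<date> <time> <size> <attrs> <path> [<verification info>]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<attr>[-a-z]{9})\s+(?P<path>.+?)\s*$",
    re.IGNORECASE,
)
# Files directly under %SystemRoot%\system32 (no deeper subdirectory).
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.IGNORECASE)


def parse_dss_created(text):
    """Return one dict per parsable line; non-matching lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # Drop the optional "<Not Verified; vendor; product>" trailer.
        path = m.group("path").split(" <", 1)[0]
        entries.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "size": int(m.group("size")),
            "is_dir": m.group("attr").lower().startswith("d"),
            "path": path,
        })
    return entries


def find_drop_clusters(entries, window=timedelta(seconds=60), min_files=3):
    """Group system32 files by creation time.

    Returns lists (oldest first) of at least `min_files` entries whose
    timestamps all fall within `window` of the first file in the group.
    """
    files = sorted(
        (e for e in entries if not e["is_dir"] and SYSTEM32_RE.match(e["path"])),
        key=lambda e: e["ts"],
    )
    clusters, current = [], []
    for e in files:
        if current and e["ts"] - current[0]["ts"] > window:
            if len(current) >= min_files:
                clusters.append(current)
            current = []
        current.append(e)
    if len(current) >= min_files:
        clusters.append(current)
    return clusters


def triage(text):
    """Summarise each cluster: time span, names, extensions, and which files
    are non-empty (the hash-and-submit candidates; 0-byte files carry no code)."""
    findings = []
    for cluster in find_drop_clusters(parse_dss_created(text)):
        names = [e["path"].rsplit("\\", 1)[-1] for e in cluster]
        findings.append({
            "start": cluster[0]["ts"].isoformat(sep=" "),
            "end": cluster[-1]["ts"].isoformat(sep=" "),
            "count": len(cluster),
            "extensions": sorted({n.rsplit(".", 1)[-1].lower() for n in names}),
            "names": names,
            "submit_candidates": [
                e["path"].rsplit("\\", 1)[-1] for e in cluster if e["size"] > 0
            ],
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['count']} files in system32 between {f['start']} and {f['end']}"
              f" ({', '.join(f['extensions'])}): {', '.join(f['names'])}")
        print("  non-empty, worth hashing/submitting:", ", ".join(f["submit_candidates"]))
```

Run against the sample it reports a single cluster of seven .dat files and five non-empty candidates; in the thread only two of those five were ever hashed and submitted, which is the gap this kind of listing is meant to close before a helper declares the box clean.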

#8 Farbar (Security Developer, The Netherlands)

Posted 29 July 2008 - 12:37 AM

Hi Darkumas,

I checked it again and you are right about running ComboFix once. You have done a great job. Things are looking good, but I want to make sure the job is done properly.
  • Please update and run Kaspersky once more and post the scan result.

  • Please copy and paste a fresh Hijackthis log to your reply.


#9 Darkumas (Topic Starter)

Posted 29 July 2008 - 01:18 PM

Here are the logs you requested. Also, do I uninstall ComboFix and/or DSS now that we're finished with them? If so, how do I do that? Also, the active shield on my AVG is not active and I cannot figure out how to get it back active once the cleaning is done. Simply checking the box doesn't seem to be working.

Tuesday, July 29, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, July 29, 2008 16:40:54
Records in database: 1023241
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
Scan statistics
Files scanned 57369
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 01:35:35

No malware has been detected. The scan area is clean.
The selected area was scanned.

Here's the Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:15:46 PM, on 7/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\DamonDarius\Desktop\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: PUFLITE - http://deborahclarke.point2agent.com/Offic...rol/PUFLITE.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 7837 bytes

Edited by Darkumas, 29 July 2008 - 05:50 PM.


#10 Farbar (Security Developer, The Netherlands)

Posted 30 July 2008 - 01:00 AM

Hi Darkumas,


:)
  • Go to Start > Run and copy and paste the next command in the field:

    ComboFix /u

    Make sure there's a space between ComboFix and /.
    Then hit Enter.

    This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

  • You can delete dss.exe and its folder C:\Deckard.

  • If you cannot activate the AVG shield, even after rebooting, you may try this:
    • Go to Start > Run, type services.msc and hit Enter.
    • In the right panel under the Name tab, find the services named AVG Free8 WatchDog and AVG Free8 E-mail Scanner.
    • Double-click on the service and set the Startup type to Automatic if it is not. Then click Start to start the service. Do the same for the second service.
    • If that did not work, do a repair install by going to Add/Remove Programs and selecting Remove; instead of Uninstall, select Repair if the option is there.
  • You may turn on Windows Update and TeaTimer again.
Everything looks good. But the computer is still very much susceptible to reinfection. I strongly advise you to install a firewall before surfing. You will find more information on this below.

:thumbsup:
In order to reduce the possibility of infection in the future, you may follow these steps:
  • First set a new Restore Point, then remove the old Restore Points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

    To set a new restore point:
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    To remove the old restore points:
    • Go to Start > Run then type: Cleanmgr in the box and click "OK".
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    • Click OK and Yes.
  • Sometimes the Privacy, Security and Web settings are altered by the malware. Check and, if needed, reset them to default:
    • Open Internet Explorer > Tools menu > Internet Options.
    • Under privacy tab press default.
    • Under security tab press default.
    • Under Programs tab press Reset Web Settings and click OK.
  • Update your antivirus and antispyware software definitions and run the programs on a regular basis.

  • Use a firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly.
    Click for more information on: Understanding and Using Firewalls

  • Make sure you install all the security updates for Windows, Internet Explorer & Microsoft Office.
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC. Windows XP Service Pack 2 is now outdated. Microsoft has recently released Service Pack 3, which has more features and is more secure than Service Pack 2. You may update your Windows via Windows Update.

    Go here to check for & install updates to Microsoft applications.

  • Install Javacools© SpywareBlaster -
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings, and that will protect you from running and downloading known malicious programs. You can find more information and a download link here.

Edited by farbar, 30 July 2008 - 01:00 AM.


#11 Darkumas (Topic Starter)

Posted 31 July 2008 - 11:27 AM

Thanks a lot, everything looks great now. I appreciate all the help.

#12 Farbar (Security Developer, The Netherlands)

Posted 31 July 2008 - 11:32 AM

Glad we could help, you are welcome.

#13 Shaba (Finland)

Posted 31 July 2008 - 11:38 AM

Since this issue appears resolved ... this Topic is closed. Glad I could help.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Microsoft MVP Consumer Security