Trojan Horse Generic_c.oyj Infection


  • This topic is locked
13 replies to this topic

#1 firham74

  • Members
  • 10 posts
  • Location:singapore

Posted 28 July 2008 - 04:44 AM

Hi there, and please forgive me if I am posting where I should not. I'm a bit overwhelmed.

What happened was this - I was browsing the internet when I got a pop-up, purportedly from Microsoft, asking me to download this program called Antivirus XP 2008 which I did. Well, I was stupid, what can I say.

The next time I started my computer, the background image was almost immediately changed to a blue screen with this warning from my AVG Resident Shield - "C/Windows/ System32/ phcek2j0ecer.bmp" and the next line saying "Trojan horse generic_c.oyj." Then another warning came up saying it cannot find: "C: Documentd and Settings / Faris/ local settings.temp/.tt4tmp.vbs"

From what I can tell so far it has messed up my "Display" button. The "background" click is no longer there.

I did a NoAdware free scan and it clearly identified the Antivirus XP 2008 as the culprit. I did everything I could with what I have, but the problem persisted.

Kindly help. Thanks.

I did a DSS and this is what it came up with -

Deckard's System Scanner v20071014.68
Run by Faris on 2008-07-28 17:03:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 3 Restore Point(s) --
3: 2008-07-28 09:03:38 UTC - RP3 - Deckard's System Scanner Restore Point
2: 2008-07-28 08:11:04 UTC - RP2 - Removed Adobe Reader 7.1.0
1: 2008-07-28 05:16:34 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 80% (more than 75%).
Total Physical Memory: 480 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-28 17:06:23
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgemc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I3S2.EXE
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\lphcek2j0ecer.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG8\aAvgApi.exe
C:\Documents and Settings\Faris\Desktop\dss.exe
C:\Program Files\AVG\AVG8\avgui.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://sg.rd.yahoo.com/customize/ycomp/def...://sg.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sg.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://sg.rd.yahoo.com/customize/ycomp/def...://sg.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://sg.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sg.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus C65 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE /P23 "EPSON Stylus C65 Series" /O5 "LPT1:" /M "Stylus C65"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [lphcek2j0ecer] C:\WINDOWS\system32\lphcek2j0ecer.exe
O4 - HKLM\..\Run: [SMrhcak2j0ecer] C:\Program Files\rhcak2j0ecer\rhcak2j0ecer.exe
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - ?p=ZS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.update.microsoft.com (HKCU)
O15 - Trusted Zone: https://*.update.microsoft.com (HKCU)
O15 - Trusted Zone: http://download.windowsupdate.com (HKCU)
O16 - DPF: {0FC64BDC-D14D-4F04-802D-4B9104DF16FB} (SystemCheck Class) - http://www.singnet.com.sg/technical/helpto.../ALTControl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41564D57-9980-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/0/A...01F/wmvadvd.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1209003726014
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1209013486002
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/flash...ent/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\system32\slserv.exe


--
End of file - 8739 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

S3 FETNDIS (VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver) - c:\windows\system32\drivers\fetnd5.sys (file missing)
S3 GMSIPCI - d:\install\gmsipci.sys (file missing)
S3 MSICPL - d:\install4\msicpl.sys (file missing)
S3 NTACCESS - d:\ntaccess.sys (file missing)
S3 SetupNTGLM7X - d:\ntglm7x.sys (file missing)
S3 sysrest.sys - c:\windows\system32\sysrest.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\program files\cyberlink\shared files\richvideo.exe" <Not Verified; ; RichVideo Module>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-06-28 and 2008-07-28 -----------------------------

2008-07-28 16:30:40 0 d-------- C:\Program Files\NoAdware5.0
2008-07-28 13:16:18 0 d---s---- C:\WINDOWS\Tasks
2008-07-27 00:28:11 6193152 --a------ C:\Documents and Settings\Faris\ntuser.dat
2008-07-26 23:09:10 60928 --a------ C:\WINDOWS\system32\blphcek2j0ecer.scr <Not Verified; Sysinternals; Sysinternals Blue Screen>
2008-07-26 23:08:32 100864 --a------ C:\WINDOWS\system32\lphcek2j0ecer.exe
2008-07-19 23:34:08 0 d-------- C:\Documents and Settings\Faris\Application Data\Yahoo!
2008-07-19 23:34:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-07-19 21:47:31 0 d-------- C:\Program Files\Yahoo!
2008-07-19 21:46:26 0 d-------- C:\Program Files\Veoh Networks
2008-07-19 21:28:47 0 d-------- C:\Program Files\Real
2008-07-19 21:28:41 0 d-------- C:\Program Files\Common Files\Real
2008-07-19 21:28:32 0 d-------- C:\Documents and Settings\Faris\Application Data\Real
2008-07-14 22:04:37 0 d--h----- C:\$AVG8.VAULT$
2008-07-14 11:39:35 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-14 11:39:35 0 d-------- C:\Documents and Settings\Faris\Application Data\AVGTOOLBAR
2008-07-14 11:39:24 0 d-------- C:\Program Files\AVG
2008-07-14 11:39:23 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8


-- Find3M Report ---------------------------------------------------------------

2008-07-26 02:41:45 0 d-------- C:\Program Files\Common Files
2008-07-26 02:25:46 0 d-------- C:\Documents and Settings\Faris\Application Data\AdobeUM
2008-07-19 21:47:48 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-24 23:25:07 0 d-------- C:\Documents and Settings\Faris\Application Data\WinRAR
2008-06-07 18:52:55 18424 --a------ C:\Documents and Settings\Faris\Application Data\GDIPFONTCACHEV1.DAT


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
07/14/2008 11:39 AM 2055960 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [07/14/2008 11:39 AM 2055960]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDeck"="C:\Program Files\VIAudioi\SBADeck\ADeck.exe" [09/30/2004 02:44 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM]
"EPSON Stylus C65 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.exe" [11/27/2003 02:00 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [02/19/2006 02:41 AM]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" []
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" []
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [08/28/2007 06:38 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [11/02/2007 06:36 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/14/2008 11:39 AM]
"lphcek2j0ecer"="C:\WINDOWS\system32\lphcek2j0ecer.exe" [07/26/2008 11:08 PM]
"SMrhcak2j0ecer"="C:\Program Files\rhcak2j0ecer\rhcak2j0ecer.exe" []
"sysrest32.exe"="C:\WINDOWS\system32\sysrest32.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [06/19/2008 03:15 PM]
"@"="" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2/19/2006 4:21:22 AM]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2/25/2006 1:56:05 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= :\WINDOWS\system32\srr

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-07-28 17:07:12 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.40GHz
Percentage of Memory in Use: 75%
Physical Memory (total/avail): 479.48 MiB / 118.42 MiB
Pagefile Memory (total/avail): 1362.16 MiB / 1081.34 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1910.09 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.52 GiB total, 17.17 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST380215A - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: AVG Anti-Virus Free v8.0 (AVG Technologies)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Disabled:Veoh Client"
"C:\\Documents and Settings\\Faris\\Local Settings\\Temp\\.tt2B6.tmp"="C:\\Documents and Settings\\Faris\\Local Settings\\Temp\\.tt2B6.tmp:*:Enabled:enable"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Faris\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=FARISPC
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Faris
LOGONSERVER=\\FARISPC
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files

#2 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 28 July 2008 - 05:02 AM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O4 - HKLM\..\Run: [lphcek2j0ecer] C:\WINDOWS\system32\lphcek2j0ecer.exe
O4 - HKLM\..\Run: [SMrhcak2j0ecer] C:\Program Files\rhcak2j0ecer\rhcak2j0ecer.exe
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
O8 - Extra context menu item: &Search - ?p=ZS

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Using Windows Explorer, please locate the following files/folders, and delete them if still present:

C:\WINDOWS\system32\blphcek2j0ecer.scr
C:\WINDOWS\system32\sysrest32.exe
C:\WINDOWS\system32\lphcek2j0ecer.exe
C:\Program Files\rhcak2j0ecer <--folder

I want you to clean your cache and cookies from your internet explorer.
There are a few infected files which need to be removed from your system.

° Close all instances of Internet Explorer .
° Go to your control panel and open "Internet Options".
° Click on the "General" tab.
° Click the "Delete Cookies" button, then the "Delete Files" button.
° If prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other temporary files and empty the Recycle Bin.

° Go to start and click on the "run" button.
° Type the following in the box --> cleanmgr and click ok.
° Let it scan your system for files to remove.
° Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
° Press OK to remove them.

Reboot back into normal mode.

Please open Notepad and copy and paste the next bold text into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"="msv1_0"

Save this as "fix.reg" (choose to save as *all files) and place it on your desktop.
Double-click on it and when it asks you if you want to merge the contents into the registry, click yes/ok.

Please download Combofix to your desktop.
Double-click combofix.exe to launch the application.

Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.
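The triage the helper does by eye in the post above, as an added example that is not part of this thread or of HijackThis, DSS or ComboFix: it parses the `O4` Run lines from the first HijackThis listing, the firewall `AuthorizedApplications` lines and the `policies\system` values from the DSS extra log, flags the three Run entries the helper names plus two generic defender indicators (anything started from or exempted in a Temp folder, and the `NoDispBackgroundPage` / `NoDispScrSavPage` policies that account for the missing "Background" tab in the first post), and then checks a follow-up log for anything still present. The sample lines are constructed to mirror the posted logs; the heuristics and all function names are mine.

```python
# Triage helper for the HijackThis "O4" Run entries and the DSS firewall and
# policy dumps in this thread. Added example for this page, not part of any
# tool named here; names below are copied from the posted logs or constructed.
import re
from collections import namedtuple

# Constructed samples, copied in shape from the logs posted above (BEFORE = the
# first HijackThis listing, AFTER = the one posted after cleanup).
BEFORE_RUN_LINES = r"""
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [lphcek2j0ecer] C:\WINDOWS\system32\lphcek2j0ecer.exe
O4 - HKLM\..\Run: [SMrhcak2j0ecer] C:\Program Files\rhcak2j0ecer\rhcak2j0ecer.exe
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
""".strip().splitlines()
AFTER_RUN_LINES = r"""
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
""".strip().splitlines()
FIREWALL_LINES = r"""
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Disabled:Veoh Client"
"C:\\Documents and Settings\\Faris\\Local Settings\\Temp\\.tt2B6.tmp"="C:\\Documents and Settings\\Faris\\Local Settings\\Temp\\.tt2B6.tmp:*:Enabled:enable"
""".strip().splitlines()
POLICY_LINES = r"""
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)
""".strip().splitlines()

# Run-key value names the helper in this thread told the poster to remove.
KNOWN_BAD_NAMES = {"lphcek2j0ecer", "SMrhcak2j0ecer", "sysrest32.exe"}
# Policies that hide the Display Properties tabs a user needs to undo a
# hijacked wallpaper or screen saver (the missing "Background" tab above).
UI_LOCKDOWN_POLICIES = {"NoDispBackgroundPage": "hides the Display Properties Background tab",
                        "NoDispScrSavPage": "hides the Display Properties Screen Saver tab"}

RUN_RE = re.compile(r'^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
CMD_RE = re.compile(r'^"?(?P<path>(?:[A-Za-z]:|%\w+%)\\.*?\.[A-Za-z0-9]{1,4})"?.*$')
FW_RE = re.compile(r'^"[^"]+"="(?P<path>[^"]+?):[^:]*:(?P<state>enabled|disabled):[^"]*"$', re.I)
POLICY_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>\d+)')
Finding = namedtuple("Finding", "source name detail reasons")

def _basename(path: str) -> str:
    # DSS prints registry data with doubled backslashes; collapse them first.
    return path.replace("\\\\", "\\").rsplit("\\", 1)[-1]

def check_run_entries(lines):
    """Flag O4 Run entries by known-bad name, Temp path, or name == file name."""
    findings = []
    for line in lines:
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        name, cmd = m.group("name"), m.group("cmd")
        c = CMD_RE.match(cmd)
        path = c.group("path") if c else cmd
        reasons = []
        if name in KNOWN_BAD_NAMES:
            reasons.append("named in the helper's removal list")
        if name.lower() == _basename(path).lower():
            # Weak heuristic: legitimate XP entries such as ctfmon.exe do this too.
            reasons.append("value name is just the file name (review manually)")
        if "\\temp\\" in path.lower():
            reasons.append("runs from a Temp directory")
        if reasons:
            findings.append(Finding("run", name, path, reasons))
    return findings

def check_firewall_exceptions(lines):
    """Flag enabled firewall exceptions for Temp files or non-.exe files."""
    findings = []
    for line in lines:
        m = FW_RE.match(line.strip())
        if not m or m.group("state").lower() != "enabled":
            continue
        path = m.group("path").replace("\\\\", "\\")
        reasons = []
        if "\\temp\\" in path.lower():
            reasons.append("exception for a file in a Temp directory")
        if not path.lower().endswith(".exe"):
            reasons.append("exception for a non-.exe file")
        if reasons:
            findings.append(Finding("firewall", _basename(path), path, reasons))
    return findings

def check_display_policies(lines):
    """Flag non-zero UI-lockdown values from a DSS policies\\system dump."""
    findings = []
    for line in lines:
        m = POLICY_RE.match(line.strip())
        if m and m.group("name") in UI_LOCKDOWN_POLICIES and m.group("value") != "0":
            findings.append(Finding("policy", m.group("name"), m.group("value"),
                                    [UI_LOCKDOWN_POLICIES[m.group("name")]]))
    return findings

def remaining_after_cleanup(before_lines, after_lines):
    """Names flagged in the first log that still appear in the follow-up log."""
    flagged = {f.name for f in check_run_entries(before_lines)}
    present = {m.group("name") for m in map(RUN_RE.match, map(str.strip, after_lines)) if m}
    return sorted(flagged & present)
```

Run against the constructed samples, `check_run_entries` returns exactly the three entries the helper lists, `check_firewall_exceptions` returns only the `.tt2B6.tmp` exception (the lowercase `enabled` entry for sessmgr.exe and the disabled Veoh entry pass), and `remaining_after_cleanup` returns an empty list for the post-cleanup listing, which is the check the helper asks for when requesting a fresh HijackThis log. The name-equals-file-name rule is deliberately marked for manual review rather than treated as a verdict.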

#3 firham74 (Topic Starter)

  • Members
  • 10 posts
  • Location:singapore

Posted 29 July 2008 - 02:54 AM

Hi David, this is Faris.

Nice to make your acquaintance and thank you for your reply. Before I came to this page and saw your reply, I was reading the main page of bleepingcomputer. Being the impulsive person that I am, a trait which has served me very well in life btw, I decided to take the advice about removing AntiVirus 2009.

So I downloaded the Malwarebytes' Anti-Malware and followed the instructions given. And it seems that the problem has already been solved. At least for now.

My "Display" button is back to normal and I've successfully returned my screen to my desired background without it changing back to blue. And the pop-up warnings have apparently disappeared as well, just like a pair of Oreo cookies.

I did, however, already delete my cookies, history and temporary files from my Internet Options yesterday and ran cleanmgr.

So, do I still need to do as per your instructions above?

I'm so sorry if I've taken your time unnecessarily - your help is appreciated no less. But don't worry, most likely I'll be back to these forums since I'm a klutz.

Again thank you and sorry.

#4 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 29 July 2008 - 04:20 AM

I would still continue with the instructions - there are randomly named infected files on your PC that Malwarebytes will probably not target. The 'sysrest32.exe' file I've instructed you to delete is a backdoor trojan which would not cause popups, so just because the popups have stopped does not mean this issue is resolved. Some of the files on your PC pose an unfortunately high threat, so I do thoroughly recommend you continue.

#5 firham74 (Topic Starter)

  • Members
  • 10 posts
  • Location:singapore

Posted 29 July 2008 - 12:36 PM

Hi David.......

I think you've got the right idea about me following through with the procedures. So I did the scan but I couldn't find the items you wanted me to check against. So obviously I didn't get to do Fix Checked.

Neither have I done the rest of the steps, because I want to show you the log first. What do you think?



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:27:10 AM, on 7/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Documents and Settings\Faris\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://sg.rd.yahoo.com/customize/ycomp/def...://sg.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://sg.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sg.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://sg.rd.yahoo.com/customize/ycomp/def...://sg.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus C65 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE /P23 "EPSON Stylus C65 Series" /O5 "LPT1:" /M "Stylus C65"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - ?p=ZS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {0FC64BDC-D14D-4F04-802D-4B9104DF16FB} (SystemCheck Class) - http://www.singnet.com.sg/technical/helpto.../ALTControl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1209003726014
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1209013486002
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll,
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 6967 bytes

#6 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:10:27 PM

Posted 29 July 2008 - 04:07 PM

Ok, things are looking better but can you run Combofix as per the instructions at the bottom of the fix?

#7 firham74

firham74
  • Topic Starter

  • Members
  • 10 posts
  • Location:singapore
  • Local time:04:27 PM

Posted 29 July 2008 - 10:18 PM

One Combofix log coming right up!

Though it deleted my Macromedia Flash - does it mean it's not safe for me to download it again? And what's a recovery console and where can I get it?




ComboFix 08-07-28.4 - Faris 2008-07-30 10:46:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.170 [GMT 8:00]
Running from: C:\Documents and Settings\Faris\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Faris\Application Data\macromedia\Flash Player\#SharedObjects\CVYLKMYB\interclick.com
C:\Documents and Settings\Faris\Application Data\macromedia\Flash Player\#SharedObjects\CVYLKMYB\interclick.com\ud.sol
C:\Documents and Settings\Faris\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Faris\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_sysrest.sys


((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-30 )))))))))))))))))))))))))))))))
.

2008-07-30 02:02 . 2005-09-01 11:03 127,488 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2008-07-30 02:02 . 2005-09-01 11:03 5,888 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2008-07-29 14:56 . 2008-07-29 14:56 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-29 14:56 . 2008-07-29 14:56 <DIR> d-------- C:\Documents and Settings\Faris\Application Data\Malwarebytes
2008-07-29 14:56 . 2008-07-29 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-29 14:56 . 2008-07-23 20:20 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-29 14:56 . 2008-07-23 20:20 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-28 16:30 . 2008-07-28 16:57 <DIR> d-------- C:\Program Files\NoAdware5.0
2008-07-28 16:23 . 2008-07-28 16:23 <DIR> d-------- C:\Deckard
2008-07-19 23:34 . 2008-07-19 23:34 <DIR> d-------- C:\Documents and Settings\Faris\Application Data\Yahoo!
2008-07-19 23:34 . 2008-07-19 23:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-07-19 21:47 . 2008-07-19 21:47 <DIR> d-------- C:\Program Files\Yahoo!
2008-07-19 21:46 . 2008-07-19 21:46 <DIR> d-------- C:\Program Files\Veoh Networks
2008-07-19 21:28 . 2008-07-19 21:28 <DIR> d-------- C:\Program Files\Real
2008-07-19 21:28 . 2008-07-19 23:11 <DIR> d-------- C:\Program Files\Common Files\Real
2008-07-14 22:04 . 2008-07-30 00:24 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-14 11:39 . 2008-07-30 10:27 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-14 11:39 . 2008-07-14 11:39 <DIR> d-------- C:\Program Files\AVG
2008-07-14 11:39 . 2008-07-14 11:39 <DIR> d-------- C:\Documents and Settings\Faris\Application Data\AVGTOOLBAR
2008-07-14 11:39 . 2008-07-14 11:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-14 11:39 . 2008-07-14 11:39 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-14 11:39 . 2008-07-14 11:39 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-14 11:39 . 2008-07-14 11:39 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-21 01:41 . 2008-06-21 01:41 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 18:44 . 2008-06-20 18:44 138,368 -----c--- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-11 07:52 . 2008-06-13 21:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-29 18:01 --------- d-----w C:\Program Files\Ahead
2008-07-29 17:44 --------- d-----w C:\Documents and Settings\Faris\Application Data\Ahead
2008-07-25 18:25 --------- d-----w C:\Documents and Settings\Faris\Application Data\AdobeUM
2008-07-19 13:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-07 10:52 18,424 ----a-w C:\Documents and Settings\Faris\Application Data\GDIPFONTCACHEV1.DAT
2007-08-14 13:33 81,920 ----a-w C:\Documents and Settings\Faris\Application Data\ezpinst.exe
2007-08-14 13:33 47,360 ----a-w C:\Documents and Settings\Faris\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-06-19 15:15 3664944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDeck"="C:\Program Files\VIAudioi\SBADeck\ADeck.exe" [2004-09-30 14:44 7957504]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 15:40 155648]
"EPSON Stylus C65 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE" [2003-11-27 02:00 99840]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-28 18:38 1838592]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36 267048]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-14 11:39 1232152]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-02-25 01:56:05 278528]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-14 11:39]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-14 11:39]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-14 11:39]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-14 11:39]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-02-26 05:54]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-LanguageShortcut - C:\Program Files\CyberLink\PowerDVD\Language\Language.exe
HKLM-Run-ISUSPM - C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Local Page = \blank.htm
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKLM-Main,Start Page = hxxp://sg.yahoo.com
R1 -: HKCU-SearchURL,(Default) = hxxp://sg.rd.yahoo.com/customize/ycomp/defaults/su/*http://sg.yahoo.com
O8 -: &Search - ?p=ZS
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 -: {0FC64BDC-D14D-4F04-802D-4B9104DF16FB} - hxxp://www.singnet.com.sg/technical/helptools/pc-check/media/ALTControl.cab
C:\WINDOWS\Downloaded Program Files\ALTControl.inf
C:\WINDOWS\Downloaded Program Files\ALTControl.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-30 10:57:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2008-07-30 11:06:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-30 03:06:21

Pre-Run: 17,760,505,856 bytes free
Post-Run: 19,484,106,752 bytes free

130 --- E O F --- 2008-07-13 09:20:09

#8 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:10:27 PM

Posted 30 July 2008 - 04:14 AM

First things first, we need to install the recovery console onto your system:
http://support.microsoft.com/KB/314058

It's an important security and safety feature which you really do need to have installed. You can install the recovery console regardless of whether or not you have the XP CD that came with the operating system - I recommend you download the recovery console installation file from the internet; it's only about 4 MB in size, so it shouldn't take too long to download.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
At that page, scroll down and click on the appropriate download for your version of Windows XP (Home or Professional) and the service pack level that you have installed. When you click on the link to download the file, make sure you save it directly to your desktop.

If you are unsure what version of Windows you have and what Service Pack is installed, you can follow these instructions to gain that information:

1) Click on the Start button.
2) Click on the Run menu option.
3) In the Open: field type the following: sysdm.cpl and then click on the OK button.
4) A screen will appear showing information about your installation.
Under the System: category you should see your Windows version and the installed Service Pack.

Once the Microsoft file has finished downloading, close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. This is shown in the following image:
[Image: the downloaded setup package being dragged onto ComboFix.exe]
Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open.

Please post the contents of that log.

Are you sure that Combofix has removed the whole of your Macromedia Flash? It looks as though it has simply removed some malicious links from the history/settings or something like that. Can you try loading Flash again and make sure that it works? It was a good idea to run Combofix because it deleted the remnants of a nasty service you had in your registry; I think we should be just about done now, the PC looks clean!

Let me know about the Flash, please; if it's the case that the entire program's been deleted, the tool author must be notified! :thumbsup:

Edited by D-Trojanator, 30 July 2008 - 04:15 AM.


#9 firham74

firham74
  • Topic Starter

  • Members
  • 10 posts
  • Location:singapore
  • Local time:04:27 PM

Posted 30 July 2008 - 09:03 AM

Okay, so this is the combofix log after I had installed the recovery console and did that merging thingy.

About the media Flash, you know what, I was wrong after all. Sorry. I decided to check it out and I gladly say that I can watch the videos on YouTube and several other places. I think you're right. Again, sorry.

So don't you be calling you-know-who, now!

Anyway, log time.



ComboFix 08-07-28.4 - Faris 2008-07-30 21:40:56.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.177 [GMT 8:00]
Running from: C:\Documents and Settings\Faris\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Faris\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-30 )))))))))))))))))))))))))))))))
.

2008-07-30 02:02 . 2005-09-01 11:03 127,488 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2008-07-30 02:02 . 2005-09-01 11:03 5,888 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2008-07-29 14:56 . 2008-07-29 14:56 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-29 14:56 . 2008-07-29 14:56 <DIR> d-------- C:\Documents and Settings\Faris\Application Data\Malwarebytes
2008-07-29 14:56 . 2008-07-29 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-29 14:56 . 2008-07-23 20:20 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-29 14:56 . 2008-07-23 20:20 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-28 16:30 . 2008-07-28 16:57 <DIR> d-------- C:\Program Files\NoAdware5.0
2008-07-28 16:23 . 2008-07-28 16:23 <DIR> d-------- C:\Deckard
2008-07-19 23:34 . 2008-07-19 23:34 <DIR> d-------- C:\Documents and Settings\Faris\Application Data\Yahoo!
2008-07-19 23:34 . 2008-07-19 23:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-07-19 21:47 . 2008-07-19 21:47 <DIR> d-------- C:\Program Files\Yahoo!
2008-07-19 21:46 . 2008-07-19 21:46 <DIR> d-------- C:\Program Files\Veoh Networks
2008-07-19 21:28 . 2008-07-19 21:28 <DIR> d-------- C:\Program Files\Real
2008-07-19 21:28 . 2008-07-19 23:11 <DIR> d-------- C:\Program Files\Common Files\Real
2008-07-14 22:04 . 2008-07-30 00:24 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-14 11:39 . 2008-07-30 10:27 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-14 11:39 . 2008-07-14 11:39 <DIR> d-------- C:\Program Files\AVG
2008-07-14 11:39 . 2008-07-14 11:39 <DIR> d-------- C:\Documents and Settings\Faris\Application Data\AVGTOOLBAR
2008-07-14 11:39 . 2008-07-14 11:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-14 11:39 . 2008-07-14 11:39 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-14 11:39 . 2008-07-14 11:39 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-14 11:39 . 2008-07-14 11:39 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-21 01:41 . 2008-06-21 01:41 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 18:44 . 2008-06-20 18:44 138,368 -----c--- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-11 07:52 . 2008-06-13 21:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-29 18:01 --------- d-----w C:\Program Files\Ahead
2008-07-29 17:44 --------- d-----w C:\Documents and Settings\Faris\Application Data\Ahead
2008-07-25 18:25 --------- d-----w C:\Documents and Settings\Faris\Application Data\AdobeUM
2008-07-19 13:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-19 13:28 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-07 10:52 18,424 ----a-w C:\Documents and Settings\Faris\Application Data\GDIPFONTCACHEV1.DAT
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-08-14 13:33 81,920 ----a-w C:\Documents and Settings\Faris\Application Data\ezpinst.exe
2007-08-14 13:33 47,360 ----a-w C:\Documents and Settings\Faris\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-06-19 15:15 3664944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDeck"="C:\Program Files\VIAudioi\SBADeck\ADeck.exe" [2004-09-30 14:44 7957504]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 15:40 155648]
"EPSON Stylus C65 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE" [2003-11-27 02:00 99840]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-28 18:38 1838592]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36 267048]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-14 11:39 1232152]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-02-25 01:56:05 278528]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-14 11:39]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-14 11:39]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-14 11:39]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-14 11:39]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-02-26 05:54]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []

*Newly Created Service* - CATCHME
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Local Page = \blank.htm
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKLM-Main,Start Page = hxxp://sg.yahoo.com
R1 -: HKCU-SearchURL,(Default) = hxxp://sg.rd.yahoo.com/customize/ycomp/defaults/su/*http://sg.yahoo.com
O8 -: &Search - ?p=ZS
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 -: {0FC64BDC-D14D-4F04-802D-4B9104DF16FB} - hxxp://www.singnet.com.sg/technical/helptools/pc-check/media/ALTControl.cab
C:\WINDOWS\Downloaded Program Files\ALTControl.inf
C:\WINDOWS\Downloaded Program Files\ALTControl.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-30 21:44:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-30 21:51:39
ComboFix-quarantined-files.txt 2008-07-30 13:51:30
ComboFix2.txt 2008-07-30 03:06:34

Pre-Run: 19,188,310,016 bytes free
Post-Run: 19,644,084,224 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

120 --- E O F --- 2008-07-13 09:20:09
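
As an added check, not part of this thread or of ComboFix, the following Python script parses the boot.ini that ComboFix printed at the end of the log above and confirms that the Recovery Console entry (the /cmdcons line) is present, also reporting the DEP setting (/NoExecute) on the default Windows entry; the sample input is that boot.ini, embedded so the script runs offline.

```python
"""Check a Windows XP boot.ini for the Recovery Console entry ComboFix adds.
Added example, not code from the thread, ComboFix or Microsoft: it parses the
boot.ini text printed in the CF_RC log and reports whether the /cmdcons entry
is present, plus the DEP (/NoExecute) setting on the default Windows entry."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# boot.ini exactly as shown in the CF_RC log above (embedded so this runs offline).
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
"""

# One [operating systems] line: <ARC path or file>="<menu label>" <switches...>
_ENTRY_RE = re.compile(r'^(?P<path>[^=]+)="(?P<label>[^"]*)"(?P<switches>.*)$')


@dataclass
class BootEntry:
    path: str                                  # ARC path or file before the '='
    label: str                                 # text shown in the boot menu
    switches: List[str] = field(default_factory=list)


@dataclass
class BootIni:
    timeout: Optional[int] = None
    default: Optional[str] = None
    entries: List[BootEntry] = field(default_factory=list)


def parse_boot_ini(text: str) -> BootIni:
    """Parse the [boot loader] and [operating systems] sections."""
    ini, section = BootIni(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "boot loader":
            key, _, value = line.partition("=")
            if key.strip().lower() == "timeout":
                ini.timeout = int(value.strip())
            elif key.strip().lower() == "default":
                ini.default = value.strip()
        elif section == "operating systems":
            m = _ENTRY_RE.match(line)
            if m:
                ini.entries.append(BootEntry(path=m.group("path").strip(),
                                             label=m.group("label"),
                                             switches=m.group("switches").split()))
    return ini


def recovery_console_entry(ini: BootIni) -> Optional[BootEntry]:
    """The Recovery Console entry is the one carrying the /cmdcons switch."""
    for entry in ini.entries:
        if any(s.lower() == "/cmdcons" for s in entry.switches):
            return entry
    return None


def default_entry(ini: BootIni) -> Optional[BootEntry]:
    """The entry whose path matches the default= line of [boot loader]."""
    for entry in ini.entries:
        if ini.default and entry.path.lower() == ini.default.lower():
            return entry
    return None


def dep_policy(entry: BootEntry) -> Optional[str]:
    """Value of /NoExecute= (OptIn, OptOut, AlwaysOn or AlwaysOff), if set."""
    for s in entry.switches:
        if s.lower().startswith("/noexecute="):
            return s.split("=", 1)[1]
    return None


def check_boot_ini(text: str) -> dict:
    """Summarise what a helper would look for in the CF_RC log's boot.ini."""
    ini = parse_boot_ini(text)
    rc, dflt = recovery_console_entry(ini), default_entry(ini)
    return {"recovery_console_installed": rc is not None,
            "recovery_console_path": rc.path if rc else None,
            "default_label": dflt.label if dflt else None,
            "dep_policy": dep_policy(dflt) if dflt else None,
            "timeout": ini.timeout}
```

Run against the posted boot.ini it reports the console as installed at C:\CMDCONS\BOOTSECT.DAT with DEP in OptIn mode; a boot.ini lacking the /cmdcons line reports it as missing.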

#10 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:10:27 PM

Posted 30 July 2008 - 10:18 AM

Great! Thanks for clarifying the flash issue, I'm glad it's sorted now.
The logs are looking clean, how is the PC running? :thumbsup:

#11 firham74

firham74
  • Topic Starter

  • Members
  • 10 posts
  • Location:singapore
  • Local time:04:27 PM

Posted 30 July 2008 - 12:00 PM

So far so good. Everything is running great... ah, look... AVG just did a scan and it said no infections. How great is that?

Thanks by the way for all your help, and again sorry for the media Flash scare. As I've said, my impulsive behaviour has always served me well in life. I'm surprised I'm not in more trouble.

Anyway, hope NOT to be bothering anyone in bleepingcomputer soon but I'm pretty sure I'll be back, whether I like it or not.

You're great, this website is great. Have great days ahead, David.


Peace.

#12 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:10:27 PM

Posted 30 July 2008 - 01:25 PM

Glad I could help! :thumbsup:
The latest log is looking clean!
Follow this list and your potential for being infected again will be reduced dramatically.

Use an Anti Virus Software -
* It is very important that your computer has anti-virus software running on your machine.
* This alone can save you a lot of trouble with malware in the future. This link has listings of stand-alone anti virus programs:
* Click here for more information on -> Computer Safety On line - Anti-Virus
* I would recommend Grisoft's AVG or AVAST.
* These are the more secure and better ones.

Update your Anti Virus Software - It is imperative that you update your anti-virus software at least once a week (even more if you wish). If you do not update your anti-virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall -
* I cannot stress how important it is that you use a Firewall on your computer.
* Without a firewall your computer is susceptible to being hacked and taken over.
* Simply using a Firewall in its default configuration can lower your risk greatly.
* For an article on Firewalls and a listing of some available ones see the link below:
* Click here for more information on -> Computer Safety On line - Software Firewalls
* I would recommend ZoneAlarm as a firewall as it's easy to use.

Visit Microsoft's Windows Update Site Frequently -
* It is important that you visit http://www.windowsupdate.com regularly.
* This will ensure your computer always has the latest available security updates installed.
* If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly.

Install Spybot© - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
* This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.
* You should also scan your computer with the program on a regular basis, just as you would with anti-virus software.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Lavasofts© Ad-Aware - Install and download Ad-Aware.
* You should also scan your computer with the program on a regular basis, just as you would with anti-virus software, in conjunction with Spybot.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Javacools© SpywareBlaster -
* SpywareBlaster will add a large list of programs and sites to your Internet Explorer and Firefox settings, which will protect you from running and downloading known malicious programs.
* An article on anti-malware products with links for this program and others can be found here:
* Click here for more info -->Computer Safety on line - Anti-Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.

If you have any additional questions just ask...
David

#13 firham74

firham74
  • Topic Starter

  • Members
  • 10 posts
  • Location:singapore
  • Local time:04:27 PM

Posted 30 July 2008 - 07:32 PM

Thanks for these extra inputs. How come I don't know all these free goodies are out there? I took what I can, e.g. Spybot. I do believe I now have adequate protection... you know, for my computer I mean.

I shall remember to update them as you said.

As for any additional questions, I'll surely drop by when I have any.

Well, David, I suppose until whenever I bust my computer again..........which can be soon, actually. BUT hope not, of course.

Thanks again. Take care.



Faris

#14 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:10:27 PM

Posted 31 July 2008 - 08:17 AM

Glad to hear you've increased your protection, there's a whole host of free security software! :thumbsup:

Since this issue appears resolved, this Topic is now closed.

If you need this topic reopened, please request this by sending me a PM with the address of the thread using the link here. This applies only to the original topic starter.

Everyone else please begin a New Topic.



