Please Help - Hjt Log


19 replies to this topic

#1 OrygunGal

Posted 01 September 2008 - 12:40 PM

I'd love some guidance here. I've never been infected before, so this is all new for me. Whatever has hijacked my PC won't allow me to even get to my C: or D: drives. I think I have a real mess here, and I'm usually very cautious. Any help in defeating this bugger would be much appreciated. Please tell me if you need any further info from me. I'm using my laptop to send this, as my PC won't currently access a website that I want to navigate to. I used a USB flash drive to copy the HJT log from the PC to the laptop. Since the infection last night, I installed the latest HJT, AVG 8 (had 7 previously), and SAS. I'll include the SAS log under the HJT log. Thank you.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:24: VIRUS ALERT!, on 9/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\Explorer.EXE
D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
D:\WINNT\system32\nvsvc32.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
D:\WINNT\system32\svchost.exe
D:\Program Files\Canon\CAL\CALMAIN.exe
D:\WINNT\system32\RUNDLL32.EXE
D:\WINNT\system32\RunDll32.exe
D:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
D:\Program Files\PieAutoUpdater\PieAutoUpdater.exe
D:\Program Files\PieAutoUpdater\pglite.exe
D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\Program Files\Picasa2\PicasaMediaDetector.exe
D:\Program Files\VIA\RAID\raid_tool.exe
D:\WINNT\system32\rundll32.exe
D:\WINNT\system32\rundll32.exe
D:\WINNT\system32\wscntfy.exe
D:\WINNT\system32\NOTEPAD.EXE
D:\WINNT\system32\msiexec.exe
D:\Program Files\AVG\AVG8\avgfrw.exe
I:\SUPERAntiSpyware.exe
D:\WINNT\system32\MSIEXEC.exe
D:\WINNT\system32\MsiExec.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O1 - Hosts: 209.216.253.186 www.winmx.com err.winmx.com
O1 - Hosts: 65.75.216.6 cache0.winmx.com test3201.winmx.com test3206.winmx.com
O1 - Hosts: 65.75.216.7 cache1.winmx.com test3202.winmx.com test3207.winmx.com
O1 - Hosts: 82.43.229.238 cache2.winmx.com test3203.winmx.com test3208.winmx.com
O1 - Hosts: 205.238.40.1 cache3.winmx.com test3204.winmx.com
O1 - Hosts: 205.238.40.2 cache4.winmx.com test3205.winmx.com
O1 - Hosts: 65.75.216.6 c3310.z1301.winmx.com c3310.z1302.winmx.com c3310.z1303.winmx.com c3310.z1304.winmx.com c3310.z1305.winmx.com c3310.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3311.z1301.winmx.com c3311.z1302.winmx.com c3311.z1303.winmx.com c3311.z1304.winmx.com c3311.z1305.winmx.com c3311.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3312.z1301.winmx.com c3312.z1302.winmx.com c3312.z1303.winmx.com c3312.z1304.winmx.com c3312.z1305.winmx.com c3312.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3313.z1301.winmx.com c3313.z1302.winmx.com c3313.z1303.winmx.com c3313.z1304.winmx.com c3313.z1305.winmx.com c3313.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3314.z1301.winmx.com c3314.z1302.winmx.com c3314.z1303.winmx.com c3314.z1304.winmx.com c3314.z1305.winmx.com c3314.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3315.z1301.winmx.com c3315.z1302.winmx.com c3315.z1303.winmx.com c3315.z1304.winmx.com c3315.z1305.winmx.com c3315.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3316.z1301.winmx.com c3316.z1302.winmx.com c3316.z1303.winmx.com c3316.z1304.winmx.com c3316.z1305.winmx.com c3316.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3317.z1301.winmx.com c3317.z1302.winmx.com c3317.z1303.winmx.com c3317.z1304.winmx.com c3317.z1305.winmx.com c3317.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3318.z1301.winmx.com c3318.z1302.winmx.com c3318.z1303.winmx.com c3318.z1304.winmx.com c3318.z1305.winmx.com c3318.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3319.z1301.winmx.com c3319.z1302.winmx.com c3319.z1303.winmx.com c3319.z1304.winmx.com c3319.z1305.winmx.com c3319.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3520.z1301.winmx.com c3520.z1302.winmx.com c3520.z1303.winmx.com c3520.z1304.winmx.com c3520.z1305.winmx.com c3520.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3521.z1301.winmx.com c3521.z1302.winmx.com c3521.z1303.winmx.com c3521.z1304.winmx.com c3521.z1305.winmx.com c3521.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3522.z1301.winmx.com c3522.z1302.winmx.com c3522.z1303.winmx.com c3522.z1304.winmx.com c3522.z1305.winmx.com c3522.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3523.z1301.winmx.com c3523.z1302.winmx.com c3523.z1303.winmx.com c3523.z1304.winmx.com c3523.z1305.winmx.com c3523.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3524.z1301.winmx.com c3524.z1302.winmx.com c3524.z1303.winmx.com c3524.z1304.winmx.com c3524.z1305.winmx.com c3524.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3525.z1301.winmx.com c3525.z1302.winmx.com c3525.z1303.winmx.com c3525.z1304.winmx.com c3525.z1305.winmx.com c3525.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3526.z1301.winmx.com c3526.z1302.winmx.com c3526.z1303.winmx.com c3526.z1304.winmx.com c3526.z1305.winmx.com c3526.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3527.z1301.winmx.com c3527.z1302.winmx.com c3527.z1303.winmx.com c3527.z1304.winmx.com c3527.z1305.winmx.com c3527.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3528.z1301.winmx.com c3528.z1302.winmx.com c3528.z1303.winmx.com c3528.z1304.winmx.com c3528.z1305.winmx.com c3528.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3529.z1301.winmx.com c3529.z1302.winmx.com c3529.z1303.winmx.com c3529.z1304.winmx.com c3529.z1305.winmx.com c3529.z1306.winmx.com
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O3 - Toolbar: qalkfxor - {5371FF76-9602-4029-9626-BE8CD757EB36} - D:\WINNT\qalkfxor.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - D:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Pie Auto Updater] "D:\Program Files\PieAutoUpdater\PieAutoUpdater.exe"
O4 - HKLM\..\Run: [ACD mPower Tools] D:\Program Files\ACD Systems\mPower Tools\1.0\mPowerTools.exe
O4 - HKLM\..\Run: [Microsoft WinUpdate] D:\WINNT\system32\msltstsoft_updt.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [c093abf1] rundll32.exe "D:\WINNT\system32\xbhqeloy.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - Global Startup: VIA RAID TOOL.lnk = D:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/24.9/uploader2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://mn103.coolsavings.com/download/cscmv5X.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1177195986906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1185381986687
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {D1D98C0F-A339-42AB-BD5F-EA0FF5D0E65F} (RockYou Image Uploader Control) - http://www247.rockyou.com/RockYouImageUploader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E481BAAC-19BE-4738-899A-84DA687C6D15}: NameServer = 206.26.36.34
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O21 - SSODL: rqbmvpso - {99052F35-324F-47EE-9029-6D8D2E3BBF68} - D:\WINNT\rqbmvpso.dll
O21 - SSODL: pdoskegl - {4EF6959D-7203-47B1-A6F7-E826E50AE298} - D:\WINNT\pdoskegl.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - D:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - D:\WINNT\system32\HPHipm09.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O24 - Desktop Component 0: Privacy Protection - file:///D:\WINNT\privacy_danger\index.htm

--
End of file - 12415 bytes

_______________________________________________________

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/01/2008 at 09:30 AM

Application Version : 4.20.1046

Core Rules Database Version : 3553
Trace Rules Database Version: 1542

Scan type : Complete Scan
Total Scan Time : 00:57:38

Memory items scanned : 343
Memory threats detected : 9
Registry items scanned : 5835
Registry threats detected : 71
File items scanned : 41543
File threats detected : 208

Trojan.Vundo-Variant/Small-GEN
D:\WINNT\SYSTEM32\PMNLLMFV.DLL
D:\WINNT\SYSTEM32\PMNLLMFV.DLL

Adware.Vundo Variant/Resident
D:\WINNT\SYSTEM32\MLJBSMFD.DLL
D:\WINNT\SYSTEM32\MLJBSMFD.DLL

Adware.VideoAccessCodec/Gen
D:\WINNT\RQBMVPSO.DLL
D:\WINNT\RQBMVPSO.DLL

Adware.Vundo-Variant/J
D:\WINNT\PDOSKEGL.DLL
D:\WINNT\PDOSKEGL.DLL

Trojan.Net-MSV/VPS-Variant
D:\WINNT\RODQGPVLDBV.DLL
D:\WINNT\RODQGPVLDBV.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{26027218-80B3-40FA-9FA1-70FD56AA5328}
HKCR\CLSID\{26027218-80B3-40FA-9FA1-70FD56AA5328}
HKCR\CLSID\{26027218-80B3-40FA-9FA1-70FD56AA5328}
HKCR\CLSID\{26027218-80B3-40FA-9FA1-70FD56AA5328}\InprocServer32
HKCR\CLSID\{26027218-80B3-40FA-9FA1-70FD56AA5328}\InprocServer32#ThreadingModel
HKCR\CLSID\{26027218-80B3-40FA-9FA1-70FD56AA5328}\ProgID
HKCR\CLSID\{26027218-80B3-40FA-9FA1-70FD56AA5328}\Programmable
HKCR\CLSID\{26027218-80B3-40FA-9FA1-70FD56AA5328}\TypeLib
HKCR\CLSID\{26027218-80B3-40FA-9FA1-70FD56AA5328}\VersionIndependentProgID
HKCR\QXK.Olive
HKCR\TypeLib\{FD924082-30CA-4C7F-8866-9B494A03889D}
HKCR\TypeLib\{FD924082-30CA-4C7F-8866-9B494A03889D}\1.0
HKCR\TypeLib\{FD924082-30CA-4C7F-8866-9B494A03889D}\1.0\0
HKCR\TypeLib\{FD924082-30CA-4C7F-8866-9B494A03889D}\1.0\0\win32
HKCR\TypeLib\{FD924082-30CA-4C7F-8866-9B494A03889D}\1.0\FLAGS
HKCR\TypeLib\{FD924082-30CA-4C7F-8866-9B494A03889D}\1.0\HELPDIR
HKCR\Interface\{9DA604E4-8A8F-47FB-B4F1-BB4BC73E546C}
HKCR\Interface\{9DA604E4-8A8F-47FB-B4F1-BB4BC73E546C}\ProxyStubClsid
HKCR\Interface\{9DA604E4-8A8F-47FB-B4F1-BB4BC73E546C}\ProxyStubClsid32
HKCR\Interface\{9DA604E4-8A8F-47FB-B4F1-BB4BC73E546C}\TypeLib
HKCR\Interface\{9DA604E4-8A8F-47FB-B4F1-BB4BC73E546C}\TypeLib#Version
HKCR\Interface\{A878FFB4-52DE-4396-8F6E-A03417493F9A}
HKCR\Interface\{A878FFB4-52DE-4396-8F6E-A03417493F9A}\ProxyStubClsid
HKCR\Interface\{A878FFB4-52DE-4396-8F6E-A03417493F9A}\ProxyStubClsid32
HKCR\Interface\{A878FFB4-52DE-4396-8F6E-A03417493F9A}\TypeLib
HKCR\Interface\{A878FFB4-52DE-4396-8F6E-A03417493F9A}\TypeLib#Version

Trojan.Downloader-NewJuan/VM
D:\WINNT\SYSTEM32\FNAUGN.DLL
D:\WINNT\SYSTEM32\FNAUGN.DLL
D:\WINNT\SYSTEM32\PLQXUQHL.DLL
D:\WINNT\SYSTEM32\PLQXUQHL.DLL
D:\WINNT\SYSTEM32\CZEVBS.DLL
D:\WINNT\SYSTEM32\CZEVBS.DLL

Trojan.Unclassified/GTS
D:\WINNT\QALKFXOR.DLL
D:\WINNT\QALKFXOR.DLL

Trojan.Unclassified/QALKFXOR
HKLM\Software\Classes\CLSID\{5371FF76-9602-4029-9626-BE8CD757EB36}
HKCR\CLSID\{5371FF76-9602-4029-9626-BE8CD757EB36}
HKCR\CLSID\{5371FF76-9602-4029-9626-BE8CD757EB36}
HKCR\CLSID\{5371FF76-9602-4029-9626-BE8CD757EB36}\InprocServer32
HKCR\CLSID\{5371FF76-9602-4029-9626-BE8CD757EB36}\InprocServer32#ThreadingModel
HKCR\CLSID\{5371FF76-9602-4029-9626-BE8CD757EB36}\ProgID
HKCR\CLSID\{5371FF76-9602-4029-9626-BE8CD757EB36}\Programmable
HKCR\CLSID\{5371FF76-9602-4029-9626-BE8CD757EB36}\TypeLib
HKCR\CLSID\{5371FF76-9602-4029-9626-BE8CD757EB36}\VersionIndependentProgID
HKCR\qalkfxor.1
HKCR\qalkfxor
HKCR\TypeLib\{F8377C68-4AAF-4045-9C82-3F25C0378CD3}
HKCR\TypeLib\{F8377C68-4AAF-4045-9C82-3F25C0378CD3}\1.0
HKCR\TypeLib\{F8377C68-4AAF-4045-9C82-3F25C0378CD3}\1.0\0
HKCR\TypeLib\{F8377C68-4AAF-4045-9C82-3F25C0378CD3}\1.0\0\win32
HKCR\TypeLib\{F8377C68-4AAF-4045-9C82-3F25C0378CD3}\1.0\FLAGS
HKCR\TypeLib\{F8377C68-4AAF-4045-9C82-3F25C0378CD3}\1.0\HELPDIR
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{5371FF76-9602-4029-9626-BE8CD757EB36}
HKCR\Interface\{45632A1F-8D26-4E09-98B7-2DE331F7832B}
HKCR\Interface\{45632A1F-8D26-4E09-98B7-2DE331F7832B}\ProxyStubClsid
HKCR\Interface\{45632A1F-8D26-4E09-98B7-2DE331F7832B}\ProxyStubClsid32
HKCR\Interface\{45632A1F-8D26-4E09-98B7-2DE331F7832B}\TypeLib
HKCR\Interface\{45632A1F-8D26-4E09-98B7-2DE331F7832B}\TypeLib#Version

Trojan.Vundo-Variant/NextGen
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7A000198-FDBC-4B53-990E-A16C8F45D5E7}
HKCR\CLSID\{7A000198-FDBC-4B53-990E-A16C8F45D5E7}
HKCR\CLSID\{7A000198-FDBC-4B53-990E-A16C8F45D5E7}\InprocServer32
HKCR\CLSID\{7A000198-FDBC-4B53-990E-A16C8F45D5E7}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BE45F323-53BF-45D5-A73A-358DDFA2E3EB}
HKCR\CLSID\{BE45F323-53BF-45D5-A73A-358DDFA2E3EB}
HKCR\CLSID\{BE45F323-53BF-45D5-A73A-358DDFA2E3EB}\InprocServer32
HKCR\CLSID\{BE45F323-53BF-45D5-A73A-358DDFA2E3EB}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{BE45F323-53BF-45D5-A73A-358DDFA2E3EB}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\pmnllMFV

Trojan.Vundo-Variant/NextGen-Six
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c9535358-8a4e-47c8-8d38-cb92c72b2da1}
HKCR\CLSID\{C9535358-8A4E-47C8-8D38-CB92C72B2DA1}
HKCR\CLSID\{C9535358-8A4E-47C8-8D38-CB92C72B2DA1}\InprocServer32
HKCR\CLSID\{C9535358-8A4E-47C8-8D38-CB92C72B2DA1}\InprocServer32#ThreadingModel

Adware.Tracking Cookie
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@richmedia.yahoo[1].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@www.accountonline[2].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@coolsavings[1].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@citi.bridgetrack[1].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@countrytradedays[2].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@www.cowboycountryclothing[2].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@adserver.filefront[1].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@account.live[1].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@cmedia.com[2].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@ads.bridgetrack[2].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@www.cmedia.com[1].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@hatcountry[2].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@www.mediamax[1].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@ads.vegas[1].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@track.bestbuy[2].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@friendfinder[1].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@angleinteractive.directtrack[2].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@mediamax[1].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@www.mycountrymatch[2].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@findadate[1].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@virusremover2008[1].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@account.mycricket[1].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@v7.stats.load[2].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@webreports.digitalinsight[1].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@apmebf[1].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@adknowledge[1].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@www.statssheet[1].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@www.system-defender[1].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@discountwesternwear[1].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@mycountrymatch[1].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@mediafire[2].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@amsweb[2].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@statse.webtrendslive[2].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@countrywide[2].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@directtrack[2].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@krktcountry[1].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@db[2].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@counter.rewardsnetwork[1].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@gomyhit[1].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@r[2].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@www.countrytradedays[1].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@data.coremetrics[1].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@www.safewebnavigate2008[1].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@linkto.mediafire[1].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@adtrafficstats[2].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@statcounter[2].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@mediaplex[1].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@wmvmedialease[1].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@stats.paypal[1].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@OS[2].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@ad.yieldmanager[2].txt
D:\Documents and Settings\Kim\Cookies\kim@www.tagworld[1].txt
D:\Documents and Settings\Kim\Cookies\kim@ticketsnow[1].txt
D:\Documents and Settings\Kim\Cookies\kim@www.hatcountry[1].txt
D:\Documents and Settings\Kim\Cookies\kim@www.mycountrymatch[2].txt
D:\Documents and Settings\Kim\Cookies\kim@www.accountonline[2].txt
D:\Documents and Settings\Kim\Cookies\kim@www.myaccount.cingular[1].txt
D:\Documents and Settings\Kim\Cookies\kim@www.ticketsnow[2].txt
D:\Documents and Settings\Kim\Cookies\kim@accounts[1].txt
D:\Documents and Settings\Kim\Cookies\kim@ads.as4x.tmcs.ticketmaster[1].txt
D:\Documents and Settings\Kim\Cookies\kim@adserving.autotrader[1].txt
D:\Documents and Settings\Kim\Cookies\kim@azjmp[1].txt
D:\Documents and Settings\Kim\Cookies\kim@friendfinder[2].txt
D:\Documents and Settings\Kim\Cookies\kim@media.tinypic[2].txt
D:\Documents and Settings\Kim\Cookies\kim@mediamax[1].txt
D:\Documents and Settings\Kim\Cookies\kim@track.bestbuy[2].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@accounts[1].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@virusremover2008[2].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@accounts[2].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@track[1].txt
D:\Documents and Settings\Kimberlin\Local Settings\Temp\Cookies\kimberlin@discountwesternwear[2].txt
D:\Documents and Settings\Kimberlin\Local Settings\Temp\Cookies\kimberlin@richmedia.yahoo[1].txt

Browser Hijacker.Internet Explorer Settings Hijack
HKU\S-1-5-21-117609710-1897051121-1417001333-1003\Software\Microsoft\Internet Explorer\Main#Start Page [ http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2 ]

Desktop Hijacker.AboutYourPrivacy
D:\WINNT\privacy_danger\images\capt.gif
D:\WINNT\privacy_danger\images\danger.jpg
D:\WINNT\privacy_danger\images\down.gif
D:\WINNT\privacy_danger\images\spacer.gif
D:\WINNT\privacy_danger\images
D:\WINNT\privacy_danger
D:\Documents and Settings\Kimberlin\Desktop\Error Cleaner.url
D:\Documents and Settings\Kimberlin\Desktop\Privacy Protector.url
D:\Documents and Settings\Kimberlin\Desktop\Spyware&Malware Protection.url
D:\Documents and Settings\Kimberlin\Favorites\Error Cleaner.url
D:\Documents and Settings\Kimberlin\Favorites\Privacy Protector.url
D:\Documents and Settings\Kimberlin\Favorites\Spyware&Malware Protection.url

Trojan.Net-MU/Gen
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebVideo
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebVideo#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebVideo#uninstallString

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\aoprndtws
HKLM\SOFTWARE\Microsoft\FCOVM
HKLM\SOFTWARE\Microsoft\RemoveRP
HKU\S-1-5-21-117609710-1897051121-1417001333-1003\Software\Microsoft\rdfa

Rogue.VirusRemover2008
D:\DOCUMENTS AND SETTINGS\KIMBERLIN\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\K96V8DEJ\VRM_FREE[1].EXE

Adware.HBHelper
D:\PROGRAM FILES\MYSECRETCODES TOOLBAR\TBHELPER.DLL

Trojan.Downloader-Gen/Suspicious
D:\SYSTEM VOLUME INFORMATION\_RESTORE{B42D40A0-1CB4-49AA-8AFF-94AC5B94FA60}\RP498\A0093332.EXE

Trojan.Vundo-Variant/Small
D:\WINNT\SYSTEM32\OPNMKCSM.DLL

Trace.Known Threat Sources
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\KFQ1KFK3\1[1].htm
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\25ID274J\secstat[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\OFYBGVQF\progressbar[2].js
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\M5KZE1A5\shkaladelenie[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\OLYBGTMV\l.s.bg1z[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\M5KZE1A5\favicon[3].ico
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\ODCNK3SF\i[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\OX4PUHE7\secured[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\KFQ1KFK3\indexsg[1].htm
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\25ID274J\closebutton[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\K96V8DEJ\sh[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\OLYBGTMV\indexsg[1].htm
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\OFYBGVQF\progressbar[3].js
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\OLYBGTMV\l.s.bg2z[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\8H8PAZSX\common[2].js
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\OX4PUHE7\bg2[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\K96V8DEJ\indexsg[1].htm
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\25ID274J\4[1].htm
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\OL2F8TUF\boot_03[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\M5KZE1A5\4[1].htm
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\OPQ01PC4\4[1].htm
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\M5KZE1A5\fileslist[2].js
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\8H8PAZSX\logo2_03[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\OX4PUHE7\fileslist[2].js
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\OLYBGTMV\activex[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\OFYBGVQF\cut1[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\8H8PAZSX\shadow_bottom[1].png
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\OPQ01PC4\2[1].htm
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\25ID274J\con3[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\OFYBGVQF\img2[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\ODCNK3SF\managers[2].js
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\UZGNEX4X\right_up_lnk[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\WH0VUXIR\body_bg[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\8H8PAZSX\load_bg[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\UZGNEX4X\ballon[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\OL2F8TUF\monik[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\M5KZE1A5\red_btn_bg[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\KFQ1KFK3\css_land[1].css
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\QNADAVYD\styles[2].css
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\OPQ01PC4\grafik[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\8H8PAZSX\load_txt[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\M5KZE1A5\load_pointer[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\M5KZE1A5\con2[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\QNADAVYD\top_bg[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\25ID274J\shadow_right[1].png
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\AZABYXMV\2[1].htm
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\OX4PUHE7\logo[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\ODCNK3SF\top_y[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\KFQ1KFK3\main_top2[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\OX4PUHE7\cut2[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\OX4PUHE7\left_top[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\ODCNK3SF\main[1].htm
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\25ID274J\bord_lr[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\OPQ01PC4\supp_n[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\UZGNEX4X\5[1].htm
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\UZGNEX4X\img1[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\OLYBGTMV\favicon[1].htm
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\K96V8DEJ\buy_n[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\25ID274J\cut2_4[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\25ID274J\right_top[1].jpg
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\K96V8DEJ\bttn[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\OL2F8TUF\left_bttm[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\8H8PAZSX\cut2_2[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\OL2F8TUF\shadow_left[1].png
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\M5KZE1A5\load_txt3[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\OPQ01PC4\down_n[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\25ID274J\load_img2[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\IR8V4NUP\cut3_4[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\UZGNEX4X\bg[1].jpg
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\KFQ1KFK3\03[1].swf
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\UZGNEX4X\rolik[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\OL2F8TUF\Activex[1].jpg
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\OX4PUHE7\cut1_4[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\25ID274J\li[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\IR8V4NUP\scanning[2].js
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\K96V8DEJ\load_bttn[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\OL2F8TUF\main[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\K96V8DEJ\right_bttm[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\KFQ1KFK3\top_btm[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\K96V8DEJ\bord_lr2[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\WH0VUXIR\bg[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\UZGNEX4X\main_top[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\WH0VUXIR\hd_bg[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\QNADAVYD\bord_bttm[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\OPQ01PC4\point[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\8H8PAZSX\cut4_2[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\WH0VUXIR\cut4_4[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\OX4PUHE7\favicon[6].ico
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\AZABYXMV\cut1_2[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\OX4PUHE7\con4[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\M5KZE1A5\red_btn_left[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\QNADAVYD\komp[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\OL2F8TUF\home_s[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\WH0VUXIR\load_slogan[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\ODCNK3SF\load_img1[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\ODCNK3SF\shadow_con_right[1].png
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\OLYBGTMV\load_flash_bg[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\AZABYXMV\close[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\AZABYXMV\bar[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\UZGNEX4X\common[2].js
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\UZGNEX4X\down[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\UZGNEX4X\bg[2].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\IR8V4NUP\bleep2[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\M5KZE1A5\params[2].js
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\WH0VUXIR\1[1].htm
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\QNADAVYD\vars[2].js
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\UZGNEX4X\activex[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\QNADAVYD\rght[1].gif
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\OFYBGVQF\index[2].js
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\IR8V4NUP\settings[2].js
D:\Documents and Settings\Kimberlin\Local Settings\Temporary Internet Files\Content.IE5\25ID274J\cut3_2[1].gif

#2 Rodav

Posted 03 September 2008 - 11:30 AM

Hello OrygunGal and welcome to the Bleeping Computer forums.
I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research so please be patient while I work on your log and I will post back here with any recommendations.
As I am still training, everything that I post to you must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts. While it shouldn't be too long, you can be assured you will get the best possible advice.
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.


#3 Rodav

Posted 03 September 2008 - 04:04 PM

Step 1:
Download HostsXpert v4.1 and unzip it to your computer, somewhere where you can find it.
  • Double click on HostsXpert.exe to launch the program.
  • Click on Restore MS Hosts File to restore your Hosts file to its default condition.
  • Click on Make ReadOnly to secure it against further infection.
  • Exit the program.
Visit the Website for more information.


Step 2:
We will begin with ComboFix.exe, which can be downloaded from one of the following links.
Link 1
Link 2
Link 3

Please visit this webpage for instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt


Step 3:
Run HijackThis, do a system scan and in your next reply please post:
  • The ComboFix report (C:\ComboFix.txt)
  • The new HijackThis log


#4 Rodav

Posted 06 September 2008 - 08:16 AM

Do you need any more assistance?

#5 OrygunGal (Topic Starter)

Posted 06 September 2008 - 11:56 PM

Rodav,

Thank you so much for responding. Sorry for taking so long to get back with you. I thought I had set up my acct. here to email me when there is a response to my thread. Since I had not heard anything, I did something on my own. I downloaded version 8 of AVG free and installed it. Had to fight with the PC a bit but I was determined. I ran a slow scan and allowed it to fix all problems. I also found the repair tab on SAS and let it repair a few things. I logged in here to post an updated log and found your responses. What a relief to have control of my PC again! I know I still have some issues as IE windows are popping up with ads.

I'll post the updated logs below before I follow your suggestions above considering the state of my PC has changed. Because I do not know what is OK to have HJT & SAS fix, I will eagerly await your reply before making any further changes.

Thank you so much for your time and assistance!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:59 PM, on 9/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
D:\WINNT\system32\nvsvc32.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
D:\WINNT\system32\svchost.exe
D:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\Program Files\Canon\CAL\CALMAIN.exe
D:\PROGRA~1\AVG\AVG8\avgemc.exe
D:\WINNT\Explorer.EXE
D:\WINNT\system32\RUNDLL32.EXE
D:\WINNT\system32\RunDll32.exe
D:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
D:\Program Files\PieAutoUpdater\PieAutoUpdater.exe
D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\PROGRA~1\AVG\AVG8\avgtray.exe
D:\Program Files\Picasa2\PicasaMediaDetector.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\VIA\RAID\raid_tool.exe
D:\WINNT\system32\wuauclt.exe
D:\Program Files\PieAutoUpdater\pglite.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O1 - Hosts: 209.216.253.186 www.winmx.com err.winmx.com
O1 - Hosts: 65.75.216.6 cache0.winmx.com test3201.winmx.com test3206.winmx.com
O1 - Hosts: 65.75.216.7 cache1.winmx.com test3202.winmx.com test3207.winmx.com
O1 - Hosts: 82.43.229.238 cache2.winmx.com test3203.winmx.com test3208.winmx.com
O1 - Hosts: 205.238.40.1 cache3.winmx.com test3204.winmx.com
O1 - Hosts: 205.238.40.2 cache4.winmx.com test3205.winmx.com
O1 - Hosts: 65.75.216.6 c3310.z1301.winmx.com c3310.z1302.winmx.com c3310.z1303.winmx.com c3310.z1304.winmx.com c3310.z1305.winmx.com c3310.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3311.z1301.winmx.com c3311.z1302.winmx.com c3311.z1303.winmx.com c3311.z1304.winmx.com c3311.z1305.winmx.com c3311.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3312.z1301.winmx.com c3312.z1302.winmx.com c3312.z1303.winmx.com c3312.z1304.winmx.com c3312.z1305.winmx.com c3312.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3313.z1301.winmx.com c3313.z1302.winmx.com c3313.z1303.winmx.com c3313.z1304.winmx.com c3313.z1305.winmx.com c3313.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3314.z1301.winmx.com c3314.z1302.winmx.com c3314.z1303.winmx.com c3314.z1304.winmx.com c3314.z1305.winmx.com c3314.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3315.z1301.winmx.com c3315.z1302.winmx.com c3315.z1303.winmx.com c3315.z1304.winmx.com c3315.z1305.winmx.com c3315.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3316.z1301.winmx.com c3316.z1302.winmx.com c3316.z1303.winmx.com c3316.z1304.winmx.com c3316.z1305.winmx.com c3316.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3317.z1301.winmx.com c3317.z1302.winmx.com c3317.z1303.winmx.com c3317.z1304.winmx.com c3317.z1305.winmx.com c3317.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3318.z1301.winmx.com c3318.z1302.winmx.com c3318.z1303.winmx.com c3318.z1304.winmx.com c3318.z1305.winmx.com c3318.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3319.z1301.winmx.com c3319.z1302.winmx.com c3319.z1303.winmx.com c3319.z1304.winmx.com c3319.z1305.winmx.com c3319.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3520.z1301.winmx.com c3520.z1302.winmx.com c3520.z1303.winmx.com c3520.z1304.winmx.com c3520.z1305.winmx.com c3520.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3521.z1301.winmx.com c3521.z1302.winmx.com c3521.z1303.winmx.com c3521.z1304.winmx.com c3521.z1305.winmx.com c3521.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3522.z1301.winmx.com c3522.z1302.winmx.com c3522.z1303.winmx.com c3522.z1304.winmx.com c3522.z1305.winmx.com c3522.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3523.z1301.winmx.com c3523.z1302.winmx.com c3523.z1303.winmx.com c3523.z1304.winmx.com c3523.z1305.winmx.com c3523.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3524.z1301.winmx.com c3524.z1302.winmx.com c3524.z1303.winmx.com c3524.z1304.winmx.com c3524.z1305.winmx.com c3524.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3525.z1301.winmx.com c3525.z1302.winmx.com c3525.z1303.winmx.com c3525.z1304.winmx.com c3525.z1305.winmx.com c3525.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3526.z1301.winmx.com c3526.z1302.winmx.com c3526.z1303.winmx.com c3526.z1304.winmx.com c3526.z1305.winmx.com c3526.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3527.z1301.winmx.com c3527.z1302.winmx.com c3527.z1303.winmx.com c3527.z1304.winmx.com c3527.z1305.winmx.com c3527.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3528.z1301.winmx.com c3528.z1302.winmx.com c3528.z1303.winmx.com c3528.z1304.winmx.com c3528.z1305.winmx.com c3528.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3529.z1301.winmx.com c3529.z1302.winmx.com c3529.z1303.winmx.com c3529.z1304.winmx.com c3529.z1305.winmx.com c3529.z1306.winmx.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: QXK Olive - {26027218-80B3-40FA-9FA1-70FD56AA5328} - D:\WINNT\rodqgpvldbv.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {BE45F323-53BF-45D5-A73A-358DDFA2E3EB} - D:\WINNT\system32\pmnllMFV.dll (file missing)
O2 - BHO: {2c051747-1357-9b3b-5e54-ebeab7e9bd6c} - {c6db9e7b-aebe-45e5-b3b9-7531747150c2} - D:\WINNT\system32\vaotik.dll
O2 - BHO: (no name) - {D07E3C29-8F4D-4B18-A2CC-9BF24B577445} - D:\WINNT\system32\mlJBSMfD.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O3 - Toolbar: qalkfxor - {5371FF76-9602-4029-9626-BE8CD757EB36} - D:\WINNT\QALKFXOR.DLL (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Pie Auto Updater] "D:\Program Files\PieAutoUpdater\PieAutoUpdater.exe"
O4 - HKLM\..\Run: [ACD mPower Tools] D:\Program Files\ACD Systems\mPower Tools\1.0\mPowerTools.exe
O4 - HKLM\..\Run: [Microsoft WinUpdate] D:\WINNT\system32\msltstsoft_updt.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [c093abf1] rundll32.exe "D:\WINNT\system32\fawojurl.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: VIA RAID TOOL.lnk = D:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/24.9/uploader2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://mn103.coolsavings.com/download/cscmv5X.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1177195986906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1185381986687
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {D1D98C0F-A339-42AB-BD5F-EA0FF5D0E65F} (RockYou Image Uploader Control) - http://www247.rockyou.com/RockYouImageUploader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E481BAAC-19BE-4738-899A-84DA687C6D15}: NameServer = 206.26.36.34
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: pmnllMFV - pmnllMFV.dll (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - D:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - D:\WINNT\system32\HPHipm09.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 12962 bytes

_______________________________________

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/06/2008 at 03:59 PM

Application Version : 4.21.1004

Core Rules Database Version : 3558
Trace Rules Database Version: 1546

Scan type : Complete Scan
Total Scan Time : 04:25:41

Memory items scanned : 336
Memory threats detected : 1
Registry items scanned : 5824
Registry threats detected : 34
File items scanned : 214429
File threats detected : 8

Trojan.Downloader-NewJuan/VM
D:\WINNT\SYSTEM32\VAOTIK.DLL
D:\WINNT\SYSTEM32\VAOTIK.DLL

Trojan.Unclassified/QALKFXOR
HKLM\Software\Classes\CLSID\{5371FF76-9602-4029-9626-BE8CD757EB36}
HKCR\CLSID\{5371FF76-9602-4029-9626-BE8CD757EB36}
HKCR\CLSID\{5371FF76-9602-4029-9626-BE8CD757EB36}
HKCR\CLSID\{5371FF76-9602-4029-9626-BE8CD757EB36}\InprocServer32
HKCR\CLSID\{5371FF76-9602-4029-9626-BE8CD757EB36}\InprocServer32#ThreadingModel
HKCR\CLSID\{5371FF76-9602-4029-9626-BE8CD757EB36}\ProgID
HKCR\CLSID\{5371FF76-9602-4029-9626-BE8CD757EB36}\Programmable
HKCR\CLSID\{5371FF76-9602-4029-9626-BE8CD757EB36}\TypeLib
HKCR\CLSID\{5371FF76-9602-4029-9626-BE8CD757EB36}\VersionIndependentProgID
HKCR\qalkfxor.1
HKCR\qalkfxor
HKCR\TypeLib\{F8377C68-4AAF-4045-9C82-3F25C0378CD3}
HKCR\TypeLib\{F8377C68-4AAF-4045-9C82-3F25C0378CD3}\1.0
HKCR\TypeLib\{F8377C68-4AAF-4045-9C82-3F25C0378CD3}\1.0\0
HKCR\TypeLib\{F8377C68-4AAF-4045-9C82-3F25C0378CD3}\1.0\0\win32
HKCR\TypeLib\{F8377C68-4AAF-4045-9C82-3F25C0378CD3}\1.0\FLAGS
HKCR\TypeLib\{F8377C68-4AAF-4045-9C82-3F25C0378CD3}\1.0\HELPDIR
D:\WINNT\QALKFXOR.DLL
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{5371FF76-9602-4029-9626-BE8CD757EB36}
HKCR\Interface\{45632A1F-8D26-4E09-98B7-2DE331F7832B}
HKCR\Interface\{45632A1F-8D26-4E09-98B7-2DE331F7832B}\ProxyStubClsid
HKCR\Interface\{45632A1F-8D26-4E09-98B7-2DE331F7832B}\ProxyStubClsid32
HKCR\Interface\{45632A1F-8D26-4E09-98B7-2DE331F7832B}\TypeLib
HKCR\Interface\{45632A1F-8D26-4E09-98B7-2DE331F7832B}\TypeLib#Version

Trojan.Vundo-Variant/NextGen-Six
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c6db9e7b-aebe-45e5-b3b9-7531747150c2}
HKCR\CLSID\{C6DB9E7B-AEBE-45E5-B3B9-7531747150C2}
HKCR\CLSID\{C6DB9E7B-AEBE-45E5-B3B9-7531747150C2}\InprocServer32
HKCR\CLSID\{C6DB9E7B-AEBE-45E5-B3B9-7531747150C2}\InprocServer32#ThreadingModel

Desktop Hijacker.AboutYourPrivacy
D:\WINNT\privacy_danger\images\danger.jpg
D:\WINNT\privacy_danger\images\spacer.gif
D:\WINNT\privacy_danger\images
D:\WINNT\privacy_danger

Trojan.Net-MU/Gen
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebVideo
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebVideo#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebVideo#uninstallString

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\aoprndtws
HKLM\SOFTWARE\Microsoft\FCOVM
HKLM\SOFTWARE\Microsoft\RemoveRP
HKU\S-1-5-21-117609710-1897051121-1417001333-1003\Software\Microsoft\rdfa
D:\WINNT\SYSTEM32\MCRH.TMP

Trojan.Downloader-Gen/Suspicious
D:\SYSTEM VOLUME INFORMATION\_RESTORE{B42D40A0-1CB4-49AA-8AFF-94AC5B94FA60}\RP498\A0093332.EXE
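
Rodav's hosts-file step (restore the stock file, then make it read-only) and the HijackThis log above both come down to one question: which entries are not what a clean XP box carries. The script below is an added example written for this thread; it is not HijackThis, HostsXpert, ComboFix or BleepingComputer code, and the function names and rules are mine. The rules are heuristics chosen for illustration: any hosts override (O1), a BHO/toolbar/Winlogon Notify registration whose file is missing, a BHO whose display name is a bare GUID, a Run-key label that is eight hex digits, rundll32 loading an eight-lower-case-letter DLL, an "update" Run key pointing at a loose exe in system32, and any O17 NameServer. The sample log lines are copied from the 9/6/2008 log above (three benign, seven that should be flagged); the sample hosts file is constructed. Flagged means "review", not "malicious": the winmx hosts mappings and the DNS server are reported so a human can decide, not judged by the script.

```python
# Added example for this thread, not HijackThis, HostsXpert or ComboFix code; the rules are heuristics.
import os
import re
import stat
from collections import namedtuple

DEFAULT_HOSTS = "127.0.0.1       localhost\n"   # stock XP hosts content: only localhost is mapped

HJT_LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
HEX_LABEL_RE = re.compile(r"^[0-9a-f]{8}$")          # Run-key labels such as [c093abf1]
RANDOM_DLL_RE = re.compile(r"\b[a-z]{8}\.dll\b")      # 8 lower-case letters; case-sensitive on purpose
SYS32_EXE_RE = re.compile(r'\\system32\\[^\\\s"]+\.exe', re.I)

# Lines copied from the 9/6/2008 log above: three benign, seven that should be flagged.
SAMPLE_LOG = r"""
O1 - Hosts: 209.216.253.186 www.winmx.com err.winmx.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: QXK Olive - {26027218-80B3-40FA-9FA1-70FD56AA5328} - D:\WINNT\rodqgpvldbv.dll (file missing)
O2 - BHO: {2c051747-1357-9b3b-5e54-ebeab7e9bd6c} - {c6db9e7b-aebe-45e5-b3b9-7531747150c2} - D:\WINNT\system32\vaotik.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft WinUpdate] D:\WINNT\system32\msltstsoft_updt.exe
O4 - HKLM\..\Run: [c093abf1] rundll32.exe "D:\WINNT\system32\fawojurl.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E481BAAC-19BE-4738-899A-84DA687C6D15}: NameServer = 206.26.36.34
O20 - Winlogon Notify: pmnllMFV - pmnllMFV.dll (file missing)
"""

# Constructed hosts file: the stock localhost line plus two overrides to review.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.microsoft.com    # constructed: blackholes Windows Update
209.216.253.186 www.winmx.com err.winmx.com
"""

Finding = namedtuple("Finding", "section reason line")

def parse_hosts_line(text):
    """Split one hosts-file line into (ip, [names]); None for blank or comment lines."""
    text = text.split("#", 1)[0].strip()
    if not text:
        return None
    ip, *names = text.split()
    return ip, names

def hosts_overrides(hosts_text):
    """Every mapping beyond the stock localhost line; an empty list means the file is at default."""
    entries = (parse_hosts_line(ln) for ln in hosts_text.splitlines())
    return [e for e in entries if e and e != ("127.0.0.1", ["localhost"])]

def restore_default_hosts(path):
    """The two HostsXpert steps from the thread: write the stock file, then set it read-only."""
    if os.path.exists(path):
        os.chmod(path, stat.S_IWRITE)   # clear an existing read-only bit so the write succeeds
    with open(path, "w") as fh:
        fh.write(DEFAULT_HOSTS)
    os.chmod(path, stat.S_IREAD)        # on Windows this sets the read-only attribute

def o4_reasons(body):
    """Heuristics for an O4 (Run key) entry; empty list when nothing stands out."""
    m = re.search(r"\[([^\]]*)\]\s*(.*)$", body)
    if not m:
        return []
    label, command = m.groups()
    reasons = []
    if HEX_LABEL_RE.match(label):
        reasons.append("hex-looking Run label")
    if "rundll32" in command.lower() and RANDOM_DLL_RE.search(command):
        reasons.append("rundll32 loading a random-looking DLL")
    if "update" in label.lower() and SYS32_EXE_RE.search(command):
        reasons.append("'update' label on a loose exe in system32 (Automatic Updates is a service, not a Run key)")
    return reasons

def triage(log_text):
    """Flag HJT entries that deserve a second look; one Finding per flagged line."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.groups()
        reasons = []
        if sec == "O1" and body.startswith("Hosts: "):
            entry = parse_hosts_line(body[len("Hosts: "):])
            if entry:
                reasons.append("hosts override: %d name(s) -> %s" % (len(entry[1]), entry[0]))
        elif sec in ("O2", "O3", "O20") and "(file missing)" in body:
            reasons.append("orphaned registration, target file missing")
        elif sec == "O2":
            name = body.split(" - ")[0]
            if name.startswith("BHO: ") and GUID_RE.match(name[5:].strip()):
                reasons.append("BHO whose display name is a bare GUID")
        elif sec == "O4":
            reasons = o4_reasons(body)
        elif sec == "O17" and "NameServer" in body:
            reasons.append("DNS server pinned on an interface; confirm it is the ISP's or router's")
        if reasons:
            findings.append(Finding(sec, "; ".join(reasons), raw.strip()))
    return findings
```

To use it on a real log, pass the file contents to triage() and print each Finding; hosts_overrides() takes the text of %SystemRoot%\system32\drivers\etc\hosts. The read-only attribute set by restore_default_hosts (and by HostsXpert's Make ReadOnly button) only stops casual writes; anything running with administrative rights can clear it again, so treat it as a speed bump rather than a boundary and re-check the file after the cleanup is finished.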

#6 Rodav

Posted 08 September 2008 - 06:03 AM

Hi OrygunGal,

The email notifications from here may be going to your junk folder, if you are still not receiving any just keep checking back here.

Please carry out the instructions I gave you earlier, there is still a lot of work to do.

#7 OrygunGal (Topic Starter)

Posted 08 September 2008 - 09:19 PM

Hi Rodav. Below are the logs you requested.

I'll await your reply.

Many thanks!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:07:01 PM, on 9/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
D:\WINNT\system32\nvsvc32.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
D:\WINNT\system32\svchost.exe
D:\Program Files\Canon\CAL\CALMAIN.exe
D:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\PROGRA~1\AVG\AVG8\avgemc.exe
D:\WINNT\system32\wuauclt.exe
D:\WINNT\Explorer.EXE
D:\WINNT\system32\RUNDLL32.EXE
D:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
D:\Program Files\PieAutoUpdater\PieAutoUpdater.exe
D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\PROGRA~1\AVG\AVG8\avgtray.exe
D:\Program Files\Picasa2\PicasaMediaDetector.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\PieAutoUpdater\pglite.exe
D:\Program Files\VIA\RAID\raid_tool.exe
D:\WINNT\system32\wuauclt.exe
D:\WINNT\System32\svchost.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Pie Auto Updater] "D:\Program Files\PieAutoUpdater\PieAutoUpdater.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: VIA RAID TOOL.lnk = D:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/24.9/uploader2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1177195986906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1185381986687
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {D1D98C0F-A339-42AB-BD5F-EA0FF5D0E65F} (RockYou Image Uploader Control) - http://www247.rockyou.com/RockYouImageUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E481BAAC-19BE-4738-899A-84DA687C6D15}: NameServer = 206.26.36.34
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - D:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - D:\WINNT\system32\HPHipm09.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 7968 bytes

____________________________________

ComboFix 08-09-05.10 - Kimberlin 2008-09-08 18:36:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.221 [GMT -7:00]
Running from: D:\Documents and Settings\Kimberlin\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\Kimberlin\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Documents and Settings\Kimberlin\Cookies\kimberlin@classmates[1].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@live[1].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@track.bestbuy[2].txt
D:\Documents and Settings\Kimberlin\Cookies\kimberlin@visit.kodak[2].txt
D:\WINNT\cookies.ini
D:\WINNT\Downloaded Program Files\setup.inf
D:\WINNT\privacy_danger
D:\WINNT\privacy_danger\images\danger.jpg
D:\WINNT\privacy_danger\images\spacer.gif
D:\WINNT\system32\DfMSBJlm.ini
D:\WINNT\system32\DfMSBJlm.ini2
D:\WINNT\system32\icrfxkei.dll
D:\WINNT\system32\jklcwfou.ini
D:\WINNT\system32\lrujowaf.ini
D:\WINNT\system32\mcrh.tmp
D:\WINNT\system32\msltstsoft_updt.exe
D:\WINNT\system32\vaotik.dll
D:\WINNT\system32\yoleqhbx.ini

.
((((((((((((((((((((((((( Files Created from 2008-08-09 to 2008-09-09 )))))))))))))))))))))))))))))))
.

2008-09-02 16:59 . 2008-09-08 03:43 <DIR> d--h----- D:\$AVG8.VAULT$
2008-09-02 16:50 . 2008-09-04 08:18 <DIR> d-------- D:\Documents and Settings\Administrator.SASSY
2008-09-01 08:27 . 2008-09-01 08:27 <DIR> d-------- D:\Documents and Settings\All Users.WINNT\Application Data\SUPERAntiSpyware.com
2008-09-01 08:26 . 2008-09-04 21:59 <DIR> d-------- D:\Program Files\SUPERAntiSpyware
2008-09-01 08:26 . 2008-09-01 08:26 <DIR> d-------- D:\Documents and Settings\Kimberlin\Application Data\SUPERAntiSpyware.com
2008-09-01 08:21 . 2008-09-01 08:21 <DIR> d-------- D:\Program Files\Common Files\Wise Installation Wizard
2008-09-01 08:16 . 2008-09-04 08:18 97,928 --a------ D:\WINNT\system32\drivers\avgldx86.sys
2008-09-01 08:16 . 2008-09-01 08:16 76,040 --a------ D:\WINNT\system32\drivers\avgtdix.sys
2008-09-01 08:16 . 2008-09-01 08:16 10,520 --a------ D:\WINNT\system32\avgrsstx.dll
2008-09-01 08:15 . 2008-09-08 17:35 <DIR> d-------- D:\WINNT\system32\drivers\Avg
2008-09-01 08:15 . 2008-09-01 08:15 <DIR> d-------- D:\Program Files\AVG
2008-09-01 08:15 . 2008-09-04 08:19 <DIR> d-------- D:\Documents and Settings\All Users.WINNT\Application Data\avg8
2008-08-31 22:53 . 2008-09-01 08:03 <DIR> d-------- D:\Documents and Settings\Kimberlin\.housecall6.6
2008-08-31 22:49 . 2008-08-31 22:49 <DIR> d-------- D:\WINNT\Sun
2008-08-31 22:48 . 2008-06-10 02:32 73,728 --a------ D:\WINNT\system32\javacpl.cpl

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-09 00:28 --------- d-----w D:\Documents and Settings\Kimberlin\Application Data\uTorrent
2008-09-08 10:28 --------- d-----w D:\Program Files\Mp3Doctor
2008-09-03 11:57 --------- d-----w D:\Program Files\MySecretCodes Toolbar
2008-09-01 15:09 --------- d-----w D:\Program Files\Trend Micro
2008-09-01 05:48 --------- d-----w D:\Program Files\Java
2008-08-10 23:37 --------- d-----w D:\Program Files\WM Recorder
2008-08-02 05:25 --------- d-----w D:\Program Files\Common Files\Adobe
2008-07-28 00:38 --------- d-----w D:\Documents and Settings\Kimberlin\Application Data\Ahead
2008-07-19 05:15 --------- d-----w D:\Documents and Settings\Kimberlin\Application Data\ZoomBrowser EX
2008-07-19 05:11 --------- d-----w D:\Documents and Settings\All Users.WINNT\Application Data\ZoomBrowser
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="D:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-04 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="D:\WINNT\system32\NvCpl.dll" [2005-08-02 7110656]
"NvMediaCenter"="D:\WINNT\system32\NvMcTray.dll" [2005-08-02 86016]
"HPDJ Taskbar Utility"="D:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-08-03 196608]
"NeroFilterCheck"="D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Pie Auto Updater"="D:\Program Files\PieAutoUpdater\PieAutoUpdater.exe" [2006-09-27 77824]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AVG8_TRAY"="D:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-04 1235736]

D:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\
VIA RAID TOOL.lnk - D:\Program Files\VIA\RAID\raid_tool.exe [2007-06-25 581632]
VPN Client.lnk - D:\WINNT\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2007-04-21 6144]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "D:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"D:\\Program Files\\WinMX\\WinMX.exe"=
"D:\\Program Files\\uTorrent\\utorrent.exe"=
"D:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"D:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R0 viaraid;viaraid;D:\WINNT\system32\DRIVERS\viaraid.sys [2003-10-30 72192]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;D:\WINNT\system32\Drivers\avgldx86.sys [2008-09-04 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;D:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-09-04 875288]
R2 avg8wd;AVG Free8 WatchDog;D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-04 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;D:\WINNT\system32\Drivers\avgtdix.sys [2008-09-01 76040]
R3 cmudax;C-Media High Definition Audio Interface;D:\WINNT\system32\drivers\cmudax.sys [2004-10-21 1275584]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3c0aae3b-79a6-11dd-9f9d-000feaec6563}]
\Shell\AutoRun\command - I:\WDSetup.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{BE45F323-53BF-45D5-A73A-358DDFA2E3EB} - D:\WINNT\system32\pmnllMFV.dll
BHO-{c6db9e7b-aebe-45e5-b3b9-7531747150c2} - D:\WINNT\system32\vaotik.dll
BHO-{D07E3C29-8F4D-4B18-A2CC-9BF24B577445} - D:\WINNT\system32\mlJBSMfD.dll
HKLM-Run-ACD mPower Tools - D:\Program Files\ACD Systems\mPower Tools\1.0\mPowerTools.exe
HKLM-Run-Microsoft WinUpdate - D:\WINNT\system32\msltstsoft_updt.exe
HKLM-Run-c093abf1 - D:\WINNT\system32\fawojurl.dll
HKLM-Run-nwiz - nwiz.exe
HKLM-Run-Cmaudio - cmicnfg.cpl
HKLM-Run-NWEReboot - (no file)
ShellExecuteHooks-{BE45F323-53BF-45D5-A73A-358DDFA2E3EB} - D:\WINNT\system32\pmnllMFV.dll
Notify-pmnllMFV - pmnllMFV.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://cm.my.yahoo.com
R0 -: HKLM-Main,Search Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 -: HKCU-SearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O8 -: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 -: E&xport to Microsoft Excel - D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 -: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 -: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 -: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O17 -: HKLM\CCS\Interface\{E481BAAC-19BE-4738-899A-84DA687C6D15}: NameServer = 206.26.36.34

O16 -: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} - hxxp://download.gigabyte.com.tw/object/Dldrv.ocx
D:\WINNT\Downloaded Program Files\Dldrv.ocx

O16 -: {D1D98C0F-A339-42AB-BD5F-EA0FF5D0E65F} - hxxp://www247.rockyou.com/RockYouImageUploader.cab
D:\WINNT\Downloaded Program Files\RockYouImageUploader.inf
D:\WINNT\system32\unicows.dll
D:\WINNT\Downloaded Program Files\RockYouImageUploader.ocx
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-08 18:45:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
D:\WINNT\system32\nvsvc32.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
D:\Program Files\Canon\CAL\CALMAIN.exe
D:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\WINNT\system32\wscntfy.exe
D:\WINNT\system32\rundll32.exe
D:\WINNT\system32\rundll32.exe
D:\Program Files\PieAutoUpdater\pglite.exe
.
**************************************************************************
.
Completion time: 2008-09-08 18:53:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-09 01:53:14

Pre-Run: 68,999,741,440 bytes free
Post-Run: 69,796,737,024 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
D:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Professional 1st" /fastdetect /noexecute=optin

175 --- E O F --- 2008-08-14 10:20:01

#8 Rodav

Posted 09 September 2008 - 03:04 AM

P2P PROGRAMS

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

uTorrent
WinMX


References for the risk of these programs can be found in these links:
http://www.microsoft.com/windows/ie/commun...protection.mspx
http://www.techweb.com/wire/160500554
http://www.internetworldstats.com/articles/art053.htm
See Clean/Infected P2P Programs here

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

If you wish to keep them, please do not use them until your computer is cleaned.


Step 1:
Go to Control Panel > Add/Remove Programs and uninstall if present:
MySecretCodes Toolbar

Then using explorer (right click Start > Explore) delete the folder D:\Program Files\MySecretCodes Toolbar


Step 2:
Run Eset NOD32 Online AntiVirus
http://www.eset.eu/online-scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Step 3:
Run HijackThis, do a system scan and in your next reply please post:
  • The NOD32 results
  • The new HijackThis log
Also let me know how your computer is running.

#9 OrygunGal (Topic Starter)

Posted 10 September 2008 - 07:13 PM

Hi Rodav,

I'm going to keep the P2P programs. The PC seems to be running much better than it was. I honestly haven't used it much though. I have been leaving it alone as much as possible until it has been given a clean bill of health. I am posting the logs you requested below. I hope it is looking much better to you. FYI - The second item listed as a potential virus by NOD32 has been in my system for a few years and never caused an issue and it never was recognized as a threat until recently. False positive maybe? Also I ran another SAS scan that came out completely clean. Yay! Let me know if there is anything else to fix that SAS didn't catch. Thanks!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:24:16 AM, on 9/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
D:\WINNT\Explorer.EXE
D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
D:\WINNT\system32\nvsvc32.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
D:\WINNT\system32\svchost.exe
D:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\Program Files\Canon\CAL\CALMAIN.exe
D:\WINNT\system32\RUNDLL32.EXE
D:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
D:\PROGRA~1\AVG\AVG8\avgemc.exe
D:\Program Files\PieAutoUpdater\PieAutoUpdater.exe
D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\PROGRA~1\AVG\AVG8\avgtray.exe
D:\Program Files\Picasa2\PicasaMediaDetector.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\VIA\RAID\raid_tool.exe
D:\WINNT\system32\wuauclt.exe
D:\Program Files\uTorrent\utorrent.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINNT\system32\notepad.exe
D:\Program Files\PieAutoUpdater\pglite.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O1 - Hosts: 209.216.253.186 www.winmx.com err.winmx.com
O1 - Hosts: 209.216.253.186 www.winmx.com err.winmx.com
O1 - Hosts: 65.75.216.6 cache0.winmx.com test3201.winmx.com test3206.winmx.com
O1 - Hosts: 65.75.216.7 cache1.winmx.com test3202.winmx.com test3207.winmx.com
O1 - Hosts: 82.43.229.238 cache2.winmx.com test3203.winmx.com test3208.winmx.com
O1 - Hosts: 205.238.40.1 cache3.winmx.com test3204.winmx.com
O1 - Hosts: 205.238.40.2 cache4.winmx.com test3205.winmx.com
O1 - Hosts: 65.75.216.6 c3310.z1301.winmx.com c3310.z1302.winmx.com c3310.z1303.winmx.com c3310.z1304.winmx.com c3310.z1305.winmx.com c3310.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3311.z1301.winmx.com c3311.z1302.winmx.com c3311.z1303.winmx.com c3311.z1304.winmx.com c3311.z1305.winmx.com c3311.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3312.z1301.winmx.com c3312.z1302.winmx.com c3312.z1303.winmx.com c3312.z1304.winmx.com c3312.z1305.winmx.com c3312.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3313.z1301.winmx.com c3313.z1302.winmx.com c3313.z1303.winmx.com c3313.z1304.winmx.com c3313.z1305.winmx.com c3313.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3314.z1301.winmx.com c3314.z1302.winmx.com c3314.z1303.winmx.com c3314.z1304.winmx.com c3314.z1305.winmx.com c3314.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3315.z1301.winmx.com c3315.z1302.winmx.com c3315.z1303.winmx.com c3315.z1304.winmx.com c3315.z1305.winmx.com c3315.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3316.z1301.winmx.com c3316.z1302.winmx.com c3316.z1303.winmx.com c3316.z1304.winmx.com c3316.z1305.winmx.com c3316.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3317.z1301.winmx.com c3317.z1302.winmx.com c3317.z1303.winmx.com c3317.z1304.winmx.com c3317.z1305.winmx.com c3317.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3318.z1301.winmx.com c3318.z1302.winmx.com c3318.z1303.winmx.com c3318.z1304.winmx.com c3318.z1305.winmx.com c3318.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3319.z1301.winmx.com c3319.z1302.winmx.com c3319.z1303.winmx.com c3319.z1304.winmx.com c3319.z1305.winmx.com c3319.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3520.z1301.winmx.com c3520.z1302.winmx.com c3520.z1303.winmx.com c3520.z1304.winmx.com c3520.z1305.winmx.com c3520.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3521.z1301.winmx.com c3521.z1302.winmx.com c3521.z1303.winmx.com c3521.z1304.winmx.com c3521.z1305.winmx.com c3521.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3522.z1301.winmx.com c3522.z1302.winmx.com c3522.z1303.winmx.com c3522.z1304.winmx.com c3522.z1305.winmx.com c3522.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3523.z1301.winmx.com c3523.z1302.winmx.com c3523.z1303.winmx.com c3523.z1304.winmx.com c3523.z1305.winmx.com c3523.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3524.z1301.winmx.com c3524.z1302.winmx.com c3524.z1303.winmx.com c3524.z1304.winmx.com c3524.z1305.winmx.com c3524.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3525.z1301.winmx.com c3525.z1302.winmx.com c3525.z1303.winmx.com c3525.z1304.winmx.com c3525.z1305.winmx.com c3525.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3526.z1301.winmx.com c3526.z1302.winmx.com c3526.z1303.winmx.com c3526.z1304.winmx.com c3526.z1305.winmx.com c3526.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3527.z1301.winmx.com c3527.z1302.winmx.com c3527.z1303.winmx.com c3527.z1304.winmx.com c3527.z1305.winmx.com c3527.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3528.z1301.winmx.com c3528.z1302.winmx.com c3528.z1303.winmx.com c3528.z1304.winmx.com c3528.z1305.winmx.com c3528.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3529.z1301.winmx.com c3529.z1302.winmx.com c3529.z1303.winmx.com c3529.z1304.winmx.com c3529.z1305.winmx.com c3529.z1306.winmx.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Pie Auto Updater] "D:\Program Files\PieAutoUpdater\PieAutoUpdater.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: VIA RAID TOOL.lnk = D:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/24.9/uploader2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1177195986906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1185381986687
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {D1D98C0F-A339-42AB-BD5F-EA0FF5D0E65F} (RockYou Image Uploader Control) - http://www247.rockyou.com/RockYouImageUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E481BAAC-19BE-4738-899A-84DA687C6D15}: NameServer = 206.26.36.34
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - D:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - D:\WINNT\system32\HPHipm09.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 11717 bytes

_________________________________________________

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3431 (20080910)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=a9d69a041f9eea4a91e9c2c77a4892cf
# end=stopped
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-09-10 02:17:59
# local_time=2008-09-10 07:17:59 (-0800, Pacific Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=1582598
# found=2
# scan_time=14602
D:\Documents and Settings\Kim\.jpi_cache\file\1.0\Dummy.class-70dda463-19b0d322.class Java/ClassLoader.B trojan 05B561531A97EE7A3BB4523761BA29B6
D:\Program Files\Mp3Doctor\este.exe probably unknown NewHeur_PE virus 00000000000000000000000000000000

Edited by OrygunGal, 11 September 2008 - 01:11 AM.


#10 Rodav

Posted 11 September 2008 - 06:15 PM

Hi OrygunGal,

There are a number of entries from WinMX added to your Hosts file. If you didn't add them or allow them to be added, you can remove them by running HijackThis, doing a system scan and checking all the O1 entries such as
O1 - Hosts: 209.216.253.186 www.winmx.com err.winmx.com
O1 - Hosts: 65.75.216.6 c3312.z1301.winmx.com c3312.z1302.winmx.com c3312.z1303.winmx.com c3312.z1304.winmx.com c3312.z1305.winmx.com c3312.z1306.winmx.com
Then click Fix checked and reboot your computer.

The MP3Doctor file may well be a false positive, but we can take a closer look at it. MP3Doctor is a legit program, providing you downloaded it from a reputable source.

Step 1:
Please download ATF cleaner
  • Make sure that all browser windows are closed.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Deselect Cookies
  • Click the Empty Selected button.
You can select cookies, but you will have to re-enter your login details to websites you frequent.
If you use the Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Deselect Firefox Cookies
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
  • Click Opera at the top and choose: Select All
  • Deselect Opera Cookies
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


Step 2:
Please visit Virustotal

Copy/paste this file and path into the white box at the top:

D:\Program Files\Mp3Doctor\este.exe

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.

If Virustotal is busy, try the same at Jotti


Step 3:
Run HijackThis, do a system scan and post the Virustotal results along with a new HijackThis log.
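
The checks Rodav walks through by eye (the O1 hosts entries here, and earlier in the thread the O17 NameServer, the O20 AppInit_DLLs/Winlogon Notify DLLs, and ComboFix's "EnableFirewall"= 0 and AutoRun lines) can be run mechanically over a pasted log. The script below is an added example for this thread, not a tool from the original posts or from the HijackThis/ComboFix authors. The PROTECTED domain list, the severity labels and the single "update.microsoft.com" hosts line are constructed assumptions; the other sample lines are copied from the logs posted above.

```python
"""Mechanical first pass over HijackThis / ComboFix log lines.

Added example for this thread, not a tool from the original posts. It flags
the entries a helper reads first: hosts-file overrides (O1), a forced DNS
server (O17), DLLs injected system-wide (O20), a disabled Windows Firewall
and a removable-drive AutoRun command from the ComboFix sections.
"""
import ipaddress
import re

# Normal hosts-file targets: loopback or the unspecified address.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Domains that malware commonly pins in the hosts file to block AV updates or
# help sites. Constructed watch list (assumption); extend it for your own use.
PROTECTED = ("microsoft.com", "windowsupdate.com", "avg.com", "virustotal.com",
             "bleepingcomputer.com", "symantec.com", "mcafee.com")

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (\S+)")
O20_RE = re.compile(r"^O20 - (AppInit_DLLs|Winlogon Notify): (.+)$")
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$")


def is_protected(name):
    """True if the host name is one of, or a subdomain of, the watched domains."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in PROTECTED)


def triage(lines):
    """Return (severity, kind, detail) tuples for the lines that need a look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := O1_RE.match(line):
            ip, names = m.group(1), m.group(2).split()
            hijacked = [n for n in names if is_protected(n)]
            if hijacked:  # a security/update domain pinned anywhere is the hijack pattern
                findings.append(("high", "hosts", f"{ip} pins {', '.join(hijacked)}"))
            elif ip not in LOOPBACK:  # other overrides may be legitimate (WinMX), but ask
                findings.append(("review", "hosts",
                                 f"{ip} overrides {len(names)} name(s), e.g. {names[0]}"))
        elif m := O17_RE.match(line):
            ip = m.group(1)
            scope = "public" if ipaddress.ip_address(ip).is_global else "private"
            findings.append(("review", "dns",
                             f"resolver forced to {ip} ({scope}); confirm it is your ISP's"))
        elif m := O20_RE.match(line):
            where = ("every user32-linked process" if m.group(1) == "AppInit_DLLs"
                     else "winlogon.exe at logon")
            findings.append(("review", m.group(1), f"{m.group(2)} loads into {where}"))
        elif m := FIREWALL_RE.match(line):
            if int(m.group(1)) == 0:
                findings.append(("high", "firewall",
                                 "Windows Firewall disabled (EnableFirewall=0)"))
        elif m := AUTORUN_RE.match(line):
            findings.append(("review", "autorun",
                             f"removable-drive AutoRun runs {m.group(1)}"))
    return findings


SAMPLE_LINES = [
    # Lines copied from the HijackThis and ComboFix logs posted in this thread,
    # except the two marked constructed.
    "O1 - Hosts: 127.0.0.1 localhost",                 # constructed default; yields nothing
    "O1 - Hosts: 209.216.253.186 www.winmx.com err.winmx.com",
    "O1 - Hosts: 65.75.216.6 cache0.winmx.com test3201.winmx.com test3206.winmx.com",
    "O1 - Hosts: 127.0.0.1 update.microsoft.com",       # constructed: update-blocking pattern
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{E481BAAC-19BE-4738-899A-84DA687C6D15}: NameServer = 206.26.36.34",
    "O20 - AppInit_DLLs: avgrsstx.dll",
    r"O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll",
    '"EnableFirewall"= 0 (0x0)',
    r"\Shell\AutoRun\command - I:\WDSetup.exe",
]

if __name__ == "__main__":
    for severity, kind, detail in triage(SAMPLE_LINES):
        print(f"[{severity:6}] {kind:15} {detail}")
```

Paste a whole log into `SAMPLE_LINES` (or read it with `open(path).read().splitlines()`) and the "review" items are the questions to put to the poster, as Rodav does with the WinMX entries; the "high" items (a pinned update/AV domain, a disabled firewall) are the ones that do not need a reply first.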

#11 OrygunGal (Topic Starter)

Posted 12 September 2008 - 04:25 PM

Hi Rodav,

WinMX has a patch that creates host files in order to connect to the network so those are OK. I'm not sure what to think about the MP3Doctor\este.exe file so I'll wait for your opinion. Like I said though, it has been installed for a few years and has only recently begun coming up as a potential threat. I copied the results into a txt file and took some time to make it easier for you to read through. Under that is the usual requested HJT log. I've been using the PC more and have experienced no issues. Is there anything else that I need to do or that you would recommend?

As usual, thanks much!


Log from Virustotal.com

File este.exe received on 09.12.2008 02:22:20 (CET)
Current status: finished
Result: 16/36 (44.45%)

Antivirus Version Last Update Result
AhnLab-V3 2008.9.12.0 2008.09.11 -
AntiVir 7.8.1.28 2008.09.11 -
Authentium 5.1.0.4 2008.09.12 W32/Downloader-Sml-based!Maximus
Avast 4.8.1195.0 2008.09.11 Win32:Trojan-gen {Other}
AVG 8.0.0.161 2008.09.11 Generic9.BAVZ
BitDefender 7.2 2008.09.11 -
CAT-QuickHeal 9.50 2008.09.11 -
ClamAV 0.93.1 2008.09.11 -
DrWeb 4.44.0.09170 2008.09.12 -
eSafe 7.0.17.0 2008.09.11 -
eTrust-Vet 31.6.6085 2008.09.12 -
Ewido 4.0 2008.09.11 Trojan.Agent
F-Prot 4.4.4.56 2008.09.12 W32/Downloader-Sml-based!Maximus
F-Secure 8.0.14332.0 2008.09.11 Suspicious:W32/Malware!Gemini
Fortinet 3.113.0.0 2008.09.11 PossibleThreat!013266
GData 19 2008.09.12 Win32:Trojan-gen
Ikarus T3.1.1.34.0 2008.09.12 Trojan-Downloader.Win32.Small.czv
K7AntiVirus 7.10.452 2008.09.11 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2008.09.12 -
McAfee 5382 2008.09.11 -
Microsoft 1.3903 2008.09.11 -
NOD32v2 3436 2008.09.12 probably unknown NewHeur_PE virus
Norman 5.80.02 2008.09.11 -
Panda 9.0.0.4 2008.09.11 Suspicious file
PCTools 4.4.2.0 2008.09.11 -
Prevx1 V2 2008.09.12 -
Rising 20.61.32.00 2008.09.11 -
Sophos 4.33.0 2008.09.12 -
Sunbelt 3.1.1628.1 2008.09.11 Trojan-Downloader.Win32.Small!cobra (v)
Symantec 10 2008.09.12 Backdoor.Trojan
TheHacker 6.3.0.9.077 2008.09.10 -
TrendMicro 8.700.0.1004 2008.09.11 -
VBA32 3.12.8.5 2008.09.10 suspected of Win32.Trojan-Downloader
ViRobot 2008.9.11.1373 2008.09.11 -
VirusBuster 4.5.11.0 2008.09.11 -
Webwasher-Gateway 6.6.2 2008.09.11 Worm.Win32.Malware.gen!80 (suspicious)

Additional information
File size: 7168 bytes
MD5...: 6ab9b39cf0fe3e31b97562b6c9e766c4
SHA1..: 3eef82bb51d1248009978aa30feed8f6ee2a99c1
SHA256: d21715781a37e928513611b837a2d3885f206dfda7fa213eafe668bc3921651b
SHA512: 6fb1b85f44f6bec65ed7e612c1649f73f6057a8024d44a13e2c4a4788b20fe7b9f406d2d8d262779b655205ea1f294f88186e2eccf40afc5fc0dd4c195a5af0d
PEiD..: -
TrID..: File type identification
WIN32 Executable PureBasic (generic) (84.3%)
Win32 Executable Generic (6.6%)
Win32 Dynamic Link Library (generic) (5.8%)
Generic Win/DOS Executable (1.5%)
DOS Executable Generic (1.5%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x401000
timedatestamp.....: 0x449b8333 (Fri Jun 23 05:59:15 2006)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x100c 0x1200 5.59 847ca76f242e054c9fca6c2128342717
.data 0x3000 0x518 0x600 4.02 7dcb23aad383945c9dba7b399ae3385c
.flat 0x4000 0x67 0x200 1.57 2dc2f5bf32eed5a41db38a1b58a381cd

( 6 imports )
> CRTDLL.dll: memset, strcpy, strlen, strncpy
> USER32.dll: wsprintfA, wvsprintfA, MessageBoxA, GetWindowThreadProcessId, IsWindowVisible, IsWindowEnabled, GetForegroundWindow, EnableWindow, EnumWindows
> WININET.dll: InternetOpenA, InternetOpenUrlA, InternetReadFile, InternetCloseHandle
> urlmon.dll: URLDownloadToFileA
> COMCTL32.dll: InitCommonControls
> KERNEL32.DLL: GetModuleHandleA, GetCommandLineA, ExitProcess, HeapCreate, GetModuleFileNameA, HeapDestroy, HeapAlloc, HeapFree, Sleep, CreateThread, GetCurrentThreadId, GetCurrentProcessId

( 0 exports )


____________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:50:32 PM, on 9/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
D:\WINNT\Explorer.EXE
D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
D:\WINNT\system32\nvsvc32.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
D:\WINNT\system32\svchost.exe
D:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\Program Files\Canon\CAL\CALMAIN.exe
D:\WINNT\system32\RUNDLL32.EXE
D:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
D:\PROGRA~1\AVG\AVG8\avgemc.exe
D:\Program Files\PieAutoUpdater\PieAutoUpdater.exe
D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\PROGRA~1\AVG\AVG8\avgtray.exe
D:\Program Files\Picasa2\PicasaMediaDetector.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\VIA\RAID\raid_tool.exe
D:\WINNT\system32\wuauclt.exe
D:\Program Files\uTorrent\utorrent.exe
D:\Program Files\PieAutoUpdater\pglite.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O1 - Hosts: 209.216.253.186 www.winmx.com err.winmx.com
O1 - Hosts: 209.216.253.186 www.winmx.com err.winmx.com
O1 - Hosts: 65.75.216.6 cache0.winmx.com test3201.winmx.com test3206.winmx.com
O1 - Hosts: 65.75.216.7 cache1.winmx.com test3202.winmx.com test3207.winmx.com
O1 - Hosts: 82.43.229.238 cache2.winmx.com test3203.winmx.com test3208.winmx.com
O1 - Hosts: 205.238.40.1 cache3.winmx.com test3204.winmx.com
O1 - Hosts: 205.238.40.2 cache4.winmx.com test3205.winmx.com
O1 - Hosts: 65.75.216.6 c3310.z1301.winmx.com c3310.z1302.winmx.com c3310.z1303.winmx.com c3310.z1304.winmx.com c3310.z1305.winmx.com c3310.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3311.z1301.winmx.com c3311.z1302.winmx.com c3311.z1303.winmx.com c3311.z1304.winmx.com c3311.z1305.winmx.com c3311.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3312.z1301.winmx.com c3312.z1302.winmx.com c3312.z1303.winmx.com c3312.z1304.winmx.com c3312.z1305.winmx.com c3312.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3313.z1301.winmx.com c3313.z1302.winmx.com c3313.z1303.winmx.com c3313.z1304.winmx.com c3313.z1305.winmx.com c3313.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3314.z1301.winmx.com c3314.z1302.winmx.com c3314.z1303.winmx.com c3314.z1304.winmx.com c3314.z1305.winmx.com c3314.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3315.z1301.winmx.com c3315.z1302.winmx.com c3315.z1303.winmx.com c3315.z1304.winmx.com c3315.z1305.winmx.com c3315.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3316.z1301.winmx.com c3316.z1302.winmx.com c3316.z1303.winmx.com c3316.z1304.winmx.com c3316.z1305.winmx.com c3316.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3317.z1301.winmx.com c3317.z1302.winmx.com c3317.z1303.winmx.com c3317.z1304.winmx.com c3317.z1305.winmx.com c3317.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3318.z1301.winmx.com c3318.z1302.winmx.com c3318.z1303.winmx.com c3318.z1304.winmx.com c3318.z1305.winmx.com c3318.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3319.z1301.winmx.com c3319.z1302.winmx.com c3319.z1303.winmx.com c3319.z1304.winmx.com c3319.z1305.winmx.com c3319.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3520.z1301.winmx.com c3520.z1302.winmx.com c3520.z1303.winmx.com c3520.z1304.winmx.com c3520.z1305.winmx.com c3520.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3521.z1301.winmx.com c3521.z1302.winmx.com c3521.z1303.winmx.com c3521.z1304.winmx.com c3521.z1305.winmx.com c3521.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3522.z1301.winmx.com c3522.z1302.winmx.com c3522.z1303.winmx.com c3522.z1304.winmx.com c3522.z1305.winmx.com c3522.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3523.z1301.winmx.com c3523.z1302.winmx.com c3523.z1303.winmx.com c3523.z1304.winmx.com c3523.z1305.winmx.com c3523.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3524.z1301.winmx.com c3524.z1302.winmx.com c3524.z1303.winmx.com c3524.z1304.winmx.com c3524.z1305.winmx.com c3524.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3525.z1301.winmx.com c3525.z1302.winmx.com c3525.z1303.winmx.com c3525.z1304.winmx.com c3525.z1305.winmx.com c3525.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3526.z1301.winmx.com c3526.z1302.winmx.com c3526.z1303.winmx.com c3526.z1304.winmx.com c3526.z1305.winmx.com c3526.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3527.z1301.winmx.com c3527.z1302.winmx.com c3527.z1303.winmx.com c3527.z1304.winmx.com c3527.z1305.winmx.com c3527.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3528.z1301.winmx.com c3528.z1302.winmx.com c3528.z1303.winmx.com c3528.z1304.winmx.com c3528.z1305.winmx.com c3528.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3529.z1301.winmx.com c3529.z1302.winmx.com c3529.z1303.winmx.com c3529.z1304.winmx.com c3529.z1305.winmx.com c3529.z1306.winmx.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Pie Auto Updater] "D:\Program Files\PieAutoUpdater\PieAutoUpdater.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: VIA RAID TOOL.lnk = D:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/24.9/uploader2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1177195986906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1185381986687
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {D1D98C0F-A339-42AB-BD5F-EA0FF5D0E65F} (RockYou Image Uploader Control) - http://www247.rockyou.com/RockYouImageUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E481BAAC-19BE-4738-899A-84DA687C6D15}: NameServer = 206.26.36.34
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - D:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - D:\WINNT\system32\HPHipm09.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 11686 bytes

#12 Rodav

Rodav

  • Members
  • 388 posts
  • OFFLINE
  • Local time:03:29 AM

Posted 13 September 2008 - 04:19 PM

Hi OrygunGal,

I did a test install of MP3Doctor and there was no sign of a file called este.exe. I suggest you delete it, then try using MP3Doctor as you normally would and see if it is ok. If it isn't then try uninstalling it and reinstalling the latest version from the MP3Doctor website: http://www.mp3doctor.com/

It may be a false positive but with so many security vendors flagging it, it's probably best to err on the side of caution. Let me know how you get on. Other than that things are looking good. :)


Step 1:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK.
  • Note the space between the X and the U, it needs to be there.
You can also delete any logs we have produced, and empty your Recycle bin.


Your logs are now clean. :thumbsup:
If you still feel you are having any issues please let me know now, otherwise read through and proceed with the following:


Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints, Malware Complaints. You need to be registered to post, as unfortunately we were hit with too many spam postings to allow guest posting to continue; just find your country room and register your complaint.

Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below; however, you should follow any steps that you have not already implemented.
  • Make sure you install all the security updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC
    Go here to check for & install updates to Microsoft applications
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities, to check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month
  • Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • Install a Hosts File
    I recommend MVPS Hosts File
    Every version of Windows includes a hosts file. A hosts file is a bit like a phone book: it points from the human-friendly name of a website to the actual numeric address (i.e. the IP address). This feature can be used to block malicious websites
    On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue
    • Click Start > Run
    • Type services.msc & click OK
    • In the list, find the service called DNS Client & double click on it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click OK & then close the Services window
    For a more detailed explanation of the HOSTS file, click here
  • Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program. If you want to help the developer of the program and get more information about the programs that you see in WinPatrol, please check out WinPatrol Plus. It does not need a new download.
  • The last and most important thing I can tell you is UPDATE, UPDATE, UPDATE.
    If you don't update your security programs (Antivirus, Antispyware, even Windows) then you are at risk.
    Malware changes on a day to day basis. You should update every week at the very least.
Miekiemoes, an expert in malware removal, has a fantastic article on how to prevent malware with further tips; it's well worth a read. http://users.telenet.be/bluepatchy/miekiem...prevention.html

Please reply to this topic one more time so I know you have read through it or with any questions you may have.
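The hosts-file point in the post above (a name mapped to 127.0.0.1 or 0.0.0.0 is a block, a name mapped to a real address is an override) can be checked mechanically against the "O1 - Hosts:" lines HijackThis prints. The script below is an added example, not code from this thread or from HijackThis; the watch list of security/update domains and the 203.0.113.x, 192.168.x and example.invalid entries are constructed for illustration.

```python
"""Triage of HijackThis 'O1 - Hosts:' lines (added example, not from the thread).

Verdicts, in the order a helper reads a log:
  block        name sinkholed to a loopback/unspecified address (blocklist style,
               e.g. what the MVPS hosts file installs)
  hijack       a security or update domain pointed at some other address
  redirect-lan name pointed at a private address (LAN override)
  redirect     name pointed at a routable address (the WinMX entries in this
               thread fall here and needed a human to say they are expected)
"""
import ipaddress
import re
from typing import Iterable, Optional

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(.+?)\s*$")

# Constructed watch list: domains whose override away from their real address
# is the classic hijack pattern (blocks updates / vendor sites).
WATCHED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "avg.com",
    "symantec.com", "kaspersky.com", "mcafee.com",
)


def is_watched(name: str) -> bool:
    """True if name is, or is under, one of the watched domains."""
    n = name.lower().rstrip(".")
    return any(n == s or n.endswith("." + s) for s in WATCHED_SUFFIXES)


def classify_o1_line(line: str) -> Optional[dict]:
    """Return a verdict for one HJT O1 line, or None if the line is not an O1 entry."""
    m = O1_RE.match(line.strip())
    if not m:
        return None
    target, names = m.group(1), m.group(2).split()
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return {"verdict": "malformed", "target": target, "names": names}
    if ip.is_loopback or ip.is_unspecified:
        verdict = "block"
    elif any(is_watched(n) for n in names):
        verdict = "hijack"          # checked before is_private on purpose
    elif ip.is_private:
        verdict = "redirect-lan"
    else:
        verdict = "redirect"
    return {"verdict": verdict, "target": target, "names": names}


def triage_log(lines: Iterable[str]) -> dict:
    """Summarise every O1 line: names per verdict plus a count of exact duplicate lines."""
    summary = {"block": [], "hijack": [], "redirect-lan": [],
               "redirect": [], "malformed": [], "duplicates": 0}
    seen = set()
    for line in lines:
        result = classify_o1_line(line)
        if result is None:
            continue
        key = line.strip()
        if key in seen:                  # the thread's log repeats its first O1 line
            summary["duplicates"] += 1
            continue
        seen.add(key)
        summary[result["verdict"]].extend(result["names"])
    return summary


# Constructed sample: three lines taken from the log in this thread, plus
# constructed block, hijack and LAN entries and one non-O1 line for contrast.
SAMPLE_LOG = [
    "O1 - Hosts: 209.216.253.186 www.winmx.com err.winmx.com",
    "O1 - Hosts: 209.216.253.186 www.winmx.com err.winmx.com",
    "O1 - Hosts: 65.75.216.6 cache0.winmx.com test3201.winmx.com test3206.winmx.com",
    "O1 - Hosts: 0.0.0.0 ads.example.invalid",
    "O1 - Hosts: 203.0.113.5 www.update.microsoft.com",
    "O1 - Hosts: 192.168.1.10 intranet.example.invalid",
    "R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://cm.my.yahoo.com",
]

if __name__ == "__main__":
    for verdict, names in triage_log(SAMPLE_LOG).items():
        print(f"{verdict:13s} {names}")
```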

#13 Rodav

Rodav

  • Members
  • 388 posts
  • OFFLINE
  • Local time:03:29 AM

Posted 15 September 2008 - 03:02 AM

Glad we could be of some assistance. :thumbsup:

Since this issue appears resolved ... this Topic is now closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

#14 OrygunGal

OrygunGal
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:08:29 PM

Posted 16 September 2008 - 10:25 PM

Hi and thanks for getting back to me. What I described to you (copied below for convenience) happened before I began following any of the instructions in your last post. I still have not installed any host files. The only thing I've done so far is go to Windows Update and install a few updates. The only high priority one I didn't install was IE7. I had heard it was buggy but maybe they've worked out the kinks by now. Anyway, some of the updates required a restart. It again hung up in the same place as described below. I pushed the reset button and that time it booted up. It hung up initially for only a few seconds (doesn't usually hang at all). I have not restarted it since. That was yesterday after I wrote to you. AVG ran a scheduled scan overnight and came up with no infections or spyware.

The requested HJT log follows the 2nd solid line.

_______________________________

Hi,

If you installed a Hosts file and didn't change the setting on the DNS Client service, it can cause significant issues especially at start times. The instructions are in my earlier post to do that.
I've reopened your thread, if you run HijackThis again I will take another look and let me know if you still have issues.


QUOTE
Hi Rodav,

My thread was closed less than 36 hours after your last post. I had not yet had the chance to follow through with your last instructions. Had a busy weekend and was not on the computer. I did just now uninstall combofix as you directed and will read through the tips for avoiding reinfestation. Although I want to let you know what happened before I was able to get to the site to read your final instructions.

I hit restart as I left for work this morning. When I got home it was stuck on a black pre-boot screen that gave me a choice of going into the BIOS or express recover. This surprised me and I opted to hit the reset button. It stalled at the same point. I then turned the power off and waited a minute to turn it back on. Windows booted all the way up but no drives or folders would open. The start menu opened but it just hung there after I made a selection. Nothing was responding. I couldn't get into the Task Manager either. I tried another restart and FINALLY got something to open and was able to log in here and uninstall ComboFix. The system was a bit sluggish. Before the restart it seemed to be running just fine and it seems fine now. Is there anything I should be concerned about, watch for, or report back on?

Thank you so much for your assistance.

Here is a link to my closed thread as a refresher: http://www.bleepingcomputer.com/forums/top...tml#entry944914

OrygunGal

______________________________________________


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:07:54 PM, on 9/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
D:\WINNT\Explorer.EXE
D:\WINNT\system32\nvsvc32.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\SearchIndexer.exe
D:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\Program Files\Canon\CAL\CALMAIN.exe
D:\PROGRA~1\AVG\AVG8\avgemc.exe
D:\WINNT\system32\RUNDLL32.EXE
D:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
D:\Program Files\PieAutoUpdater\PieAutoUpdater.exe
D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\PROGRA~1\AVG\AVG8\avgtray.exe
D:\WINNT\system32\RunDll32.exe
D:\Program Files\Picasa2\PicasaMediaDetector.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\VIA\RAID\raid_tool.exe
D:\WINNT\system32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\uTorrent\utorrent.exe
D:\Program Files\AVG\AVG8\avgui.exe
D:\Program Files\Windows Media Player\wmplayer.exe
D:\Program Files\PieAutoUpdater\pglite.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O1 - Hosts: 209.216.253.186 www.winmx.com err.winmx.com
O1 - Hosts: 209.216.253.186 www.winmx.com err.winmx.com
O1 - Hosts: 65.75.216.6 cache0.winmx.com test3201.winmx.com test3206.winmx.com
O1 - Hosts: 65.75.216.7 cache1.winmx.com test3202.winmx.com test3207.winmx.com
O1 - Hosts: 82.43.229.238 cache2.winmx.com test3203.winmx.com test3208.winmx.com
O1 - Hosts: 205.238.40.1 cache3.winmx.com test3204.winmx.com
O1 - Hosts: 205.238.40.2 cache4.winmx.com test3205.winmx.com
O1 - Hosts: 65.75.216.6 c3310.z1301.winmx.com c3310.z1302.winmx.com c3310.z1303.winmx.com c3310.z1304.winmx.com c3310.z1305.winmx.com c3310.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3311.z1301.winmx.com c3311.z1302.winmx.com c3311.z1303.winmx.com c3311.z1304.winmx.com c3311.z1305.winmx.com c3311.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3312.z1301.winmx.com c3312.z1302.winmx.com c3312.z1303.winmx.com c3312.z1304.winmx.com c3312.z1305.winmx.com c3312.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3313.z1301.winmx.com c3313.z1302.winmx.com c3313.z1303.winmx.com c3313.z1304.winmx.com c3313.z1305.winmx.com c3313.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3314.z1301.winmx.com c3314.z1302.winmx.com c3314.z1303.winmx.com c3314.z1304.winmx.com c3314.z1305.winmx.com c3314.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3315.z1301.winmx.com c3315.z1302.winmx.com c3315.z1303.winmx.com c3315.z1304.winmx.com c3315.z1305.winmx.com c3315.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3316.z1301.winmx.com c3316.z1302.winmx.com c3316.z1303.winmx.com c3316.z1304.winmx.com c3316.z1305.winmx.com c3316.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3317.z1301.winmx.com c3317.z1302.winmx.com c3317.z1303.winmx.com c3317.z1304.winmx.com c3317.z1305.winmx.com c3317.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3318.z1301.winmx.com c3318.z1302.winmx.com c3318.z1303.winmx.com c3318.z1304.winmx.com c3318.z1305.winmx.com c3318.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3319.z1301.winmx.com c3319.z1302.winmx.com c3319.z1303.winmx.com c3319.z1304.winmx.com c3319.z1305.winmx.com c3319.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3520.z1301.winmx.com c3520.z1302.winmx.com c3520.z1303.winmx.com c3520.z1304.winmx.com c3520.z1305.winmx.com c3520.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3521.z1301.winmx.com c3521.z1302.winmx.com c3521.z1303.winmx.com c3521.z1304.winmx.com c3521.z1305.winmx.com c3521.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3522.z1301.winmx.com c3522.z1302.winmx.com c3522.z1303.winmx.com c3522.z1304.winmx.com c3522.z1305.winmx.com c3522.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3523.z1301.winmx.com c3523.z1302.winmx.com c3523.z1303.winmx.com c3523.z1304.winmx.com c3523.z1305.winmx.com c3523.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3524.z1301.winmx.com c3524.z1302.winmx.com c3524.z1303.winmx.com c3524.z1304.winmx.com c3524.z1305.winmx.com c3524.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3525.z1301.winmx.com c3525.z1302.winmx.com c3525.z1303.winmx.com c3525.z1304.winmx.com c3525.z1305.winmx.com c3525.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3526.z1301.winmx.com c3526.z1302.winmx.com c3526.z1303.winmx.com c3526.z1304.winmx.com c3526.z1305.winmx.com c3526.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3527.z1301.winmx.com c3527.z1302.winmx.com c3527.z1303.winmx.com c3527.z1304.winmx.com c3527.z1305.winmx.com c3527.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3528.z1301.winmx.com c3528.z1302.winmx.com c3528.z1303.winmx.com c3528.z1304.winmx.com c3528.z1305.winmx.com c3528.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3529.z1301.winmx.com c3529.z1302.winmx.com c3529.z1303.winmx.com c3529.z1304.winmx.com c3529.z1305.winmx.com c3529.z1306.winmx.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Pie Auto Updater] "D:\Program Files\PieAutoUpdater\PieAutoUpdater.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: VIA RAID TOOL.lnk = D:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: Windows Search.lnk = D:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/24.9/uploader2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1177195986906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1185381986687
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {D1D98C0F-A339-42AB-BD5F-EA0FF5D0E65F} (RockYou Image Uploader Control) - http://www247.rockyou.com/RockYouImageUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E481BAAC-19BE-4738-899A-84DA687C6D15}: NameServer = 206.26.36.34
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - D:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - D:\WINNT\system32\HPHipm09.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 12153 bytes

_________________________________

One additional question: AVG sends a lot of files to its vault that are executables from System Volume Information\_restore{a long string of numbers and letters}\a short string of letters and numbers\executable that begins with A01 and some more numbers.exe

I hope that makes sense. I was just wondering if that was anything to be concerned about because it finds these files and sends them to the vault often. I don't know where they come from or how to view the folder they come from.

Thanks

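The log above is a HijackThis report, and the lines that matter most to whoever reviews it are the ones that load code into the browser or the system outside the normal program list: O16 (ActiveX controls pulled from a URL), O17 (the DNS server the TCP/IP stack has been pointed at) and O20 (DLLs loaded into every process or into winlogon). The following parser is an added example, not something from the original thread or from HijackThis itself; it takes a few lines copied from the log above as constructed input, splits each into section, CLSID and target, and lists the entries a reviewer verifies first. The function names `parse_hjt_line` and `review` are my own.

```python
"""Parse HijackThis 'Onn - ...' lines and list the entries a reviewer checks first.

Added example, not part of the original thread or of HijackThis.
"""
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{E481BAAC-19BE-4738-899A-84DA687C6D15}: NameServer = 206.26.36.34
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")          # {8-4-4-4-12} GUID, 36 chars
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*([\d., ]+)")


def parse_hjt_line(line):
    """Split one 'Onn - ...' line into section, CLSID (if present) and target.

    Returns None for lines that are not HijackThis O-entries.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    entry = {"section": section, "body": body, "clsid": None, "target": None}
    c = CLSID_RE.search(body)
    if c:
        entry["clsid"] = c.group(0)
    ns = NAMESERVER_RE.search(body)
    if ns:
        # O17: the target is the configured DNS server, not a file.
        entry["target"] = ns.group(1).strip()
    elif " - " in body:
        # O8/O9/O16/O20/O23: the last ' - ' field is the file or URL being loaded.
        entry["target"] = body.rsplit(" - ", 1)[1].strip()
    elif ":" in body:
        # e.g. 'AppInit_DLLs: avgrsstx.dll': the target follows the colon.
        entry["target"] = body.split(":", 1)[1].strip()
    else:
        entry["target"] = body
    return entry


def review(log_text):
    """Group entries by section and collect the ones to verify against known vendors."""
    entries = [e for e in (parse_hjt_line(l) for l in log_text.splitlines()) if e]
    counts = Counter(e["section"] for e in entries)
    findings = []
    for e in entries:
        target = e["target"] or ""
        if e["section"] == "O16" and target.lower().startswith(("http://", "https://")):
            # ActiveX control fetched from the web: confirm the host is the vendor's.
            findings.append(("O16 remote ActiveX", target))
        elif e["section"] == "O17":
            # DNS server override: confirm the address belongs to the ISP or network.
            findings.append(("O17 DNS server override", target))
        elif e["section"] == "O20":
            # DLL injected into every process / winlogon: confirm it is from installed security software.
            findings.append(("O20 system-wide DLL", target))
    return {"entries": entries, "counts": dict(counts), "findings": findings}


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    print("sections:", result["counts"])
    for kind, target in result["findings"]:
        print(f"check  {kind}: {target}")
```

Run against the sample, the script lists one remote O16 control, the O17 NameServer and both O20 DLLs; the Yahoo! O16 entry is skipped because it points at a local DLL. The parser only extracts and groups; deciding whether a target is legitimate is still the reviewer's job, which is what the helpers in this thread do by hand.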
#15 Rodav

Rodav

  • Members
  • 388 posts
  • OFFLINE
  • Local time:03:29 AM

Posted 17 September 2008 - 05:44 AM

SP3 for Windows XP, which you are due to receive, has been out for a couple of months. It has been known to cause some issues on some computers when first installed, especially if there are active security programs running. It may have been related, but I will take a further look. Here's more info on installing SP3:
http://www.bleepingcomputer.com/forums/t/146857/windows-xp-service-pack-3-sp3-information/

One additional question: AVG sends a lot of files to its vault that are executables from System Volume Information\_restore{a long string of numbers and letters}\a short string of letters and numbers\executable that begins with A01 and some more numbers.exe

These are restore points, providing you don't use system restore to go back, any infections in it are completely harmless. Uninstalling combofix should have removed all these and created a new clean one. Is combofix.exe gone now from your computer?

I don't think it's malware but let's have a look.


Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Post that log back here along with a new HijackThis log.
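The paths the poster describes (System Volume Information\_restore{GUID}\RP&lt;n&gt;\A0...exe) are where Windows XP System Restore keeps copies of files that changed before each restore point, which is why Rodav says they are harmless unless that restore point is rolled back. As an added example that is not part of the thread, the following script sorts a list of quarantined paths into restore-point copies and live files, so the only entries worth worrying about are the ones outside the _restore folders. The paths and the GUID are constructed placeholders, and `classify_quarantine_path` and `summarize` are my own names.

```python
"""Separate restore-point copies from live files in an AV quarantine listing.

Added example, not part of the original thread or of any AVG tool.
"""
import re

# Windows XP System Restore layout (real layout, placeholder GUID below):
#   <drive>:\System Volume Information\_restore{<GUID>}\RP<n>\A<digits>.<ext>
RESTORE_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\System Volume Information\\_restore"
    r"\{(?P<guid>[0-9A-Fa-f-]{36})\}\\RP(?P<rp>\d+)\\(?P<file>A\d+\.[A-Za-z0-9]+)$",
    re.IGNORECASE,
)

# Constructed sample quarantine listing; the GUID and file names are placeholders.
SAMPLE_QUARANTINE = [
    r"D:\System Volume Information\_restore{12345678-ABCD-1234-ABCD-123456789ABC}\RP142\A0193347.exe",
    r"D:\System Volume Information\_restore{12345678-ABCD-1234-ABCD-123456789ABC}\RP142\A0193351.dll",
    r"D:\System Volume Information\_restore{12345678-ABCD-1234-ABCD-123456789ABC}\RP147\A0194002.exe",
    r"D:\WINNT\system32\placeholder_sample.exe",
    r"D:\Documents and Settings\Username\Local Settings\Temp\placeholder_setup.tmp",
]


def classify_quarantine_path(path):
    """Return a dict saying whether the path is a System Restore copy or a live file."""
    m = RESTORE_RE.match(path.strip())
    if m:
        # A copy inside a restore point: inert unless that point is restored.
        return {
            "kind": "restore-point copy",
            "drive": m.group("drive").upper(),
            "guid": m.group("guid"),
            "restore_point": "RP" + m.group("rp"),
            "file": m.group("file"),
            "path": path,
        }
    # Anything else was found on the live file system and deserves attention.
    return {"kind": "live file", "path": path}


def summarize(paths):
    """Count both kinds and list which restore points hold detections."""
    items = [classify_quarantine_path(p) for p in paths]
    copies = [i for i in items if i["kind"] == "restore-point copy"]
    live = [i for i in items if i["kind"] == "live file"]
    return {
        "restore_point_copies": len(copies),
        "live_files": len(live),
        "restore_points": sorted({i["restore_point"] for i in copies}),
        "live_paths": [i["path"] for i in live],
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_QUARANTINE)
    print(f"{s['restore_point_copies']} restore-point copies in {', '.join(s['restore_points'])}")
    print(f"{s['live_files']} live files:")
    for p in s["live_paths"]:
        print("  ", p)
```

On the sample listing this reports three detections that live only inside restore points RP142 and RP147 and two on the live file system. The restore-point entries match what the reply says: they only become a problem if System Restore is used to roll back to that point, and clearing the restore points (as uninstalling ComboFix does) removes them.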
