Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Has Adware Generic2.TQT (Says AVG)


  • This topic is locked This topic is locked
11 replies to this topic

#1 Obfuscated

Obfuscated

  • Members
  • 82 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:09:39 PM

Posted 29 October 2008 - 08:45 PM

I have this folder under C:\Program Files\OCINS that seems to be malware
It also seems to be called idnsvr.exe
Here's the HJT log, hope you guys can help! :D

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:28:02 PM, on 10/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\HandWrite\MyNewRecog.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HandWrite\InsTalk\InsTalk.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Speeditup Free\PCCheckUp\PCCheckUp.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Speeditup Free\SpeedItUp.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Wireless LAN\WlanUtil.exe
C:\Programs - Bowei\LimeWire\LimeWire.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEAux Class - {7605CC7C-00FD-4A5F-BAFD-828342DE6279} - C:\PROGRA~1\OCINS\ieaux.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [IdnSvr] C:\Program Files\OCINS\idnsvr.exe
O4 - HKLM\..\Run: [ieup] C:\Program Files\ieup\inetsvr.exe
O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\Win32\pphidpad.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NewRecog] C:\Program Files\HandWrite\MyNewRecog.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [PC-Checkup] "C:\Program Files\Speeditup Free\PCCheckUp\PCCheckUp.exe" -mini
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpeedItUpEX] C:\Program Files\Speeditup Free\SpeedItUp.exe -MINI
O4 - Startup: LimeWire On Startup.lnk = C:\Programs - Bowei\LimeWire\LimeWire.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: IEEE 802.11g USB Wireless LAN Utility.lnk = C:\Program Files\Wireless LAN\WlanUtil.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &访问通用网址 - C:\Program Files\OCINS\cnrbtn.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
O9 - Extra button: ?D???? - {B012491E-8FA4-4851-AA9B-22E33784FBAD} - C:\Program Files\OCINS\config.exe
O9 - Extra 'Tools' menuitem: ?D???? - {B012491E-8FA4-4851-AA9B-22E33784FBAD} - C:\Program Files\OCINS\config.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: 1o?? - {EE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=86 (file missing)
O9 - Extra 'Tools' menuitem: 1o?? - {EE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=86 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 9835 bytes

BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:39 AM

Posted 31 October 2008 - 03:08 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Obfuscated

Obfuscated
  • Topic Starter

  • Members
  • 82 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:09:39 PM

Posted 01 November 2008 - 12:32 AM

I Have no Idea why the scan turned out to be in Chinese.... was it my pc?
Edit: Hold on, i copied the titles off another combofix log, should be understandable now. :thumbsup:)
I roughly translated it, tell me if you need more info!
Thanks for helping, Buckeye! :D

ComboFix 08-10-30.13 - Claire 2008-10-31 22:03:31.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.495 [GMT -8:00]
Running From: C:\Documents and Settings\Claire\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Claire\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Program Files\Common Files\updat
C:\Program Files\Common Files\updat\update.dat
C:\Program Files\OCINS
C:\Program Files\OCINS\austr.dll
C:\Program Files\OCINS\cndsv.dll
C:\Program Files\OCINS\cnprovh.dll
C:\Program Files\OCINS\cnrbtn.html
C:\Program Files\OCINS\cnstc.ini
C:\Program Files\OCINS\config.exe
C:\Program Files\OCINS\convf.dll
C:\Program Files\OCINS\ctrcfg.ini
C:\Program Files\OCINS\cuscfg.dat
C:\Program Files\OCINS\idnaux.dat
C:\Program Files\OCINS\idnsvr.dll
C:\Program Files\OCINS\idnsvr.exe
C:\Program Files\OCINS\ieaux.dll
C:\Program Files\OCINS\kwacs.dat
C:\Program Files\OCINS\kwrep.dat
C:\Program Files\OCINS\ocinfo.dat
C:\Program Files\OCINS\path.dat
C:\Program Files\OCINS\update\idnaux.dat
C:\Program Files\OCINS\update\ocinfo.dat
C:\Program Files\OCINS\update\path.dat
C:\Program Files\OCINS\usrcfg.ini
C:\Program Files\OCINS\version.dat
C:\WINDOWS\ocinfo.dat
C:\WINDOWS\system32\cnprov.dat
C:\WINDOWS\system32\drivers\cnprov.sys
C:\WINDOWS\system32\nt.sys
C:\WINDOWS\system32\score.txt
C:\WINDOWS\system32\wbem\ocmor.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CNPROV
-------\Legacy_INDTRY
-------\Service_cnprov
-------\Service_idnaux
-------\Service_Indtry


((((((((((((((((((((((((( Files Created From 2008-10-01 to 2008-11-01 )))))))))))))))))))))))))))))))
.

2008-10-30 21:17 . 2008-10-30 21:21 <DIR> d-------- C:\Comp Sci Projects
2008-10-30 20:57 . 2008-10-30 20:57 <DIR> d-------- C:\Documents and Settings\Claire\Application Data\Uniblue
2008-10-29 23:10 . 2008-07-08 13:54 148,496 --a------ C:\WINDOWS\system32\drivers\82587926.sys
2008-10-29 23:09 . 2008-10-31 22:07 11,464,736 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-10-29 23:09 . 2008-10-31 17:37 91,244 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-10-29 23:08 . 2008-10-29 23:13 <DIR> d-------- C:\Program Files\Kaspersky Lab Tool
2008-10-29 22:47 . 2008-10-29 22:47 <DIR> d-------- C:\Program Files\Advanced WindowsCare V2
2008-10-29 17:41 . 2008-10-29 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-10-29 17:41 . 2008-10-24 15:07 12,576 --a------ C:\WINDOWS\system32\drivers\TfKbMon.sys
2008-10-29 17:20 . 2008-10-30 21:05 <DIR> d-------- C:\Program Files\Unlocker
2008-10-29 17:20 . 2008-10-29 17:20 <DIR> d-------- C:\Documents and Settings\Claire\Application Data\Desktopicon
2008-10-28 23:38 . 2008-10-28 23:38 <DIR> d-------- C:\Program Files\Mp3tag
2008-10-28 23:38 . 2008-10-28 23:52 <DIR> d-------- C:\Documents and Settings\Claire\Application Data\Mp3tag
2008-10-28 21:41 . 2008-10-28 21:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-28 21:20 . 2008-10-28 21:20 <DIR> d-------- C:\Program Files\CCleaner
2008-10-28 00:09 . 2008-10-30 23:00 <DIR> d-------- C:\Documents and Settings\Claire\Application Data\LimeWire
2008-10-27 23:36 . 2008-10-30 21:19 <DIR> d-------- C:\!KillBox
2008-10-27 23:07 . 2008-10-27 23:07 <DIR> d-------- C:\WINDOWS\Tranquil - Waterfalls dir
2008-10-27 23:07 . 2008-10-27 23:07 606,848 --a------ C:\WINDOWS\flashax.exe
2008-10-27 23:07 . 2008-10-27 23:07 503,808 --a------ C:\WINDOWS\Tranquil - Waterfalls.scr
2008-10-27 23:07 . 2008-10-27 23:07 12,288 --a------ C:\WINDOWS\impborl.dll
2008-10-27 23:02 . 2008-10-27 23:07 <DIR> d-------- C:\Program Files\www_screensavers_com
2008-10-27 21:18 . 2008-10-27 21:18 <DIR> d-------- C:\WINDOWS\Speeditup Free
2008-10-27 21:18 . 2008-10-30 21:25 <DIR> d-------- C:\Program Files\Speeditup Free
2008-10-26 21:26 . 2008-10-26 21:29 <DIR> d-------- C:\WINDOWS\nview
2008-10-26 21:26 . 2006-10-22 15:06 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-10-26 21:26 . 2006-10-22 12:22 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-10-26 21:26 . 2008-10-31 17:41 88,566 --a------ C:\WINDOWS\system32\nvapps.xml
2008-10-26 21:26 . 2006-10-22 12:22 17,056 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-10-26 21:25 . 2008-10-26 21:25 <DIR> d-------- C:\NVIDIA
2008-10-26 21:22 . 2008-10-26 21:22 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-10-26 21:22 . 2008-10-26 21:22 <DIR> d-------- C:\Documents and Settings\Claire\Application Data\SystemRequirementsLab
2008-10-26 20:43 . 2008-10-26 20:43 <DIR> d-------- C:\Documents and Settings\Administrator
2008-10-26 16:01 . 2008-10-26 16:08 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-26 16:01 . 2008-10-30 20:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-26 15:37 . 2001-08-17 12:20 96,256 --a------ C:\WINDOWS\system32\drivers\ac97intc.sys
2008-10-26 15:37 . 2001-08-17 12:20 96,256 --a--c--- C:\WINDOWS\system32\dllcache\ac97intc.sys

.
(((((((((((((((((((((((((((((((((((((((( Find 3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-31 04:43 --------- d-----w C:\Program Files\Canon
2008-10-31 04:41 --------- d-----w C:\Documents and Settings\Claire\Application Data\Canon
2008-10-31 04:40 --------- d-----w C:\Program Files\Common Files\FotoWire
2008-10-31 03:31 --------- d-----w C:\Program Files\Pinnacle
2008-10-31 03:26 --------- d-----w C:\Program Files\The Learning Company
2008-10-31 03:24 --------- d-----w C:\Program Files\ItsDeductible2005
2008-10-31 03:22 --------- d-----w C:\Program Files\Common Files\Intuit
2008-10-31 03:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-30 02:21 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-28 08:35 --------- d-----w C:\Documents and Settings\Claire\Application Data\Skype
2008-10-28 06:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Storm
2008-10-27 07:53 --------- d-----w C:\Program Files\Google
2008-10-27 02:16 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2008-03-16 12:30 216,064 --sh--r C:\WINDOWS\system32\nbDX.dll
.

------- Sigcheck -------

2006-01-13 09:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 04:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2004-08-04 04:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-01-12 18:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 03:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\system32\dllcache\tcpip.sys
2006-04-20 03:51 359808 45265cbad25c6254afafc7bdd88bdb4b C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示 (*Note* empty entries & legit default entries are not shown )
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-29 68856]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"SpeedItUpEX"="C:\Program Files\Speeditup Free\SpeedItUp.exe" [2008-09-09 2274816]
"Uniblue RegistryBooster 2009"="C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"Samsung Common SM"="C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" [2005-07-02 372736]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"DVDTray"="C:\Program Files\HP DVD\Umbrella\DVDTray.exe" [2004-09-03 57344]
"DVDBitSet"="C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" [2003-12-18 184320]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 75520]
"PPHIDPAD"="C:\WINPENJR\Win32\pphidpad.exe" [2001-10-02 45056]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"WrtMon.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NewRecog"="C:\Program Files\HandWrite\MyNewRecog.exe" [2007-08-30 778240]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-10-26 1234712]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 86016]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-10-26 30192]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [BU]
"IESAddr"="" [BU]
"nwiz"="nwiz.exe" [2006-10-22 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-03-04 49254]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-03-04 113664]
IEEE 802.11g USB Wireless LAN Utility.lnk - C:\Program Files\Wireless LAN\WlanUtil.exe [2006-03-04 413696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"VIDC.PIM1"= pclepim1.dll
"vidc.i420"= i420vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Claire^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Claire\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC-Checkup]
C:\Program Files\Speeditup Free\PCCheckUp\PCCheckUp.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SansaDispatch]
--a------ 2007-10-22 12:52 75584 C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2006-10-13 17:20 20058152 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UleadBurningHelper"=2 (0x2)
"ccosm"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Programs - Bowei\\LimeWire\\LimeWire.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-10-26 97928]
R1 is-PN6PCdrv;is-PN6PCdrv;C:\WINDOWS\system32\DRIVERS\82587926.sys [2008-07-08 148496]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-10-26 875288]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-10-26 231704]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-03 76040]
R3 ZD1211U(WLAN);IEEE 802.11g USB Wireless LAN Driver(WLAN);C:\WINDOWS\system32\DRIVERS\zd1211u.sys [2005-02-04 247296]
S0 TfFsMon;TfFsMon;C:\WINDOWS\system32\drivers\TfFsMon.sys [ ]
S0 TfSysMon;TfSysMon;C:\WINDOWS\system32\drivers\TfSysMon.sys [ ]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-10-26 30192]
S3 lvdevenb;Logitech Device Enabler Filter;C:\WINDOWS\system32\DRIVERS\lvdevenb.sys [ ]
S3 PID_0920;Logitech QuickCam Express(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS [ ]
S3 TfNetMon;TfNetMon;C:\WINDOWS\system32\drivers\TfNetMon.sys [ ]
S3 ZDBRGSYS;ZDBRGSYS NDIS Protocol Driver;C:\WINDOWS\system32\ZDBRGSYS.SYS [2004-06-30 19200]
S4 ThreatFire;ThreatFire;C:\Program Files\ThreatFire\TFService.exe service [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9d6c206-5df1-11dd-bcd6-0011a301243f}]
\Shell\AutoRun\command - F:\WD_Windows_Tools\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cbb8412c-08bf-11db-94ac-0011a3013c53}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
计划任务 文件夹 里的内容 (Contents of the 'Scheduled Tasks' folder)

2008-10-31 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 09:42]
.
.
------- 而外的扫描 (other scans?)-------
.
FireFox -: Profile - C:\Documents and Settings\Claire\Application Data\Mozilla\Firefox\Profiles\024eezi0.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
FF -: plugin - C:\Program Files\Java\jre1.5.0_11\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_11\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_11\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_11\bin\NPJava14.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_11\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_11\bin\NPOJI610.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPTURNMED.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-31 22:07:59
Windows 5.1.2600 Service Pack 2 NTFS

扫描被隐藏的进程。。。 ... (Scanning Hidden Processes)

扫描被隐藏的启动组。。。(scanning hidden autostart entries)

扫描被隐藏的文件。。。 (scanning hidden files)

扫描完成 (Scan Complete)
被隐藏的档案: 0 (Hidden archives)

**************************************************************************
.
完成时间: 2008-10-31 22:11:12
ComboFix-quarantined-files.txt 2008-11-01 06:10:59

Pre-Run: 25,641,484,288 bytes free
Post-Run: 25,630,105,600 bytes free

245

Edited by Obfuscated, 01 November 2008 - 12:37 AM.


#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:39 AM

Posted 01 November 2008 - 12:59 AM

I'm not sure why it showed up in Chinese, but your log shows progress being made. :thumbsup:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Also post a new hijackthis log.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 Obfuscated

Obfuscated
  • Topic Starter

  • Members
  • 82 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:09:39 PM

Posted 01 November 2008 - 05:50 PM

Here, I have the MBAM log as an attachment. (I'm not sure that it detected my problem, but it sure found some other ones! :thumbsup:)
And the updated HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:49:34 PM, on 11/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Speeditup Free\SpeedItUp.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Wireless LAN\WlanUtil.exe
C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7605CC7C-00FD-4A5F-BAFD-828342DE6279} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NewRecog] C:\Program Files\HandWrite\MyNewRecog.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpeedItUpEX] C:\Program Files\Speeditup Free\SpeedItUp.exe -MINI
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: IEEE 802.11g USB Wireless LAN Utility.lnk = C:\Program Files\Wireless LAN\WlanUtil.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &访问通用网址 - C:\Program Files\OCINS\cnrbtn.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8184 bytes

Attached Files


Edited by Obfuscated, 01 November 2008 - 05:51 PM.


#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:39 AM

Posted 02 November 2008 - 10:47 AM

It looks like you missed a step with Malwarebytes.

Make sure that everything is checked, and click Remove Selected.



Run Hijackthis again, click scan, and Put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - (no file)
O2 - BHO: (no name) - {7605CC7C-00FD-4A5F-BAFD-828342DE6279} - (no file)
O8 - Extra context menu item: &访问通用网址 - C:\Program Files\OCINS\cnrbtn.html
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)



==================


You are running an older version of Java. This can be a security risk so let's get you the latest version.
Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 10.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u10-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

Please post a new hijackthis log.
How are things working for you now? Any problems?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 Obfuscated

Obfuscated
  • Topic Starter

  • Members
  • 82 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:09:39 PM

Posted 02 November 2008 - 11:53 PM

Here is the HJT log, post - fix selected and pre - j2se update.
Things are pretty :thumbsup:, for now, (i think) :)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:48:43 PM, on 11/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\HandWrite\MyNewRecog.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Speeditup Free\SpeedItUp.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Wireless LAN\WlanUtil.exe
C:\Program Files\HandWrite\InsTalk\InsTalk.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NewRecog] C:\Program Files\HandWrite\MyNewRecog.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpeedItUpEX] C:\Program Files\Speeditup Free\SpeedItUp.exe -MINI
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: IEEE 802.11g USB Wireless LAN Utility.lnk = C:\Program Files\Wireless LAN\WlanUtil.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - C:\WINDOWS\wc98pp.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 10084 bytes


Oh, and For the MBAM program, I selected Delete All in the Quarantine section.

That's right, right? :)

Edit: Attached new MBAM log. :)

Attached Files


Edited by Obfuscated, 03 November 2008 - 01:15 AM.


#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:39 AM

Posted 03 November 2008 - 07:47 AM

Looks good! :)

Follow this process to uninstall Combofix. It will also restore a few settings and remove quarantined items.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

  • Posted Image

================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Renable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbsup: :)
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 Obfuscated

Obfuscated
  • Topic Starter

  • Members
  • 82 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:09:39 PM

Posted 03 November 2008 - 07:57 PM

Whoa, whoa, whoa!

First off, big thanks to you, Buckeye Sam, and your HJT genius. :)

Also, doesn't Spybot S&D cover both the abilities of SpywareBlaster and Ad-aware?

Another One: I'm having some trouble installing Kasperksy Virus Removal AVP. When I open the program, it says
(Quote Error Signature)

AppName: is-5q6cu.exe AppVer: 7.0.0.242 ModName: ntdll.dll
ModVer: 5.1.2600.2180 Offset: 000114b6


Do you know how to fix this?

And When did the OCINS folder suddenly disappear? (I don't remember clicking delete on that folder!) :)

Finally, is Windows' own Firewall a good enough protection?

And Do all of you HJT members have pre-made advice paragraphs that look really nice? :thumbsup:

Thanks again,
Obfuscated

Edit: Attached Screenshot. :)

Attached Files


Edited by Obfuscated, 03 November 2008 - 09:23 PM.


#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:39 AM

Posted 04 November 2008 - 10:35 AM

Spybot and Adaware provide similar advantages, but each have been known to catch something that the other missed. It's a good idea to layer in that type of protection. Now Spyware Blaster is a completely different type of program. It will block certain malicious sites from ever loading onto your computer. It's a tremendous tool and I wouldn't be surfing around the net without it.

I don't really know about that Kaspersky problem. I'd check with their support site.

http://usa.kaspersky.com/support/


Combofix got rid of the OCINS folder for us on it's first run. :thumbsup:


Windows firewall is adequate, but I'd recommend a third party firewall such as Zone Alarm for optimum protection.


And to answer your last question, yes most of us use preformatted speeches/directions. That way they are clear and easy to understand and read. :)
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 Obfuscated

Obfuscated
  • Topic Starter

  • Members
  • 82 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:09:39 PM

Posted 04 November 2008 - 04:03 PM

Oh Cool! Thanks Again for your big help! :thumbsup: :)

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:39 AM

Posted 04 November 2008 - 04:29 PM

I'm glad I could help you out! :thumbsup:

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users