Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

virusremover2008 infection (among possible others)


  • This topic is locked This topic is locked
10 replies to this topic

#1 viruskillerrr

viruskillerrr

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:47 PM

Posted 13 December 2008 - 07:54 PM

This morning my computer showed the download of virusremover2008, and BitComet was also open. The computer was running slow, and eventually froze. I had to shut it down with the power switch and upon restart, Virusremover2008 was running on the task bar and notified me that I was infected, etc. When I opened Firefox, a new window would open along with a number of tabs advertising other bogus virus software. Also upon restart, the My Documents folder popped up.

So far I have deleted BitComet and run MalwareBytes. After the restart for MalwareBytes, Virusremover2008 has not popped up, and Firefox no longer opens with extra tabs, but the My Documents folder still opens and it seems as though I cannot open certain downloads from Firefox. It does seem as if the bulk of the problem is gone, but I want to be sure, because Kaspersky still shows a number of infections. My Kaspersky log is attached and my HijackThis log (the info window did not generate when I ran RSIT) is below.



Logfile of random's system information tool 1.04 (written by random/random)
Run by Super Katie at 2008-12-13 17:42:44
Microsoft Windows XP Professional Service Pack 2
System drive C: has 194 GB (83%) free of 234 GB
Total RAM: 894 MB (53% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:42:46 PM, on 12/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\NetfxUpdate.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\Super Katie\Desktop\RSIT(5).exe
C:\Program Files\trend micro\Super Katie.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [SpeedRunner] C:\Documents and Settings\Super Katie\Application Data\SpeedRunner\SpeedRunner.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - ?p=ZU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O20 - AppInit_DLLs: tkectt.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7340 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\oiwuhsfj.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-01-28 1554256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe [2005-08-05 64512]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2005-09-26 90112]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2005-09-18 7204864]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2005-09-18 86016]
"readericon"=C:\Program Files\Digital Media Reader\readericon45G.exe [2005-08-27 139264]
"Reminder"=C:\WINDOWS\Creator\Remind_XP.exe [2005-03-09 966656]
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE [2002-09-14 212992]
"MSKDetectorExe"=C:\Program Files\McAfee\SpamKiller\MSKDetct.exe [2005-08-12 1121792]
"NeroCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2006-09-01 282624]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe [2008-02-22 144784]
"Adobe Photo Downloader"=C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe [2007-03-09 63712]
"AVG7_CC"=C:\PROGRA~1\Grisoft\AVG7\avgcc.exe [2008-10-17 590848]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-10 15360]
"H/PC Connection Agent"=C:\Program Files\Microsoft ActiveSync\wcescomm.exe []
"Aim6"= []
"Vidalia"=C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe []
"SpeedRunner"=C:\Documents and Settings\Super Katie\Application Data\SpeedRunner\SpeedRunner.exe []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE

C:\Documents and Settings\Super Katie\Start Menu\Programs\Startup
Cyber-shot Viewer Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="tkectt.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"DisableTaskMgr"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoActiveDesktopChanges"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Maple 12\jre\bin\maple.exe"="C:\Program Files\Maple 12\jre\bin\maple.exe:*:Disabled:Maple 12"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{33be74a1-8ddf-11dd-b85a-00016cfe68b0}]
shell\AutoRun\command - .\RECYCLER\~systmp
shell\explore\command - .\RECYCLER\~systmp
shell\Open\command - .\RECYCLER\~systmp


======List of files/folders created in the last 1 months======

2008-12-13 11:08:22 ----D---- C:\Program Files\trend micro
2008-12-13 11:08:13 ----D---- C:\rsit
2008-12-13 10:46:24 ----D---- C:\Documents and Settings\Super Katie\Application Data\Malwarebytes
2008-12-13 10:46:05 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-13 10:46:05 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-13 00:06:36 ----D---- C:\WINDOWS\system32\DL5
2008-12-13 00:06:36 ----D---- C:\WINDOWS\system32\cap2
2008-12-13 00:06:36 ----D---- C:\WINDOWS\system32\ain
2008-12-12 23:57:36 ----A---- C:\WINDOWS\system32\57532702-.txt
2008-12-12 23:52:15 ----D---- C:\Documents and Settings\Super Katie\Application Data\Twain
2008-12-12 23:51:52 ----A---- C:\WINDOWS\system32\khfCssSl.dll
2008-12-12 03:03:12 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-12 03:03:07 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-12 03:02:54 ----HDC---- C:\WINDOWS\$NtUninstallKB958215$
2008-12-12 03:00:51 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-12 03:00:42 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2008-11-27 13:58:11 ----D---- C:\Program Files\YouTube Downloader
2008-11-22 07:48:07 ----D---- C:\Program Files\Sun
2008-11-22 07:47:43 ----A---- C:\WINDOWS\system32\javaws.exe
2008-11-22 07:47:43 ----A---- C:\WINDOWS\system32\javaw.exe
2008-11-22 07:47:43 ----A---- C:\WINDOWS\system32\java.exe
2008-11-15 21:27:35 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-11-15 21:25:53 ----D---- C:\Program Files\Shockwave.com

======List of files/folders modified in the last 1 months======

2008-12-13 17:42:11 ----D---- C:\WINDOWS\Prefetch
2008-12-13 15:49:19 ----D---- C:\WINDOWS\temp
2008-12-13 15:48:21 ----D---- C:\WINDOWS\system32
2008-12-13 15:48:20 ----D---- C:\Program Files\Mozilla Firefox
2008-12-13 14:20:46 ----D---- C:\WINDOWS\system32\drivers
2008-12-13 14:20:46 ----D---- C:\WINDOWS
2008-12-13 14:20:20 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-13 11:29:29 ----D---- C:\Katie's Stuff
2008-12-13 11:13:02 ----RD---- C:\Program Files
2008-12-13 10:57:32 ----D---- C:\Program Files\BitComet
2008-12-13 09:24:40 ----RHD---- C:\$VAULT$.AVG
2008-12-13 09:24:24 ----D---- C:\Documents and Settings\Super Katie\Application Data\AVG7
2008-12-13 00:06:38 ----D---- C:\Temp
2008-12-12 23:51:57 ----SD---- C:\WINDOWS\Tasks
2008-12-12 03:03:15 ----HD---- C:\WINDOWS\inf
2008-12-12 03:03:14 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-12-12 03:03:10 ----A---- C:\WINDOWS\imsins.BAK
2008-12-12 03:03:01 ----D---- C:\Program Files\Internet Explorer
2008-12-12 03:02:49 ----HD---- C:\WINDOWS\$hf_mig$
2008-12-12 03:02:48 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-12 02:28:43 ----D---- C:\Program Files\Maple 12
2008-12-09 16:24:37 ----AC---- C:\WINDOWS\system32\MRT.exe
2008-12-08 23:36:53 ----D---- C:\Documents and Settings\Super Katie\Application Data\Mozilla
2008-12-03 00:18:50 ----D---- C:\Documents and Settings\Super Katie\Application Data\ICAClient
2008-11-27 13:51:05 ----D---- C:\Downloads
2008-11-26 10:36:03 ----AC---- C:\WINDOWS\NeroDigital.ini
2008-11-24 18:32:04 ----AC---- C:\WINDOWS\VECalc.INI
2008-11-22 07:48:23 ----SHD---- C:\WINDOWS\Installer
2008-11-22 07:47:43 ----D---- C:\Program Files\Java
2008-11-17 12:59:07 ----D---- C:\WINDOWS\Help

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Avg7Core;AVG7 Kernel; C:\WINDOWS\System32\Drivers\avg7core.sys [2008-02-10 821856]
R1 Avg7RsW;AVG7 Wrap Driver; C:\WINDOWS\System32\Drivers\avg7rsw.sys [2008-02-10 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP; C:\WINDOWS\System32\Drivers\avg7rsxp.sys [2008-02-10 27776]
R1 AvgClean;AVG7 Clean Driver; C:\WINDOWS\System32\Drivers\avgclean.sys [2008-02-10 10760]
R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2007-09-28 9336]
R1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2007-09-28 9464]
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2005-11-22 8552]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
R2 symlcbrd;symlcbrd; \??\C:\WINDOWS\system32\drivers\symlcbrd.sys []
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2005-09-26 3644800]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-10 60800]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2004-06-17 1041536]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2004-06-17 220032]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-10 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2005-09-18 3493984]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2005-07-29 34048]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2005-07-29 12928]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-10 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2004-06-17 685056]
S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\system32\DRIVERS\p3.sys [2004-08-10 42496]
S3 HidBatt;HID UPS Battery Driver; C:\WINDOWS\system32\DRIVERS\HidBatt.sys [2001-08-17 19200]
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 mxnic;Macronix MX987xx Family Fast Ethernet NT Driver; C:\WINDOWS\system32\DRIVERS\mxnic.sys [2001-08-17 19968]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2004-08-03 59264]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-10 20480]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 APC UPS Service;APC UPS Service; C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe [2004-07-21 176241]
R2 Avg7Alrt;AVG7 Alert Manager Server; C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe [2008-02-10 418816]
R2 Avg7UpdSvc;AVG7 Update Service; C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe [2008-02-10 49664]
R2 CCALib8;Canon Camera Access Library 8; C:\Program Files\Canon\CAL\CALMAIN.exe [2006-03-30 96341]
R2 EpsonBidirectionalService;EpsonBidirectionalService; C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe [2002-01-29 77824]
R2 EPSONStatusAgent2;EPSON Printer Status Agent2; C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe [2002-07-17 94208]
R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2001-02-23 270336]
R2 NetFxUpdate_v1.0.3705;Microsoft .NET Framework v1.0.3705 Update; C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\NetfxUpdate.exe [2007-01-15 73728]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2005-09-18 131139]
R2 PrismXL;PrismXL; C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS [2005-11-22 172032]
R2 Symantec Core LC;Symantec Core LC; C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [2007-09-19 1247600]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2004-08-10 14336]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-10 14336]

-----------------EOF-----------------

Attached Files



BC AdBot (Login to Remove)

 


#2 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:12:47 AM

Posted 21 December 2008 - 12:50 PM

Hello viruskillerrr,

I apologise for the delay, the forum is extremely busy.

If you still need help, post a new HijackThis log.
Posted Image
Private Messages for personal support will be ignored. If you need help post in the forum.

#3 viruskillerrr

viruskillerrr
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:47 PM

Posted 21 December 2008 - 02:33 PM

I do have a few updates. When a web browser is open, about every ten minutes a new window is generated and some form of antivirus advertisement pops up. Here is the new hijack this log. Again, only the log file is generating, not the info file.

Logfile of random's system information tool 1.05 (written by random/random)
Run by Super Katie at 2008-12-21 12:30:52
Microsoft Windows XP Professional Service Pack 2
System drive C: has 194 GB (83%) free of 234 GB
Total RAM: 894 MB (55% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31:04 PM, on 12/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\NetfxUpdate.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Super Katie\Desktop\RSIT(6).exe
C:\Program Files\trend micro\Super Katie.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {774de7cf-1b0e-47df-80d9-fd6dfad9af4d} - C:\WINDOWS\system32\gavuvabu.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CPM5f43d0e0] Rundll32.exe "c:\windows\system32\pohetubu.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [SpeedRunner] C:\Documents and Settings\Super Katie\Application Data\SpeedRunner\SpeedRunner.exe
O4 - HKCU\..\Run: [CPM5f43d0e0] Rundll32.exe "c:\windows\system32\pohetubu.dll",a
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2320708664-2170184291-161415585-1009\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Gerry')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - ?p=ZU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O20 - AppInit_DLLs: tkectt.dll C:\WINDOWS\system32\bejayiti.dll c:\windows\system32\pohetubu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pohetubu.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pohetubu.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8143 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\oiwuhsfj.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-01-28 1554256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{774de7cf-1b0e-47df-80d9-fd6dfad9af4d}]
C:\WINDOWS\system32\gavuvabu.dll []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe [2005-08-05 64512]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2005-09-26 90112]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2005-09-18 7204864]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2005-09-18 86016]
"readericon"=C:\Program Files\Digital Media Reader\readericon45G.exe [2005-08-27 139264]
"Reminder"=C:\WINDOWS\Creator\Remind_XP.exe [2005-03-09 966656]
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE [2002-09-14 212992]
"MSKDetectorExe"=C:\Program Files\McAfee\SpamKiller\MSKDetct.exe [2005-08-12 1121792]
"NeroCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2006-09-01 282624]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe [2008-02-22 144784]
"Adobe Photo Downloader"=C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe [2007-03-09 63712]
"AVG7_CC"=C:\PROGRA~1\Grisoft\AVG7\avgcc.exe [2008-10-17 590848]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"CPM5f43d0e0"=c:\windows\system32\pohetubu.dll [2008-12-15 96882]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-10 15360]
"H/PC Connection Agent"=C:\Program Files\Microsoft ActiveSync\wcescomm.exe []
"Aim6"= []
"Vidalia"=C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe []
"SpeedRunner"=C:\Documents and Settings\Super Katie\Application Data\SpeedRunner\SpeedRunner.exe []
"CPM5f43d0e0"=c:\windows\system32\pohetubu.dll [2008-12-15 96882]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE

C:\Documents and Settings\Super Katie\Start Menu\Programs\Startup
Cyber-shot Viewer Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="tkectt.dll C:\WINDOWS\system32\bejayiti.dll c:\windows\system32\pohetubu.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pohetubu.dll [2008-12-15 96882]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pohetubu.dll [2008-12-15 96882]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
C:\WINDOWS\system32\bejayiti.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"DisableTaskMgr"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoActiveDesktopChanges"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Maple 12\jre\bin\maple.exe"="C:\Program Files\Maple 12\jre\bin\maple.exe:*:Disabled:Maple 12"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"
"C:\Program Files\Grisoft\AVG7\avgw.exe"="C:\Program Files\Grisoft\AVG7\avgw.exe:*:Enabled:avgw"
"C:\Program Files\QuickTime\qttask.exe"="C:\Program Files\QuickTime\qttask.exe:*:Enabled:qttask"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{33be74a1-8ddf-11dd-b85a-00016cfe68b0}]
shell\AutoRun\command - .\RECYCLER\~systmp
shell\explore\command - .\RECYCLER\~systmp
shell\Open\command - .\RECYCLER\~systmp


======List of files/folders created in the last 1 months======

2008-12-15 14:06:16 ----SH---- C:\WINDOWS\system32\eliragif.ini
2008-12-15 02:05:19 ----SH---- C:\WINDOWS\system32\azovunew.ini
2008-12-13 11:08:22 ----D---- C:\Program Files\trend micro
2008-12-13 11:08:13 ----D---- C:\rsit
2008-12-13 10:46:24 ----D---- C:\Documents and Settings\Super Katie\Application Data\Malwarebytes
2008-12-13 10:46:05 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-13 10:46:05 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-13 00:06:36 ----D---- C:\WINDOWS\system32\DL5
2008-12-13 00:06:36 ----D---- C:\WINDOWS\system32\cap2
2008-12-13 00:06:36 ----D---- C:\WINDOWS\system32\ain
2008-12-12 23:57:36 ----AC---- C:\WINDOWS\system32\57532702-.txt
2008-12-12 23:52:15 ----D---- C:\Documents and Settings\Super Katie\Application Data\Twain
2008-12-12 03:03:12 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-12 03:03:07 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-12 03:02:54 ----HDC---- C:\WINDOWS\$NtUninstallKB958215$
2008-12-12 03:00:51 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-12 03:00:42 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2008-11-27 13:58:11 ----D---- C:\Program Files\YouTube Downloader
2008-11-22 07:48:07 ----D---- C:\Program Files\Sun
2008-11-22 07:47:43 ----A---- C:\WINDOWS\system32\javaws.exe
2008-11-22 07:47:43 ----A---- C:\WINDOWS\system32\javaw.exe
2008-11-22 07:47:43 ----A---- C:\WINDOWS\system32\java.exe

======List of files/folders modified in the last 1 months======

2008-12-21 12:31:00 ----D---- C:\WINDOWS\Prefetch
2008-12-21 12:26:27 ----D---- C:\Program Files\Mozilla Firefox
2008-12-21 11:19:24 ----D---- C:\WINDOWS\temp
2008-12-21 10:26:15 ----D---- C:\Documents and Settings\Super Katie\Application Data\AVG7
2008-12-20 11:22:28 ----RHD---- C:\$VAULT$.AVG
2008-12-20 11:16:08 ----AC---- C:\WINDOWS\NeroDigital.ini
2008-12-19 14:12:16 ----D---- C:\WINDOWS\system32
2008-12-15 14:05:33 ----ASH---- C:\WINDOWS\system32\pohetubu.dll
2008-12-15 14:05:33 ----ASH---- C:\WINDOWS\system32\figarile.dll
2008-12-14 22:00:00 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-13 14:20:46 ----D---- C:\WINDOWS\system32\drivers
2008-12-13 14:20:46 ----D---- C:\WINDOWS
2008-12-13 11:29:29 ----D---- C:\Katie's Stuff
2008-12-13 11:13:02 ----RD---- C:\Program Files
2008-12-13 10:57:32 ----D---- C:\Program Files\BitComet
2008-12-13 00:06:38 ----D---- C:\Temp
2008-12-12 23:51:57 ----SD---- C:\WINDOWS\Tasks
2008-12-12 03:03:15 ----HD---- C:\WINDOWS\inf
2008-12-12 03:03:14 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-12-12 03:03:10 ----A---- C:\WINDOWS\imsins.BAK
2008-12-12 03:03:01 ----D---- C:\Program Files\Internet Explorer
2008-12-12 03:02:49 ----HD---- C:\WINDOWS\$hf_mig$
2008-12-12 03:02:48 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-12 02:28:43 ----D---- C:\Program Files\Maple 12
2008-12-08 23:36:53 ----D---- C:\Documents and Settings\Super Katie\Application Data\Mozilla
2008-12-03 00:18:50 ----D---- C:\Documents and Settings\Super Katie\Application Data\ICAClient
2008-11-27 13:51:05 ----D---- C:\Downloads
2008-11-24 18:32:04 ----AC---- C:\WINDOWS\VECalc.INI
2008-11-22 07:48:23 ----SHD---- C:\WINDOWS\Installer
2008-11-22 07:47:43 ----D---- C:\Program Files\Java

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Avg7Core;AVG7 Kernel; C:\WINDOWS\System32\Drivers\avg7core.sys [2008-02-10 821856]
R1 Avg7RsW;AVG7 Wrap Driver; C:\WINDOWS\System32\Drivers\avg7rsw.sys [2008-02-10 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP; C:\WINDOWS\System32\Drivers\avg7rsxp.sys [2008-02-10 27776]
R1 AvgClean;AVG7 Clean Driver; C:\WINDOWS\System32\Drivers\avgclean.sys [2008-02-10 10760]
R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2007-09-28 9336]
R1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2007-09-28 9464]
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2005-11-22 8552]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
R2 symlcbrd;symlcbrd; \??\C:\WINDOWS\system32\drivers\symlcbrd.sys []
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2005-09-26 3644800]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-10 60800]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2004-06-17 1041536]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2004-06-17 220032]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-10 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2005-09-18 3493984]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2005-07-29 34048]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2005-07-29 12928]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-10 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2004-06-17 685056]
S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\system32\DRIVERS\p3.sys [2004-08-10 42496]
S3 HidBatt;HID UPS Battery Driver; C:\WINDOWS\system32\DRIVERS\HidBatt.sys [2001-08-17 19200]
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 mxnic;Macronix MX987xx Family Fast Ethernet NT Driver; C:\WINDOWS\system32\DRIVERS\mxnic.sys [2001-08-17 19968]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2004-08-03 59264]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-10 20480]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 APC UPS Service;APC UPS Service; C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe [2004-07-21 176241]
R2 Avg7Alrt;AVG7 Alert Manager Server; C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe [2008-02-10 418816]
R2 Avg7UpdSvc;AVG7 Update Service; C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe [2008-02-10 49664]
R2 CCALib8;Canon Camera Access Library 8; C:\Program Files\Canon\CAL\CALMAIN.exe [2006-03-30 96341]
R2 EpsonBidirectionalService;EpsonBidirectionalService; C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe [2002-01-29 77824]
R2 EPSONStatusAgent2;EPSON Printer Status Agent2; C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe [2002-07-17 94208]
R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2001-02-23 270336]
R2 NetFxUpdate_v1.0.3705;Microsoft .NET Framework v1.0.3705 Update; C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\NetfxUpdate.exe [2007-01-15 73728]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2005-09-18 131139]
R2 PrismXL;PrismXL; C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS [2005-11-22 172032]
R2 Symantec Core LC;Symantec Core LC; C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [2007-09-19 1247600]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2004-08-10 14336]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-10 14336]

-----------------EOF-----------------

#4 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:12:47 AM

Posted 21 December 2008 - 02:55 PM

Hello viruskillerrr,

You posted RSIT report.

It seems you don't have HijackThis on your pc, and we are going to need it.
----------------------------------------------
Download and Run HijackThis
Download HJTInstall.exe to your Desktop.
  • Doubleclick HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Close Hijackthis for now.
Do not run HijackThis now.
----------------------------------------------
I will need you to run it later, so here are the additional instructions to run it:
  • Double-click to open HijackThis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.
----------------------------------------------
Remove your Anti Virus programs.
You are operating your computer with multiple Anti Virus programs running in memory at once:

Symantec
AVG7


Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

Please remove Symantec for now. See how to remove it below. *
(AVG7 updates stopped at 1.12.2008 so you are not protected anymore.
We'll replace this later.)
----------------------------------------------
*You will need a tool to completely remove Norton-Symantec.

REMOVE NORTON

ONLY if you don't have an active subscription, use below link to uninstall Norton.

Please click HERE and follow the instructions to download and run the norton removal tool for your own version.
----------------------------------------------
Download and run Combofix

Please visit this webpage for download links, and instructions for running the tool:
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
* IMPORTANT !!! Save ComboFix.exe to your Desktop

http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this topic if you need help to disable your protection programs.
Please include the C:\ComboFix.txt and a HijackThis log in your next reply for further review.
Posted Image
Private Messages for personal support will be ignored. If you need help post in the forum.

#5 viruskillerrr

viruskillerrr
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:47 PM

Posted 21 December 2008 - 04:16 PM

I removed the extra virus program and have posted the combofix log and hijackthis log below:



ComboFix 08-12-21.01 - Super Katie 2008-12-21 14:06:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.379 [GMT -7:00]
Running from: c:\documents and settings\Super Katie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Super Katie\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Super Katie\Local Settings\Temporary Internet Files\fbk.sts
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\windows\system32\azovunew.ini
c:\windows\system32\eliragif.ini
c:\windows\system32\figarile.dll
c:\windows\system32\pohetubu.dll
c:\windows\Tasks\oiwuhsfj.job
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))
.

2008-12-21 13:35 . 2008-12-21 13:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-13 11:08 . 2008-12-13 11:08 <DIR> d-------- C:\rsit
2008-12-13 11:08 . 2008-12-21 13:31 <DIR> d-------- c:\program files\trend micro
2008-12-13 10:46 . 2008-12-13 10:46 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-13 10:46 . 2008-12-13 10:46 <DIR> d-------- c:\documents and settings\Super Katie\Application Data\Malwarebytes
2008-12-13 10:46 . 2008-12-13 10:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-13 10:46 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-13 10:46 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-13 00:06 . 2008-12-13 09:24 <DIR> d-------- c:\windows\system32\DL5
2008-12-13 00:06 . 2008-12-13 09:24 <DIR> d-------- c:\windows\system32\cap2
2008-12-13 00:06 . 2008-12-13 09:24 <DIR> d-------- c:\windows\system32\ain
2008-12-13 00:06 . 2008-12-13 00:06 <DIR> d-------- c:\temp\REX81
2008-12-12 23:52 . 2008-12-13 09:24 <DIR> d-------- c:\documents and settings\Super Katie\Application Data\Twain
2008-11-27 13:58 . 2008-11-27 13:58 <DIR> d-------- c:\program files\YouTube Downloader
2008-11-27 13:49 . 2008-11-27 13:56 <DIR> d-------- c:\documents and settings\Gerry\Application Data\Orbit
2008-11-22 07:48 . 2008-11-22 07:48 <DIR> d-------- c:\program files\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 20:36 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-21 19:48 --------- d-----w c:\documents and settings\Gerry\Application Data\AVG7
2008-12-21 17:26 --------- d-----w c:\documents and settings\Super Katie\Application Data\AVG7
2008-12-21 15:38 --------- d-----w c:\documents and settings\Owner\Application Data\AVG7
2008-12-13 17:57 --------- d-----w c:\program files\BitComet
2008-12-12 09:28 --------- d-----w c:\program files\Maple 12
2008-12-03 07:18 --------- d-----w c:\documents and settings\Super Katie\Application Data\ICAClient
2008-11-22 14:47 --------- d-----w c:\program files\Java
2008-11-16 05:29 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-16 04:28 --------- d-----w c:\documents and settings\Owner\Application Data\iWin
2008-11-16 04:26 --------- d-----w c:\program files\Shockwave.com
2008-11-12 08:21 --------- d-----w c:\program files\MSECache
2008-11-01 22:32 --------- d-----w c:\program files\Coupons
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-17 20:29 47,232 -c--a-w c:\documents and settings\Super Katie\Application Data\GDIPFONTCACHEV1.DAT
2008-07-19 15:00 38,424 ----a-w c:\documents and settings\Gerry\Application Data\GDIPFONTCACHEV1.DAT
2008-06-17 00:02 135,328 ----a-w c:\program files\dfield7.m
2008-06-17 00:02 1,589 ----a-w c:\program files\euler.m
2008-03-04 02:31 38,424 -c--a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2006-12-15 01:45 602 -c--a-w c:\documents and settings\Gerry\Application Data\wklnhst.dat
2007-06-22 01:38 30,280 ----a-w c:\program files\mozilla firefox\plugins\cgpcfg.dll
2007-06-22 01:38 79,432 ----a-w c:\program files\mozilla firefox\plugins\CgpCore.dll
2007-06-22 01:38 71,240 ----a-w c:\program files\mozilla firefox\plugins\confmgr.dll
2007-06-22 01:38 140,872 ----a-w c:\program files\mozilla firefox\plugins\ctxmui.dll
2007-06-22 01:39 38,472 ----a-w c:\program files\mozilla firefox\plugins\icafile.dll
2007-06-22 01:39 46,664 ----a-w c:\program files\mozilla firefox\plugins\icalogon.dll
2007-06-22 01:39 34,376 ----a-w c:\program files\mozilla firefox\plugins\logging.dll
2007-06-22 01:39 685,640 ----a-w c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2007-06-22 01:40 30,280 ----a-w c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-09 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-17 590848]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 c:\windows\soundman.exe]
"nwiz"="nwiz.exe" [2005-09-18 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-02-10 219136]

c:\documents and settings\Super Katie\Start Menu\Programs\Startup\
Cyber-shot Viewer Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-04-15 155648]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-04-15 221295]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Maple 12\\jre\\bin\\maple.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgw.exe"=
"c:\\Program Files\\QuickTime\\qttask.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15839:TCP"= 15839:TCP:BitComet 15839 TCP
"15839:UDP"= 15839:UDP:BitComet 15839 UDP

R2 NetFxUpdate_v1.0.3705;Microsoft .NET Framework v1.0.3705 Update;c:\windows\Microsoft.NET\Framework\v1.0.3705\NetfxUpdate.exe [2004-09-29 73728]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
- - - - ORPHANS REMOVED - - - -

BHO-{774de7cf-1b0e-47df-80d9-fd6dfad9af4d} - c:\windows\system32\gavuvabu.dll
HKCU-Run-H/PC Connection Agent - c:\program files\Microsoft ActiveSync\wcescomm.exe
HKCU-Run-Vidalia - c:\program files\Vidalia Bundle\Vidalia\vidalia.exe
HKCU-Run-CPM5f43d0e0 - c:\windows\system32\pohetubu.dll
HKCU-Run-Aim6 - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &Search - ?p=ZU
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: *.amaena.com
Trusted Zone: *.avsystemcare.com
Trusted Zone: *.onerateld.com
Trusted Zone: *.safetydownload.com
Trusted Zone: *.trustedantivirus.com
Trusted Zone: *.virusschlacht.com
Trusted Zone: *.amaena.com
Trusted Zone: *.avsystemcare.com
Trusted Zone: *.onerateld.com
Trusted Zone: *.safetydownload.com
Trusted Zone: *.trustedantivirus.com
Trusted Zone: *.virusschlacht.com
FF - ProfilePath - c:\documents and settings\Super Katie\Application Data\Mozilla\Firefox\Profiles\pjt8ghre.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 14:09:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\EPSON\EBAPI\eEBSvc.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\ehome\mcrdsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\rundll32.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-21 14:12:16 - machine was rebooted [Super Katie]
ComboFix-quarantined-files.txt 2008-12-21 21:12:13

Pre-Run: 203,962,576,896 bytes free
Post-Run: 205,684,666,368 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

193 --- E O F --- 2008-12-21 21:11:44




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:12:57 PM, on 12/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\NetfxUpdate.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\trend micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - ?p=ZU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 6798 bytes

#6 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:12:47 AM

Posted 22 December 2008 - 04:06 AM

Hello viruskillerrr,

I want you to uninstall AVG7 and download one from the 3 free Anti-Virus i posted below.
I am explaning how to do it, so you will not be in danger untill you install the new one.
----------------------------------------------
INSTALLING & RUNNING AN ANTIVIRUS

Please follow below details regarding to Antivirus installation-see my post below:
  • download the installer << New Anti-Virus-see links below*
  • disconnect from internet
  • remove old one << AVG7
  • install new one
  • reconnect, immediately update, and
  • run the Anti-virus and let it quarantine all its findings.
You might need to reboot to complete the uninstallation.
----------------------------------------------
* Anti-Virus links
1) Antivir PersonalEditionClassic
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition
-Anti-virus program for Windows.
-The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition
- Free edition of the AVG anti-virus program for Windows.
- Available for single computer use for home and non commercial use.
----------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines(if still present).

O8 - Extra context menu item: &Search - ?p=ZU
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -


Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.
----------------------------------------------
P2P PROGRAMS

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

BitComet

References for the risk of these programs can be found in these links:
http://www.microsoft.com/windows/ie/commun...protection.mspx
http://www.techweb.com/wire/160500554
http://www.internetworldstats.com/articles/art053.htm
See Clean/Infected P2P Programs here

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

If you choose not to remove them, please do not use them until this computer is clean.
----------------------------------------------
COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Folder::
    c:\windows\system32\DL5
    c:\windows\system32\cap2
    c:\windows\system32\ain
    c:\temp\REX81
    c:\documents and settings\Super Katie\Application Data\Twain
    c:\program files\Coupons
    c:\progra~1\Grisoft\AVG7
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Grisoft\\AVG7\\avgw.exe"=-
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------------------------------------------
Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Post that log back here.
----------------------------------------------
Post back:
Combofix report.
Malwarebytes\Malwarebytes' Anti-Malware report.
A new HijackThis log.
Posted Image
Private Messages for personal support will be ignored. If you need help post in the forum.

#7 viruskillerrr

viruskillerrr
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:47 PM

Posted 22 December 2008 - 10:33 PM

Alright, I followed all of the steps and the logs are shown below:

ComboFix 08-12-21.01 - Super Katie 2008-12-22 18:55:04.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.560 [GMT -7:00]
Running from: c:\documents and settings\Super Katie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Super Katie\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Super Katie\Application Data\Twain
c:\progra~1\Grisoft\AVG7
c:\progra~1\Grisoft\AVG7\avgamsvr.dmp
c:\progra~1\Grisoft\AVG7\avgamsvr.err
c:\program files\Coupons
c:\program files\Coupons\Coupons.com.url
c:\program files\Coupons\uninstall.exe
c:\program files\Coupons\Uninstall\IRIMG1.JPG
c:\program files\Coupons\Uninstall\IRIMG2.JPG
c:\program files\Coupons\Uninstall\IRIMG3.JPG
c:\program files\Coupons\Uninstall\IRIMG4.JPG
c:\program files\Coupons\Uninstall\IRIMG5.JPG
c:\program files\Coupons\Uninstall\IRIMG6.JPG
c:\program files\Coupons\Uninstall\IRIMG7.JPG
c:\program files\Coupons\Uninstall\IRIMG8.JPG
c:\program files\Coupons\Uninstall\uninstall.dat
c:\program files\Coupons\Uninstall\uninstall.xml
c:\temp\REX81
c:\temp\REX81\BDF.log
c:\windows\system32\ain
c:\windows\system32\cap2
c:\windows\system32\DL5

.
((((((((((((((((((((((((( Files Created from 2008-11-23 to 2008-12-23 )))))))))))))))))))))))))))))))
.

2008-12-22 17:57 . 2008-12-22 17:57 <DIR> d-------- c:\program files\Avira
2008-12-22 17:57 . 2008-12-22 17:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-22 17:53 . 2008-12-22 17:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg7
2008-12-21 13:35 . 2008-12-21 13:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-13 11:08 . 2008-12-13 11:08 <DIR> d-------- C:\rsit
2008-12-13 11:08 . 2008-12-21 13:31 <DIR> d-------- c:\program files\trend micro
2008-12-13 10:46 . 2008-12-13 10:46 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-13 10:46 . 2008-12-13 10:46 <DIR> d-------- c:\documents and settings\Super Katie\Application Data\Malwarebytes
2008-12-13 10:46 . 2008-12-13 10:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-13 10:46 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-13 10:46 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-27 13:58 . 2008-11-27 13:58 <DIR> d-------- c:\program files\YouTube Downloader
2008-11-27 13:49 . 2008-11-27 13:56 <DIR> d-------- c:\documents and settings\Gerry\Application Data\Orbit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 20:36 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-13 17:57 --------- d-----w c:\program files\BitComet
2008-12-12 09:28 --------- d-----w c:\program files\Maple 12
2008-12-03 07:18 --------- d-----w c:\documents and settings\Super Katie\Application Data\ICAClient
2008-11-22 14:48 --------- d-----w c:\program files\Sun
2008-11-22 14:47 --------- d-----w c:\program files\Java
2008-11-16 05:29 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-16 04:28 --------- d-----w c:\documents and settings\Owner\Application Data\iWin
2008-11-16 04:26 --------- d-----w c:\program files\Shockwave.com
2008-11-12 08:21 --------- d-----w c:\program files\MSECache
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-17 20:29 47,232 -c--a-w c:\documents and settings\Super Katie\Application Data\GDIPFONTCACHEV1.DAT
2008-10-16 21:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 21:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 21:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 21:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 21:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 21:08 34,328 -c--a-w c:\windows\system32\wups.dll
2008-10-16 10:20 667,648 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-01 05:06 40,960 ----a-w c:\windows\system32\maplec.dll
2008-10-01 05:06 212,992 ----a-w c:\windows\system32\WMIMPLEX.dll
2008-10-01 05:06 20,480 ----a-w c:\windows\system32\maplecompat.dll
2008-09-30 23:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-07-19 15:00 38,424 ----a-w c:\documents and settings\Gerry\Application Data\GDIPFONTCACHEV1.DAT
2008-06-17 00:02 135,328 ----a-w c:\program files\dfield7.m
2008-06-17 00:02 1,589 ----a-w c:\program files\euler.m
2008-03-04 02:31 38,424 -c--a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2006-12-15 01:45 602 -c--a-w c:\documents and settings\Gerry\Application Data\wklnhst.dat
2007-06-22 01:38 30,280 ----a-w c:\program files\mozilla firefox\plugins\cgpcfg.dll
2007-06-22 01:38 79,432 ----a-w c:\program files\mozilla firefox\plugins\CgpCore.dll
2007-06-22 01:38 71,240 ----a-w c:\program files\mozilla firefox\plugins\confmgr.dll
2007-06-22 01:38 140,872 ----a-w c:\program files\mozilla firefox\plugins\ctxmui.dll
2007-06-22 01:39 38,472 ----a-w c:\program files\mozilla firefox\plugins\icafile.dll
2007-06-22 01:39 46,664 ----a-w c:\program files\mozilla firefox\plugins\icalogon.dll
2007-06-22 01:39 34,376 ----a-w c:\program files\mozilla firefox\plugins\logging.dll
2007-06-22 01:39 685,640 ----a-w c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2007-06-22 01:40 30,280 ----a-w c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-21_14.11.50.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-07-15 16:49:16 258,048 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW1516\_aspnet_isapi.dll
+ 2004-07-15 15:32:22 81,920 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW1516\_CORPerfMonExt.dll
+ 2004-07-15 15:24:30 282,624 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW1516\_fusion.dll
+ 2004-07-15 15:25:06 315,392 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW1516\_mscorjit.dll
+ 2004-07-16 05:29:02 2,138,112 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW1516\_mscorlib.dll
+ 2003-02-21 10:09:18 77,824 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW1516\_mscorsn.dll
+ 2004-07-15 15:26:52 2,510,848 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW1516\_mscorsvr.dll
+ 2004-07-15 15:28:34 2,502,656 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW1516\_mscorwks.dll
+ 2003-02-21 19:42:22 348,160 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW1516\_msvcr71.dll
+ 2004-07-15 15:34:50 94,208 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW1516\_PerfCounter.dll
+ 2004-07-15 16:49:16 258,048 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2496\_aspnet_isapi.dll
+ 2004-07-15 15:32:22 81,920 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2496\_CORPerfMonExt.dll
+ 2004-07-15 15:24:30 282,624 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2496\_fusion.dll
+ 2004-07-15 15:25:06 315,392 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2496\_mscorjit.dll
+ 2004-07-16 05:29:02 2,138,112 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2496\_mscorlib.dll
+ 2003-02-21 10:09:18 77,824 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2496\_mscorsn.dll
+ 2004-07-15 15:26:52 2,510,848 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2496\_mscorsvr.dll
+ 2004-07-15 15:28:34 2,502,656 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2496\_mscorwks.dll
+ 2003-02-21 19:42:22 348,160 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2496\_msvcr71.dll
+ 2004-07-15 15:34:50 94,208 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2496\_PerfCounter.dll
- 2008-10-16 10:20:56 3,067,392 -c--a-w c:\windows\system32\dllcache\mshtml.dll
+ 2008-12-12 17:27:54 3,067,392 -c--a-w c:\windows\system32\dllcache\mshtml.dll
+ 2008-05-09 19:15:51 45,376 ----a-w c:\windows\system32\drivers\avgntdd.sys
+ 2008-01-22 00:11:28 22,336 ----a-w c:\windows\system32\drivers\avgntmgr.sys
+ 2008-10-30 17:21:03 75,072 ----a-w c:\windows\system32\drivers\avipbb.sys
+ 2007-03-01 16:34:22 28,352 ----a-w c:\windows\system32\drivers\ssmdrv.sys
- 2008-10-16 10:20:56 3,067,392 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-12 17:27:54 3,067,392 ----a-w c:\windows\system32\mshtml.dll
- 2007-07-27 16:41:40 16,760 ----a-w c:\windows\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-09 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 c:\windows\soundman.exe]
"nwiz"="nwiz.exe" [2005-09-18 c:\windows\system32\nwiz.exe]

c:\documents and settings\Super Katie\Start Menu\Programs\Startup\
Cyber-shot Viewer Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-04-15 155648]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-04-15 221295]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Maple 12\\jre\\bin\\maple.exe"=
"c:\\Program Files\\QuickTime\\qttask.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15839:TCP"= 15839:TCP:BitComet 15839 TCP
"15839:UDP"= 15839:UDP:BitComet 15839 UDP

R2 NetFxUpdate_v1.0.3705;Microsoft .NET Framework v1.0.3705 Update;c:\windows\Microsoft.NET\Framework\v1.0.3705\NetfxUpdate.exe [2004-09-29 73728]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

*Newly Created Service* - ANTIVIRSCHEDULER
*Newly Created Service* - ANTIVIRSERVICE
*Newly Created Service* - AVGIO
*Newly Created Service* - AVGNTFLT
*Newly Created Service* - AVIPBB
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-CPM5f43d0e0 - c:\windows\system32\pohetubu.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Super Katie\Application Data\Mozilla\Firefox\Profiles\pjt8ghre.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-22 18:57:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-22 18:57:58
ComboFix-quarantined-files.txt 2008-12-23 01:57:47
ComboFix2.txt 2008-12-21 21:12:16

Pre-Run: 205,547,204,608 bytes free
Post-Run: 205,530,931,200 bytes free

211 --- E O F --- 2008-12-22 10:00:52




Malwarebytes' Anti-Malware 1.31
Database version: 1533
Windows 5.1.2600 Service Pack 2

12/22/2008 8:31:59 PM
mbam-log-2008-12-22 (20-31-59).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 142310
Time elapsed: 29 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:32:36 PM, on 12/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\NetfxUpdate.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\trend micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 6200 bytes

#8 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:12:47 AM

Posted 23 December 2008 - 08:22 AM

Hello viruskillerrr,

Good job. :thumbsup:
----------------------------------------------
Update Adobe Reader
Recently there have been vunerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version. Adobe Reader 9.
You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader, you can download Foxit PDF Reader from here.
It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, be carefull not to install anything to do with AskBar.)
----------------------------------------------
Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 11.
  • Go to Java Site
  • Click to Download Java SE Runtime Environment (JRE) 6 Update 11
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u11-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE)
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer
----------------------------------------------
Run Kaspersky Online AV Scanner
Note: Internet Explorer should be used.

Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.

Posted Image
Private Messages for personal support will be ignored. If you need help post in the forum.

#9 viruskillerrr

viruskillerrr
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:47 PM

Posted 23 December 2008 - 07:04 PM

My computer seems to be behaving just fine. There are no longer any sort of pop-ups, and a few other strange things that were happening have all been resolved as well. Thank you so much!!!

The two logs:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, December 23, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, December 23, 2008 11:50:22
Records in database: 1504397
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
H:\
I:\
J:\
K:\

Scan statistics:
Files scanned: 84066
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 03:47:32


File name / Threat name / Threats count
D:\i386\Apps\App00577\comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1

The selected area was scanned.








Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:02:37 PM, on 12/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\NetfxUpdate.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\trend micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 6366 bytes

#10 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:12:47 AM

Posted 24 December 2008 - 03:23 AM

Hello viruskillerrr,

My computer seems to be behaving just fine. There are no longer any sort of pop-ups, and a few other strange things that were happening have all been resolved as well. Thank you so much!!!

You are welcome, i am glad! :thumbsup:

Is D:\ an external drive?
Please remove this:

D:\i386\Apps\App00577\comps\toolbar
----------------------------------------------
Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • Posted Image
The above procedure will reset your System Restore and clear out the backups and quarantines created during the course of this fix.
----------------------------------------------
Congratulations your machine appears to be clean!

Here are some free programs I recommend that could help you improve your computer's security.

Spybot Search and Destroy 1.6
Download it from here. Just choose a mirror and off you go.
Find here the tutorial on how to use Spybot properly here

Install SpyWare Blaster 4.0
Download it from here
Find here the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works here

Install FireTrust SiteHound
You can find information and download it from here

Install MVPS Hosts File from here
The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Note 1: If you are running Windows XP SP2, you should upgrade to SP3.
Note 2: Users of Norton Internet Security 2008 and newer versions should uninstall the software before they install Service Pack 3.
The security suite can then be reinstalled afterwards.

Please check out Tony Klein's article "How did I get infected in the first place?"

Read some information here how to prevent Malware.

Is your pc running slow?
Read What to do if your Computer is running slowly

Happy safe surfing!
Posted Image
Private Messages for personal support will be ignored. If you need help post in the forum.

#11 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:12:47 AM

Posted 25 December 2008 - 04:09 AM

I'm glad I could help you out! :thumbsup:
Now that your problem appears to be resolved, this thread will be closed.
In case you have any problems, please Start a new topic.
Posted Image
Private Messages for personal support will be ignored. If you need help post in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users