
WIN32.TDSS.rtk


11 replies to this topic

#1 Funkadelic73

  • Members
  • 10 posts

Posted 27 December 2008 - 10:55 PM

I seem to have picked up some nasty sort of virus that makes it difficult for my machine to boot up (often times it freezes upon startup), and nails me with pop-ups that resemble legitimate software.

I run AVG, and it either freezes when I try to perform a scan, encounters an error "and needs to close," or (in safe mode) doesn't find anything. Spybot, when run in safe mode, detects 2-3 instances of WIN32.TDSS.rtk. However, it reinstalls immediately following removal.

As you might expect, looking for searches redirects my browser.

Here is my DDS.txt file (I think I did this correctly):


DDS (Version 1.1.0) - NTFSx86
Run by **** at 19:47:36.50 on 2008-12-27
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.190 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Linksys\WUSB54GSC\WLService.exe
C:\Program Files\Linksys\WUSB54GSC\WUSB54GSC.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Netropa\OSD.exe
C:\Documents and Settings\***\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.kansascity.com/mld/kansascity/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {316AEF8D-3C37-423E-9E6E-13820A9DC37A} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: {E22F9B9D-1A1F-473E-BED6-D8BC152441F4} - No File
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [MS AntiSpyware 2009] "c:\documents and settings\all users\application data\crucialsoft ltd\ms antispyware 2009\msas2009.exe" /autorun
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nwiz] nwiz.exe /install
mRun: [Disc Detector] c:\program files\creative\sharedll\CtNotify.exe
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers
mRun: [DellTouch] c:\windows\DELLMMKB.EXE
mRun: [AHQInit] c:\program files\creative\sblive\program\AHQInit.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Phosid] rundll32.exe "c:\windows\Tjucoxaxeda.dll",e
mRun: [Lsucemid] rundll32.exe "c:\windows\ixazanij.dll",e
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
uPolicies-explorer: <NO NAME> =
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021}
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: FarLsp.dll
TCP: {2CBF71A3-D92B-4325-9F20-58DFE61EC5B9} = 208.67.220.220,208.67.222.222
TCP: {71097B7B-7C4B-40DB-9D75-B72F214EFE01} = 208.67.220.220,208.67.222.222
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R2 IOPort;IOPort;\??\c:\windows\system32\drivers\IOPORT.SYS [1998-11-27 6144]
R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [2004-6-16 28672]
R2 WinDefend;Windows Defender;"c:\program files\windows defender\MsMpEng.exe" [2006-11-3 13592]
R2 WUSB54GSC;WUSB54GSC;"c:\program files\linksys\wusb54gsc\WLService.exe" "WUSB54GSC.exe" [2008-5-11 53307]
R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\msikbd2k.sys [2004-6-16 6942]
S3 cdrmkaun;cdrmkaun;\??\c:\docume~1\jasonc~1\locals~1\temp\cdrmkaun.sys []
S3 FarStoneFireWallDrive;FarStoneFireWallDrive;c:\windows\system32\drivers\FarDrive.sys [2004-5-19 142169]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2007-8-16 13824]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2007-8-16 99200]
S3 Symantec Core LC;Symantec Core LC;"c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe" [2007-1-12 1252232]
S3 XIRLINK;Veo Mobile/Advanced Web Camera;c:\windows\system32\drivers\ucdnt.sys [2004-1-26 728083]

=============== Created Last 30 ================

2008-12-27 19:37 <DIR> --d----- c:\program files\Cobian Backup 9
2008-12-27 19:17 <DIR> --d----- C:\Fix
2008-12-27 19:17 388,608 a------- c:\windows\system32\CF12072.exe
2008-12-26 23:33 <DIR> --d-h--- C:\$AVG8.VAULT$
2008-12-26 22:33 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-12-26 22:33 76,040 a------- c:\windows\system32\drivers\avgtdix.sys
2008-12-26 22:33 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2008-12-26 22:33 <DIR> --d----- c:\windows\system32\drivers\Avg
2008-12-26 22:33 <DIR> --d----- c:\docume~1\jasonc~1\applic~1\AVGTOOLBAR
2008-12-26 15:50 <DIR> a-dshr-- C:\cmdcons
2008-12-26 15:50 161,792 a------- c:\windows\SWREG.exe
2008-12-26 15:50 98,816 a------- c:\windows\sed.exe
2008-12-26 13:36 132,096 a------- c:\windows\ixazanij.dll
2008-12-26 13:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CrucialSoft Ltd
2008-12-26 13:23 40,448 a------- c:\windows\Tjucoxaxeda.dll

==================== Find3M ====================

2008-10-23 07:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-16 04:20 667,648 a------- c:\windows\system32\wininet.dll
2008-10-03 04:15 247,326 a------- c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2007-01-22 19:56 54,624 a------- c:\docume~1\***~1\applic~1\GDIPFONTCACHEV1.DAT
2006-01-02 13:23 205 a------- c:\documents and settings\***\3.dat

============= FINISH: 19:48:58.98 ===============


#2 shelf life

  • Malware Response Team
  • 2,688 posts
  • Gender:Male
  • Location:@localhost

Posted 04 January 2009 - 08:43 AM

hi,

nails me with pop-ups that resemble legitimate software.


ms antispyware 2009 -- This is 'scareware'; its only purpose is for you to activate or register it, for money of course. You will be handing over not only money but e-mail and credit card info for nothing.

we will get a download to use. It's called combofix. There is a guide to read through first. Lots of pictures in the guide. Read through it and follow the combofix prompts. Copy/paste the combofix log in your reply.

the guide:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

How Can I Reduce My Risk to Malware?


#3 Funkadelic73

  • Topic Starter
  • Members
  • 10 posts

Posted 04 January 2009 - 11:16 AM

ComboFix 09-01-02.01 - 2009-01-04 10:00:42.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.261 [GMT -6:00]
Running from: c:\documents and settings\***\Desktop\Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Microsoft Common
c:\program files\Microsoft Common\svchost.exe
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\drivers\TDSSqaxi.sys
c:\windows\system32\TDSSflhc.dll
c:\windows\system32\TDSSkecj.dll
c:\windows\system32\TDSSkhcd.log
c:\windows\system32\TDSSkrtj.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSogon.dll
c:\windows\system32\TDSSpcpr.dll
c:\windows\system32\TDSSqksa.dll
c:\windows\system32\TDSStsks.log
c:\windows\system32\TDSSwhct.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-12-04 to 2009-01-04 )))))))))))))))))))))))))))))))
.

2009-01-03 10:09 . 2009-01-03 10:09 <DIR> d-------- C:\VundoFix Backups
2009-01-03 09:38 . 2009-01-03 09:38 <DIR> d-------- c:\documents and settings\***\Application Data\Malwarebytes
2009-01-03 09:38 . 2009-01-03 09:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-27 19:37 . 2008-12-27 19:38 <DIR> d-------- c:\program files\Cobian Backup 9
2008-12-26 23:33 . 2008-12-26 23:33 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-26 22:33 . 2008-12-26 22:35 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-26 22:33 . 2008-12-26 22:39 <DIR> d-------- c:\documents and settings\***\Application Data\AVGTOOLBAR
2008-12-26 22:33 . 2008-12-26 22:33 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-26 22:33 . 2008-12-26 22:33 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-26 22:33 . 2008-12-26 22:33 10,520 --a------ c:\windows\system32\avgrsstx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-04 15:52 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-03 16:35 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-03 16:35 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-26 17:08 --------- d-----w c:\program files\Steam
2007-01-23 01:56 54,624 ----a-w c:\documents and settings\***\Application Data\GDIPFONTCACHEV1.DAT
2006-01-02 19:23 205 ----a-w c:\documents and settings\***\3.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-26_15.55.59.92 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-26 20:25:37 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-04 15:59:24 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-26 20:25:37 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-04 15:59:24 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-26 20:25:37 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-04 15:59:24 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-27 04:33:26 26,824 ----a-w c:\windows\system32\drivers\avgmfx86.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-12-20 98304]
"Disc Detector"="c:\program files\Creative\ShareDLL\CtNotify.exe" [1999-08-30 189952]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-05 24576]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 28738]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2001-08-23 331830]
"DellTouch"="c:\windows\DELLMMKB.EXE" [2001-09-23 163840]
"AHQInit"="c:\program files\Creative\SBLive\Program\AHQInit.exe" [2001-03-27 102400]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-26 1261336]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 24633]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\windows\System32\ctmp3.acm
"aux"= ctwdm32.dll
"VIDC.D263"= xl_x263dec.dll
"VIDC.YV12"= xl_yv12.dll
"VIDC.XJPG"= camfc.dll
"MSVideo"= ucdvfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Camio Viewer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Camio Viewer.lnk
backup=c:\windows\pss\Camio Viewer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vrmonsvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\parliament1973\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Sierra On-Line\\SIGSPat.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\parliament1973\\half-life 2\\hl2.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\parliament1973\\team fortress 2\\hl2.exe"=

R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [2004-06-16 6942]
R4 IOPort;IOPort;c:\windows\system32\drivers\IOPORT.SYS [1998-11-27 6144]
R4 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [2004-06-16 28672]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R4 WUSB54GSC;WUSB54GSC;c:\program files\Linksys\WUSB54GSC\WLService.exe [2008-05-11 53307]
S3 cdrmkaun;cdrmkaun;\??\c:\docume~1\JASONC~1\LOCALS~1\Temp\cdrmkaun.sys --> c:\docume~1\JASONC~1\LOCALS~1\Temp\cdrmkaun.sys [?]
S3 FarStoneFireWallDrive;FarStoneFireWallDrive;c:\windows\system32\drivers\FarDrive.sys [2004-05-19 142169]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2007-08-16 13824]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2007-08-16 99200]
S3 XIRLINK;Veo Mobile/Advanced Web Camera;c:\windows\system32\drivers\ucdnt.sys [2004-01-26 728083]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0115f29f-cd0c-11dd-b5e0-001ee52cd787}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
\Shell\Explore\command - F:\system.exe
\Shell\Open\command - F:\system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4284df07-e54a-11db-b55d-444553544200}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
\Shell\Explore\command - F:\system.exe
\Shell\Open\command - F:\system.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Lsucemid - c:\windows\ixazanij.dll
HKLM-Run-Phosid - c:\windows\Tjucoxaxeda.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.kansascity.com/mld/kansascity/
LSP: FarLsp.dll
TCP: {2CBF71A3-D92B-4325-9F20-58DFE61EC5B9} = 208.67.220.220,208.67.222.222
TCP: {71097B7B-7C4B-40DB-9D75-B72F214EFE01} = 208.67.220.220,208.67.222.222

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\Downloaded Program Files\sysreqlab3.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
c:\windows\Downloaded Program Files\SysReqLab3.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-04 10:09:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = c:\program files\Creative\ShareDLL\CtNotify.exe?X???r???????????? C?????Disc Detector?B???A???????A???????B???@?$?@?? C?????U?@?????????@?B???A???????A?? ????B???@?????P???$?@???????????A~??????????@?9?????????????????B?????? ???????????????????p????????B

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-842925246-1336601894-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*NULL*]
"??"=hex:e5,6f,53,71,e7,6a,71,2b,ba,c2,72,d2,2c,0b,47,55,17,92,77,bf,6a,6a,99,\
75,95,5f,c7,6b,16,cf,d0,14,9d,fd,1b,9d,7b,30,bf,65,be,26,fd,85,9c,0c,29,05,\
08,9c,35,36,9c,de,b4,2b,9a,7a,dd,9c,55,5a,12,53,2d,82,47,0f,ae,62,df,54,e2,\
53,67,a1,9d,ce,2d,06,37,b8,22,96,70,dc,c4,be,52,de,7c,d7,df,24,54,41,f2,e4,\
1b,97,95,d4,8e,f1,8e,3e,84,ec,de,56,c9,d8,20,92,6e,c0,8a,fd,6f,13,50,e6,40,\
e7,a1,5a,ac,a5,f2,ed,39,b5,24,9f,48,dc,db,59,58,a7,19,56,14,78,7b,73,06,30,\
12,a4,9a,f1,7e,07,5c,55,4b,3f,ed,e4,66,7d,20,f8,36,2b,fc,f4,33,f2,a9,01,a1,\
0a,d1,0e,20,b9,fc,af,6e,d7,fc,f9,4b,87,6a,81,f7,41,55,fd,03,fd,f4,36,77,8d,\
7d,20,90,ed,d2,68,00,cd,75,fb,ec,ff,a5,95,55,be,a9,fa,22,9f,42,de,50,8a,67,\
7d,d9,e5,7f,57,7b,d7,73,c3,d1,22,cc,35,99,24,bb,7d,6e,d0,93,72,c2,f2,5e,b1,\
8f,e3,9b,a3,96,bb,d9,c1,9f,44,8c,bd,93,18,79,41,21,00,3a,7c,b5,f3,99,ca,51,\
18,22,e2,9e,b4,ca,6f,4e,ff,39,e1,88,7b,7b,9a,d5,f5,49,c5,54,b9,42,3e,4b,75,\
52,14,83,f8,12,04,7c,45,ea,83,c0,47,a7,63,e9,c6,92,5c,24,84,26,fa,d1,ff,0e,\
36,61,32,89,59,19,7a,1c,bb,03,ed,eb,f5,bc,10,0a,4d,1e,dc,6a,17,cf,b8,91,31,\
79,83,1f,9d,da,b9,ab,db,62,6b,44,e8,f6,6b,46,29,26,1d,7f,be,e6,08,66,59,8d,\
65,58,58,2d,2e,d4,e6,86,8f,ae,b2,54,cd,a0,c7,49,57,c6,66,e8,0e,3c,87,45,2e,\
a1,19,29,b3,65,0b,6f,eb,99,53,64,82,f7,4b,44,db,24,d8,25,e3,ff,0f,f9,1b,6b,\
53,7e,73,7a,c2,45,9b,30,a0,c1,15,d5,db,41,0d,ed,db,41,35,f5,cb
"??"=hex:16,51,b1,dd,3d,0d,cd,1b,ef,c9,32,ed,e2,d1,74,07
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Linksys\WUSB54GSC\WUSB54GSC.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\devldr32.exe
c:\windows\system32\rundll32.exe
c:\program files\Creative\ShareDLL\Mediadet.exe
c:\program files\Netropa\OSD.exe
.
**************************************************************************
.
Completion time: 2009-01-04 10:12:33 - machine was rebooted [***]
ComboFix-quarantined-files.txt 2009-01-04 16:12:31
ComboFix2.txt 2008-12-27 02:31:17
ComboFix3.txt 2008-12-26 21:56:36

Pre-Run: 41,417,121,792 bytes free
Post-Run: 41,403,744,256 bytes free

220 --- E O F --- 2009-01-03 15:41:14
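The ComboFix and DDS output in this thread contains the indicators a malware-response volunteer reads first: rundll32 run-key entries that load randomly named DLLs from c:\windows, TDSS-prefixed files in system32, Security Center and firewall settings turned off in the registry, and mountpoints2 AutoRun handlers pointing at an executable on a removable drive. The triage helper below is an added example written for this page; it is not code from the thread, from ComboFix or from DDS. Its sample input is constructed from lines pasted above, and the finding names (rundll32-loader, tdss-file and so on) are this example's own labels, not output of either tool.

```python
"""Triage helper for DDS / ComboFix log excerpts (added example, not part of
the thread or of either tool).  It scans log lines and returns the findings
a malware-response volunteer would look at first."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS and ComboFix logs posted above.
SAMPLE_LOG = r"""
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Phosid] rundll32.exe "c:\windows\Tjucoxaxeda.dll",e
mRun: [Lsucemid] rundll32.exe "c:\windows\ixazanij.dll",e
uRun: [MS AntiSpyware 2009] "c:\documents and settings\all users\application data\crucialsoft ltd\ms antispyware 2009\msas2009.exe" /autorun
c:\windows\system32\drivers\TDSSqaxi.sys
c:\windows\system32\TDSSflhc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0115f29f-cd0c-11dd-b5e0-001ee52cd787}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
\Shell\Open\command - F:\system.exe
"""


@dataclass
class Finding:
    kind: str      # label assigned by this example
    line_no: int   # 1-based line in the scanned text
    detail: str    # the value that triggered the finding


# Run-key entry that uses rundll32 to load a DLL sitting directly in c:\windows
# (legitimate vendor DLLs such as NvCpl.dll live under system32, not the root).
RUNDLL_LOADER = re.compile(
    r'^[umd]Run: \[(?P<name>[^\]]+)\] rundll32\.exe "(?P<dll>c:\\windows\\[^\\"]+\.dll)"',
    re.IGNORECASE)
# Rogue "MS AntiSpyware 2009" run key, the scareware named earlier in the thread.
ROGUE_RUN = re.compile(r'^[umd]Run: \[(?P<name>[^\]]*antispyware 2009[^\]]*)\]', re.IGNORECASE)
# Files with the TDSS prefix in system32 or system32\drivers.
TDSS_FILE = re.compile(r'\\system32\\(?:drivers\\)?(?P<file>TDSS\w+\.\w+)$', re.IGNORECASE)
# ComboFix prints registry values under a bracketed key header; track the header.
REG_KEY = re.compile(r'^\[(?P<key>HK[^\]]+)\]$', re.IGNORECASE)
SEC_CENTER_VALUE = re.compile(
    r'^"(?P<name>DisableMonitoring|AntiVirusDisableNotify)"=dword:00000001$', re.IGNORECASE)
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b', re.IGNORECASE)
AUTORUN_CMD = re.compile(
    r'^\\Shell\\(?P<verb>AutoRun|Open|Explore)\\command - (?P<cmd>.+)$', re.IGNORECASE)


def triage(log_text):
    """Return a list of Finding objects for the indicators found in log_text."""
    findings = []
    current_key = ""
    for line_no, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        key = REG_KEY.match(line)
        if key:
            current_key = key.group("key").lower()
            continue
        m = RUNDLL_LOADER.match(line)
        if m:
            findings.append(Finding("rundll32-loader", line_no, f'{m["name"]} -> {m["dll"]}'))
            continue
        m = ROGUE_RUN.match(line)
        if m:
            findings.append(Finding("rogue-antispyware", line_no, m["name"]))
            continue
        m = TDSS_FILE.search(line)
        if m:
            findings.append(Finding("tdss-file", line_no, m["file"]))
            continue
        if "security center" in current_key:
            m = SEC_CENTER_VALUE.match(line)
            if m:
                findings.append(Finding("security-center-tamper", line_no, m["name"]))
                continue
        if "firewallpolicy" in current_key and FIREWALL_OFF.match(line):
            findings.append(Finding("firewall-disabled", line_no, current_key))
            continue
        if "mountpoints2" in current_key:
            m = AUTORUN_CMD.match(line)
            if m:
                findings.append(Finding("removable-autorun", line_no, f'{m["verb"]}: {m["cmd"]}'))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'tdss-file': 2, ...}."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>3}  {f.kind:<24} {f.detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

The registry checks are deliberately scoped by the bracketed key header that ComboFix prints above each value, so a `DisableMonitoring` value under some unrelated key is not reported; the rundll32 rule only fires for a DLL in the c:\windows root, which is why the legitimate NvCpl.dll entry under system32 passes.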

#4 Funkadelic73

  • Topic Starter
  • Members
  • 10 posts

Posted 04 January 2009 - 11:25 AM

I should add that although it looks like AVG was running, AVG currently has no active components installed. Uninstalling/reinstalling has been unsuccessful since I've been hit with the scareware. After combofix, I was able to uninstall the program, and I will reinstall once you tell me it is okay to do so.

I am now able to access bleepingcomputer.com and similar web sites. Do we need another HJT log to verify my machine is clear?

#5 shelf life

  • Malware Response Team
  • 2,688 posts
  • Gender:Male
  • Location:@localhost

Posted 04 January 2009 - 04:45 PM

we will get one more download to use. After it is finished running, post the log from it. Then rescan and post a new HJT log.
Link and directions:

Please download Malwarebytes' Anti-Malware (MBAM) to your desktop:

http://www.malwarebytes.org/mbam.php

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
*** Be sure that everything is checked, and click Remove Selected.***
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

please post the MBAM log in your reply.

How Can I Reduce My Risk to Malware?


#6 Funkadelic73

  • Topic Starter
  • Members
  • 10 posts

Posted 05 January 2009 - 09:58 AM

MBAM found nothing:

Malwarebytes' Anti-Malware 1.31
Database version: 1612
Windows 5.1.2600 Service Pack 2

1/5/2009 8:55:42 AM
mbam-log-2009-01-05 (08-55-42).txt

Scan type: Full Scan (C:\|)
Objects scanned: 110892
Time elapsed: 35 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Here is my HJT log:

DDS (Version 1.1.0) - NTFSx86
Run by *** at 8:56:18.12 on Mon 01/05/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.174 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Linksys\WUSB54GSC\WLService.exe
C:\Program Files\Linksys\WUSB54GSC\WUSB54GSC.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Netropa\OSD.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\***\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.kansascity.com/mld/kansascity/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {316AEF8D-3C37-423E-9E6E-13820A9DC37A} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: {E22F9B9D-1A1F-473E-BED6-D8BC152441F4} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nwiz] nwiz.exe /install
mRun: [Disc Detector] c:\program files\creative\sharedll\CtNotify.exe
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers
mRun: [DellTouch] c:\windows\DELLMMKB.EXE
mRun: [AHQInit] c:\program files\creative\sblive\program\AHQInit.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
uPolicies-explorer: <NO NAME> =
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: FarLsp.dll
TCP: {2CBF71A3-D92B-4325-9F20-58DFE61EC5B9} = 208.67.220.220,208.67.222.222
TCP: {71097B7B-7C4B-40DB-9D75-B72F214EFE01} = 208.67.220.220,208.67.222.222
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: avgrsstx.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-4 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-4 26824]
R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [2004-6-16 6942]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-4 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-4 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-4 76040]
R4 IOPort;IOPort;c:\windows\system32\drivers\IOPORT.SYS [1998-11-27 6144]
R4 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [2004-6-16 28672]
R4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R4 WUSB54GSC;WUSB54GSC;c:\program files\linksys\wusb54gsc\WLService.exe [2008-5-11 53307]
S3 cdrmkaun;cdrmkaun;\??\c:\docume~1\jasonc~1\locals~1\temp\cdrmkaun.sys --> c:\docume~1\jasonc~1\locals~1\temp\cdrmkaun.sys [?]
S3 FarStoneFireWallDrive;FarStoneFireWallDrive;c:\windows\system32\drivers\FarDrive.sys [2004-5-19 142169]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2007-8-16 13824]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2007-8-16 99200]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-1-12 1252232]
S3 XIRLINK;Veo Mobile/Advanced Web Camera;c:\windows\system32\drivers\ucdnt.sys [2004-1-26 728083]

=============== Created Last 30 ================

2009-01-04 14:23 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-04 14:23 76,040 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-04 14:23 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-04 14:23 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-01-04 14:23 <DIR> --d----- c:\program files\AVG
2009-01-04 14:07 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-04 14:07 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-04 14:07 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-03 10:09 <DIR> --d----- C:\VundoFix Backups
2009-01-03 09:38 <DIR> --d----- c:\docume~1\jasonc~1\applic~1\Malwarebytes
2009-01-03 09:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-27 19:37 <DIR> --d----- c:\program files\Cobian Backup 9
2008-12-26 23:33 <DIR> --d-h--- C:\$AVG8.VAULT$
2008-12-26 15:50 <DIR> a-dshr-- C:\cmdcons
2008-12-26 15:50 161,792 a------- c:\windows\SWREG.exe
2008-12-26 15:50 98,816 a------- c:\windows\sed.exe

==================== Find3M ====================

2008-10-23 07:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-16 04:20 667,648 a------- c:\windows\system32\wininet.dll
2007-01-22 19:56 54,624 a------- c:\docume~1\jasonc~1\applic~1\GDIPFONTCACHEV1.DAT
2006-01-02 13:23 205 a------- c:\documents and settings\***\3.dat

============= FINISH: 8:57:00.20 ===============

#7 shelf life

  • Malware Response Team
  • 2,688 posts
  • Gender:Male
  • Location:@localhost

Posted 05 January 2009 - 05:57 PM

hi,

OK, thanks for the info. Yes, you can post another HJT log. Is AVG functioning yet?
If not, I wouldn't go very much longer without an active antivirus. I can point you to some free ones, or you could look around their web site for FAQ/troubleshooting.

How Can I Reduce My Risk to Malware?


#8 Funkadelic73
  • Topic Starter
  • Members
  • 10 posts

Posted 06 January 2009 - 09:34 AM

AVG is now working.


DDS (Version 1.1.0) - NTFSx86
Run by *** at 8:33:08.87 on Tue 01/06/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.97 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Linksys\WUSB54GSC\WLService.exe
C:\Program Files\Linksys\WUSB54GSC\WUSB54GSC.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Netropa\OSD.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\***\Local Settings\Temporary Internet Files\Content.IE5\WHMZCP03\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {316AEF8D-3C37-423E-9E6E-13820A9DC37A} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: {E22F9B9D-1A1F-473E-BED6-D8BC152441F4} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nwiz] nwiz.exe /install
mRun: [Disc Detector] c:\program files\creative\sharedll\CtNotify.exe
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers
mRun: [DellTouch] c:\windows\DELLMMKB.EXE
mRun: [AHQInit] c:\program files\creative\sblive\program\AHQInit.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
uPolicies-explorer: <NO NAME> =
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: FarLsp.dll
TCP: {2CBF71A3-D92B-4325-9F20-58DFE61EC5B9} = 208.67.220.220,208.67.222.222
TCP: {71097B7B-7C4B-40DB-9D75-B72F214EFE01} = 208.67.220.220,208.67.222.222
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: avgrsstx.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-4 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-4 26824]
R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [2004-6-16 6942]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-4 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-4 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-4 76040]
R4 IOPort;IOPort;c:\windows\system32\drivers\IOPORT.SYS [1998-11-27 6144]
R4 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [2004-6-16 28672]
R4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R4 WUSB54GSC;WUSB54GSC;c:\program files\linksys\wusb54gsc\WLService.exe [2008-5-11 53307]
S3 cdrmkaun;cdrmkaun;\??\c:\docume~1\jasonc~1\locals~1\temp\cdrmkaun.sys --> c:\docume~1\jasonc~1\locals~1\temp\cdrmkaun.sys [?]
S3 FarStoneFireWallDrive;FarStoneFireWallDrive;c:\windows\system32\drivers\FarDrive.sys [2004-5-19 142169]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2007-8-16 13824]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2007-8-16 99200]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-1-12 1252232]
S3 XIRLINK;Veo Mobile/Advanced Web Camera;c:\windows\system32\drivers\ucdnt.sys [2004-1-26 728083]

=============== Created Last 30 ================

2009-01-04 14:23 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-04 14:23 76,040 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-04 14:23 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-04 14:23 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-01-04 14:23 <DIR> --d----- c:\program files\AVG
2009-01-04 14:07 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-04 14:07 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-04 14:07 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-03 10:09 <DIR> --d----- C:\VundoFix Backups
2009-01-03 09:38 <DIR> --d----- c:\docume~1\jasonc~1\applic~1\Malwarebytes
2009-01-03 09:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-27 19:37 <DIR> --d----- c:\program files\Cobian Backup 9
2008-12-26 23:33 <DIR> --d-h--- C:\$AVG8.VAULT$
2008-12-26 15:50 <DIR> a-dshr-- C:\cmdcons
2008-12-26 15:50 161,792 a------- c:\windows\SWREG.exe
2008-12-26 15:50 98,816 a------- c:\windows\sed.exe

==================== Find3M ====================

2008-10-23 07:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-16 04:20 667,648 a------- c:\windows\system32\wininet.dll
2007-01-22 19:56 54,624 a------- c:\docume~1\jasonc~1\applic~1\GDIPFONTCACHEV1.DAT
2006-01-02 13:23 205 a------- c:\documents and settings\***\3.dat

============= FINISH: 8:33:52.28 ===============

#9 shelf life

  • Malware Response Team
  • 2,688 posts
  • Gender:Male
  • Location:@localhost

Posted 06 January 2009 - 06:34 PM

hi,

OK, thanks for the info. You can get the traditional HJT like this:

download HJTInstall.exe

http://www.trendsecure.com/portal/en-US/th.../HJTInstall.exe

* Save HJTInstall.exe to your desktop.
* Doubleclick on the HJTInstall.exe icon on your desktop.
* By default it will install to C:\Program Files\Trend Micro\HijackThis .
* Click on Install.
* It will create a HijackThis icon on the desktop.
* Once installed, it will launch Hijackthis.
* Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
* Click on "Edit > Select All" then click on "Edit > Copy" and Paste the entire contents of the log in your next reply.

How Can I Reduce My Risk to Malware?


#10 Funkadelic73
  • Topic Starter
  • Members
  • 10 posts

Posted 07 January 2009 - 03:25 PM

Sorry for the confusion:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:25:08 PM, on 1/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Linksys\WUSB54GSC\WLService.exe
C:\Program Files\Linksys\WUSB54GSC\WUSB54GSC.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Netropa\OSD.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\***\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {316AEF8D-3C37-423E-9E6E-13820A9DC37A} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {E22F9B9D-1A1F-473E-BED6-D8BC152441F4} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093881192328
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...805/mcfscan.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CBF71A3-D92B-4325-9F20-58DFE61EC5B9}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{71097B7B-7C4B-40DB-9D75-B72F214EFE01}: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WUSB54GSC - GEMTEKS - C:\Program Files\Linksys\WUSB54GSC\WLService.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/JASONC~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 9781 bytes

#11 shelf life

  • Malware Response Team
  • 2,688 posts
  • Gender:Male
  • Location:@localhost

Posted 07 January 2009 - 06:58 PM

hi,

OK, thanks for the info. To remove ComboFix you can do this:
start>run and type in:
combofix /u
click ok or enter
Note: There is a space after the x and before the /

Keep MBAM and always check for updates before scanning. The paid version offers auto updates and real time protection.


Start HJT and click the "Scan" button. Check the items below, close any open windows, then click "Fix checked".

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {316AEF8D-3C37-423E-9E6E-13820A9DC37A} - (no file)
O2 - BHO: (no name) - {E22F9B9D-1A1F-473E-BED6-D8BC152441F4} - (no file)

Two things you can do: Java and system restore:

Java:

Vulnerabilities in versions of Sun Java may be responsible for some malware installs via your browser.

It is important to keep Sun Java up to date and also to remove older versions.

1. Uninstall old versions of Sun Java via Add/Remove Programs.
2. Click the Remove or Change/Remove button.
3. Reboot your PC if prompted.

To check if you have the latest version of Java and to download the latest version:

http://www.java.com/en/download/help/testvm.xml?ff3

System restore:

One of the features of Windows ME, XP and Vista is the System Restore option; however, if malware infects a computer it is possible that the malware could be backed up in the System Restore folder. Therefore, clearing the restore points is a good idea after malware is removed.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore. (new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot.

If all is good on your end, some tips for you:

Reducing Your Risk To Malware:
The Short Version:

1) Keep your OS (Windows), browser (IE, Firefox) and other software up to date to "patch" vulnerabilities. Always install Service Packs.

2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons. You may be installing more than you think.

3) Install and keep them all updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless.

4) Refrain from clicking on links or attachments you receive via E-Mail, IM, Chat Rooms or Social Sites, no matter how tempting or legitimate the message.

5) Don't click on ads/pop-ups or offers from websites requesting that you need to install software to your computer.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?

7) Set up and use limited accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing.*

8) Install a third party software firewall.

9) Consider using an alternate browser and E-mail client. Internet Explorer and Outlook Express are popular targets for malicious code because they are widely used. See also: Hardening or Securing Internet Explorer.

10) If your habits include: warez, cracks, etc., or you install files via p2p networks, then you are much more likely to encounter malicious code. Do you trust the source? Do you really need another malware source?

A longer version is in the link below.

Happy Safe Surfing.

How Can I Reduce My Risk to Malware?
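
As an added illustration for readers working through logs like the ones in this thread (it is not part of HijackThis, DDS, ComboFix, or anything the helper posted), here is a small Python triage script that does mechanically what shelf life did by eye above: it flags HijackThis entries whose target file is gone ("(no file)", or "No File" in the DDS pseudo-HJT report), which are the three items he asked to have fixed, and it flags drivers or programs loading out of a user's Temp folder, like the `cdrmkaun.sys` entry in the DDS service list. The sample lines are copied from the logs posted in this thread; the regular expressions, the `classify`/`triage` function names and the Temp-folder heuristic are my own assumptions, not anything the tools themselves provide.

```python
"""Triage helper for HijackThis and DDS log lines.

Added example for this thread; not part of HijackThis, DDS, ComboFix or
anything the helper posted. It flags the two things the helper singled out
in the logs above: entries whose target file no longer exists, and drivers
or programs that load out of a user's Temp folder.
"""
import re

# HijackThis lines: "O2 - BHO: <name> - {CLSID} - <path>" (section code first)
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")

# DDS service/driver lines: "S3 name;display name;path [date size]"
DDS_SVC_LINE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)(?: \[[^\]]*\])?$"
)

# DDS pseudo-HJT prefixes whose lines end in "No File" when the target is gone
DDS_ORPHAN_PREFIXES = ("bho:", "tb:", "eb:", "uurlsearchhooks:")

# A path under <profile>\Local Settings\Temp (8.3 short form or long form),
# with backslash or forward-slash separators (O24 entries use file:/// URLs).
# Heuristic of this example, not a HijackThis rule.
TEMP_DIR = re.compile(r"[\\/](?:locals~1|local settings)[\\/]temp[\\/]", re.IGNORECASE)


def classify(line):
    """Return a reason string if the line deserves a look, otherwise None."""
    stripped = line.strip()
    lowered = stripped.lower()

    m = HJT_LINE.match(stripped)
    if m:
        if "(no file)" in lowered:
            return "orphan: %s entry points at a missing file" % m.group("section")
        if TEMP_DIR.search(stripped):
            return "temp-dir: %s entry loads from a Temp folder" % m.group("section")
        return None

    # DDS pseudo-HJT report marks orphans with a trailing "No File"
    if lowered.startswith(DDS_ORPHAN_PREFIXES) and lowered.endswith("no file"):
        return "orphan: DDS entry points at a missing file"

    m = DDS_SVC_LINE.match(stripped)
    if m and TEMP_DIR.search(m.group("path")):
        return "temp-dir: driver/service %s loads from a Temp folder" % m.group("name")

    return None


def triage(lines):
    """Run classify() over an iterable of log lines; return [(reason, line), ...]."""
    hits = []
    for line in lines:
        reason = classify(line)
        if reason:
            hits.append((reason, line.strip()))
    return hits


# Sample lines copied from the logs posted in this thread (not a full log).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {316AEF8D-3C37-423E-9E6E-13820A9DC37A} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/JASONC~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
BHO: {E22F9B9D-1A1F-473E-BED6-D8BC152441F4} - No File
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-4 97928]
S3 cdrmkaun;cdrmkaun;\??\c:\docume~1\jasonc~1\locals~1\temp\cdrmkaun.sys --> c:\docume~1\jasonc~1\locals~1\temp\cdrmkaun.sys [?]
""".strip().splitlines()


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print("%-55s %s" % (reason, line))
```

Run against the sample it reports the two "(no file)" HijackThis entries, the "No File" DDS entry, the O24 desktop component and the `cdrmkaun` driver, and stays quiet on the Adobe BHO and the AVG driver. A flagged line is a reason to look, not a verdict: orphaned entries are harmless leftovers that are simply worth cleaning up, while something loading from Temp is worth checking against the rest of the log before deciding anything.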


#12 Funkadelic73
  • Topic Starter
  • Members
  • 10 posts

Posted 11 January 2009 - 11:52 AM

Thanks for your help! Everything seems to be running smoothly now.