
I need help with a Logger.FZC trojan


  • This topic is locked
17 replies to this topic

#1 sandslinger


Posted 15 January 2009 - 08:32 PM

AVG pops up with a threat, but when it moves it to the vault, it pops back up. Running a scan does not find anything. The file name seems to be "C:\Program Files\Microsoft Tools\Hide.dll". Process name is "C:\Windows\system32\scvhost.exe" and "C:\Program Files\Internet Explorer\iexplore.exe". Here is a copy of the HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:19:48 PM, on 1/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Nero\Nero BackItUp 4\IoctlSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\AVG\AVG8\avgupd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero BackItUp 4\NBKeyScan.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Nero MediaHome 4] "C:\Program Files\Nero\Nero MediaHome 4\NeroMediaHome.exe" /AUTORUN
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [svhost] C:\Program Files\Microsoft Tools\svchost.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/a...ntent/AcpIR.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Atheros Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: Nero MediaHome 4 Service (NeroMediaHomeService.4) - Nero AG - C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Program Files\Nero\Nero BackItUp 4\IoctlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TVT Windows Update Monitor (TVT_UpdateMonitor) - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9825 bytes



Thanks in advance for any help you can provide!


#2 Hoov

  • Malware Response Team

Posted 29 January 2009 - 11:55 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.
Also please explain your problem as fully as possible. Each little detail will help in getting your system cleaned up and functional again.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scans:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into Safe Mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If you use other security programs that detect registry changes (e.g. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.



* Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.scr
DDS.pif

* Double click on the DDS icon, allow it to run.
* A small box will open, with an explanation about the tool. No input is needed; the scan is running.
* Notepad will open with the results, click no to the Optional_Scan
* Follow the instructions that pop up for posting the results.
* Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families


#3 sandslinger

  • Topic Starter

Posted 29 January 2009 - 11:36 PM

More details.......AVG's Resident Shield pops up with a "Potentially Unwanted Program" window. It says the file name is "C:\Program Files\Microsoft Tools\Hide.dll" and the threat name is "Potentially Harmful Program Logger.FZC Detected On Open". It also shows a process ID: 3780. Shortly after this window pops up, Internet Explorer pops up with an error report on why iexplore.exe had to close.

When you hit "Move To Vault" on the AVG pop-up, it just pops up again with additional errors, including C:\Windows\system32\svchost.exe with process ID 3548, C:\Program Files\Internet Explorer\iexplore.exe with process ID 1112, and so on.

When I run a full scan with AVG nothing comes up. I have tried some of the online scans with no luck. I had tried the Malwarebytes scan before with no luck, but did not turn the Resident Shield off. When I downloaded the slightly newer version and ran it, I turned RS off and it did find it. Letting it "fix" it didn't really fix it. It popped back up on the next startup.

Here is the new info........

Malwarebytes' Anti-Malware 1.33
Database version: 1705
Windows 5.1.2600 Service Pack 3

1/29/2009 3:25:01 PM
mbam-log-2009-01-29 (15-25-01).txt

Scan type: Quick Scan
Objects scanned: 68240
Time elapsed: 5 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Microsoft Tools\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.






DDS (Ver_09-01-19.01) - NTFSx86
Run by user at 15:40:44.39 on Thu 01/29/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1583 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Nero\Nero BackItUp 4\IoctlSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
"C:\WINDOWS\system32\svchost.exe"
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\user\Desktop\dds.com

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Ask Toolbar: {fe063db9-4ec0-403e-8dd8-394c54984b2c} - c:\program files\asktbar\bar\4.bin\ASKTBAR.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [svhost] c:\program files\microsoft tools\svchost.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [NBKeyScan] "c:\program files\nero\nero backitup 4\NBKeyScan.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Nero MediaHome 4] "c:\program files\nero\nero mediahome 4\NeroMediaHome.exe" /AUTORUN
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxps://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5501/mcfscan.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
AppInit_DLLs: avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-27 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-27 26824]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2008-5-27 4442]
R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [2007-12-5 46656]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2007-5-22 30336]
R3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [2008-5-27 57344]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-5-27 875288]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-5-27 231704]
R4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-27 76040]
R4 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2008-9-24 935208]
R4 NeroMediaHomeService.4;Nero MediaHome 4 Service;c:\program files\nero\nero mediahome 4\NMMediaServerService.exe [2008-10-1 427304]
R4 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2007-12-5 520192]
R4 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\lenovo\rescue and recovery\UpdateMonitor.exe [2007-12-5 249856]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-11-19 24652]
S3 EL3C574;FE574B-3Com 10/100 LAN PCCard Device Driver;c:\windows\system32\drivers\el574nd4.sys [2008-5-27 24653]

=============== Created Last 30 ================

2009-01-29 14:33 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-29 14:33 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-29 14:33 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-27 20:23 <DIR> --d----- c:\program files\NewsMan Pro
2009-01-27 20:09 <DIR> --d----- c:\documents and settings\user\Downloads
2009-01-27 20:09 <DIR> --d----- c:\docume~1\user\applic~1\NewsLeecher
2009-01-21 14:42 <DIR> --d----- c:\windows\McAfee.com
2009-01-20 14:34 22,016 ac------ c:\windows\system32\dllcache\msircomm.sys
2009-01-20 14:34 22,016 a------- c:\windows\system32\drivers\MSIRCOMM.sys
2009-01-07 16:55 <DIR> --d----- C:\ComboFix
2009-01-07 16:53 <DIR> a-dshr-- C:\cmdcons
2009-01-07 16:05 <DIR> --d----- C:\HijackThis
2009-01-07 15:38 <DIR> --d----- c:\windows\pss
2009-01-07 15:34 161,792 a------- c:\windows\SWREG.exe
2009-01-07 15:34 98,816 a------- c:\windows\sed.exe
2009-01-07 11:43 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-07 11:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-07 10:14 <DIR> --dshr-- c:\program files\Microsoft Tools
2009-01-07 10:00 132,880 a------- c:\windows\system32\MSINET.OCX
2009-01-06 13:38 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes
2009-01-06 13:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2009-01-29 15:27 17,408 a------- c:\windows\system32\rpcnetp.exe
2009-01-29 15:27 47,104 a------- c:\windows\system32\rpcnet.dll
2009-01-07 15:11 47,104 a------- c:\windows\system32\rpcnet.exe
2009-01-07 15:09 17,408 a------- c:\windows\system32\rpcnetp.dll
2008-12-11 05:57 333,952 -------- c:\windows\system32\drivers\srv.sys
2008-11-03 18:20 68,965 a------- c:\windows\hpoins05.dat
2008-11-02 19:31 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-10-27 08:29 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102720081028\index.dat

============= FINISH: 15:41:10.31 ===============


Let me know if you need any more info. I really appreciate the help!!!!!
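The entries a responder picks out by eye in the HijackThis log from post #1 and the MBAM/DDS output above are the `[svhost]` Run value pointing at a svchost.exe under Program Files\Microsoft Tools, the hidden+system attributes on that directory in the "Created Last 30" listing, and the quoted svchost.exe in the DDS process list that carries no -k service group. The script below is an added example, not part of this thread and not code from HijackThis, DDS, MBAM or ComboFix; it encodes those checks and runs them over constructed sample lines that mirror the logs above. The table of legitimate system directories and the "one edit away" name heuristic are assumptions for a 32-bit Windows XP install, and a hit only means "look at this", not "this is malicious".

```python
"""Offline triage of HijackThis / DDS log lines.

Added example for this thread; not part of HijackThis, DDS or ComboFix.
Checks encoded:
  * a Windows system binary name running from anywhere but its home directory,
  * a Run value whose name is one typo away from a system binary (svhost),
  * svchost.exe started without a '-k <group>' argument (DDS prints arguments;
    HijackThis does not, so this only fires on DDS output),
  * a hidden+system directory under Program Files in a DDS/ComboFix listing.
The home-directory table is an assumption for 32-bit XP.
"""
import ntpath
import re
from typing import List, Tuple

# Binaries that malware routinely impersonates by name.
SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "smss.exe", "rundll32.exe", "explorer.exe",
}
# Assumed legitimate directories (lower-case) on a 32-bit XP install.
DEFAULT_DIRS = {r"c:\windows\system32"}
SYSTEM_DIRS = {"explorer.exe": {r"c:\windows"}}

# HijackThis: O4 - HKCU\..\Run: [svhost] C:\Program Files\Microsoft Tools\svchost.exe
# DDS:        uRun: [svhost] c:\program files\microsoft tools\svchost.exe
RUN_RE = re.compile(
    r"^(?:O4 - HK\w+\\\.\.\\Run:|[um]Run:)\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$", re.I)
# First drive-letter path ending in an executable extension, quotes optional.
PATH_RE = re.compile(r'"?(?P<path>[a-z]:\\[^"]+?\.(?:exe|dll|com|scr|pif))"?', re.I)
# DDS:      2009-01-07 10:14 <DIR> --dshr-- c:\program files\Microsoft Tools
# ComboFix: 2009-01-07 10:14 . 2009-01-29 22:09 <DIR> dr-hs---- c:\program files\Microsoft Tools
DIR_RE = re.compile(r"<DIR>\s+(?P<attrs>[a-z-]+)\s+(?P<path>[a-z]:\\.+)$", re.I)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str) -> str:
    """System binary that `name` is one edit away from, or '' if none."""
    stem = name.lower()
    if not stem.endswith(".exe"):
        stem += ".exe"
    for real in sorted(SYSTEM_BINARIES):
        if stem != real and _edit_distance(stem, real) == 1:
            return real
    return ""


def _misplaced(path: str) -> str:
    """Reason string if a system-binary name sits outside its home directory."""
    base, home = ntpath.basename(path), ntpath.dirname(path)
    if base in SYSTEM_BINARIES and home not in SYSTEM_DIRS.get(base, DEFAULT_DIRS):
        return f"{base} running from non-system directory {home}"
    return ""


def check_run_entry(line: str) -> List[str]:
    """Reasons an O4 / uRun / mRun autorun line deserves a look."""
    m = RUN_RE.match(line.strip())
    if not m:
        return []
    p = PATH_RE.search(m.group("cmd"))      # search() skips a leading 'rundll32 ' host
    reason = _misplaced(p.group("path").lower()) if p else ""
    reasons = [reason] if reason else []
    real = lookalike(m.group("name"))
    if real:
        reasons.append(f"value name '{m.group('name')}' is one edit away from {real}")
    return reasons


def check_process(line: str) -> List[str]:
    """Reasons a DDS 'Running Processes' line deserves a look."""
    s = line.strip()
    p = PATH_RE.match(s)                    # bare 'svchost.exe' lines carry no path: skip
    if not p:
        return []
    path = p.group("path").lower()
    reasons = [r for r in [_misplaced(path)] if r]
    if ntpath.basename(path) == "svchost.exe" and "-k" not in s.lower():
        reasons.append("svchost.exe started without a -k service group")
    return reasons


def check_dir_entry(line: str) -> List[str]:
    """Hidden+system directory under Program Files. The Recovery Console
    directory (cmdcons) is hidden+system too, but sits on the drive root."""
    m = DIR_RE.search(line.strip())
    if not m:
        return []
    attrs, path = m.group("attrs").lower(), m.group("path").lower()
    if "h" in attrs and "s" in attrs and path.startswith("c:\\program files\\"):
        return [f"hidden+system directory {path}"]
    return []


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Run every check over a log dump and return (line, reason) pairs."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for reason in check_run_entry(line) + check_process(line) + check_dir_entry(line):
            hits.append((line, reason))
    return hits


# Constructed sample mirroring entries from the logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [svhost] C:\Program Files\Microsoft Tools\svchost.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
C:\WINDOWS\System32\svchost.exe -k netsvcs
"C:\WINDOWS\system32\svchost.exe"
2009-01-07 10:14 <DIR> --dshr-- c:\program files\Microsoft Tools
2009-01-07 16:53 <DIR> a-dshr-- C:\cmdcons
"""

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run it as-is and it reports four hits: two for the `[svhost]` line (wrong directory and a typosquatted value name), one for the quoted svchost.exe with no -k group, and one for the hidden+system Microsoft Tools directory; the AVG, ctfmon, rundll32, `-k netsvcs` and cmdcons lines pass. Paste a whole HijackThis or DDS dump into `triage()` to apply the same checks to a real log.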

#4 Hoov

  • Malware Response Team

Posted 30 January 2009 - 12:58 AM

Reboot to Safe Mode and we will begin with ComboFix.exe. Please visit this web page for download links and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Also make sure you close all your browsers just before the instructions tell you to start the scanner.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#5 sandslinger

  • Topic Starter

Posted 30 January 2009 - 09:31 AM

ComboFix 09-01-21.04 - user 2009-01-30 8:58:05.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1525 [GMT -5:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-30 )))))))))))))))))))))))))))))))
.

2009-01-29 14:33 . 2009-01-29 14:33 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-29 14:33 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-29 14:33 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-27 20:23 . 2009-01-27 20:23 <DIR> d-------- c:\program files\NewsMan Pro
2009-01-27 20:09 . 2009-01-27 20:09 <DIR> d-------- c:\documents and settings\user\Downloads
2009-01-27 20:09 . 2009-01-27 20:12 <DIR> d-------- c:\documents and settings\user\Application Data\NewsLeecher
2009-01-23 15:07 . 2009-01-23 18:24 <DIR> d-------- C:\movies
2009-01-21 14:42 . 2009-01-21 14:42 <DIR> d-------- c:\windows\McAfee.com
2009-01-21 13:05 . 2009-01-21 14:35 <DIR> d-------- c:\windows\BDOSCAN8
2009-01-20 14:34 . 2008-04-13 14:54 22,016 --a------ c:\windows\system32\drivers\MSIRCOMM.sys
2009-01-20 14:34 . 2008-04-13 14:54 22,016 --a--c--- c:\windows\system32\dllcache\msircomm.sys
2009-01-07 16:05 . 2009-01-26 11:34 <DIR> d-------- C:\HijackThis
2009-01-07 15:04 . 2009-01-07 15:04 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-07 13:39 . 2009-01-07 13:39 <DIR> d-------- c:\documents and settings\Administrator
2009-01-07 11:43 . 2009-01-07 11:44 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-07 11:43 . 2009-01-07 13:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-07 10:14 . 2009-01-29 22:09 <DIR> dr-hs---- c:\program files\Microsoft Tools
2009-01-07 10:00 . 2009-01-07 10:00 132,880 --a------ c:\windows\system32\MSINET.OCX
2009-01-06 13:38 . 2009-01-06 13:38 <DIR> d-------- c:\documents and settings\user\Application Data\Malwarebytes
2009-01-06 13:38 . 2009-01-06 13:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-04 19:53 . 2009-01-04 19:53 <DIR> d-------- c:\documents and settings\user\Application Data\Viewpoint
2008-12-14 19:15 . 2008-12-14 19:15 <DIR> d--h----- c:\windows\PIF
2008-12-10 10:11 . 2008-04-13 20:11 21,504 --a------ c:\windows\system32\hidserv.dll
2008-12-10 10:11 . 2008-04-13 20:11 21,504 --a--c--- c:\windows\system32\dllcache\hidserv.dll
2008-12-10 10:11 . 2008-04-13 14:39 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-12-10 10:11 . 2008-04-13 14:39 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2008-12-10 10:11 . 2008-04-13 14:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2008-12-10 10:11 . 2008-04-13 14:45 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2008-12-08 11:26 . 2008-12-08 11:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP Product Assistant
2008-12-03 15:59 . 2008-12-03 15:59 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-12-03 15:58 . 2008-12-03 15:58 <DIR> d-------- c:\program files\Common Files\Adobe
2008-12-03 15:56 . 2008-12-04 09:06 <DIR> d-------- c:\program files\NOS
2008-12-03 15:56 . 2008-12-04 09:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2008-12-02 11:03 . 2008-12-02 11:03 <DIR> d-------- c:\program files\Xilisoft
2008-12-02 11:03 . 2008-12-02 11:03 <DIR> d-------- c:\documents and settings\user\Application Data\Xilisoft Corporation

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-29 19:17 --------- d-----w c:\program files\DVDFab 5
2009-01-23 23:18 --------- d-----w c:\program files\Agent
2009-01-21 21:33 --------- d-----w c:\documents and settings\Guest\Application Data\Nero
2009-01-16 01:05 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-11 10:57 333,952 ------w c:\windows\system32\drivers\srv.sys
2008-12-08 16:20 --------- d-----w c:\program files\Common Files\AVSMedia
2008-12-04 18:39 --------- d-----w c:\documents and settings\user\Application Data\Vso
2008-10-27 13:29 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102720081028\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-07_15.48.47.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-21 18:05:51 45,056 ----a-w c:\windows\BDOSCAN8\avxdisk.dll
+ 2009-01-21 18:05:51 10,240 ----a-w c:\windows\BDOSCAN8\avxs.dll
+ 2009-01-21 18:05:52 27,136 ----a-w c:\windows\BDOSCAN8\avxt.dll
+ 2009-01-21 18:05:55 102,400 ----a-w c:\windows\BDOSCAN8\bdcore.dll
+ 2008-01-09 20:01:48 118,784 ----a-w c:\windows\BDOSCAN8\bdupd.dll
+ 2008-01-09 20:01:48 53,248 ----a-w c:\windows\BDOSCAN8\ipsupd.dll
+ 2009-01-21 18:05:56 142,848 ----a-w c:\windows\BDOSCAN8\libfn.dll
+ 2009-01-21 18:05:52 86,016 ----a-w c:\windows\BDOSCAN8\librtvr.dll
+ 2008-01-09 20:01:48 53,248 ----a-w c:\windows\bdoscandel.exe
+ 2008-01-09 20:01:48 118,784 ----a-w c:\windows\Downloaded Program Files\bdupd.dll
+ 2008-01-09 20:01:48 53,248 ----a-w c:\windows\Downloaded Program Files\ipsupd.dll
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2008-12-12 14:25:57 1,165,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-01-16 01:05:03 1,165,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2008-12-12 14:25:58 20,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-01-16 01:05:04 20,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-12-12 14:25:58 159,504 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-01-16 01:05:03 159,504 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2008-12-12 14:25:58 184,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2009-01-16 01:05:03 184,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2008-12-12 14:25:58 217,864 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2009-01-16 01:05:04 217,864 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2008-12-12 14:25:58 18,704 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-01-16 01:05:04 18,704 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-12-12 14:25:58 35,088 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-01-16 01:05:04 35,088 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-12-12 14:25:58 845,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-01-16 01:05:03 845,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2008-12-12 14:25:58 922,384 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-01-16 01:05:04 922,384 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2008-12-12 14:25:58 272,648 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-01-16 01:05:04 272,648 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2008-12-12 14:25:58 888,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-01-16 01:05:04 888,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-12-12 14:25:57 1,172,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-01-16 01:05:03 1,172,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2007-07-13 15:54:40 24,576 ----a-w c:\windows\McAfee.com\FreeScan\avdat.exe
+ 2008-07-09 09:30:00 5,444 ----a-w c:\windows\McAfee.com\FreeScan\config.dat
+ 2009-01-20 17:57:34 156,936 ----a-w c:\windows\McAfee.com\FreeScan\mcfscan.dll
+ 2008-07-09 09:30:00 3,092,646 ----a-w c:\windows\McAfee.com\FreeScan\mcscan32.dll
+ 2009-01-20 10:30:00 976,224 ----a-w c:\windows\McAfee.com\FreeScan\names.DAT
+ 2006-12-18 15:03:00 7,449 ----a-w c:\windows\McAfee.com\FreeScan\rwabs16.dll
+ 2006-12-18 15:03:10 16,921 ----a-w c:\windows\McAfee.com\FreeScan\rwabs32.dll
+ 2009-01-20 10:30:00 68,197,116 ----a-w c:\windows\McAfee.com\FreeScan\scan.DAT
- 2000-08-31 13:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 13:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
+ 2008-06-20 17:46:57 147,968 -c----w c:\windows\system32\dllcache\dnsapi.dll
+ 2008-06-20 17:46:57 245,248 -c----w c:\windows\system32\dllcache\mswsock.dll
- 2008-09-08 10:41:42 333,824 -c----w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 10:57:09 333,952 -c----w c:\windows\system32\dllcache\srv.sys
+ 2008-06-20 11:51:12 361,600 -c----w c:\windows\system32\dllcache\tcpip.sys
+ 2008-06-20 11:08:27 225,856 -c----w c:\windows\system32\dllcache\tcpip6.sys
- 2008-04-14 00:11:52 147,968 ------w c:\windows\system32\dnsapi.dll
+ 2008-06-20 17:46:57 147,968 ----a-w c:\windows\system32\dnsapi.dll
- 2008-04-13 19:20:16 361,344 ------w c:\windows\system32\drivers\tcpip.sys
+ 2008-06-20 11:51:12 361,600 ------w c:\windows\system32\drivers\tcpip.sys
- 2008-04-13 19:00:02 225,664 ------w c:\windows\system32\drivers\tcpip6.sys
+ 2008-06-20 11:08:27 225,856 ------w c:\windows\system32\drivers\tcpip6.sys
- 2008-12-09 23:24:37 17,593,280 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\system32\MRT.exe
- 2008-04-14 00:12:01 245,248 ------w c:\windows\system32\mswsock.dll
+ 2008-06-20 17:46:57 245,248 ----a-w c:\windows\system32\mswsock.dll
- 2008-11-03 04:24:42 71,652 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-28 02:24:34 72,496 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-03 04:24:42 441,752 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-28 02:24:34 444,656 ----a-w c:\windows\system32\perfh009.dat
- 2009-01-07 15:30:24 154,616 ----a-w c:\windows\system32\Restore\rstrlog.dat
+ 2009-01-07 21:55:27 141,924 ----a-w c:\windows\system32\Restore\rstrlog.dat
- 2009-01-07 20:41:28 47,104 ----a-w c:\windows\system32\rpcnet.dll
+ 2009-01-30 14:02:50 47,104 ----a-w c:\windows\system32\rpcnet.dll
- 2009-01-07 20:41:31 17,408 ----a-w c:\windows\system32\rpcnetp.exe
+ 2009-01-30 14:02:52 17,408 ----a-w c:\windows\system32\rpcnetp.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-31 39408]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]
"svhost"="c:\program files\Microsoft Tools\svchost.exe" [2006-05-29 537202]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-09-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-09-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-09-15 118784]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-01-24 66928]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-12-05 122880]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-05 524288]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-01-11 294912]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-01-11 208896]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2007-12-05 487424]
"NBKeyScan"="c:\program files\Nero\Nero BackItUp 4\NBKeyScan.exe" [2008-09-24 2254120]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Nero MediaHome 4"="c:\program files\Nero\Nero MediaHome 4\NeroMediaHome.exe" [2008-10-01 3622184]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-29 1261336]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-05-27 45056]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 18:37 34344 c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2007-12-14 18:36 28672 c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Nero\\Nero MediaHome 4\\NMMediaServerService.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-05-27 97928]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2008-05-27 4442]
R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [2007-12-05 46656]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2007-05-22 30336]
R3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [2008-05-27 57344]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-05-27 875288]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-05-27 231704]
R4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-05-27 76040]
R4 NeroMediaHomeService.4;Nero MediaHome 4 Service;c:\program files\Nero\Nero MediaHome 4\NMMediaServerService.exe [2008-10-01 427304]
R4 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-12-05 520192]
R4 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [2007-12-05 249856]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-11-19 24652]
S3 EL3C574;FE574B-3Com 10/100 LAN PCCard Device Driver;c:\windows\system32\drivers\el574nd4.sys [2008-05-27 24653]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98e52312-bb6b-11dd-898e-00166f1bcb0b}]
\Shell\AutoRun\command - F:\tcauto.exe
\Shell\VERB\COMMAND - F:\tcauto.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-30 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-01-11 00:30]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxps://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-30 09:03:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(920)
c:\program files\Lenovo\HOTKEY\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\acs.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files\Nero\Nero BackItUp 4\IoctlSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\rpcnet.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Common Files\Lenovo\Logger\logmon.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\ZOOM\TpScrex.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
.
**************************************************************************
.
Completion time: 2009-01-30 9:06:52 - machine was rebooted [user]
ComboFix-quarantined-files.txt 2009-01-30 14:06:49
ComboFix2.txt 2009-01-07 21:44:35
ComboFix3.txt 2009-01-07 20:49:40

Pre-Run: 10,845,786,112 bytes free
Post-Run: 11,063,410,688 bytes free

262 --- E O F --- 2009-01-16 01:05:08
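Two details in the log above are the kind an analyst looks for by eye: a directory created under Program Files with the hidden and system attributes set (`dr-hs----`), and a Run value whose binary is named like a Windows system process but sits outside the Windows directory. The following script is an added example, not part of the thread or of ComboFix; it parses a constructed excerpt in the same layout as the log and flags both patterns. The regular expressions and the heuristics are this example's own assumptions about the log format, not a ComboFix specification.

```python
"""Triage helper for ComboFix-style log excerpts (added example)."""
import re

# Binary names that legitimately live in %SystemRoot% or System32.  A copy
# under Program Files that reuses one of these names is a common masquerade.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "smss.exe", "explorer.exe", "rundll32.exe"}

# Constructed excerpt: a few lines copied in the log's layout, not a full log.
SAMPLE_LOG = r"""
2009-01-07 11:43 . 2009-01-07 11:44 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-07 10:14 . 2009-01-29 22:09 <DIR> dr-hs---- c:\program files\Microsoft Tools
2008-12-14 19:15 . 2008-12-14 19:15 <DIR> d--h----- c:\windows\PIF

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"svhost"="c:\program files\Microsoft Tools\svchost.exe" [2006-05-29 537202]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-29 1261336]
"""

# "Files Created" directory line: two timestamps, <DIR>, 9-char attribute string, path.
DIR_RE = re.compile(r'^\S+ \S+ \. \S+ \S+ <DIR> (?P<attrs>[d\-rhsac]{9}) (?P<path>.+)$')
# Registry key header such as [HKEY_CURRENT_USER\...\Run].
KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
# Run value: "name"="path" [date size]  (the bracketed part is optional).
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"(?: \[(?P<date>\S+) (?P<size>\d+)\])?$')


def parse_log(text):
    """Return (directories, run_entries) found in a log excerpt.

    directories: list of (attrs, path); run_entries: list of (key, name, path).
    """
    dirs, runs, key = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")          # subsequent values belong to this key
            continue
        m = DIR_RE.match(line)
        if m:
            dirs.append((m.group("attrs"), m.group("path")))
            continue
        m = RUN_RE.match(line)
        if m and key:
            runs.append((key, m.group("name"), m.group("path")))
    return dirs, runs


def hidden_system_dirs(dirs):
    """Directories created with both hidden (h) and system (s) attributes
    outside c:\\windows; legitimate software rarely hides itself this way."""
    return [path for attrs, path in dirs
            if "h" in attrs and "s" in attrs
            and not path.lower().startswith(r"c:\windows")]


def masquerading_run_entries(runs):
    """Run values whose executable reuses a Windows system binary name but
    whose path is not under c:\\windows (e.g. svchost.exe in Program Files)."""
    flagged = []
    for key, name, path in runs:
        exe = path.rsplit("\\", 1)[-1].lower()
        if exe in SYSTEM_BINARIES and not path.lower().startswith(r"c:\windows"):
            flagged.append((key, name, path))
    return flagged


def triage(text):
    """Run both checks over a log excerpt and return the findings."""
    dirs, runs = parse_log(text)
    return {"hidden_system_dirs": hidden_system_dirs(dirs),
            "masquerading_run_entries": masquerading_run_entries(runs)}


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(kind)
        for hit in hits:
            print("   ", hit)
```

On the constructed excerpt it flags `c:\program files\Microsoft Tools` and the `svhost` Run value, the two entries the thread goes on to deal with.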

#6 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location: Mikado Michigan

Posted 30 January 2009 - 10:04 AM

Are you still seeing the same problem? Also, did you have an Office update that didn't install smoothly?

Run an online virus scan called Kaspersky from HERE.

1. At the main page, press "Accept" after reading the contents.
2. At the next window select Update. Allow the database to update.
Note: If prompted to run or update your Java, then follow the prompts to do so. Kaspersky requires Java to run.
3. Once the database has finished, under the Scan icon select My Computer to start the scan. The scan may take a few minutes to complete.
4. Select Scan Report.
5. If any threats were found they will appear in the report.
6. Select "Save error report as". Then in the file name just type in kaspersky. Under "save as type" select text .txt. Save it to your Desktop.

Copy and post the results of the Kaspersky Online scan. If no threats were found then report that as well.

Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families


#7 sandslinger

  • Topic Starter
  • Members
  • 11 posts

Posted 30 January 2009 - 01:26 PM

Nothing seems to have changed yet. I ran the online scan that you requested and it came up with the same threat. I do not recall an update going wrong, but maybe I missed it. Here is a copy of the log....

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, January 30, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, January 30, 2009 14:28:17
Records in database: 1728662
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 58088
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:11:02


File name / Threat name / Threats count
C:\Program Files\Microsoft Tools\Hide.dll Infected: not-a-virus:Monitor.Win32.ActualSpy.27 1

The selected area was scanned.


Thanks again for your time in responding to my problem.

#8 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location: Mikado Michigan

Posted 30 January 2009 - 07:11 PM

I would like you to do something that may shed some light on this. Upload C:\Program Files\Microsoft Tools\Hide.dll to VirusTotal. It will do a scan of the file with 38 antivirus engines. Also right-click on it, select Properties, and find out who the author is. Post the log from VirusTotal up here as well as who the author is. I think I have been over-troubleshooting this problem.

#9 sandslinger

  • Topic Starter
  • Members
  • 11 posts

Posted 30 January 2009 - 10:39 PM

There is only a General tab in the properties. Here is the log......

Antivirus;Version;Last Update;Result
AntiVir;7.9.0.60;2009.01.30;SPR/ActualSpy.27.21
AVG;8.0.0.229;2009.01.30;Logger.FZC
BitDefender;7.2;2009.01.31;Application.Generic.23936
eSafe;7.0.17.0;2009.01.29;Suspicious File
eTrust-Vet;31.6.6335;2009.01.29;Win32/ProcHide.C
F-Secure;8.0.14470.0;2009.01.31;Monitor.Win32.ActualSpy.27
Fortinet;3.117.0.0;2009.01.31;PossibleThreat
GData;19;2009.01.31;Application.Generic.23936
K7AntiVirus;7.10.611;2009.01.30;not-a-virus:Monitor.Win32.ActualSpy.27
Kaspersky;7.0.0.125;2009.01.31;not-a-virus:Monitor.Win32.ActualSpy.27
McAfee;5511;2009.01.30;potentially unwanted program Generic PUP
McAfee+Artemis;5511;2009.01.30;potentially unwanted program Generic PUP
NOD32;3814;2009.01.31;a variant of Win32/HideProc.NA
Norman;6.00.02;2009.01.30;W32/ActualSpy.GH
nProtect;2009.1.8.0;2009.01.30;Application.Generic.23936
Panda;9.5.1.2;2009.01.30;Trj/Agent.DPE
Prevx1;V2;2009.01.31;Worm
SecureWeb-Gateway;6.7.6;2009.01.30;Riskware.ActualSpy.27.21
TrendMicro;8.700.0.1004;2009.01.30;PAK_Generic.005
VBA32;3.12.8.12;2009.01.30;suspected of Malware.Delf.61
ViRobot;2009.1.30.1582;2009.01.30;Not_a_virus:Monitor.ActualSpy.7168

Additional information
File size: 7168 bytes
MD5...: acbc9db01545b279a324ec1ede63d9cd
SHA1..: fd6ba9f2e7c6e805193fc453169a9819e37cafab
SHA256: e8e483e1f6bb9ce3616bf6c9edb22c39134f960f2fdcba94c994f740b238b832
SHA512: 66724c5dac23000d6ca1fac3951625962d5df9ab28b6fcaf304f189a845cd1ffe6f59f052b76b09a54c71af6710ae325afda50315fbbee266b941f4029f8faab
ssdeep: 96:nPA3jQ7hCydwL55MzMMZWNdq9ZvZuQA4A5qPxeYYaJl5F1Goo:nW0wyHzMMo8u9Lq9YaJ/F1Go
PEiD..: -
TrID..: File type identification
UPX compressed Win32 Executable (42.6%)
Win32 EXE Yoda's Crypter (37.0%)
Win32 Executable Generic (11.8%)
Win16/32 Executable Delphi generic (2.8%)
Generic Win/DOS Executable (2.7%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xa0b0
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 3 sections )
name   viradd  virsiz  rawdsiz  ntrpy  md5
UPX0   0x1000  0x8000  0x0      0.00   d41d8cd98f00b204e9800998ecf8427e
UPX1   0x9000  0x2000  0x1400   7.43   9a0036207edfbef96224d29d80d1d583
.rsrc  0xb000  0x1000  0x400    2.28   32f0231626ed62234309c26cf57c96e2

( 3 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree
> IMAGEHLP.DLL: ImageDirectoryEntryToData
> user32.dll: SetWindowsHookExA

( 1 exports )
HideProcess

packers (Kaspersky): PE_Patch.UPX, UPX
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=77C0BEAD0013D4121C6500A8379E9F00A9009AF0
CWSandbox info: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=acbc9db01545b279a324ec1ede63d9cd
packers (F-Prot): UPX

#10 sandslinger

  • Topic Starter
  • Members
  • 11 posts

Posted 30 January 2009 - 10:54 PM

There is only one other file in that folder. It's svchost.exe. It also shows no author, but it does show that it has a project name "Project1" and the original file being "project1.exe". I ran the same scan on that, but only received a few results. Maybe it will shed some light since it shows it being a "Trojan.Dropper". I did a search for the file "project1.exe", but came up with nothing.

Antivirus;Version;Last Update;Result
a-squared;4.0.0.93;2009.01.31;-
AhnLab-V3;5.0.0.2;2009.01.30;-
AntiVir;7.9.0.60;2009.01.30;TR/Dropper.Gen
Authentium;5.1.0.4;2009.01.31;-
Avast;4.8.1281.0;2009.01.30;-
AVG;8.0.0.229;2009.01.30;-
BitDefender;7.2;2009.01.31;-
CAT-QuickHeal;10.00;2009.01.31;-
ClamAV;0.94.1;2009.01.31;-
Comodo;954;2009.01.30;-
DrWeb;4.44.0.09170;2009.01.31;-
eSafe;7.0.17.0;2009.01.29;Win32.TRDropper
eTrust-Vet;31.6.6335;2009.01.29;-
F-Prot;4.4.4.56;2009.01.30;-
F-Secure;8.0.14470.0;2009.01.31;-
Fortinet;3.117.0.0;2009.01.31;-
GData;19;2009.01.31;-
Ikarus;T3.1.1.45.0;2009.01.31;-
K7AntiVirus;7.10.611;2009.01.30;-
Kaspersky;7.0.0.125;2009.01.31;-
McAfee;5511;2009.01.30;-
McAfee+Artemis;5511;2009.01.30;-
Microsoft;1.4306;2009.01.31;-
NOD32;3814;2009.01.31;-
Norman;6.00.02;2009.01.30;-
nProtect;2009.1.8.0;2009.01.30;-
Panda;9.5.1.2;2009.01.30;-
PCTools;4.4.2.0;2009.01.30;-
Prevx1;V2;2009.01.31;-
Rising;21.13.42.00;2009.01.23;-
SecureWeb-Gateway;6.7.6;2009.01.30;Trojan.Dropper.Gen
Sophos;4.38.0;2009.01.31;-
Sunbelt;3.2.1835.2;2009.01.16;-
TheHacker;6.3.1.5.240;2009.01.31;-
TrendMicro;8.700.0.1004;2009.01.30;-
VBA32;3.12.8.12;2009.01.30;-
ViRobot;2009.1.30.1582;2009.01.30;-
VirusBuster;4.5.11.0;2009.01.30;-

#11 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location: Mikado Michigan

Posted 30 January 2009 - 11:45 PM

OK, reboot to safe mode and then delete hide.dll, empty your recycle bin, and then reboot back into normal windows and run a full AVG scan again. Post the results. Zip up svchost.exe and attach it to your next post. Then delete it when you delete hide.dll. I am going to let some guys smarter than me tear into it.

Edited by Hoov, 30 January 2009 - 11:48 PM.


#12 sandslinger

  • Topic Starter
  • Members
  • 11 posts

Posted 31 January 2009 - 12:06 AM

Okay. Here is the zip file. I will reboot in safe mode and delete both files.......reboot in normal mode and run AVG......and post the results. Thanks again for your help.

Attached Files



#13 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location: Mikado Michigan

Posted 31 January 2009 - 12:15 AM

I hope you don't mind I am calling it a night. I will look at the logs in the wee hours of the morning, or sometime around breakfast.

#14 sandslinger

  • Topic Starter
  • Members
  • 11 posts

Posted 31 January 2009 - 09:39 AM

The AVG scan produced nothing. A short time after reboot, another threat popped up via AVG Resident Shield. This time the file name is "C:\System Volume Information\_restore{AAD1B1BA-2FBC-4424-BBE1-DC7A93E878C6}\RP109\A0005866.dll". At the bottom it shows "Process name: C:\WINDOWS\System32\svchost.exe" "Process ID: 1604".

#15 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location: Mikado Michigan

Posted 31 January 2009 - 12:26 PM

This is actually a different aspect of the same problem. This one is in your system restore files.

Disable and Enable System Restore.
If you are using Windows Vista or XP, then I recommend you turn off System restore, and then turn it back on so that you will not be able to restore your problems to a clean computer.

Here are some good tutorials for that.
Windows Vista Restore Guide
or
Windows XP System Restore Guide
Reboot
Re-enable system restore with instructions from tutorial above

Create a System Restore Point
Go to all programs, then to accessories, then to system tools, then to system restore. Check the box for create restore point (not select a restore point), then click next and follow the instructions.

Do a full system scan with AVG after the reboot. Post up the log.