
HijackThis log, poss. Virtumonde. Most grateful for help


This topic is locked
15 replies to this topic

#1 dydor

Posted 17 January 2009 - 11:43 AM

Attached is my HijackThis logfile. The name 'Virtumonde' keeps cropping up in Spybot S&D.
This has defeated me; I'll be most grateful for any help.

Attached Files




#2 dydor (Topic Starter)

Posted 26 January 2009 - 01:56 AM

XP with SP3. I've used Spybot, XSoftSpySE, RegCure, Malwarebytes' Anti-Malware, Ad-aware, and have tried AVG and ZoneAlarm, though not at the same time. The system works fine for a short time but soon returns to the point where IE and Firefox crawl or freeze. I've been going in circles for more than a week now and would be most grateful for any help.
Here's my HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:45:01, on 26/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rmctrl.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://news.bbc.co.uk/1/hi/uk/default.stm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/1/hi/uk/default.stm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://news.bbc.co.uk/1/hi/uk/default.stm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/1/hi/uk/default.stm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tiscali.co.uk/products/index_de...845-08456650888
O2 - BHO: (no name) - {06CC2E07-5CE0-42FE-84CD-6EF5139DF07B} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: WinWSD Toolbar Helper - {AFC482CE-DC40-497A-AE10-681C072F6F6A} - (no file)
O2 - BHO: (no name) - {C4F7C826-A2AD-4CF1-8637-3D37E7A522D1} - (no file)
O2 - BHO: {fbc15063-4810-b18b-1004-5cfa5e97084d} - {d48079e5-afc5-4001-b81b-018436051cbf} - (no file)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: WinWSD Toolbar - {F1273B21-0B77-4481-BFB9-0A3C399BE3FE} - (no file)
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\system32\rmctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus DX4400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE /FU "C:\WINDOWS\TEMP\E_S128.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.adobe.com
O15 - Trusted Zone: http://*.adobe.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1230460345968
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: xpebpt.dll,dmvigc.dll,bxugdh.dll
O20 - Winlogon Notify: tuvTJbyA - tuvTJbyA.dll (file missing)
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 6384 bytes

Edited by Orange Blossom, 26 January 2009 - 11:11 PM.
Merged topics and put 2nd title in subtitle area. ~ OB


#3 Hoov (Malware Response Team)

Posted 29 January 2009 - 11:40 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.
Also please explain your problem as fully as possible. Each little detail will help in getting your system cleaned up and functional again.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scans:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Whether or not you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If you use other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.



* Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.scr
DDS.pif

* Double click on the DDS icon, allow it to run.
* A small box will open, with an explanation about the tool. No input is needed; the scan is running.
* Notepad will open with the results, click no to the Optional_Scan
* Follow the instructions that pop up for posting the results.
* Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families


#4 dydor (Topic Starter)

Posted 31 January 2009 - 02:43 PM

I'm very grateful for your help here! I followed your instructions and this is the MBAM logfile :

Malwarebytes' Anti-Malware 1.33
Database version: 1696
Windows 5.1.2600 Service Pack 3

31/01/2009 19:04:20
mbam-log-2009-01-31 (19-04-20).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 180178
Time elapsed: 2 hour(s), 27 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Explorer.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
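The one item MBAM removed in the log above is an Image File Execution Options (IFEO) key for Explorer.exe, which MBAM classifies as Security.Hijack. An IFEO subkey named after an executable can carry a Debugger string value; when that executable is launched, Windows starts the named "debugger" instead and hands it the original command line, so a Debugger value under Explorer.exe puts an attacker's program in front of every shell start. The check below is an added example, not a tool from this thread or from Malwarebytes: it parses a `reg export` of the IFEO key and reports every Debugger value it finds, treating the Process Explorer "Replace Task Manager" redirection as the one expected case. The sample export and the paths in it are constructed for the demonstration, and the known-good set is an assumption to extend per machine.

```python
r"""Audit a .reg export of Image File Execution Options for Debugger hijacks.

Added example, not from the original thread. An IFEO subkey named after an
executable that holds a "Debugger" string value makes Windows start that
"debugger" (with the real program as its argument) every time the executable
is launched. Export the key on the suspect machine with
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
and pass the file contents to audit_ifeo().
"""
import re

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
RE_SECTION = re.compile(r"^\[(.+)\]$")
RE_DEBUGGER = re.compile(r'^"Debugger"="(.*)"$', re.IGNORECASE)

# Debugger redirections that are expected. Sysinternals Process Explorer's
# "Replace Task Manager" option writes exactly this one. Assumption: extend
# with whatever your estate deploys deliberately.
KNOWN_GOOD = {("taskmgr.exe", "procexp.exe")}

# Constructed sample export (the debugger paths are made up for the demo).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Explorer.exe]
"Debugger"="C:\\WINDOWS\\system32\\drivers\\etc\\svchosts.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="\"C:\\Program Files\\Sysinternals\\procexp.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000
"""


def _unescape(value):
    # Undo .reg string escaping: doubled backslashes and backslash-escaped quotes.
    return value.replace("\\\\", "\\").replace('\\"', '"')


def audit_ifeo(reg_text):
    """Return [(exe, debugger_path, verdict)] for every IFEO subkey with a Debugger value."""
    results, current_exe = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = RE_SECTION.match(line)
        if m:
            key = m.group(1)
            rest = key[len(IFEO_KEY):] if key.lower().startswith(IFEO_KEY.lower()) else ""
            # Only keys exactly one level below IFEO name an executable; deeper
            # keys (PerfOptions etc.) and unrelated hives are ignored.
            current_exe = rest[1:].lower() if rest.startswith("\\") and "\\" not in rest[1:] else None
            continue
        m = RE_DEBUGGER.match(line)
        if m and current_exe:
            debugger = _unescape(m.group(1)).strip('"')
            dbg_exe = debugger.split("\\")[-1].split(" ")[0].lower()
            verdict = "known-good" if (current_exe, dbg_exe) in KNOWN_GOOD else "HIJACK"
            results.append((current_exe, debugger, verdict))
    return results


if __name__ == "__main__":
    for exe, debugger, verdict in audit_ifeo(SAMPLE_REG):
        print("%-10s %-14s -> %s" % (verdict, exe, debugger))
```

Any HIJACK verdict on explorer.exe, taskmgr.exe, regedit.exe or the name of an installed security tool is worth treating as the reason a scanner or the shell "won't start"; deleting the Debugger value (or the whole subkey, if nothing else is in it) restores normal launching, which is what MBAM did here.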

#5 Hoov (Malware Response Team)

Posted 31 January 2009 - 03:26 PM

Did you ever see that particular exploit before? How is the computer running? Are you seeing any other problem or just the slowing computer?

#6 dydor (Topic Starter)

Posted 01 February 2009 - 06:43 AM

Many thanks for your help. Trying to connect, the machine runs fine for a short while after randomly applying tools (RegCure, XSoftSpySE etc.), but soon goes back to crawl speed, if it can get to a site at all. It seems to be running OK apart from the Internet.
Here's my DDS log:

DDS (Ver_09-01-19.01) - NTFSx86
Run by Joyce Samples at 10:45:33.84 on 01/02/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.227 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rmctrl.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Joyce Samples\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://news.bbc.co.uk/1/hi/uk/default.stm
uSearch Page = hxxp://news.bbc.co.uk/1/hi/uk/default.stm
uDefault_Page_URL = hxxp://www.euro.dell.com/countries/uk/enu/gen/default.htm
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Page_URL = hxxp://www.euro.dell.com/countries/uk/enu/gen/default.htm
mStart Page = hxxp://www.euro.dell.com/countries/uk/enu/gen/default.htm
mSearchAssistant = hxxp://www.google.com/ie
BHO: {06CC2E07-5CE0-42FE-84CD-6EF5139DF07B} - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: {afc482ce-dc40-497a-ae10-681c072f6f6a} - WinWSD Toolbar Helper
BHO: {C4F7C826-A2AD-4CF1-8637-3D37E7A522D1} - No File
BHO: {d48079e5-afc5-4001-b81b-018436051cbf}: {fbc15063-4810-b18b-1004-5cfa5e97084d}
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
BHO: EWPP - No File
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: WinWSD Toolbar: {f1273b21-0b77-4481-bfb9-0a3c399be3fe} -
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {2AA2FBF8-9C76-4E97-A226-25C5F4AB6358} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON Stylus DX4400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticae.exe /fu "c:\windows\temp\E_S128.tmp" /EF "HKCU"
mRun: [RemoteControl] c:\windows\system32\rmctrl.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
dPolicies-explorer: NoWindowsUpdate = 0 (0x0)
dPolicies-explorer: NoDevMgrUpdate = 0 (0x0)
dPolicies-system: NoDispAppearancePage = 0 (0x0)
dPolicies-system: NoDispSettingsPage = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: adobe.com
Trusted Zone: adobe.com\www
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230460345968
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38062.5165393519
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: tuvTJbyA - tuvTJbyA.dll
AppInit_DLLs: xpebpt.dll,dmvigc.dll,bxugdh.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\yayyYOFV

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joyces~1\applic~1\mozilla\firefox\profiles\to7o97yt.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/1/hi/uk/default.stm
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-29 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-29 27656]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-29 298264]
R4 CSIScanner;CSIScanner;c:\program files\prevxcsi\prevxcsi.exe [2009-1-19 4107832]
S0 jzocv;jzocv;c:\windows\system32\drivers\kagmls.sys --> c:\windows\system32\drivers\kagmls.sys [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2008-4-29 16512]

=============== Created Last 30 ================

2009-01-31 10:57 230 a------- c:\windows\system32\spupdsvc.inf
2009-01-31 09:36 21,512 a------- c:\windows\system32\drivers\pxscan.sys
2009-01-30 13:43 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-01-29 12:31 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-29 12:31 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-29 12:31 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-01-29 12:31 <DIR> --d----- c:\docume~1\joyces~1\applic~1\AVGTOOLBAR
2009-01-28 10:14 54,156 a---h--- c:\windows\QTFont.qfn
2009-01-28 10:14 1,409 a------- c:\windows\QTFont.for
2009-01-22 19:26 <DIR> --d----- c:\docume~1\joyces~1\applic~1\Malwarebytes
2009-01-22 19:26 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-22 19:26 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-22 19:26 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-22 19:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-19 19:28 <DIR> --d----- c:\program files\PrevxCSI
2009-01-19 19:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PrevxCSI
2009-01-17 11:45 155,648 a------- c:\windows\system32\igfxres.dll
2009-01-16 14:36 <DIR> --d----- c:\documents and settings\joyce samples\amaya
2009-01-16 14:35 <DIR> --d----- c:\program files\Amaya
2009-01-15 01:56 2,204 a------- c:\windows\oyolhpgh
2009-01-04 21:48 8,704 a------- c:\windows\system32\vidccleaner.exe
2009-01-04 21:46 217,088 a------- c:\windows\system32\skjpeg40.dll
2009-01-04 21:46 83,968 a------- c:\windows\system32\Skbase40.dll
2009-01-04 21:46 <DIR> --d----- c:\program files\Samsung

==================== Find3M ====================

2009-01-27 16:17 4,212 a---h--- c:\windows\system32\zllictbl.dat
2008-12-29 01:15 720,896 a------- c:\windows\iun6002ev.exe
2008-12-22 04:41 56,716 a---h--- c:\windows\system32\mlfcache.dat
2008-12-12 17:01 3,067,904 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-01-03 13:46 2,293,848 a------- c:\program files\FLV PlayerFCSetup.exe
2007-12-12 14:55 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-09-05 11:46 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat

============= FINISH: 10:46:26.48 ===============

Attached Files
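Reading the two logs in this thread as an analyst would (the HijackThis log in post #2 and the DDS log just above), the lines that matter are not the browser start pages but the load points: `O20 - AppInit_DLLs: xpebpt.dll,dmvigc.dll,bxugdh.dll` (three random-named DLLs that user32.dll will pull into every GUI process), `Winlogon Notify: tuvTJbyA` (a DLL loaded into winlogon.exe at logon, already missing from disk), `LSA: Authentication Packages = msv1_0 c:\windows\system32\yayyYOFV` (a second package loaded into lsass.exe beside the legitimate msv1_0), and `S0 jzocv` (a boot-start driver whose file DDS could not read). Those are the load points the Vundo/Virtumonde family used at the time, and because each surviving copy can re-create the others, cleaning only some of them fits the "works fine for a short time" pattern described in post #2. The script below is an added example, not a tool from this thread or from the BleepingComputer staff: it parses both the HijackThis and the DDS pseudo-HJT line formats and flags those entries. The sample log is constructed from lines copied out of the posted logs; the Winlogon Notify allowlist and the severity labels are assumptions.

```python
"""Triage a HijackThis / DDS log for Vundo (Virtumonde) persistence points.

Added example for this thread, not a tool used in the posts. It checks the
registry load points this family abused in 2008-09:
  AppInit_DLLs                 DLLs loaded into every process that maps user32
  Winlogon Notify              DLL loaded into winlogon.exe at logon
  LSA Authentication Packages  DLL loaded into lsass.exe next to msv1_0
plus two weaker signals: boot-start (S0) drivers with no file information and
browser add-ons whose CLSID points at "(no file)".
"""
import re

# Winlogon Notify packages normal on XP, plus the two seen in the DDS log
# (igfxcui = Intel graphics, avgrsstarter = AVG 8). Assumption: tune per machine.
ALLOWED_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule", "sclgntfy",
    "senslogn", "termsrv", "wlballoon", "wgalogon", "igfxcui", "avgrsstarter",
}

RE_APPINIT = re.compile(r"^(?:O20 - )?AppInit_DLLs:\s*(\S.*)$")                 # HJT or DDS
RE_NOTIFY = re.compile(r"^(?:O20 - Winlogon )?Notify:\s*(\S+)\s*-\s*(.+)$")     # HJT or DDS
RE_LSA = re.compile(r"^LSA:\s*Authentication Packages\s*=\s*(.+)$")              # DDS
RE_NOFILE = re.compile(r"^(?:O[23] - .*\(no file\)|(?:BHO|TB|EB):.*- No File)\s*$")
RE_DRIVER = re.compile(r"^([RS])(\d) ([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")   # DDS services

# Constructed sample: lines copied from the HijackThis (post #2) and DDS (post #6) logs.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06CC2E07-5CE0-42FE-84CD-6EF5139DF07B} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: WinWSD Toolbar - {F1273B21-0B77-4481-BFB9-0A3C399BE3FE} - (no file)
O20 - AppInit_DLLs: xpebpt.dll,dmvigc.dll,bxugdh.dll
O20 - Winlogon Notify: tuvTJbyA - tuvTJbyA.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
BHO: {06CC2E07-5CE0-42FE-84CD-6EF5139DF07B} - No File
Notify: igfxcui - igfxsrvc.dll
Notify: tuvTJbyA - tuvTJbyA.dll
AppInit_DLLs: xpebpt.dll,dmvigc.dll,bxugdh.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\yayyYOFV
S0 jzocv;jzocv;c:\windows\system32\drivers\kagmls.sys []
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-29 325128]
"""


def _finding(severity, rule, detail, line):
    return {"severity": severity, "rule": rule, "detail": detail, "line": line}


def triage(log_text):
    """Return one finding dict per suspicious line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RE_APPINIT.match(line)
        if m:
            dlls = [d.strip() for d in m.group(1).split(",") if d.strip()]
            findings.append(_finding("HIGH", "appinit_dlls",
                "AppInit_DLLs is normally empty on XP; %d DLL(s) load into every GUI "
                "process: %s" % (len(dlls), ", ".join(dlls)), line))
            continue
        m = RE_NOTIFY.match(line)
        if m:
            name, target = m.group(1), m.group(2)
            if "file missing" in target.lower():
                findings.append(_finding("HIGH", "winlogon_notify",
                    "%s is registered but its DLL is gone: half-removed infection" % name, line))
            elif name.lower() not in ALLOWED_NOTIFY:
                findings.append(_finding("MEDIUM", "winlogon_notify",
                    "unknown Winlogon Notify package %s -> %s" % (name, target), line))
            continue
        m = RE_LSA.match(line)
        if m:
            extras = [p for p in m.group(1).split() if p.lower() != "msv1_0"]
            if extras:
                findings.append(_finding("HIGH", "lsa_auth_packages",
                    "non-default package(s) loaded into lsass.exe: %s" % ", ".join(extras), line))
            continue
        if RE_NOFILE.match(line):
            findings.append(_finding("LOW", "orphan_addon",
                "browser add-on CLSID with no backing file (leftover to clean up)", line))
            continue
        m = RE_DRIVER.match(line)
        if m and m.group(2) == "0" and m.group(6).strip() in ("", "?"):
            path = m.group(5).split(" --> ")[-1]   # first DDS log printed "path --> path [?]"
            findings.append(_finding("HIGH", "boot_driver",
                "boot-start driver %s (%s) has no file information: possible rootkit "
                "component or dead entry" % (m.group(3), path), line))
    return findings


def severity_counts(findings):
    return {s: sum(1 for f in findings if f["severity"] == s) for s in ("HIGH", "MEDIUM", "LOW")}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%-6s] %-17s %s\n         %s" % (f["severity"], f["rule"], f["detail"], f["line"]))
    print(severity_counts(triage(SAMPLE_LOG)))
```

Run against the sample it reports five HIGH findings (two AppInit_DLLs lines, the missing Notify DLL, the extra LSA package, the fileless S0 driver), one MEDIUM (the same Notify package as DDS reports it, without the missing-file marker) and three LOW orphaned add-ons; the AVG driver, the Spybot BHO and the Intel Notify entry pass. The allowlist is the part to tune: a package not in it is only "unknown", which is why DDS's own `Notify:` line for tuvTJbyA rates lower than the HijackThis line that also proves the file is gone.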



#7 Hoov (Malware Response Team)

Posted 01 February 2009 - 11:40 AM

Does there seem to be lots of network activity when you are connected? Try to do the scans below, and let me know if they don't work.

Please perform this online scan: F-Secure Online Scanner

The online scanner is on the bottom right of the page.
Follow the directions in the F-Secure page for proper Installation.

* You may receive an alert on the address bar at this point to install the ActiveX control.
* Click on that alert and then click "Install ActiveX component".
* Read the license agreement and click "Accept".
* Click "Full System Scan" to download the scanning components and begin scan and cleaning.
* When the scan completes, click the "I want to decide item by item" button.
* For each item found, Select "Disinfect" and click "Next".
* When done, click the "Show Report" button, then copy and paste the entire report into your next reply.
This scan can take several hours, so please be patient.

Please perform an AVG AS Online Malware Scan
  • When a dialog box appears asking if you would like to download and install the ewido anti-spyware online scanner, please click Yes to allow the download.
  • Click on Start Scan.
  • If any infections are found, Click on Remove Infections.


#8 dydor (Topic Starter)

Posted 04 February 2009 - 03:47 PM

Thanks Hoov, I ran the DDS and it didn't find any nasties. Trying to get IE7 to let me run ActiveX so I can run the AVG online scan.
Thanks again for help.

#9 Hoov (Malware Response Team)

Posted 04 February 2009 - 04:32 PM

DDS is not a removal tool, it only gathers information. If you did the F-Secure scan please post up the log. As for the AVG problem, don't even worry about it. There is a problem with it.

#10 dydor (Topic Starter)

Posted 06 February 2009 - 01:02 PM

Sorry, here's the dds scan result log:


DDS (Version 1.1.0) - NTFSx86
Run by Joyce Samples at 17:57:37.32 on 06/02/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.190 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: Prevx Edge *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rmctrl.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Joyce Samples\My Documents\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://news.bbc.co.uk/1/hi/uk/default.stm
uDefault_Page_URL = hxxp://www.euro.dell.com/countries/uk/enu/gen/default.htm
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearchAssistant = hxxp://www.google.com/ie
BHO: {06CC2E07-5CE0-42FE-84CD-6EF5139DF07B} - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: {afc482ce-dc40-497a-ae10-681c072f6f6a} - WinWSD Toolbar Helper
BHO: {C4F7C826-A2AD-4CF1-8637-3D37E7A522D1} - No File
BHO: {d48079e5-afc5-4001-b81b-018436051cbf}: {fbc15063-4810-b18b-1004-5cfa5e97084d}
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
BHO: EWPP - No File
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: WinWSD Toolbar: {f1273b21-0b77-4481-bfb9-0a3c399be3fe} -
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {2AA2FBF8-9C76-4E97-A226-25C5F4AB6358} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON Stylus DX4400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticae.exe /fu "c:\windows\temp\E_S128.tmp" /EF "HKCU"
mRun: [RemoteControl] c:\windows\system32\rmctrl.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
dPolicies-explorer: NoWindowsUpdate = 0 (0x0)
dPolicies-explorer: NoDevMgrUpdate = 0 (0x0)
dPolicies-system: NoDispAppearancePage = 0 (0x0)
dPolicies-system: NoDispSettingsPage = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: adobe.com
Trusted Zone: adobe.com\www
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: tuvTJbyA - tuvTJbyA.dll
AppInit_DLLs: xpebpt.dll,dmvigc.dll,bxugdh.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\yayyYOFV

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joyces~1\applic~1\mozilla\firefox\profiles\to7o97yt.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/1/hi/uk/default.stm
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============

R0 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2009-2-3 17928]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-1-31 21512]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-29 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-29 27656]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-29 298264]
R2 CSIScanner;CSIScanner;"c:\program files\prevx\prevx.exe" /service [2009-2-3 4107832]
S0 jzocv;jzocv;c:\windows\system32\drivers\kagmls.sys []
S3 ASPI;Advanced SCSI Programming Interface Driver;\??\c:\windows\system32\drivers\ASPI32.sys [2008-4-29 16512]

=============== Created Last 30 ================

2009-02-05 13:24 <DIR> --d----- c:\docume~1\joyces~1\applic~1\Ambient Design
2009-02-05 13:20 <DIR> --d----- c:\program files\Ambient Design
2009-02-03 06:19 17,928 a------- c:\windows\system32\drivers\pxrts.sys
2009-02-03 06:19 <DIR> --d----- c:\program files\Prevx
2009-02-01 17:59 <DIR> --d----- C:\fsaua.data
2009-01-31 09:36 21,512 a------- c:\windows\system32\drivers\pxscan.sys
2009-01-30 13:43 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-01-29 12:31 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-29 12:31 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-29 12:31 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-01-29 12:31 <DIR> --d----- c:\docume~1\joyces~1\applic~1\AVGTOOLBAR
2009-01-28 10:14 54,156 a---h--- c:\windows\QTFont.qfn
2009-01-28 10:14 1,409 a------- c:\windows\QTFont.for
2009-01-22 19:26 <DIR> --d----- c:\docume~1\joyces~1\applic~1\Malwarebytes
2009-01-22 19:26 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-22 19:26 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-22 19:26 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-22 19:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-19 19:28 <DIR> --d----- c:\program files\PrevxCSI
2009-01-19 19:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PrevxCSI
2009-01-17 11:45 155,648 a------- c:\windows\system32\igfxres.dll
2009-01-16 14:36 <DIR> --d----- c:\documents and settings\joyce samples\amaya
2009-01-16 14:35 <DIR> --d----- c:\program files\Amaya
2009-01-15 01:56 2,204 a------- c:\windows\oyolhpgh

==================== Find3M ====================

2009-01-27 16:17 4,212 a---h--- c:\windows\system32\zllictbl.dat
2008-12-29 01:15 720,896 a------- c:\windows\iun6002ev.exe
2008-12-22 04:41 56,716 a---h--- c:\windows\system32\mlfcache.dat
2008-12-13 06:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-01-03 13:46 2,293,848 a------- c:\program files\FLV PlayerFCSetup.exe
2007-12-12 14:55 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-09-05 11:46 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat

============= FINISH: 17:58:08.46 ===============


#11 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 06 February 2009 - 01:56 PM

Run ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Also make sure you close all your browsers just before the instructions tell you to start the scanner.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

#12 dydor

  • Topic Starter
  • Members
  • 9 posts

Posted 17 February 2009 - 03:26 AM

Here's my ComboFix log, Hoov. Sorry for the delay in getting it back to you.

ComboFix 09-02-15.01 - Joyce Samples 2009-02-17 8:10:27.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.243 [GMT 0:00]
Running from: c:\documents and settings\Joyce Samples\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: Prevx Edge *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\c.cgm
c:\windows\system32\imvalid.ico
c:\windows\system32\imvalid.ico.bak0
c:\windows\system32\u2g.f
c:\windows\twain_16.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-01-17 to 2009-02-17 )))))))))))))))))))))))))))))))
.

2009-02-16 15:50 . 2009-02-16 15:51 2,324 --a------ C:\output.dat
2009-02-16 15:48 . 2009-02-16 15:48 <DIR> d-------- c:\program files\cheapestsoft
2009-02-14 23:53 . 2009-02-16 15:43 <DIR> d-------- c:\documents and settings\Joyce Samples\.dvdcss
2009-02-14 23:51 . 2009-02-14 23:51 <DIR> d-------- c:\documents and settings\Joyce Samples\mplayer
2009-02-14 23:51 . 2009-02-14 23:51 <DIR> d-------- c:\documents and settings\Joyce Samples\Application Data\dvdcss
2009-02-14 23:25 . 2006-11-01 15:52 765,952 --a------ c:\windows\SYSTEM32\xvidcore.dll
2009-02-14 23:25 . 2006-11-01 15:54 180,224 --a------ c:\windows\SYSTEM32\xvidvfw.dll
2009-02-14 23:25 . 2006-11-01 16:26 77,824 --a------ c:\windows\SYSTEM32\xvid.ax
2009-02-14 23:24 . 2009-02-14 23:24 <DIR> d-------- c:\program files\Samsung
2009-02-14 23:24 . 1998-07-09 20:41 217,088 --a------ c:\windows\SYSTEM32\skjpeg40.dll
2009-02-14 23:24 . 1998-03-04 11:40 83,968 --a------ c:\windows\SYSTEM32\Skbase40.dll
2009-02-14 23:10 . 2009-02-14 23:10 736 --a------ c:\windows\SamsungMaster.INI
2009-02-14 22:54 . 2009-02-14 22:54 <DIR> d-------- c:\program files\freestar
2009-02-11 23:38 . 2009-02-11 23:38 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-11 23:38 . 2009-02-11 23:38 1,409 --a------ c:\windows\QTFont.for
2009-02-05 13:24 . 2009-02-05 13:24 <DIR> d-------- c:\documents and settings\Joyce Samples\Application Data\Ambient Design
2009-02-05 13:20 . 2009-02-05 13:20 <DIR> d-------- c:\program files\Ambient Design
2009-02-01 17:59 . 2009-02-01 17:59 <DIR> d-------- C:\fsaua.data
2009-01-30 13:43 . 2009-02-15 12:24 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-29 12:31 . 2009-02-17 07:40 <DIR> d-------- c:\windows\SYSTEM32\DRIVERS\Avg
2009-01-29 12:31 . 2009-01-31 11:02 <DIR> d-------- c:\documents and settings\Joyce Samples\Application Data\AVGTOOLBAR
2009-01-29 12:31 . 2009-01-30 08:06 325,128 --a------ c:\windows\SYSTEM32\DRIVERS\avgldx86.sys
2009-01-29 12:31 . 2009-01-30 08:06 10,520 --a------ c:\windows\SYSTEM32\avgrsstx.dll
2009-01-25 21:03 . 2009-01-25 21:05 <DIR> d-------- c:\program files\RegCure
2009-01-22 19:26 . 2009-01-22 19:26 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-22 19:26 . 2009-01-22 19:26 <DIR> d-------- c:\documents and settings\Joyce Samples\Application Data\Malwarebytes
2009-01-22 19:26 . 2009-01-22 19:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-22 19:26 . 2009-01-14 16:11 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-01-22 19:26 . 2009-01-14 16:11 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-01-19 19:28 . 2009-01-19 19:28 <DIR> d-------- c:\program files\PrevxCSI
2009-01-17 11:45 . 2003-04-07 00:05 155,648 --a------ c:\windows\SYSTEM32\igfxres.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-14 23:24 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-02 19:32 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-02 19:32 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-31 10:46 --------- d-----w c:\program files\WebSite Downloader for Windows
2009-01-30 08:06 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-28 20:05 --------- d-----w c:\program files\XoftSpySE
2009-01-18 13:55 --------- d-----w c:\program files\OLYMPUS
2009-01-17 10:50 --------- d-----w c:\program files\FREE Hi-Q Recorder
2009-01-16 14:35 --------- d-----w c:\program files\Amaya
2009-01-11 15:44 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-11 15:43 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-02 13:45 --------- d-----w c:\program files\Dell
2009-01-02 13:44 --------- d-----w c:\documents and settings\Joyce Samples\Application Data\Lavasoft
2008-12-31 09:15 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-30 19:20 --------- d-----w c:\documents and settings\Joyce Samples\Application Data\NCH Swift Sound
2008-12-30 19:13 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound
2008-12-30 19:11 --------- d-----w c:\program files\NCH Software
2008-12-30 11:03 --------- d-----w c:\program files\PC Tune-Up
2008-12-29 21:49 --------- d-----w c:\program files\Trend Micro
2008-12-29 01:15 720,896 ----a-w c:\windows\iun6002ev.exe
2008-12-28 21:17 --------- d-----w c:\program files\Alwil Software
2008-12-23 17:05 --------- d-----w c:\program files\FreeCDRipper
2008-12-22 04:41 --------- d-----w c:\documents and settings\Joyce Samples\Application Data\Apple Computer
2008-12-22 04:39 --------- d-----w c:\program files\Apple Software Update
2008-12-22 04:39 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-12-18 11:24 --------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-18 11:23 --------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-18 11:23 --------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-18 11:23 --------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-01-03 13:46 2,293,848 ----a-w c:\program files\FLV PlayerFCSetup.exe
2007-12-12 14:55 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-09-05 11:46 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008090520080906\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"EPSON Stylus DX4400 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE" [2007-03-01 180736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\windows\system32\rmctrl.exe" [2000-10-16 32768]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-30 1601304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-30 08:06 10520 c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=xpebpt.dll,dmvigc.dll,bxugdh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 01:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2003-08-06 01:04 114741 c:\windows\SYSTEM32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
--a------ 2003-08-13 10:27 28672 c:\windows\SYSTEM32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
--a------ 2006-05-16 17:51 57344 c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2003-08-26 19:47 204800 c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 05:24 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlay]
--a------ 2008-03-24 16:17 214560 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2008-03-24 16:17 214560 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\skynetave]
--a------ 2008-03-24 16:17 214560 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a------ 2003-02-13 01:01 155648 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\SYSTEM32\\mmc.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [2009-01-29 325128]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-29 298264]
S0 jzocv;jzocv;c:\windows\system32\drivers\kagmls.sys --> c:\windows\system32\drivers\kagmls.sys [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\SYSTEM32\DRIVERS\ASPI32.SYS [2008-04-29 16512]
.
Contents of the 'Scheduled Tasks' folder

2009-02-17 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-11-27 18:55]

2009-01-29 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-11-27 18:55]
.
- - - - ORPHANS REMOVED - - - -

BHO-{06CC2E07-5CE0-42FE-84CD-6EF5139DF07B} - (no file)
BHO-{C4F7C826-A2AD-4CF1-8637-3D37E7A522D1} - (no file)
BHO-{d48079e5-afc5-4001-b81b-018436051cbf} - (no file)
Notify-tuvTJbyA - tuvTJbyA.dll
MSConfigStartUp-skynetave - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
Trusted Zone: adobe.com
Trusted Zone: adobe.com\www
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
FF - ProfilePath - c:\documents and settings\Joyce Samples\Application Data\Mozilla\Firefox\Profiles\to7o97yt.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/1/hi/uk/default.stm
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-17 08:13:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-17 8:18:36 - machine was rebooted [Joyce Samples]
ComboFix-quarantined-files.txt 2009-02-17 08:18:16

Pre-Run: 50,427,498,496 bytes free
Post-Run: 50,378,190,848 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

210 --- E O F --- 2009-02-11 04:07:02

#13 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 17 February 2009 - 05:37 PM

Download SDFix and save it to your Desktop.

Double-click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix).

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
  • Instead of Windows loading as normal, the Advanced Options Menu should appear.
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double-click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
  • Press any key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to the Clipboard, ready for posting back on the forum).
  • Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.

#14 dydor

  • Topic Starter
  • Members
  • 9 posts

Posted 20 February 2009 - 03:19 PM

Hi Hoov, here's the SDFix report:

SDFix: Version 1.240
Run by Joyce Samples on 20/02/2009 at 19:46

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found
Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-20 19:57:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :
Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\WINDOWS\\SYSTEM32\\mmc.exe"="C:\\WINDOWS\\SYSTEM32\\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"="C:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe:*:Enabled:Veoh Web Player "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :
Files with Hidden Attributes :

Tue 6 Dec 2005 32,768 A..H. --- "C:\Catherine\SWAP files\~WRL0001.tmp"
Sun 12 Mar 2006 37,376 A..H. --- "C:\Catherine\SWAP files\~WRL0219.tmp"
Mon 27 Feb 2006 21,504 A..H. --- "C:\Catherine\SWAP files\~WRL0701.tmp"
Sun 12 Mar 2006 36,352 A..H. --- "C:\Catherine\SWAP files\~WRL1164.tmp"
Sun 12 Mar 2006 36,352 A..H. --- "C:\Catherine\SWAP files\~WRL1297.tmp"
Thu 23 Mar 2006 50,688 A..H. --- "C:\Catherine\SWAP files\~WRL1372.tmp"
Mon 27 Feb 2006 34,816 A..H. --- "C:\Catherine\SWAP files\~WRL2564.tmp"
Sun 12 Mar 2006 36,352 A..H. --- "C:\Catherine\SWAP files\~WRL3347.tmp"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\File Scanner Library (Spybot - Search & Destroy)\advcheck.dll"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Misc. Support Library (Spybot - Search & Destroy)\Tools.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\SDHelper (Spybot - Search & Destroy)\SDHelper.dll"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\TeaTimer (Spybot - Search & Destroy)\TeaTimer.exe"
Mon 19 Mar 2007 352,256 A.SH. --- "C:\Catherine\Finlay\Catherine Paul visit 020108\SIVF8.tmp"
Mon 19 Mar 2007 2,031,616 A.SH. --- "C:\Catherine\Finlay\Catherine Paul visit 020108\SIVFA.tmp"
Tue 6 Dec 2005 32,768 A..H. --- "C:\Catherine\JOURNALISM\SWAP files\~WRL0001.tmp"
Sun 12 Mar 2006 37,376 A..H. --- "C:\Catherine\JOURNALISM\SWAP files\~WRL0219.tmp"
Mon 27 Feb 2006 21,504 A..H. --- "C:\Catherine\JOURNALISM\SWAP files\~WRL0701.tmp"
Sun 12 Mar 2006 36,352 A..H. --- "C:\Catherine\JOURNALISM\SWAP files\~WRL1164.tmp"
Sun 12 Mar 2006 36,352 A..H. --- "C:\Catherine\JOURNALISM\SWAP files\~WRL1297.tmp"
Thu 23 Mar 2006 50,688 A..H. --- "C:\Catherine\JOURNALISM\SWAP files\~WRL1372.tmp"
Mon 27 Feb 2006 34,816 A..H. --- "C:\Catherine\JOURNALISM\SWAP files\~WRL2564.tmp"
Sun 12 Mar 2006 36,352 A..H. --- "C:\Catherine\JOURNALISM\SWAP files\~WRL3347.tmp"
Tue 6 Dec 2005 32,768 A..H. --- "C:\Catherine\Temp\SWAP files\~WRL0001.tmp"
Sun 12 Mar 2006 37,376 A..H. --- "C:\Catherine\Temp\SWAP files\~WRL0219.tmp"
Mon 27 Feb 2006 21,504 A..H. --- "C:\Catherine\Temp\SWAP files\~WRL0701.tmp"
Sun 12 Mar 2006 36,352 A..H. --- "C:\Catherine\Temp\SWAP files\~WRL1164.tmp"
Sun 12 Mar 2006 36,352 A..H. --- "C:\Catherine\Temp\SWAP files\~WRL1297.tmp"
Thu 23 Mar 2006 50,688 A..H. --- "C:\Catherine\Temp\SWAP files\~WRL1372.tmp"
Mon 27 Feb 2006 34,816 A..H. --- "C:\Catherine\Temp\SWAP files\~WRL2564.tmp"
Sun 12 Mar 2006 36,352 A..H. --- "C:\Catherine\Temp\SWAP files\~WRL3347.tmp"
Tue 9 Oct 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 21 Jan 2002 78,336 A..H. --- "C:\Program Files\Final Draft 6\System\Rslibw32.dll"
Mon 21 Jan 2002 129,024 A..H. --- "C:\Program Files\Final Draft 6\System\Scpbw32.dll"
Mon 21 Jan 2002 157,184 A..H. --- "C:\Program Files\Final Draft 6\System\Scpw32.dll"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Spybot - Search & Destroy\SDHelper.dll"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Spybot - Search & Destroy\Tools.dll"
Sat 14 Oct 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 16 Mar 2004 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Tue 16 Mar 2004 12,368 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Thu 20 Mar 2008 28,160 ...H. --- "C:\Documents and Settings\Joyce Samples\Application Data\Microsoft\Word\~WRL0910.tmp"
Thu 20 Mar 2008 19,456 ...H. --- "C:\Documents and Settings\Joyce Samples\Application Data\Microsoft\Word\~WRL1016.tmp"
Thu 20 Mar 2008 23,552 ...H. --- "C:\Documents and Settings\Joyce Samples\Application Data\Microsoft\Word\~WRL2707.tmp"
Thu 20 Mar 2008 20,992 ...H. --- "C:\Documents and Settings\Joyce Samples\Application Data\Microsoft\Word\~WRL2709.tmp"
Thu 20 Mar 2008 20,480 ...H. --- "C:\Documents and Settings\Joyce Samples\Application Data\Microsoft\Word\~WRL2805.tmp"
Sun 5 Oct 2008 92,672 A..H. --- "C:\Documents and Settings\Joyce Samples\Desktop\SWAP 08\Applications\~WRL0246.tmp"
Sun 5 Oct 2008 92,672 A..H. --- "C:\Documents and Settings\Joyce Samples\Desktop\SWAP 08\Applications\~WRL2295.tmp"
Sun 5 Oct 2008 92,672 A..H. --- "C:\Documents and Settings\Joyce Samples\Desktop\SWAP 08\Applications\~WRL3679.tmp"
Sat 21 Oct 2006 48,128 A..H. --- "C:\Documents and Settings\Joyce Samples\My Documents\Catherine Desktop\Limerick\~WRL2884.tmp"
Sat 21 Oct 2006 47,616 A..H. --- "C:\Documents and Settings\Joyce Samples\My Documents\Catherine Desktop\Limerick\~WRL3247.tmp"
Sat 21 Oct 2006 33,280 A..H. --- "C:\Documents and Settings\Joyce Samples\My Documents\Catherine Desktop\Limerick\~WRL3861.tmp"
Mon 19 Mar 2007 352,256 A.SH. --- "C:\Documents and Settings\Joyce Samples\My Documents\Catherine Desktop\PAULS_PHOTOS\2007\SIVF8.tmp"
Mon 19 Mar 2007 2,031,616 A.SH. --- "C:\Documents and Settings\Joyce Samples\My Documents\Catherine Desktop\PAULS_PHOTOS\2007\SIVFA.tmp"
Mon 15 Oct 2007 222,208 A..H. --- "C:\Documents and Settings\Joyce Samples\My Documents\Catherine Desktop\WSP\media\~WRL2278.tmp"
Mon 15 Oct 2007 202,752 A..H. --- "C:\Documents and Settings\Joyce Samples\My Documents\Catherine Desktop\WSP\media\~WRL2646.tmp"

Finished!

And here's the HJT log; I've attached it too in case that's better for reading it:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:12:23, on 20/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\rmctrl.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: WinWSD Toolbar Helper - {AFC482CE-DC40-497A-AE10-681C072F6F6A} - (no file)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: WinWSD Toolbar - {F1273B21-0B77-4481-BFB9-0A3C399BE3FE} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\system32\rmctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus DX4400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE /FU "C:\WINDOWS\TEMP\E_S128.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.adobe.com
O15 - Trusted Zone: http://*.adobe.com
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1230460345968
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: xpebpt.dll,dmvigc.dll,bxugdh.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

--
End of file - 5956 bytes

Many thanks again.

Attached Files
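
The log above is the raw material a helper reads by hand; the following is an added example (not code from this thread or from HijackThis) of parsing that format and pulling out the entries that matter first. The rows in SAMPLE_LOG are copied from the posted log. The severities are this example's own heuristics: the `O20 - AppInit_DLLs` value names DLLs that user32.dll loads into every GUI process, a well-known injection point, so three random-looking names with no vendor path there are flagged for verification; `(no file)` rows are dangling registrations; `O15` rows list sites IE treats with relaxed Trusted Zone settings.

```python
import re
from typing import List, NamedTuple

# Constructed sample input: entries copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: WinWSD Toolbar Helper - {AFC482CE-DC40-497A-AE10-681C072F6F6A} - (no file)
O3 - Toolbar: WinWSD Toolbar - {F1273B21-0B77-4481-BFB9-0A3C399BE3FE} - (no file)
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\system32\rmctrl.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O15 - Trusted Zone: http://*.adobe.com
O20 - AppInit_DLLs: xpebpt.dll,dmvigc.dll,bxugdh.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""


class Entry(NamedTuple):
    section: int   # the O<n> group number
    kind: str      # text between "O<n> - " and the first colon (BHO, Toolbar, HKLM\..\Run, ...)
    rest: str      # everything after "<kind>: "
    raw: str       # the original line, for reporting


class Finding(NamedTuple):
    severity: str  # HIGH / LOW / INFO, this example's own triage scale
    raw: str
    note: str


# Every HijackThis item looks like "O<n> - <kind>: <details>"; the banner and
# the "Running processes" list do not match and are skipped.
ENTRY_RE = re.compile(r"^O(?P<section>\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")


def parse_hjt(text: str) -> List[Entry]:
    """Parse the O-item lines of a HijackThis log into Entry records."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(int(m.group("section")), m.group("kind"), m.group("rest"), line))
    return entries


def appinit_dlls(entries: List[Entry]) -> List[str]:
    """Return the DLL names listed in the O20 AppInit_DLLs item, if present."""
    for e in entries:
        if e.section == 20 and e.kind == "AppInit_DLLs":
            return [d.strip() for d in e.rest.split(",") if d.strip()]
    return []


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply the heuristics described in the lead-in, in log order."""
    findings = []
    for e in entries:
        if e.section == 20 and e.kind == "AppInit_DLLs":
            dlls = [d.strip() for d in e.rest.split(",") if d.strip()]
            findings.append(Finding(
                "HIGH", e.raw,
                f"{len(dlls)} DLL(s) loaded into every process that maps user32.dll: "
                f"{', '.join(dlls)}; injection point frequently abused by malware, verify each file"))
        elif e.rest.endswith("(no file)"):
            findings.append(Finding(
                "LOW", e.raw, "registration whose file is gone; orphan, remove for hygiene"))
        elif e.section == 15:
            findings.append(Finding(
                "INFO", e.raw, "site in the IE Trusted Zone runs with relaxed settings; confirm it is wanted"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.severity}] {f.raw}\n    {f.note}")
```

Run against the full log pasted above, the only HIGH finding is the AppInit_DLLs line; the Winlogon Notify and Service rows from AVG are left alone because they carry a vendor path and name, which is the distinction a reader makes by eye.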



#15 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 20 February 2009 - 04:04 PM

Update Spybot and do a scan. Once it is done and you have removed the malware, if any, right-click on the results and select "save full report to a file". Then save it wherever, but remember where. Then attach it to your next response. Don't post it because it will probably be long.

Also, once it is done, surf around and see if there is still the problem with the browsers. Also, can you think of anything else the computer is doing out of the ordinary? Do you have an external HD or thumb drive that you occasionally hook to the computer?
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families




