
Virtumonde + Smitfraud


  • This topic is locked
16 replies to this topic

#1 soberoak

soberoak

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:27 PM

Posted 24 January 2009 - 07:04 PM

I shall be forever grateful to anyone who can help me. Here's my DDS log:


DDS (Ver_09-01-19.01) - NTFSx86
Run by Owner at 18:46:47.15 on Sat 01/24/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.512.162 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\My Documents\downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = <local>
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://www.google.com/ie
BHO: {000EE3F8-B011-479F-8188-589B1DD08C50} - No File
BHO: Yahoo! Companion BHO: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\compan~1\installs\cpn\ycomp5_5_7_0.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {0EAF82C9-4B30-408C-8F59-86AC5196811D} - No File
BHO: {d9a0342a-f957-de19-ad04-90b680003191}: {19130008-6b09-40da-91ed-759fa2430a9d} - c:\windows\system32\qvwjdd.dll
BHO: {2E41E917-128E-4016-9399-3FDC97B9C3BF} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5285c9c9-24f3-4253-86c5-14c4730de359} - c:\windows\system32\rqRIccDS.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\pmnoMfDT.dll
BHO: {76847EC2-B709-4ACA-9392-A11AF39C7760} - No File
BHO: {76AFF1D5-98F1-43D7-B523-D430FB5EAA81} - No File
BHO: {D1D6D039-5145-4977-8C58-E9BFD83664BC} - No File
BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll
TB: &Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\compan~1\installs\cpn\ycomp5_5_7_0.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [S3TRAY2] S3tray2.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [nwiz] nwiz.exe /install
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [OPSE reminder] "c:\program files\scansoft\omnipagese2.0\eregeng\ereg.exe" -r "c:\program files\scansoft\omnipagese2.0\eregeng\ereg.ini"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mExplorerRun: [none] c:\program files\video activex object\pmsngr.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: &Search - http://bar.mywebsearch.com/menusearch.html?p=zuzeb004YYUS
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: {17A27031-71FC-11d4-815C-005004D0F1FA} - c:\program files\marketbrowser\lmt\MarketBrowser_Launch.xpy
IE: {578FC4E3-151E-456c-AF8E-B63061EFE228}}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_04\bin\npjpi150_04.dll
IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {205FF73B-CA67-11D5-99DD-444553540000} - hxxp://www.spywarestormer.com/files2/Install.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38134.3243287037
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: pmnoMfDT - pmnoMfDT.dll
AppInit_DLLs: honqaf.dll imvxuf.dll ugplhi.dll nhfcjd.dll oneqyq.dll hagtxu.dll saysti.dll yuvrta.dll bkzzyw.dll zmljyc.dll xoywdl.dll gjwmpj.dll fjaoje.dll jfzmwk.dll bazclg.dll qvwjdd.dll
SEH: HookRC Class: {a5780613-492e-4a2a-a7fd-549610edf6cc} - c:\program files\vcom\recovery commander\RCHOOK.DLL
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\pmnoMfDT.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\rqRIccDS

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\u0112z7s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPOJI610.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]
R4 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2007-12-29 2560]
R4 PackethSvc;Virtual NIC Service;c:\windows\system32\PackethSvc.exe [2004-6-3 64512]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-1-13 33752]

=============== Created Last 30 ================

2009-01-24 18:22 <DIR> --d----- c:\program files\Trend Micro
2009-01-24 17:10 10,520 -------- c:\windows\system32\avgrsstx.dll
2009-01-24 10:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-01-23 11:00 <DIR> --d----- c:\program files\AVG
2009-01-23 11:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-01-22 17:01 25,502 a--sh--- c:\windows\system32\SDccIRqr.ini2
2009-01-22 17:00 1,435,294 a--sh--- c:\windows\system32\mbmtulgk.ini
2009-01-21 12:27 126,464 a------- c:\windows\system32\qvwjdd.dll
2009-01-21 12:27 126,464 a------- c:\windows\system32\eiyjnaaj.dll
2009-01-20 12:28 82,944 a------- c:\windows\system32\tslyiwah.dll
2009-01-20 12:25 126,464 a------- c:\windows\system32\bazclg.dll
2009-01-20 12:25 126,464 a------- c:\windows\system32\slxgumvq.dll
2009-01-19 12:28 125,440 a------- c:\windows\system32\jfzmwk.dll
2009-01-19 12:28 125,440 a------- c:\windows\system32\wsbbexbl.dll
2009-01-19 12:25 86,016 a------- c:\windows\system32\xcwfyrxr.dll
2009-01-18 12:25 125,952 a------- c:\windows\system32\fjaoje.dll
2009-01-18 12:25 125,952 a------- c:\windows\system32\tldypjiu.dll
2009-01-18 12:24 80,896 a------- c:\windows\system32\bemcvbgf.dll
2009-01-17 11:54 81,920 a------- c:\windows\system32\bmqodcua.dll
2009-01-17 11:51 125,952 a------- c:\windows\system32\gjwmpj.dll
2009-01-17 11:51 125,952 a------- c:\windows\system32\pjnkjbgg.dll
2009-01-16 11:49 127,488 a------- c:\windows\system32\xoywdl.dll
2009-01-16 11:49 127,488 a------- c:\windows\system32\dywghrpd.dll
2009-01-15 11:51 82,432 a------- c:\windows\system32\tkaxohut.dll
2009-01-15 11:48 127,488 a------- c:\windows\system32\zmljyc.dll
2009-01-15 11:48 127,488 a------- c:\windows\system32\hhcuraer.dll
2009-01-14 11:48 125,440 a------- c:\windows\system32\bkzzyw.dll
2009-01-14 11:48 125,440 a------- c:\windows\system32\dieuqaum.dll
2009-01-13 11:48 123,904 a------- c:\windows\system32\yuvrta.dll
2009-01-13 11:48 123,904 a------- c:\windows\system32\guylenlc.dll
2009-01-13 11:48 79,872 a------- c:\windows\system32\cgwyaqtx.dll
2009-01-12 11:48 124,928 a------- c:\windows\system32\agmtlu.dll
2009-01-12 11:48 124,928 a------- c:\windows\system32\todokuxm.dll
2009-01-11 11:48 123,392 a------- c:\windows\system32\saysti.dll
2009-01-11 11:48 123,392 a------- c:\windows\system32\hdqrhcap.dll
2009-01-10 11:45 124,928 a------- c:\windows\system32\hagtxu.dll
2009-01-10 11:45 124,928 a------- c:\windows\system32\efcmwnjh.dll
2009-01-09 11:45 133,120 a------- c:\windows\system32\oneqyq.dll
2009-01-09 11:45 133,120 a------- c:\windows\system32\edftatsi.dll
2009-01-08 11:45 139,264 a------- c:\windows\system32\nhfcjd.dll
2009-01-08 11:45 139,264 a------- c:\windows\system32\jddsmdph.dll
2009-01-07 11:42 129,536 a------- c:\windows\system32\ugplhi.dll
2009-01-07 11:42 129,536 a------- c:\windows\system32\xfcmcvha.dll
2009-01-06 11:42 137,728 a------- c:\windows\system32\imvxuf.dll
2009-01-06 11:42 137,728 a------- c:\windows\system32\hunymxeg.dll
2009-01-05 11:51 133,632 a------- c:\windows\system32\honqaf.dll
2009-01-05 11:51 133,632 a------- c:\windows\system32\mojcilgg.dll
2008-12-30 19:27 25,502 a--sh--- c:\windows\system32\SDccIRqr.ini
2008-12-30 11:14 126,976 a------- c:\windows\system32\lhglhk.dll
2008-12-30 11:14 126,976 a------- c:\windows\system32\lhpnyubu.dll
2008-12-29 17:44 143 a------- c:\windows\system32\mcrh.tmp
2008-12-29 12:35 265 a------- c:\windows\wininit.ini
2008-12-29 11:14 131,584 a------- c:\windows\system32\hqcchb.dll
2008-12-29 11:14 131,584 a------- c:\windows\system32\lgllrfnb.dll
2008-12-29 11:11 287,744 a------- c:\windows\system32\rqRIccDS.dll
2008-12-29 11:05 50,176 -------- c:\windows\system32\pmnoMfDT.dll
2008-12-29 11:05 35,328 a------- c:\windows\system32\prunnet.exe

==================== Find3M ====================

2008-12-12 12:33 3,060,224 a------- c:\windows\system32\dllcache\mshtml.dll

============= FINISH: 18:56:37.43 ===============
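Added example (not part of the thread, and not code from DDS, ComboFix or either poster): a small Python triage script over the "Pseudo HJT Report" lines of the DDS log above. It maps every referenced DLL to the load points that reference it, so the layered persistence in this log, the same DLLs registered as BHO, Winlogon Notify package, shell-execute hook, AppInit_DLLs entry and extra LSA authentication package, stands out in one view. The sample lines are copied from the log; the function names (`parse_report`, `layered_modules`, `triage`), the severities and the heuristics are the example's own assumptions.

```python
"""Triage DDS 'Pseudo HJT Report' lines for layered persistence (added example).

Sample lines are copied from the DDS log posted above; heuristics, helper
names and severities are this example's own, not DDS's."""
import re
from collections import defaultdict

# Constructed sample input: a subset of the posted report's lines.
SAMPLE_REPORT = r"""
BHO: {000EE3F8-B011-479F-8188-589B1DD08C50} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {d9a0342a-f957-de19-ad04-90b680003191}: {19130008-6b09-40da-91ed-759fa2430a9d} - c:\windows\system32\qvwjdd.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5285c9c9-24f3-4253-86c5-14c4730de359} - c:\windows\system32\rqRIccDS.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\pmnoMfDT.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
mExplorerRun: [none] c:\program files\video activex object\pmsngr.exe
Notify: pmnoMfDT - pmnoMfDT.dll
AppInit_DLLs: honqaf.dll imvxuf.dll qvwjdd.dll
SEH: HookRC Class: {a5780613-492e-4a2a-a7fd-549610edf6cc} - c:\program files\vcom\recovery commander\RCHOOK.DLL
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\pmnoMfDT.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\rqRIccDS
"""

# BHO / toolbar / explorer bar / shell-execute hook lines:
#   KIND: [Display name: ]{CLSID} - path-or-"No File"
HOOK_RE = re.compile(
    r"^(?P<kind>BHO|TB|EB|SEH): (?:(?P<name>.+?): )?"
    r"\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.+)$"
)
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
# The only authentication package expected on a stock XP system.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}


def basename(path):
    """Lower-cased file name without directory or extension."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name.rsplit(".", 1)[0]


def parse_report(text):
    """Map each module to the load points that reference it.

    Returns (modules, findings): {basename: set(load point)} and a list of
    (severity, load point, detail) tuples."""
    modules = defaultdict(set)
    findings = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = HOOK_RE.match(line)
        if m:
            if m["target"] == "No File":
                findings.append(("low", m["kind"], "orphan CLSID " + m["clsid"]))
                continue
            modules[basename(m["target"])].add(m["kind"])
            # Hooks with no display name, or whose 'name' is itself a CLSID,
            # are how the randomly generated entries in this log appear.
            if m["name"] is None or GUID_RE.match(m["name"]):
                findings.append(("review", m["kind"], "unnamed hook " + m["target"]))
        elif line.startswith("AppInit_DLLs:"):
            # Every AppInit DLL is loaded into every GUI process: always review.
            for dll in line.split(":", 1)[1].split():
                modules[basename(dll)].add("AppInit_DLLs")
                findings.append(("high", "AppInit_DLLs", dll))
        elif line.startswith("LSA: Authentication Packages"):
            # Assumes package paths contain no spaces, as in this log.
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() not in DEFAULT_AUTH_PACKAGES:
                    modules[basename(pkg)].add("LSA")
                    findings.append(("high", "LSA", "extra auth package " + pkg))
        elif line.startswith("Notify:"):
            dll = line.split(" - ", 1)[1]
            modules[basename(dll)].add("Notify")
            findings.append(("review", "Notify", dll))
        elif line.startswith("mExplorerRun:"):
            findings.append(("review", "mExplorerRun", line.split("] ", 1)[1]))
    return modules, findings


def layered_modules(modules, min_points=2):
    """Modules registered at several load points, widest first: one DLL that is
    a BHO *and* a Winlogon notify package *and* a shell-execute hook is the
    Virtumonde pattern in this log."""
    hits = [(name, sorted(points)) for name, points in modules.items()
            if len(points) >= min_points]
    return sorted(hits, key=lambda h: (-len(h[1]), h[0]))


def triage(text):
    """Return (layered modules, high-priority findings, findings to review)."""
    modules, findings = parse_report(text)
    return (layered_modules(modules),
            [f for f in findings if f[0] == "high"],
            [f for f in findings if f[0] == "review"])


if __name__ == "__main__":
    layered, high, review = triage(SAMPLE_REPORT)
    for name, points in layered:
        print("%-10s hooked at: %s" % (name, ", ".join(points)))
    for severity, point, detail in high + review:
        print("[%s] %s: %s" % (severity, point, detail))
```

Pasting a full DDS report into SAMPLE_REPORT works the same way; every AppInit_DLLs entry and any LSA package other than msv1_0 is reported as high priority regardless of its name.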



#2 Bio-Hazard

Bio-Hazard

  • Members
  • 258 posts
  • OFFLINE
  • Gender:Male
  • Location:Cornwall, UK
  • Local time:06:27 PM

Posted 25 January 2009 - 07:36 AM

Hello and Welcome to forums!

My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If you don't know or understand something, please don't hesitate to ask.
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • It is important that you reply to this thread. Do not start a new topic.
  • Absence of symptoms does not mean that everything is clear.
NOTE: Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
MRU Master of Malware Removal University

Member of UNITE and ASAP

#3 soberoak

soberoak
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:27 PM

Posted 25 January 2009 - 02:23 PM

Fantastic! I'd appreciate any help you can give me, Bio-Hazard.

#4 Bio-Hazard

Bio-Hazard

  • Members
  • 258 posts
  • OFFLINE
  • Gender:Male
  • Location:Cornwall, UK
  • Local time:06:27 PM

Posted 26 January 2009 - 07:54 PM

Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

HOW TO USE COMBOFIX

IMPORTANT: combofix.exe MUST be on your Desktop for us to proceed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Double click on ComboFix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
NOTE: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
ComboFix should never take more than 20 minutes including the reboot if malware is detected.


Download HijackThis

To get things going I need you to download HijackThis; see the instructions below.
  • Click HERE to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


Next Reply

Please reply with:
  • ComboFix log (found at C:\Combofix.txt)
  • New HijackThis log


#5 soberoak

soberoak
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:27 PM

Posted 27 January 2009 - 03:10 PM

I started ComboFix and got a warning that AVG was running. I tried installing AVG over the weekend but it rolled back every time. There is no AVG option in either my program list or my uninstall list. Is it safe to continue?

#6 soberoak

soberoak
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:27 PM

Posted 27 January 2009 - 03:28 PM

This is the message I got last time I tried to install AVG:

Local machine: installation failed
Installation:
Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key....
Error 0x80070005

#7 Bio-Hazard

Bio-Hazard

  • Members
  • 258 posts
  • OFFLINE
  • Gender:Male
  • Location:Cornwall, UK
  • Local time:06:27 PM

Posted 28 January 2009 - 10:03 AM

Hello!

Download this tool to uninstall AVG. Then try reinstalling AVG again.

I started ComboFix and got a warning that AVG was running.


That is a normal action from ComboFix. You need to disable AVG before running it.

Please run the fixes according to my instructions in my last post.

#8 soberoak

soberoak
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:27 PM

Posted 28 January 2009 - 08:24 PM

Brilliant. Thanks, Bio-Hazard. Here are the requested logs:

ComboFix 09-01-21.04 - Owner 2009-01-28 19:43:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.512.234 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Owner\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system\oeminfo.ini
c:\windows\system32\agmtlu.dll
c:\windows\system32\bemcvbgf.dll
c:\windows\system32\bmqodcua.dll
c:\windows\system32\cgwyaqtx.dll
c:\windows\system32\dieuqaum.dll
c:\windows\system32\dumphive.exe
c:\windows\system32\dywghrpd.dll
c:\windows\system32\edftatsi.dll
c:\windows\system32\efcmwnjh.dll
c:\windows\system32\eiyjnaaj.dll
c:\windows\system32\guylenlc.dll
c:\windows\system32\hdqrhcap.dll
c:\windows\system32\hhcuraer.dll
c:\windows\system32\hqcchb.dll
c:\windows\system32\hunymxeg.dll
c:\windows\system32\jddsmdph.dll
c:\windows\system32\lgllrfnb.dll
c:\windows\system32\lhglhk.dll
c:\windows\system32\lhpnyubu.dll
c:\windows\system32\mbmtulgk.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\mojcilgg.dll
c:\windows\system32\pjnkjbgg.dll
c:\windows\system32\pmnoMfDT.dll
c:\windows\system32\Process.exe
c:\windows\system32\prunnet.exe
c:\windows\system32\qvwjdd.dll
c:\windows\system32\rqRIccDS.dll
c:\windows\system32\SDccIRqr.ini
c:\windows\SYSTEM32\SDccIRqr.ini2
c:\windows\system32\slxgumvq.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tkaxohut.dll
c:\windows\system32\tldypjiu.dll
c:\windows\system32\tmp.reg
c:\windows\system32\todokuxm.dll
c:\windows\system32\tslyiwah.dll
c:\windows\system32\wsbbexbl.dll
c:\windows\system32\xcwfyrxr.dll
c:\windows\system32\xfcmcvha.dll

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-29 )))))))))))))))))))))))))))))))
.

2009-01-28 19:25 . 2009-01-28 19:25 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-28 19:17 . 2009-01-28 19:17 76,040 --a------ c:\windows\SYSTEM32\drivers\avgtdix.sys
2009-01-28 19:17 . 2009-01-28 19:17 10,520 --a------ c:\windows\SYSTEM32\avgrsstx.dll
2009-01-28 19:16 . 2009-01-28 19:20 <DIR> d-------- c:\windows\SYSTEM32\drivers\Avg
2009-01-28 19:16 . 2009-01-28 19:16 97,928 --a------ c:\windows\SYSTEM32\drivers\avgldx86.sys
2009-01-25 21:17 . 2009-01-25 21:18 <DIR> d-------- c:\documents and settings\Owner\Application Data\U3
2009-01-25 15:29 . 2009-01-25 15:30 <DIR> d-------- c:\program files\Cobian Backup 8
2009-01-25 08:05 . 2009-01-25 08:05 <DIR> d-------- c:\program files\ERUNT
2009-01-24 19:10 . 2009-01-24 19:10 <DIR> d-------- C:\rsit
2009-01-24 18:22 . 2009-01-24 18:22 <DIR> d-------- c:\program files\Trend Micro
2009-01-24 12:17 . 2004-05-27 11:53 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2009-01-24 12:17 . 2004-05-27 11:53 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InterTrust
2009-01-24 12:17 . 2004-05-27 11:53 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Corel
2009-01-24 12:17 . 2009-01-28 19:17 <DIR> d-------- c:\documents and settings\Administrator
2009-01-24 10:33 . 2009-01-24 10:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-01-23 11:08 . 2009-01-23 11:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2009-01-23 11:06 . 2009-01-23 11:06 <DIR> d-------- c:\program files\Alwil Software
2009-01-23 11:00 . 2009-01-23 11:00 <DIR> d-------- c:\program files\AVG
2009-01-23 11:00 . 2009-01-28 19:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-13 12:46 . 2009-01-13 12:46 <DIR> d-------- c:\program files\NOS
2009-01-13 12:46 . 2009-01-19 10:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2008-12-29 12:35 . 2009-01-22 17:00 265 --a------ c:\windows\wininit.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-24 15:34 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-23 15:52 --------- d-----w c:\program files\VCOM
2009-01-23 15:44 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-15 13:27 --------- d-----w c:\documents and settings\Owner\Application Data\Template
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"KBD"="c:\hp\KBD\KBD.EXE" [2001-07-06 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2001-06-15 212992]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2001-08-07 143360]
"PS2"="c:\windows\system32\ps2.exe" [2001-07-03 81920]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-09-04 196608]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2001-08-07 90112]
"Cobian Backup 8 interface"="c:\program files\Cobian Backup 8\cbInterface.exe" [2007-09-27 2425856]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-28 1261336]
"S3TRAY2"="S3tray2.exe" [2001-10-04 c:\windows\SYSTEM32\S3tray2.exe]
"nwiz"="nwiz.exe" [2003-07-28 c:\windows\SYSTEM32\nwiz.exe]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
DING!.lnk.disabled [2006-10-30 1784]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
AutoPlay.exe [2001-09-17 36864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= vdrcodec.dll
"VIDC.DVSD"= miroDV2avi.DLL
"VIDC.PIM1"= pclepim1.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe"
"Yahoo! Pager"=c:\program files\Yahoo!\Messenger\ypager.exe -quiet
"Microsoft Works Update Detection"=c:\program files\Microsoft Works\WkDetect.exe
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"RCScheduleCheck"=c:\program files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
"RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"SunJavaUpdateSched"=c:\program files\Java\jre1.5.0_04\bin\jusched.exe
"OPSE reminder"="c:\program files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "c:\program files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Sports Interactive\\Worldwide Soccer Manager 2006\\wsm.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\drivers\avgldx86.sys [2009-01-28 97928]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-28 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-28 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\drivers\avgtdix.sys [2009-01-28 76040]
R4 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2007-12-29 2560]
R4 PackethSvc;Virtual NIC Service;c:\windows\SYSTEM32\PackethSvc.exe [2004-06-03 64512]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-01-13 33752]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-29 c:\windows\Tasks\dhzaqzme.job
- c:\windows\system32\cbXPiIXR.dll []

2004-05-27 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-08-04 02:56]

2004-05-27 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-08-04 02:56]

2004-05-27 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-08-04 02:56]

2004-05-27 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-08-04 02:56]

2004-05-27 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-08-04 02:56]

2004-05-27 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-08-04 02:56]
.
- - - - ORPHANS REMOVED - - - -

BHO-{000EE3F8-B011-479F-8188-589B1DD08C50} - (no file)
BHO-{0EAF82C9-4B30-408C-8F59-86AC5196811D} - (no file)
BHO-{19130008-6b09-40da-91ed-759fa2430a9d} - c:\windows\system32\qvwjdd.dll
BHO-{2E41E917-128E-4016-9399-3FDC97B9C3BF} - (no file)
BHO-{76847EC2-B709-4ACA-9392-A11AF39C7760} - (no file)
BHO-{76AFF1D5-98F1-43D7-B523-D430FB5EAA81} - (no file)
BHO-{C7FFD503-F7FA-4A03-9EDB-69F61873630D} - c:\windows\system32\rqRIccDS.dll
BHO-{D1D6D039-5145-4977-8C58-E9BFD83664BC} - (no file)
ShellExecuteHooks-{a5780613-492e-4a2a-a7fd-549610edf6cc} - c:\program files\VCOM\Recovery Commander\RCHOOK.DLL


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = <local>
uInternet Settings,ProxyOverride = <local>
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: &Search - http://bar.mywebsearch.com/menusearch.html?p=zuzeb004YYUS
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: {{17A27031-71FC-11d4-815C-005004D0F1FA} - c:\program files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
IE: {{578FC4E3-151E-456c-AF8E-B63061EFE228}}
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\u0112z7s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-28 19:58:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \103076C71E8172E2]

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \103076C71E8172E2\103076C71E8172E2]

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \103076C71E8172E2\81B8EBE4B3EADF39]
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Cobian Backup 8\cbService.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\windows\SYSTEM32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-01-28 20:05:52 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2009-01-29 01:05:49

Pre-Run: 55,972,782,080 bytes free
Post-Run: 55,892,668,416 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows Whistler Personal" /fastdetect /NoExecute=OptIn

280 --- E O F --- 2008-12-18 08:02:00


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:03 PM, on 1/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Cobian Backup 8\cbService.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Cobian Backup 8 interface] "C:\Program Files\Cobian Backup 8\cbInterface.exe" -service
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - S-1-5-18 Startup: DING!.lnk.disabled (User 'SYSTEM')
O4 - S-1-5-18 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: DING!.lnk.disabled (User 'Default user')
O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Startup: DING!.lnk.disabled
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=zuzeb004YYUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Cobian Backup 8 service (CobBMService) - Luis Cobian - C:\Program Files\Cobian Backup 8\cbService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe

--
End of file - 7235 bytes

#9 Bio-Hazard

Bio-Hazard

  • Members
  • 258 posts
  • Gender:Male
  • Location:Cornwall, UK
  • Local time:06:27 PM

Posted 30 January 2009 - 08:30 PM

Remove HijackThis entries
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=zuzeb004YYUS
    O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
    O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
    O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)


  • Close all open windows and browsers/email etc...
  • Click on the Fix Checked button
  • When completed close the application.
Run CFScript
  • Close any open browsers.
  • Open Notepad by clicking Start
  • Click Run
  • Type notepad into the box and click enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:
Folder::
c:\program files\MarketBrowser

File::
c:\windows\Tasks\dhzaqzme.job
c:\windows\system32\cbXPiIXR.dll
c:\documents and settings\Administrator\Start Menu\Programs\Startup\AutoPlay.exe

Save this as CFScript.txt, in the same location as ComboFix.exe (on your desktop)


Posted Image


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

NOTE: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop. Alternate download link 1
Alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the Perform Full Scan option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and Scan in progress will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say The scan completed successfully. Click 'Show Results' to display all objects found.
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Next Reply

Please reply with:
  • ComboFix log (found at C:\Combofix.txt)
  • Malwarebytes Antimalware log
  • New HijackThis log
  • A description of how your computer is behaving

MRU Master of Malware Removal University

Member of UNITE and ASAP
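A way to do the sifting above mechanically, as an added example that is not part of this thread and not Trend Micro's code: it parses HijackThis 2.0.2 lines of the shapes posted here into records and flags the entries a helper checks first (targets that no longer exist, context-menu items that call out to a remote URL, services with an unknown owner, anything under a directory slated for removal). The regexes, the Entry and Finding types and the triage rules are my own assumptions about the log format; the sample lines are excerpted from the log posted above.

```python
"""Parse HijackThis 2.0.2 log entries into structured records and apply a few
mechanical triage checks of the kind a malware-removal helper does by eye.

Added example, not code from the thread or from Trend Micro. The line shapes
come from the logs posted in the thread; the regexes, the Entry/Finding types
and the triage rules are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# "O9 - Extra button: ...": a section code, " - ", then the body.
HJT_LINE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Registry-style GUID in braces, as carried by BHO, toolbar and button entries.
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# "HKLM\..\Run: [name] command" shape used by O4 autostart entries.
O4_BODY = re.compile(r"^(?P<label>.*?): \[(?P<name>[^\]]*)\]\s*(?P<target>.*)$")

# Excerpted from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=zuzeb004YYUS
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


@dataclass
class Entry:
    kind: str                     # section code, e.g. "O9" or "O23"
    label: str                    # descriptive part, e.g. "Extra button: MktBrowser"
    target: str                   # file path, URL, command line, or "(no file)"
    clsid: Optional[str] = None   # GUID, when the entry carries one
    vendor: Optional[str] = None  # O23 service owner string, when present


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for one HijackThis line, or None for any other line."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")

    if kind == "O4":
        o4 = O4_BODY.match(body)
        if o4:
            return Entry(kind, f"{o4['label']}: [{o4['name']}]", o4["target"])
        return Entry(kind, body, "")

    c = CLSID.search(body)
    if c:
        # Label is everything before the GUID, target everything after it.
        # The thread's log has one GUID followed by a stray "}", so strip that too.
        label = body[: c.start()].rstrip(" -")
        target = body[c.end():].lstrip("} -")
        return Entry(kind, label, target, clsid=c.group(0))

    if kind == "O23":
        # "Service: name (short) - vendor - path"; split from the right so a
        # service name containing " - " cannot shift the vendor or the path.
        parts = body.rsplit(" - ", 2)
        if len(parts) == 3:
            return Entry(kind, parts[0], parts[2], vendor=parts[1])

    parts = body.rsplit(" - ", 1)
    label, target = (parts[0], parts[1]) if len(parts) == 2 else (body, "")
    return Entry(kind, label, target)


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


@dataclass
class Finding:
    entry: Entry
    reason: str


def triage(entries: Iterable[Entry], removal_dirs: Iterable[str] = ()) -> List[Finding]:
    """Flag entries a helper would look at first; flags are review prompts, not verdicts."""
    dirs = [d.lower().rstrip("\\") + "\\" for d in removal_dirs]
    findings: List[Finding] = []
    for e in entries:
        t = e.target.lower()
        if t == "(no file)":
            findings.append(Finding(e, "orphaned entry: target file is missing"))
        elif e.kind == "O8" and t.startswith(("http://", "https://")):
            findings.append(Finding(e, "context-menu item calls a remote URL"))
        elif e.kind == "O23" and (e.vendor or "").lower() == "unknown owner":
            findings.append(Finding(e, "service has no vendor information; review the binary"))
        elif any(t.startswith(d) for d in dirs):
            findings.append(Finding(e, "target lives under a directory slated for removal"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG), removal_dirs=[r"C:\Program Files\MarketBrowser"]):
        print(f"{f.entry.kind:<4} {f.reason:<55} {f.entry.target}")
```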

#10 soberoak

soberoak
  • Topic Starter

  • Members
  • 9 posts
  • Local time:02:27 PM

Posted 31 January 2009 - 12:39 PM

Just finished running Malwarebytes Antimalware. No browser problems and the computer seems to be running faster/smoother than it has in a long while. I'll let you know if that changes. My logs, meanwhile:

ComboFix 09-01-21.04 - Owner 2009-01-31 9:50:28.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.512.239 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -

FILE ::
c:\documents and settings\Administrator\Start Menu\Programs\Startup\AutoPlay.exe
c:\windows\system32\cbXPiIXR.dll
c:\windows\Tasks\dhzaqzme.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\AutoPlay.exe
c:\program files\MarketBrowser
c:\program files\MarketBrowser\lmt\bigfont.cnf
c:\program files\MarketBrowser\lmt\expo.cnf
c:\program files\MarketBrowser\lmt\expo.mac
c:\program files\MarketBrowser\lmt\exposrv.cnf
c:\program files\MarketBrowser\lmt\Exposrv.dll
c:\program files\MarketBrowser\lmt\expowin.cnf
c:\program files\MarketBrowser\lmt\favorits.txt
c:\program files\MarketBrowser\lmt\feat.mac
c:\program files\MarketBrowser\lmt\featdesc.txt
c:\program files\MarketBrowser\lmt\feathlp.txt
c:\program files\MarketBrowser\lmt\featprd.mnu
c:\program files\MarketBrowser\lmt\featreq.txt
c:\program files\MarketBrowser\lmt\featsrc.mnu
c:\program files\MarketBrowser\lmt\lmtdlg.exe
c:\program files\MarketBrowser\lmt\lmtunzip.dll
c:\program files\MarketBrowser\lmt\lmtzip.dll
c:\program files\MarketBrowser\lmt\macros\matype.mac
c:\program files\MarketBrowser\lmt\macros\mov.mac
c:\program files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
c:\program files\MarketBrowser\lmt\mbappver.txt
c:\program files\MarketBrowser\lmt\mbaustrt.txt
c:\program files\MarketBrowser\lmt\mbauth.xpl
c:\program files\MarketBrowser\lmt\mbclick.xpl
c:\program files\MarketBrowser\lmt\mbiecolr.ico
c:\program files\MarketBrowser\lmt\mbiegray.ico
c:\program files\MarketBrowser\lmt\mbiname.txt
c:\program files\MarketBrowser\lmt\mbprep.txt
c:\program files\MarketBrowser\lmt\mbreset.mac
c:\program files\MarketBrowser\lmt\mbsmfav.xpl
c:\program files\MarketBrowser\lmt\mbterms.txt
c:\program files\MarketBrowser\lmt\mbweb.fld
c:\program files\MarketBrowser\lmt\mbwebcon.xpl
c:\program files\MarketBrowser\lmt\mbwebsvc.xpl
c:\program files\MarketBrowser\lmt\mktbrws.cnf
c:\program files\MarketBrowser\lmt\mktbrws.exe
c:\program files\MarketBrowser\lmt\msvcrt.dll
c:\program files\MarketBrowser\lmt\msvcrt40.dll
c:\program files\MarketBrowser\lmt\nsget.mac
c:\program files\MarketBrowser\lmt\oncrpc.dll
c:\program files\MarketBrowser\lmt\palette.mac
c:\program files\MarketBrowser\lmt\pdc.mac
c:\program files\MarketBrowser\lmt\pdsite.xpl
c:\program files\MarketBrowser\lmt\pdwebmk.xpl
c:\program files\MarketBrowser\lmt\pickd.mac
c:\program files\MarketBrowser\lmt\pickd.xpl
c:\program files\MarketBrowser\lmt\pickdcfg.xpl
c:\program files\MarketBrowser\lmt\pickdint
c:\program files\MarketBrowser\lmt\pickdmk.xpl
c:\program files\MarketBrowser\lmt\pickdqq.xpl
c:\program files\MarketBrowser\lmt\pickdsrc
c:\program files\MarketBrowser\lmt\pickdtfm
c:\program files\MarketBrowser\lmt\rotate3d.scr
c:\program files\MarketBrowser\lmt\rover.cnf
c:\program files\MarketBrowser\lmt\semenus\advpref.mnu
c:\program files\MarketBrowser\lmt\semenus\bandhilo.mnu
c:\program files\MarketBrowser\lmt\semenus\bandpct.mnu
c:\program files\MarketBrowser\lmt\semenus\bandstd.mnu
c:\program files\MarketBrowser\lmt\semenus\business.mnu
c:\program files\MarketBrowser\lmt\semenus\cpi.mnu
c:\program files\MarketBrowser\lmt\semenus\custcomp.mnu
c:\program files\MarketBrowser\lmt\semenus\delfave.mnu
c:\program files\MarketBrowser\lmt\semenus\dmov.mnu
c:\program files\MarketBrowser\lmt\semenus\emailopt.mnu
c:\program files\MarketBrowser\lmt\semenus\employ.mnu
c:\program files\MarketBrowser\lmt\semenus\exchange.mnu
c:\program files\MarketBrowser\lmt\semenus\expwma.mnu
c:\program files\MarketBrowser\lmt\semenus\faststoc.mnu
c:\program files\MarketBrowser\lmt\semenus\frbstls1.mnu
c:\program files\MarketBrowser\lmt\semenus\ftpid.mnu
c:\program files\MarketBrowser\lmt\semenus\gdp.mnu
c:\program files\MarketBrowser\lmt\semenus\getemail.mnu
c:\program files\MarketBrowser\lmt\semenus\irates.mnu
c:\program files\MarketBrowser\lmt\semenus\loans.mnu
c:\program files\MarketBrowser\lmt\semenus\macd.mnu
c:\program files\MarketBrowser\lmt\semenus\mbactiv.mnu
c:\program files\MarketBrowser\lmt\semenus\mbautop.mnu
c:\program files\MarketBrowser\lmt\semenus\mbbmadd.mnu
c:\program files\MarketBrowser\lmt\semenus\mblongnm.mnu
c:\program files\MarketBrowser\lmt\semenus\medprc.mnu
c:\program files\MarketBrowser\lmt\semenus\mfdx.mnu
c:\program files\MarketBrowser\lmt\semenus\mktmon2.mnu
c:\program files\MarketBrowser\lmt\semenus\mom.mnu
c:\program files\MarketBrowser\lmt\semenus\monetary.mnu
c:\program files\MarketBrowser\lmt\semenus\mov1.mnu
c:\program files\MarketBrowser\lmt\semenus\mov1s.mnu
c:\program files\MarketBrowser\lmt\semenus\mov2.mnu
c:\program files\MarketBrowser\lmt\semenus\mov3.mnu
c:\program files\MarketBrowser\lmt\semenus\newfave.mnu
c:\program files\MarketBrowser\lmt\semenus\numcols.mnu
c:\program files\MarketBrowser\lmt\semenus\pctr.mnu
c:\program files\MarketBrowser\lmt\semenus\pdatt.mnu
c:\program files\MarketBrowser\lmt\semenus\pdatt2.mnu
c:\program files\MarketBrowser\lmt\semenus\pdatt3.mnu
c:\program files\MarketBrowser\lmt\semenus\pdattdef.mnu
c:\program files\MarketBrowser\lmt\semenus\pdcustm2.mnu
c:\program files\MarketBrowser\lmt\semenus\pdcustom.mnu
c:\program files\MarketBrowser\lmt\semenus\pdreret.mnu
c:\program files\MarketBrowser\lmt\semenus\ppi.mnu
c:\program files\MarketBrowser\lmt\semenus\prefport.mnu
c:\program files\MarketBrowser\lmt\semenus\prefprt2.mnu
c:\program files\MarketBrowser\lmt\semenus\prntpref.mnu
c:\program files\MarketBrowser\lmt\semenus\pv.mnu
c:\program files\MarketBrowser\lmt\semenus\pvolx.mnu
c:\program files\MarketBrowser\lmt\semenus\removewn.mnu
c:\program files\MarketBrowser\lmt\semenus\reserves.mnu
c:\program files\MarketBrowser\lmt\semenus\roc.mnu
c:\program files\MarketBrowser\lmt\semenus\rsi.mnu
c:\program files\MarketBrowser\lmt\semenus\sar.mnu
c:\program files\MarketBrowser\lmt\semenus\shutpref.mnu
c:\program files\MarketBrowser\lmt\semenus\simpcht.mnu
c:\program files\MarketBrowser\lmt\semenus\slowstoc.mnu
c:\program files\MarketBrowser\lmt\semenus\sprd.mnu
c:\program files\MarketBrowser\lmt\semenus\stdcomp.mnu
c:\program files\MarketBrowser\lmt\semenus\studydat.mnu
c:\program files\MarketBrowser\lmt\semenus\trend.mnu
c:\program files\MarketBrowser\lmt\semenus\ultos.mnu
c:\program files\MarketBrowser\lmt\semenus\usrcustm.mnu
c:\program files\MarketBrowser\lmt\semenus\vol.mnu
c:\program files\MarketBrowser\lmt\semenus\volume.mnu
c:\program files\MarketBrowser\lmt\semenus\webpref.mnu
c:\program files\MarketBrowser\lmt\semenus\weekly.mnu
c:\program files\MarketBrowser\lmt\semenus\winbox.mnu
c:\program files\MarketBrowser\lmt\semenus\winipref.mnu
c:\program files\MarketBrowser\lmt\semenus\wksprop.mnu
c:\program files\MarketBrowser\lmt\smalfont.cnf
c:\program files\MarketBrowser\lmt\start.bmp
c:\program files\MarketBrowser\lmt\support.mac
c:\program files\MarketBrowser\lmt\system.mac
c:\program files\MarketBrowser\lmt\system.xpl
c:\program files\MarketBrowser\lmt\tech.mac
c:\program files\MarketBrowser\lmt\tech3.mac
c:\program files\MarketBrowser\lmt\techovl.mac
c:\program files\MarketBrowser\lmt\touch.exe
c:\program files\MarketBrowser\lmt\try.bmp
c:\program files\MarketBrowser\lmt\urllist.txt
c:\program files\MarketBrowser\lmt\winbox.mac
c:\program files\MarketBrowser\lmt\xpl\corrmat.xpl
c:\program files\MarketBrowser\lmt\xpl\matype.xpl
c:\program files\MarketBrowser\lmt\xpl\mov.xpl
c:\program files\MarketBrowser\lmt\xpl\nsget.xpl
c:\program files\MarketBrowser\lmt\xpl\tech.xpl
c:\program files\MarketBrowser\lmt\xpl\winbox.xpl
c:\program files\MarketBrowser\lmt\xpwfile.ico
c:\windows\Tasks\dhzaqzme.job

.
((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-31 )))))))))))))))))))))))))))))))
.

2009-01-28 19:25 . 2009-01-30 04:51 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-28 19:17 . 2009-01-28 19:17 76,040 --a------ c:\windows\SYSTEM32\drivers\avgtdix.sys
2009-01-28 19:17 . 2009-01-28 19:17 10,520 --a------ c:\windows\SYSTEM32\avgrsstx.dll
2009-01-28 19:16 . 2009-01-31 00:49 <DIR> d-------- c:\windows\SYSTEM32\drivers\Avg
2009-01-28 19:16 . 2009-01-28 19:16 97,928 --a------ c:\windows\SYSTEM32\drivers\avgldx86.sys
2009-01-25 21:17 . 2009-01-25 21:18 <DIR> d-------- c:\documents and settings\Owner\Application Data\U3
2009-01-25 15:29 . 2009-01-25 15:30 <DIR> d-------- c:\program files\Cobian Backup 8
2009-01-25 08:05 . 2009-01-25 08:05 <DIR> d-------- c:\program files\ERUNT
2009-01-24 19:10 . 2009-01-24 19:10 <DIR> d-------- C:\rsit
2009-01-24 18:22 . 2009-01-24 18:22 <DIR> d-------- c:\program files\Trend Micro
2009-01-24 12:17 . 2004-05-27 11:53 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2009-01-24 12:17 . 2004-05-27 11:53 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InterTrust
2009-01-24 12:17 . 2004-05-27 11:53 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Corel
2009-01-24 12:17 . 2009-01-28 19:17 <DIR> d-------- c:\documents and settings\Administrator
2009-01-24 10:33 . 2009-01-24 10:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-01-23 11:08 . 2009-01-23 11:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2009-01-23 11:06 . 2009-01-23 11:06 <DIR> d-------- c:\program files\Alwil Software
2009-01-23 11:00 . 2009-01-23 11:00 <DIR> d-------- c:\program files\AVG
2009-01-23 11:00 . 2009-01-28 19:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-13 12:46 . 2009-01-13 12:46 <DIR> d-------- c:\program files\NOS
2009-01-13 12:46 . 2009-01-19 10:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2008-12-29 12:35 . 2009-01-22 17:00 265 --a------ c:\windows\wininit.ini
2008-12-15 08:27 . 2008-12-15 08:27 <DIR> d-------- c:\documents and settings\Owner\Application Data\Template

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-24 15:34 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-23 15:52 --------- d-----w c:\program files\VCOM
2009-01-23 15:44 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-12 17:33 3,060,224 ----a-w c:\windows\SYSTEM32\dllcache\mshtml.dll
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 11:57 333,184 ----a-w c:\windows\SYSTEM32\dllcache\srv.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\SYSTEM32\gdi32.dll
2008-10-23 13:01 283,648 ----a-w c:\windows\SYSTEM32\dllcache\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\SYSTEM32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\SYSTEM32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\SYSTEM32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\SYSTEM32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\SYSTEM32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\SYSTEM32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\SYSTEM32\wups.dll
2008-10-15 09:45 18,432 ----a-w c:\windows\SYSTEM32\dllcache\iedw.exe
2008-10-03 10:15 247,326 ----a-w c:\windows\SYSTEM32\strmdll.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\SYSTEM32\dllcache\strmdll.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-28_20.04.04.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\1-29-2009\ERDNT.EXE
+ 2009-01-29 13:06:50 6,582,272 ----a-w c:\windows\ERDNT\AutoBackup\1-29-2009\Users\00000001\NTUSER.DAT
+ 2009-01-29 13:06:50 2,732,032 ----a-w c:\windows\ERDNT\AutoBackup\1-29-2009\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"KBD"="c:\hp\KBD\KBD.EXE" [2001-07-06 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2001-06-15 212992]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2001-08-07 143360]
"PS2"="c:\windows\system32\ps2.exe" [2001-07-03 81920]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-09-04 196608]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2001-08-07 90112]
"Cobian Backup 8 interface"="c:\program files\Cobian Backup 8\cbInterface.exe" [2007-09-27 2425856]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-28 1261336]
"S3TRAY2"="S3tray2.exe" [2001-10-04 c:\windows\SYSTEM32\S3tray2.exe]
"nwiz"="nwiz.exe" [2003-07-28 c:\windows\SYSTEM32\nwiz.exe]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
DING!.lnk.disabled [2006-10-30 1784]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= vdrcodec.dll
"VIDC.DVSD"= miroDV2avi.DLL
"VIDC.PIM1"= pclepim1.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe"
"Yahoo! Pager"=c:\program files\Yahoo!\Messenger\ypager.exe -quiet
"Microsoft Works Update Detection"=c:\program files\Microsoft Works\WkDetect.exe
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"RCScheduleCheck"=c:\program files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
"RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"SunJavaUpdateSched"=c:\program files\Java\jre1.5.0_04\bin\jusched.exe
"OPSE reminder"="c:\program files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "c:\program files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Sports Interactive\\Worldwide Soccer Manager 2006\\wsm.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\drivers\avgldx86.sys [2009-01-28 97928]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-28 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-28 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\drivers\avgtdix.sys [2009-01-28 76040]
R4 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2007-12-29 2560]
R4 PackethSvc;Virtual NIC Service;c:\windows\SYSTEM32\PackethSvc.exe [2004-06-03 64512]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-01-13 33752]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2004-05-27 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-08-04 02:56]

2004-05-27 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-08-04 02:56]

2004-05-27 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-08-04 02:56]

2004-05-27 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-08-04 02:56]

2004-05-27 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-08-04 02:56]

2004-05-27 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-08-04 02:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = <local>
uInternet Settings,ProxyOverride = <local>
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\u0112z7s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-31 09:51:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

.
Completion time: 2009-01-31 9:56:06
ComboFix-quarantined-files.txt 2009-01-31 14:55:13
ComboFix2.txt 2009-01-29 01:05:54

Pre-Run: 55,717,232,640 bytes free
Post-Run: 55,747,022,848 bytes free

373 --- E O F --- 2009-01-29 08:03:43


Malwarebytes' Anti-Malware 1.33
Database version: 1712
Windows 5.1.2600 Service Pack 2

1/31/2009 12:29:14 PM
mbam-log-2009-01-31 (12-29-14).txt

Scan type: Full Scan (C:\|)
Objects scanned: 132102
Time elapsed: 1 hour(s), 28 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:38:38 PM, on 1/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Cobian Backup 8\cbService.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {000EE3F8-B011-479F-8188-589B1DD08C50} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0EAF82C9-4B30-408C-8F59-86AC5196811D} - (no file)
O2 - BHO: (no name) - {19130008-6b09-40da-91ed-759fa2430a9d} - (no file)
O2 - BHO: (no name) - {2E41E917-128E-4016-9399-3FDC97B9C3BF} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7288B387-9546-4474-9ACA-0BB2FB8C122F} - (no file)
O2 - BHO: (no name) - {76847EC2-B709-4ACA-9392-A11AF39C7760} - (no file)
O2 - BHO: (no name) - {76AFF1D5-98F1-43D7-B523-D430FB5EAA81} - (no file)
O2 - BHO: (no name) - {D1D6D039-5145-4977-8C58-E9BFD83664BC} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Cobian Backup 8 interface] "C:\Program Files\Cobian Backup 8\cbInterface.exe" -service
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - S-1-5-18 Startup: DING!.lnk.disabled (User 'SYSTEM')
O4 - S-1-5-18 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: DING!.lnk.disabled (User 'Default user')
O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Startup: DING!.lnk.disabled
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: pmnoMfDT - C:\WINDOWS\
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Cobian Backup 8 service (CobBMService) - Luis Cobian - C:\Program Files\Cobian Backup 8\cbService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe

--
End of file - 7759 bytes

#11 Bio-Hazard

Posted 31 January 2009 - 01:26 PM

Spybot S&D Teatimer

We need to disable Spybot S&D's TeaTimer. TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running. In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click [image] and then on Advanced Mode
  • You may be presented with a warning dialog. If so, press [image]
  • Click on [image]
  • Click on [image]
  • Uncheck this checkbox: [image]
  • Close/Exit Spybot Search and Destroy
  • Reboot your machine for the changes to take effect.
Remove HijackThis entries
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O2 - BHO: (no name) - {000EE3F8-B011-479F-8188-589B1DD08C50} - (no file)
    O2 - BHO: (no name) - {0EAF82C9-4B30-408C-8F59-86AC5196811D} - (no file)
    O2 - BHO: (no name) - {19130008-6b09-40da-91ed-759fa2430a9d} - (no file)
    O2 - BHO: (no name) - {2E41E917-128E-4016-9399-3FDC97B9C3BF} - (no file)
    O2 - BHO: (no name) - {7288B387-9546-4474-9ACA-0BB2FB8C122F} - (no file)
    O2 - BHO: (no name) - {76847EC2-B709-4ACA-9392-A11AF39C7760} - (no file)
    O2 - BHO: (no name) - {76AFF1D5-98F1-43D7-B523-D430FB5EAA81} - (no file)
    O2 - BHO: (no name) - {D1D6D039-5145-4977-8C58-E9BFD83664BC} - (no file)
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} -
    O20 - Winlogon Notify: pmnoMfDT - C:\WINDOWS\


  • Close all open windows and browsers/email etc...
  • Click on the Fix Checked button
  • When completed close the application.
Update Java Runtime:

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason it's extremely important that you keep the program up to date and also remove the older, more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 11.
  • Go to HERE
  • Click on the link named Java Runtime Environment (JRE) 6 Update 11
  • Click on the radio button to Accept License Agreement
  • Click on Windows Offline Installation Multi-language and save the downloaded file to your hard disk
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 2 Runtime Environment JRE or JSE)
  • Reboot your computer
  • Delete the folder C:\Program Files\Java if present
  • Install the new version by running the newly-downloaded file and follow the on-screen instructions.
  • Reboot your computer
ATF-Cleaner

Please download ATF Cleaner by Atribune.
  • Save it to your desktop
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use the Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Kaspersky Online Scan

Please go to the Kaspersky website and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Read through the requirements and privacy statement and click on the Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply along with a fresh HijackThis log.
Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • Kaspersky Log
  • A fresh HijackThis Log (after all the above has been done)
  • A description of how your computer is behaving

MRU Master of Malware Removal University

Member of UNITE and ASAP
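
The HijackThis triage Bio-Hazard performs above, as an added Python example (not code from the thread, from BleepingComputer or from HijackThis): it flags the same three shapes of entry he ticks for "Fix checked" (O2 BHOs with no file behind them, an O16 DPF with no target, an O20 Winlogon Notify hook left pointing at a bare folder) and diffs a log taken before the fix against one taken after, to confirm the entries went away. The sample logs are constructed from the HijackThis output posted in the thread; the rules and function names are my own.

```python
"""Triage a HijackThis 2.0.2 log the way the helper does in this thread.

Added example: not code from the thread, from BleepingComputer or from
HijackThis itself. It flags the three entry shapes the helper ticked for
"Fix checked":
  * O2  BHO entries whose DLL is gone, shown as "(no file)": orphaned
        CLSIDs left behind once a Vundo/Virtumonde DLL has been deleted
  * O16 DPF (ActiveX download) entries with no remaining target
  * O20 Winlogon Notify hooks that point at a bare folder instead of a DLL
The sample logs below are constructed from the HijackThis output posted
in the thread (the 12:38 PM log before the fix, the 6:04 PM log after).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Generic shape of a HijackThis line: section code, " - ", the rest.
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")


@dataclass(frozen=True)
class Finding:
    line: str    # the log line exactly as a helper would paste it back
    reason: str  # why it is marked for removal


def classify(line: str) -> Optional[Finding]:
    """Return a Finding if this log line matches one of the flagged shapes."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2).rstrip()
    # Whatever follows the last " - " is the target: a path, a URL, or nothing.
    target = body.rsplit(" - ", 1)[-1] if " - " in body else ""
    if section == "O2" and body.endswith("(no file)"):
        return Finding(line.strip(), "BHO registered but its DLL is missing")
    if section == "O16" and (target == "" or body.endswith("-")):
        return Finding(line.strip(), "DPF entry with no download target")
    if section == "O20" and "Winlogon Notify" in body and target.endswith("\\"):
        return Finding(line.strip(), "Winlogon Notify hook points at a folder, not a DLL")
    return None


def triage(log_text: str) -> List[Finding]:
    """All flagged entries, in log order."""
    return [f for f in (classify(ln) for ln in log_text.splitlines()) if f]


def fix_list(log_text: str) -> List[str]:
    """The lines a helper would tick under 'Fix checked'."""
    return [f.line for f in triage(log_text)]


def diff_entries(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Entries that vanished / appeared between two logs, to confirm a fix took."""
    def entries(text: str) -> set:
        return {ln.strip() for ln in text.splitlines() if ENTRY_RE.match(ln.strip())}
    old, new = entries(before), entries(after)
    return sorted(old - new), sorted(new - old)


# Constructed from the thread's 12:38 PM HijackThis log (before the fix).
BEFORE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {000EE3F8-B011-479F-8188-589B1DD08C50} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {0EAF82C9-4B30-408C-8F59-86AC5196811D} - (no file)
O2 - BHO: (no name) - {19130008-6b09-40da-91ed-759fa2430a9d} - (no file)
O2 - BHO: (no name) - {2E41E917-128E-4016-9399-3FDC97B9C3BF} - (no file)
O2 - BHO: (no name) - {7288B387-9546-4474-9ACA-0BB2FB8C122F} - (no file)
O2 - BHO: (no name) - {76847EC2-B709-4ACA-9392-A11AF39C7760} - (no file)
O2 - BHO: (no name) - {76AFF1D5-98F1-43D7-B523-D430FB5EAA81} - (no file)
O2 - BHO: (no name) - {D1D6D039-5145-4977-8C58-E9BFD83664BC} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O20 - Winlogon Notify: pmnoMfDT - C:\WINDOWS\
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
"""

# Constructed from the 6:04 PM log posted after 'Fix checked' was run.
AFTER_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
"""

if __name__ == "__main__":
    for f in triage(BEFORE_LOG):
        print(f"{f.reason:50s} {f.line}")
    removed, added = diff_entries(BEFORE_LOG, AFTER_LOG)
    print(f"\n{len(removed)} entries removed and {len(added)} added by the fix")
```

Note that a "(no name)" BHO with a real DLL behind it (the Microsoft Money entry) is deliberately left alone, as the helper left it; the name being blank is not by itself a sign of infection.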

#12 soberoak

Posted 31 January 2009 - 06:07 PM

New problem. After uninstalling the old Java and rebooting, AVG did not autostart. When I try to start it from the programs menu, nothing happens. And the computer seems a tad sluggish again.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, January 31, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, January 31, 2009 15:48:35
Records in database: 1732766
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 87345
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 02:16:59


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\AOL Downloads\lpkw_setupSTUS\comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1

The selected area was scanned.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:04:53 PM, on 1/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Cobian Backup 8\cbService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Owner\Local Settings\temp\jkos-Owner\binaries\ScanningProcess.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Cobian Backup 8 interface] "C:\Program Files\Cobian Backup 8\cbInterface.exe" -service
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - S-1-5-18 Startup: DING!.lnk.disabled (User 'SYSTEM')
O4 - S-1-5-18 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: DING!.lnk.disabled (User 'Default user')
O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Startup: DING!.lnk.disabled
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Cobian Backup 8 service (CobBMService) - Luis Cobian - C:\Program Files\Cobian Backup 8\cbService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe

--
End of file - 7416 bytes

#13 Bio-Hazard

Posted 01 February 2009 - 11:12 AM

Hello!

Download this tool (if you have already deleted the one you used earlier) to uninstall AVG. Then try reinstalling AVG again.

Read this article about Slow Computer/browser? to see if that helps with the computer being sluggish.

From your Add/Remove list I can see that you have an old version of Spybot - Search & Destroy 1.3 installed. I would uninstall it. The current version is Spybot - Search & Destroy 1.6.2.

Update Adobe Reader

Please uninstall the older version of Adobe Reader before installing the latest version.
  • Click Start
  • Control Panel
  • Double-click Add/Remove Programs
  • Locate the older version of Adobe Reader and click on Change/Remove to uninstall it
  • Click HERE to download the latest version of Adobe Acrobat Reader.
  • Select your Windows version and click on Download. If you are using Internet Explorer, you will receive prompts. Allow the installation to run and it will be installed automatically for you. If you are using other browsers, it will prompt you to save a file. Save this file to your desktop and run it to install the latest version of Adobe Reader.
  • Close your Internet browser and open it again.
Optional Fix

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager and Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player's components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager, the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything bad. This may change; read Viewpoint to Plunge Into Adware.

I recommend that you remove the Viewpoint products; however, decide for yourself.

To uninstall the Viewpoint components:
  • Click Start, point to Settings, and then click Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs, highlight >>Viewpoint component<<, click Remove.

How to prevent it from being recreated every time you run the AOL software:
  • Open AOL
  • Go to Help on the toolbar
  • Select About AOL
  • Hit Ctrl D and a secret panel can be accessed which will allow you to disable all desktop and IM features associated with Viewpoint.
Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • A fresh HijackThis Log (after all the above has been done)
  • A description of how your computer is behaving

Edited by Bio-Hazard, 01 February 2009 - 11:12 AM.

#14 soberoak

Posted 01 February 2009 - 06:44 PM

Haven't done everything in the "slow computer" article, but did everything you suggested and the computer seems to be running fine again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:43:47 PM, on 2/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Cobian Backup 8\cbService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Cobian Backup 8 interface] "C:\Program Files\Cobian Backup 8\cbInterface.exe" -service
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\RunOnce: [Uninstall getPlus® for Adobe] "C:\Program Files\NOS\bin\getPlus_HelperSvc.exe" /UninstallGet1noarp
O4 - S-1-5-18 Startup: DING!.lnk.disabled (User 'SYSTEM')
O4 - S-1-5-18 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: Logitech . Product Registration.lnk = C:\Program Files\Logitech\QuickCam\eReg.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: DING!.lnk.disabled (User 'Default user')
O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
O4 - .DEFAULT Startup: Logitech . Product Registration.lnk = C:\Program Files\Logitech\QuickCam\eReg.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Startup: DING!.lnk.disabled
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Logitech . Product Registration.lnk = C:\Program Files\Logitech\QuickCam\eReg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Cobian Backup 8 service (CobBMService) - Luis Cobian - C:\Program Files\Cobian Backup 8\cbService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe

--
End of file - 8472 bytes
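The HijackThis log above is a plain-text list of `Oxx - ...` entries, and the lines a helper looks at first are predictable: `O20` AppInit_DLLs, `O23` services with an unknown owner, `O2`/`O9` browser add-ons with no name, and `O4` autoruns that name a bare executable instead of a full path. The following is an added example, not code from HijackThis, BleepingComputer or either poster; the function names and the `SAMPLE_LOG` are my own, and the sample lines are constructed to mirror the kinds of entries in the log posted above rather than copied from it. It is a triage aid for a reader of such logs, not a verdict on any of these entries.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 log format; the entries mirror the kinds
# of lines in the log posted above (not a copy of that log).
SAMPLE_LOG = """\
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\\Program Files\\Microsoft Money\\System\\mnyviewer.dll
O4 - HKLM\\..\\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /install
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Java\\jre6\\bin\\jusched.exe"
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\\WINDOWS\\runservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\System32\\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")      # "O23 - Service: ..."
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")    # absolute path such as C:\...
RUN_KEY_RE = re.compile(r"\bRun(Once)?:")      # O4 Run / RunOnce entries


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O23"
    reason: str    # why an analyst should look at this line
    line: str      # the original log line


def parse_entries(log_text):
    """Yield (section, body, line) for every 'Oxx - body' line in the log."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), line


def autorun_exe(target):
    """Return the executable part of an O4 command: the quoted path, or the first token."""
    target = target.strip()
    if target.startswith('"'):
        end = target.find('"', 1)
        return target[1:end] if end > 0 else target[1:]
    return target.split()[0] if target else ""


def triage(log_text):
    """Return the Findings an analyst would review first, in log order."""
    findings = []
    for section, body, line in parse_entries(log_text):
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # Every DLL named here is loaded into each process that maps user32.dll,
            # so it has to be accounted for (in the thread it is AVG's component).
            findings.append(Finding(section, "AppInit_DLLs entry is loaded into all GUI processes; "
                                             "confirm it belongs to installed security software", line))
        elif section == "O23" and "Unknown owner" in body:
            findings.append(Finding(section, "service binary has no recognised publisher; "
                                             "verify the file on disk", line))
        elif section in ("O2", "O9") and "(no name)" in body:
            findings.append(Finding(section, "browser add-on registered without a display name; "
                                             "identify the DLL", line))
        elif section == "O4" and RUN_KEY_RE.search(body):
            m = re.search(r"\]\s*(.*)$", body)          # text after "[name]"
            exe = autorun_exe(m.group(1)) if m else ""
            if not DRIVE_PATH_RE.match(exe):
                # A bare file name is resolved through the search path, so the
                # registry value alone does not pin down which file runs.
                findings.append(Finding(section, "autorun given without an absolute path; "
                                                 "check which file actually runs", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the constructed sample it reports five lines: the nameless `O2` BHO, the two `O4` autoruns with bare file names, the `O20` AppInit_DLLs entry and the `O23` service with an unknown owner. None of those is a detection by itself; each is a place where the analyst checks the file on disk and its publisher, which is exactly what the helper in this thread did by hand.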

#15 Bio-Hazard

Bio-Hazard

  • Members
  • 258 posts
  • Gender:Male
  • Location:Cornwall, UK

Posted 02 February 2009 - 08:41 AM

Firewall

Looking over your log it seems you don't have any evidence of a third party FIREWALL. As the term conveys, a firewall is an extra layer of security installed onto computers which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders.

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to phone home for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

I would recommend that you install a free firewall for personal use from one of these excellent vendors. Choice is yours:

Your log now appears to be clean. Congratulations!

You can get rid of the tools we used:
  • DDS (You can just delete the exe file from your desktop)
  • ATF cleaner (You can just delete the exe file from your desktop)
Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints. You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint.
  • Delete ComboFix and Clean Up
    Click Start > Run > type combofix /u > OK (Note the space between combofix and /u)
    Please advise if this step is missed for any reason as it performs some important actions.

    Protection Programs
    Don't forget to re-enable any protection programs we disabled during your fix.

    You can now re-enable Spybot's TeaTimer

    General Security and Computer Health
    Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.
  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    NOTE:You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
    NOTE: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.
  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector or F-secure Health Check. I suggest that you run one of them at least once a month.
  • Make Internet Explorer More Secure
    You are using Internet Explorer v.6.
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.
Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.
  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
  • SpywareBlaster
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE. You can download SpywareBlaster from HERE.
  • Hosts File
    For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.
  • Use an alternative Internet Browser
    Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead: Firefox or Opera
Finally, I am trying to make one point very clear. It is ABSOLUTELY ESSENTIAL to keep all of your security programs up to date.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!

Bio-Hazard
MRU Master of Malware Removal University

Member of UNITE and ASAP



