
Trojan Horse Generic 12. BORF


8 replies to this topic

#1 ludekz

ludekz

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:15 AM

Posted 18 February 2009 - 01:18 AM

Unfortunately my infected PC doesn't allow me to open your web page any more, to run the required steps to screen the infected C drive. I am enclosing a copy of my previous post in a different forum, posted by mistake. I was redirected here. Your help is appreciated.



My PC is infected with Trojan Horse Generic 12. BORF. The Trojan was recognized by AVG 8.0 software, but unfortunately can't be removed. The next check-up with AVG shows the same infection in the same files, plus the next line in the AVG address.
Here is a copy of AVG file 1:

"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\PROGRA~1\AVG\AVG8\avgnsx.exe (684)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\Program Files\AVG\AVG8\avgrsx.exe (672)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\Program Files\AVG\AVG8\avgui.exe (3280)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\PROGRA~1\AVG\AVG8\avgemc.exe (1584)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\PROGRA~1\AVG\AVG8\avgtray.exe (1824)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (452)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe (3672)";"Trojan horse Generic12.BORF";""
"C:\Program Files\AVG\AVG8\avgcsrvx.exe (1848)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\Program Files\AVG\AVG8\avgcsrvx.exe (5792)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\Program Files\AVG\AVG8\avgscanx.exe (4876)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\Program Files\Common Files\Command Software\dvpapi.exe (468)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS (792)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\Program Files\Skype\Phone\Skype.exe (3224)";"Trojan horse Generic12.BORF";""
"C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (4808)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe (1472)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\Program Files\FolderSize\FolderSizeSvc.exe (500)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\Program Files\QuickTime\QTTask.exe (480)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\Program Files\Skype\Plugin Manager\skypePM.exe (1624)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\Program Files\Windows Defender\MsMpEng.exe (1348)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\WINNT\explorer.exe (1872)";"Trojan horse Generic12.BORF";""
"C:\Program Files\TELUS eCare\bin\mpbtn.exe (2960)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\Program Files\TELUS\eProtect Advisor\TEPA.exe (884)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\Program Files\Windows Defender\MSASCui.exe (4088)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe (4076)";"Trojan horse Generic12.BORF";""
"C:\WINNT\GWMDMMSG.exe (3344)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\WINNT\system32\ctfmon.exe (2112)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\WINNT\system32\fxssvc.exe (1648)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\WINNT\system32\lsass.exe (960)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\WINNT\system32\MsPMSPSv.exe (1532)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\WINNT\system32\NMSSvc.Exe (624)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\WINNT\system32\nvsvc32.exe (728)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\WINNT\system32\services.exe (948)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\WINNT\system32\SK9910DM.EXE (3304)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\WINNT\system32\spoolsv.exe (2008)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\WINNT\system32\svchost.exe (1276)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\WINNT\system32\svchost.exe (1392)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\WINNT\system32\winlogon.exe (904)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\WINNT\system32\wuauclt.exe (4996)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
----------------------------------------------

The immediate next scan with AVG showed the same infection. Here is the result of the second scan:


"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\Program Files\TELUS\eProtect Advisor\TEPA.exe (564)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\PROGRA~1\AVG\AVG8\avgtray.exe (612)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe (476)";"Trojan horse Generic12.BORF";""
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe (592)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\Program Files\QuickTime\QTTask.exe (576)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\Program Files\Windows Defender\MSASCui.exe (544)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe (536)";"Trojan horse Generic12.BORF";""
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\PROGRA~1\AVG\AVG8\avgemc.exe (2444)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (1300)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
----------------------------------




This is going on and on. The Trojan is affecting most of the search engines (Google, Yahoo) in Firefox or Explorer, by disabling the "live blue active click lines". By clicking on them, I am redirected to some shopping pages, or pages with a list of shopping pages.

I can't start other malware removal software either. I could download new versions, but can't start them (open the software). It is this type:
Spybot, Malwarebytes, Windows Defender, Ad-Aware. Only AVG 8.0 could be opened; it will scan the whole PC and it is moving infected files (approximately 75) to the vault. In fact, as I mentioned before, they are still present on the PC with the next scan. My emails are already infected too (somebody mentioned it to me). The PC slowed down considerably too.

When I was looking on the net for some solution, I found HijackThis from Trend Micro. On your forum somebody supplied you with this list of running processes to find his solution from you; I am enclosing mine too, to help you describe my problems.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:34 PM, on 2/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TELUS\eProtect Advisor\TEPA.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TELUS eCare\bin\mpbtn.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\fxssvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: comments (such as these) may be inserted on individual
O1 - Hosts: 74.208.77.54 hcurltest1
O1 - Hosts: 82.165.161.232 hcurltest2
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\TELUS Security service\pkR.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\TELUS Security service\FreeBHOR.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TELUS Security service] C:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TEPA.exe] "C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINNT\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/09150f8e9ca96a70bf05/...ip/RdxIE601.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - https://demos.webex.com/client/v_mywebex-t2...bex/ieatgpc.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINNT\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

--
End of file - 11708 bytes



Reading these lines and recognizing which running program is essential or not infected is above my computer literacy. Here I am asking for help. Apologies for my English language and computer terminology.

Thank you

Ludek
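Added example, not code from the post or from AVG: a small Python helper that parses the semicolon-separated AVG export pasted above, separates on-disk hits from detections that fired inside a running process (the "path (pid)" entries), lists the entries AVG took no action on (empty third column), and maps the \\?\globalroot\systemroot\ form to its drive-letter equivalent, assuming SystemRoot is C:\WINNT as the HijackThis log shows. The sample log is constructed in the same layout as the pasted one.

```python
r"""Triage helper for an AVG 8 scan export (three quoted, ';'-separated fields).

Field 1 is the object: a file path, or "path (pid)" when the detection fired
inside a running process. Field 2 is the detection name. Field 3 is AVG's
action, empty when nothing was done. Assumes SystemRoot is C:\WINNT (from
the HijackThis header/paths in the same post).
"""
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed sample in the same layout as the pasted export (not the full log).
SAMPLE_LOG = r'''"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACrwbwvjns.dll";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\PROGRA~1\AVG\AVG8\avgnsx.exe (684)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
"C:\Program Files\Skype\Phone\Skype.exe (3224)";"Trojan horse Generic12.BORF";""
"C:\WINNT\explorer.exe (1872)";"Trojan horse Generic12.BORF";""
"C:\WINNT\system32\lsass.exe (960)";"Trojan horse Generic12.BORF";"Moved to Virus Vault"
----------------------------------------------
'''

# "C:\path\image.exe (1234)" -> image path plus the process id it was seen in.
PROCESS_RE = re.compile(r"^(?P<path>.+?) \((?P<pid>\d+)\)$")

# \\?\GLOBALROOT\SystemRoot\... addresses the Windows directory through the NT
# object namespace; it names the same file as C:\WINNT\... on this machine.
GLOBALROOT_PREFIX = r"\\?\globalroot\systemroot"


def resolve_nt_path(obj, systemroot=r"C:\WINNT"):
    """Rewrite the object-namespace form to the drive-letter path it refers to."""
    if obj.lower().startswith(GLOBALROOT_PREFIX):
        return systemroot + obj[len(GLOBALROOT_PREFIX):]
    return obj


def parse_avg_export(text):
    """Return one dict per detection: object, pid (None for files), detection, action."""
    rows = []
    reader = csv.reader(io.StringIO(text), delimiter=";", quotechar='"')
    for fields in reader:
        if len(fields) != 3:
            continue  # blank lines and '-----' separators are not records
        obj, detection, action = fields
        m = PROCESS_RE.match(obj)
        rows.append({
            "object": m.group("path") if m else obj,
            "pid": int(m.group("pid")) if m else None,
            "detection": detection,
            "action": action,
        })
    return rows


def summarise(rows):
    """Group the rows the way a responder wants to see them."""
    on_disk = Counter()             # resolved file path -> number of detections
    in_process = defaultdict(set)   # process image -> pids the detection fired in
    not_handled = []                # rows whose action column is empty
    for r in rows:
        if r["pid"] is None:
            on_disk[resolve_nt_path(r["object"])] += 1
        else:
            in_process[r["object"]].add(r["pid"])
        if not r["action"]:
            not_handled.append(r)
    return {"on_disk": on_disk, "in_process": dict(in_process), "not_handled": not_handled}


def report(text):
    """Print a short triage summary for an export in the pasted format."""
    s = summarise(parse_avg_export(text))
    print("Files detected on disk:")
    for path, n in s["on_disk"].most_common():
        print(f"  {n:3d}x {path}")
    print("Processes the detection fired in:")
    for image, pids in sorted(s["in_process"].items()):
        print(f"  {image}  pids={sorted(pids)}")
    print("Entries AVG took no action on:")
    for r in s["not_handled"]:
        print(f"  {r['object']} (pid {r['pid']})")


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

The same DLL being reported again after every scan, and the same name showing up inside lsass.exe, explorer.exe and the AVG processes themselves, is exactly the pattern this summary makes visible at a glance.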


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:01:15 AM

Posted 18 February 2009 - 06:27 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 ludekz

ludekz
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:15 AM

Posted 19 February 2009 - 12:44 AM

Hi,
thanks for your advice. Unfortunately the infected PC, on my request to show the web pages Links 1 – 3, posted:
Internet Explorer cannot display the web page.

On the infected PC I can't access your web page, most download pages with antivirus software, or most computer forums dealing with this matter. I could type any other address of a webpage known to me, and I am connected. The same applies for Firefox. When I try to start any antivirus or contact a page connected to antivirus, I am rejected or stopped. I tried to install a small innocent program from the web, for the fun of it, and it is working fine.

The only exception is AVG, for displaying infected files only, and HijackThis. As I previously mentioned, this communication is from an independent other computer.

I am not able to download and run ComboFix on the infected computer from the web or another device (I tried to run it from a reinserted CD).

Here is today's HijackThis report:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:47 PM, on 2/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TELUS\eProtect Advisor\TEPA.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\TELUS eCare\bin\mpbtn.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\fxssvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: comments (such as these) may be inserted on individual
O1 - Hosts: 74.208.77.54 hcurltest1
O1 - Hosts: 82.165.161.232 hcurltest2
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\TELUS Security service\pkR.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\TELUS Security service\FreeBHOR.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TELUS Security service] C:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TEPA.exe] "C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINNT\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/09150f8e9ca96a70bf05/...ip/RdxIE601.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - https://demos.webex.com/client/v_mywebex-t2...bex/ieatgpc.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINNT\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
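As an added illustration (not code from this thread, from HijackThis, or from the helpers here), a small Python triage script that reads HJT-style lines and flags the load points a helper usually checks first: hosts-file overrides, BHO entries with no file behind them, Run values with no full path, ActiveX (DPF) downloads from bare IP addresses, Winlogon Notify DLLs and services with an unknown owner. The sample lines are constructed from the kinds of entries posted above, and the checks are the editor's own heuristics.

```python
"""Triage a HijackThis (HJT) log: flag the load points a helper reviews first."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the kinds of entry lines posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: comments (such as these) may be inserted on individual
O1 - Hosts: 74.208.77.54 hcurltest1
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/09150f8e9ca96a70bf05/netzip/RdxIE601.cab
O20 - Winlogon Notify: avgrsstarter - C:\WINNT\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

HJT_LINE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
IPV4_ONLY = re.compile(rf"^{IPV4}$")
IP_URL = re.compile(rf"https?://{IPV4}[/:]", re.IGNORECASE)
# A Run value that names only an executable (no directory) is found through the
# PATH search order, so it is worth confirming which copy actually runs.
BARE_EXE = re.compile(r'^"?[\w.-]+\.(?:exe|dll|scr|com)"?(?:\s|$)', re.IGNORECASE)
LOCALHOST = {"127.0.0.1", "::1"}


@dataclass(frozen=True)
class Finding:
    code: str
    reason: str
    line: str


def review_reason(code: str, body: str) -> Optional[str]:
    """Return why this entry deserves a look, or None if nothing stands out.

    The checks are the editor's own reading of what helpers look at first;
    they are heuristics, not a verdict on any individual entry.
    """
    if code == "O1":  # "Hosts: <address> <hostname>"
        parts = body.partition(":")[2].split()
        if len(parts) >= 2 and IPV4_ONLY.match(parts[0]) and parts[0] not in LOCALHOST:
            return f"hosts file maps {parts[1]} to {parts[0]} (possible redirect)"
    elif code == "O2" and body.endswith("(no file)"):
        return "orphaned BHO registration (DLL missing; leftover to clean up)"
    elif code == "O4":
        cmd = re.search(r"\] (.*)$", body)
        if cmd and BARE_EXE.match(cmd.group(1)):
            return "autostart command has no full path (resolved via PATH)"
    elif code == "O16" and IP_URL.search(body):
        return "ActiveX control (DPF) fetched from a bare IP address"
    elif code == "O20":
        return "Winlogon Notify DLL loads into winlogon.exe; confirm the publisher"
    elif code == "O23" and " - Unknown owner - " in body:
        return "service with no recorded publisher; confirm the binary"
    return None


def triage(log_text: str) -> List[Finding]:
    """Parse HJT-style lines and collect the entries flagged by review_reason."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue  # process list, blank lines, section headers
        reason = review_reason(m.group("code"), m.group("body"))
        if reason:
            findings.append(Finding(m.group("code"), reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.line}")
```

A flagged entry is a prompt to verify the file and its publisher, not proof of infection; the Spybot and AVG lines in the sample pass precisely because they carry a real path and a named owner.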

#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:01:15 AM

Posted 19 February 2009 - 03:07 AM

Delete that ComboFix and do the steps below :thumbup2:


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:



It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 ludekz

ludekz
  • Topic Starter

  • Members
  • 6 posts
  • Local time:09:15 AM

Posted 21 February 2009 - 02:29 PM

ComboFix 09-02-19.01 - Owner 2009-02-21 11:12:27.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.479 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: TELUS Security service Anti-Virus *On-access scanning disabled* (Updated)
FW: TELUS Security service Firewall *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\inst.exe
c:\documents and settings\Owner\err.log
c:\winnt\Downloaded Program Files\Temp
c:\winnt\jestertb.dll
c:\winnt\system32\drivers\UACbeycmyjr.sys
c:\winnt\system32\sirenacm(2).dll
c:\winnt\system32\sirenacm(3).dll
c:\winnt\system32\UACbrpjexyb.log
c:\winnt\system32\UACewcqlrmt.dat
c:\winnt\system32\UACftewjcbx.log
c:\winnt\system32\UAClamvqvdk.dll
c:\winnt\system32\UAClxmeppxl.log
c:\winnt\system32\UACobvxtuwq.dll
c:\winnt\system32\UACrwbwvjns.dll
c:\winnt\system32\UACtpixllrm.dll
c:\winnt\system32\winsrc.dll.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-01-21 to 2009-02-21 )))))))))))))))))))))))))))))))
.

7051-02-22 18:36 . 7051-02-22 18:36 6 --ah----- C:\rasmon.bin
7051-02-22 18:36 . 7051-02-22 18:36 4 --ah----- C:\ddefact.bin
2009-02-20 20:00 . 2009-02-20 20:42 <DIR> d-------- C:\Backup
2009-02-20 14:59 . 2009-02-20 14:59 <DIR> d-------- c:\program files\Runtime Software
2009-02-20 13:46 . 2009-02-20 13:47 <DIR> d-------- c:\program files\Cobian Backup 8
2009-02-16 22:32 . 2009-02-16 22:33 <DIR> d-------- c:\program files\Google
2009-02-14 21:35 . 2009-02-14 21:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-14 20:12 . 2009-02-14 20:12 <DIR> d-------- c:\program files\Trend Micro
2009-02-13 07:12 . 2009-02-18 21:55 <DIR> d-------- c:\program files\NexGen Software Services
2009-02-12 15:20 . 2009-02-21 10:44 5,184 --a------ c:\winnt\system32\uacinit.dll
2009-02-11 20:25 . 2009-02-11 20:26 198,260 --------- c:\program files\Nexgen-Kasj651ejc.exe
2009-02-02 22:00 . 2009-02-02 22:10 <DIR> d-------- c:\program files\ODL MetaTrader 4x
2009-01-26 15:17 . 2009-01-26 15:17 <DIR> d-------- c:\program files\NinjaTrader 6.5
2009-01-23 13:31 . 2009-01-23 13:31 8,020 --a------ c:\winnt\system32\1.cht
2009-01-22 22:27 . 2009-01-22 22:27 56,996 --ah----- c:\winnt\system32\mlfcache.dat
2009-01-22 22:17 . 2009-01-22 22:17 <DIR> d-------- c:\winnt\system32\IOSUBSYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-21 18:48 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-21 18:47 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-21 18:46 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-21 18:46 --------- d-----w c:\program files\PC-Doctor for Windows
2009-02-21 18:43 --------- d-----w c:\program files\Lavasoft
2009-02-17 00:47 --------- d-----w c:\program files\CrossLoop
2009-02-16 06:44 --------- d-----w c:\documents and settings\Owner\Application Data\Skype
2009-02-16 01:33 71,272 ----a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2009-02-16 00:39 --------- d-----w c:\documents and settings\Owner\Application Data\skypePM
2009-02-15 11:35 --------- d-----w c:\program files\Conference
2009-02-14 05:02 --------- d-----w c:\program files\Yahoo!
2009-02-13 16:25 --------- d-----w c:\program files\eSignal
2009-02-06 20:28 --------- d-----w c:\documents and settings\Owner\Application Data\Canon
2009-02-01 19:53 325,128 ----a-w c:\winnt\system32\drivers\avgldx86.sys
2009-02-01 19:53 10,520 ----a-w c:\winnt\system32\avgrsstx.dll
2009-02-01 19:53 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-02-01 19:52 107,272 ----a-w c:\winnt\system32\drivers\avgtdix.sys
2009-01-24 06:45 --------- d-----w c:\program files\Radialpoint
2009-01-24 06:45 --------- d-----w c:\program files\Common Files\PestPatrol
2009-01-23 05:16 --------- d-----w c:\documents and settings\Owner\Application Data\U3
2009-01-19 21:18 --------- d-----w c:\program files\TradeStation 8.4 (Build 1693)
2009-01-19 21:13 --------- d-----w c:\program files\Common Files\TradeStation Technologies
2009-01-19 19:29 --------- d-----w c:\program files\1stWORKS
2009-01-19 19:29 --------- d-----w c:\documents and settings\All Users\Application Data\1stWorks
2009-01-17 05:35 3,594,752 ----a-w c:\winnt\system32\dllcache\mshtml.dll
2009-01-05 16:29 --------- d-----w c:\program files\CCleaner
2009-01-05 05:57 --------- d-----w c:\program files\MetaTrader - ForexMeta
2009-01-01 05:39 --------- d-----w c:\documents and settings\Owner\Application Data\Eyeblaster
2009-01-01 05:39 --------- d-----w c:\documents and settings\All Users\Application Data\n7-89-o9-3r-4t-r9
2009-01-01 05:38 --------- d-----w c:\program files\GameHouse
2009-01-01 05:38 --------- d-----w c:\documents and settings\Owner\Application Data\GameHouse
2008-12-31 05:18 --------- d-----w c:\program files\AVG
2008-12-30 22:10 --------- d-----w c:\program files\ODL MetaTrader 4 new
2008-12-19 09:10 70,656 ----a-w c:\winnt\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\winnt\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 ----a-w c:\winnt\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ----a-w c:\winnt\system32\dllcache\ieakui.dll
2008-12-12 21:47 3,751,995 ----a-w c:\winnt\system32\GPhotos.scr
2008-12-11 18:32 98,304 ----a-w c:\winnt\system32\NtDirect.dll
2008-12-11 10:57 333,952 ------w c:\winnt\system32\dllcache\srv.sys
2008-08-20 15:53 60,744 ----a-w c:\documents and settings\Owner\g2mdlhlpx.exe
2007-12-13 01:35 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-11-12 06:31 47,360 ----a-w c:\documents and settings\Owner\Application Data\pcouffin.sys
2007-07-16 05:28 8 ---h--r c:\program files\ss6la.log
2007-07-16 05:27 0 ----a-w c:\program files\T_Symbol.lst
2007-03-31 05:42 4,689,408 ------w c:\program files\StudioTaxInstall.msi
2004-10-04 17:13 290,816 ----a-w c:\documents and settings\Owner\ctapshr.dll
2003-03-03 04:14 243,877 ----a-w c:\program files\surfplan36.zip
2003-02-11 18:11 894,528 ----a-w c:\program files\pal_install.exe
2003-02-09 05:54 8,359,978 ----a-w c:\program files\RealOnePlayerV2GOLD.exe
2003-03-12 02:35 139,776 ----a-w c:\program files\mozilla firefox\plugins\al2np.dll
2009-01-01 06:55 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-01-01 06:55 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-01 06:55 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-01-01 06:55 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-01-01 06:55 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-08-29 05:41 32,768 --sha-w c:\winnt\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082820080829\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-16 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"GWMDMpi"="c:\winnt\GWMDMpi.exe" [2002-08-06 53248]
"Motive SmartBridge"="c:\progra~1\TELUSE~1\SMARTB~1\MotiveSB.exe" [2006-10-19 393216]
"TELUS Security service"="c:\program files\Zero Knowledge\TELUS Security service\Freedom.exe" [2004-11-25 172086]
"TEPA.exe"="c:\program files\TELUS\eProtect Advisor\TEPA.exe" [2007-03-20 2061816]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-22 185896]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-01 1601304]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 c:\winnt\system32\SK9910DM.EXE]
"GWMDMMSG"="GWMDMMSG.exe" [2002-08-06 c:\winnt\GWMDMMSG.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
TELUS eCare.lnk - c:\program files\TELUS eCare\bin\matcli.exe [2004-07-29 212992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-01 11:53 10520 c:\winnt\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.MI-SC4"= MI-SC4.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\winnt\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\winnt\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-10-03 16:50 684032 c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-06-01 13:32 94208 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CapFax]
--------- 2001-11-07 14:25 20480 c:\program files\PhoneTools\capFax.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 16:12 15360 c:\winnt\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaFace Integration]
--a------ 2003-08-18 17:46 53248 c:\program files\Fellowes\MediaFACE 4.0\SetHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2003-06-07 03:32 50688 c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
--a------ 2002-07-17 09:00 200767 c:\program files\Microsoft Money\System\mnyexpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 10:34 5724184 c:\progra~1\WI1F86~1\MESSEN~1\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--a------ 2003-05-08 11:00 49152 c:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-r------- 2008-09-23 14:17 21755688 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2std]
--a------ 2006-07-10 17:33 675840 c:\winnt\vsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-03-25 03:28 144784 c:\program files\Java\jre1.6.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2009-02-16 22:33 39408 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-22 20:56 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnp2std]
--a------ 2006-07-07 15:04 258048 c:\winnt\tsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--------- 2007-08-30 17:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Omega Research\\Program\\Server.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\WINNT\\system32\\rtcshare.exe"=
"c:\\Program Files\\eSignal\\winsig.exe"=
"c:\\Program Files\\eSignal\\winros.exe"=
"c:\\Program Files\\Games\\marias2005.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Conference\\Conference.dll"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\1stWORKS\\hotCommLite\\BIN\\HotComm.exe"=
"c:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=
"c:\\Program Files\\NinjaTrader 6.5\\bin\\NinjaTrader.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winnt\system32\drivers\avgldx86.sys [2008-12-30 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\winnt\system32\drivers\avgtdix.sys [2008-12-30 107272]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-30 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-30 298264]
R2 RioPNP;RioPNP;c:\winnt\system32\drivers\RioPnP.sys [2002-12-20 6736]
R2 SSIPDDP;SSIPDDP Parallel port device driver;c:\winnt\system32\drivers\SSIPDDP.SYS [2005-01-19 53248]
S3 dwusbdnt;dwusbdnt;c:\winnt\system32\drivers\dwusbdnt.sys [2003-12-26 10368]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NMSSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28d36ac0-561c-11dd-8667-0007e9cbbb6c}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-02-17 c:\winnt\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-02-15 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-02-21 c:\winnt\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-07-19 17:26]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NWEReboot - (no file)
MSConfigStartUp-KallOut - c:\program files\KallOut\KallOut.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\winnt\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {0F04992B-E661-4DB9-B223-903AB628225D} - file://c:\program files\Gateway\Do More\DoMoreRunExe.CAB
DPF: {511073AD-BE56-4D43-AE68-93390514385E} - hcp://system/TechTools.CAB
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://207.188.7.150/09150f8e9ca96a70bf05/netzip/RdxIE601.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\jkmqz4wv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-21 11:16:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2164437007-4208999851-595104399-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-02-21 11:19:40
ComboFix-quarantined-files.txt 2009-02-21 19:19:23

Pre-Run: 39,047,622,656 bytes free
Post-Run: 39,088,553,984 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

279 --- E O F --- 2009-02-20 02:14:53



Here it is, thanks for your help.

Now I am typing from the infected PC.
Ludek

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:01:15 AM

Posted 21 February 2009 - 04:24 PM

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: TELUS Security service Anti-Virus *On-access scanning disabled* (Updated)



You have two antivirus programs.. Uninstall one of them.. Only use ONE antivirus on each computer :thumbup2:



Please download the OTMoveIt3 by OldTimer
  • Save it to your Desktop.
  • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Let the Unregister Dll's and Ocx's remain ticked and Zip Files After Moves remain unticked..
  • Copy the codebox contents and paste it to the "Paste List of Files/Folders to Move" window (under the light Yellow bar)

    :processes
    explorer.exe
    
    :files
    c:\winnt\system32\uacinit.dll
    c:\winnt\system32\1.cht
    
    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Post these logs in your next reply..

1. OTMoveIT3
2. ESET Online
3. How's the computer now? :)



#7 ludekz

ludekz
  • Topic Starter

  • Members
  • 6 posts
  • Local time:09:15 AM

Posted 23 February 2009 - 11:03 AM

Hi,

Results is 00000000000000000000000000000000!!!!!!!!!!!!!!!!!!!!!

You are the genius. The computer is running smoooothly. Could I have a last question, please?
I am 61 years old. I need to clean my memory and speed up my body too. Some suggestions??

Thank you
Ludek

#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:01:15 AM

Posted 23 February 2009 - 12:12 PM

I am 61 years old. I need to clean my memory and speed up my body too. Some suggestions??


:) :step4:

Uh.. I think I have to ask for HJT and Fitness Team group from Admin.. And add a "Health and Fitness" forum here..

Ermm.. not sure how to do that :thumbup2:



Let's do some cleanup...


Please download OTCleanIt and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes


Please read these excellent articles by miekiemoes:
Help! My computer is slow!
How to prevent Malware



Read these links about safe internet surfing..

http://www.pcpitstop.com/spycheck/safesurfing.asp
http://bluefive.pair.com/practice_safe_surfing.htm



Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :step1:



Have a safe and happy computing day!


Regards
fenzodahl512



#9 ludekz

ludekz
  • Topic Starter

  • Members
  • 6 posts
  • Local time:09:15 AM

Posted 26 February 2009 - 12:23 AM

Hi fenzodahl512


Thank you for your help. My computer is running flawlessly (in my opinion). It was a very educational experience for me too. The world will be a beautiful place when people are as helpful as you are.

Thank you and good luck to you.

Best regards

Ludek



