General Log Analysis


  • This topic is locked
14 replies to this topic

#1 mrmarcdee (Members, 7 posts)

Posted 13 March 2009 - 10:48 AM

I may or may not be infected with anything. I don't really know. Just looking for a general analysis of my logs. Thanks

DDS.txt:

DDS (Ver_09-02-01.01) - NTFSx86
Run by Marc at 11:43:13.73 on Fri 03/13/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1322 [GMT -4:00]

AV: AVG 7.5.557 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Synergy\synergys.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\wltray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\Program Files\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe
C:\Program Files\Dynex G Desktop Card Adapter\DynexWCUI.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\foobar2000\foobar2000.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Marc\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.sbc.com/dsl
uInternet Settings,ProxyOverride = 127.0.0.1
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3c77b4ee-1f27-4785-9343-2f2633142be2} - c:\windows\system32\ssqrp.dll
BHO: {3feca576-7ad2-4e11-a6ad-6b59d4fb5db9} - c:\windows\system32\ssqpoli.dll
BHO: {706c68e9-3647-4793-b9c7-fa320070a377} - c:\windows\system32\jkhff.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AdobeBridge]
uRun: [EPSON Stylus CX6400] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /M "Stylus CX6400" /EF "HKCU"
uRun: [BackgroundSwitcher] "c:\program files\johnsadventures.com\john's background switcher\BackgroundSwitcher.exe"
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\smax4.exe" /tray
mRun: [BM4bf43010] Rundll32.exe "c:\windows\system32\hddyoifc.dll",s
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [Broadcom Wireless Manager] c:\windows\system32\wltray.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [EPSON Stylus CX6400] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dynexw~1.lnk - c:\program files\dynex g desktop card adapter\DynexWCUI.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: ssqpoli - ssqpoli.dll
AppInit_DLLs: acaptuser32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {3feca576-7ad2-4e11-a6ad-6b59d4fb5db9} - c:\windows\system32\ssqpoli.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\jkhff

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\marc\applic~1\mozilla\firefox\profiles\wr873voz.default\
FF - plugin: c:\documents and settings\marc\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\joost plugin\npjoost.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2008-3-15 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2008-3-15 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2008-3-15 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2008-3-15 10760]
R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [2008-3-15 179584]
R1 IfsMount;IfsMount;c:\windows\system32\drivers\ifsmount.sys [2008-3-15 49536]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2008-3-15 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2008-3-15 49664]
R2 BCMWLNPF;Broadcom Netgroup Packet Filter;c:\windows\system32\drivers\bcmwlnpf.sys [2009-1-12 33664]
R2 Synergy Server;Synergy Server;c:\program files\synergy\synergys.exe [2006-4-2 733184]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 krdpdre;krdpdre;c:\docume~1\marc\locals~1\temp\krdpdre.sys [2007-11-19 31744]

=============== Created Last 30 ================

2009-03-13 09:38 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-03-12 22:40 118 a------- c:\windows\system32\MRT.INI
2009-03-12 20:52 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-12 20:45 <DIR> --d----- c:\program files\Trend Micro
2009-03-12 20:35 <DIR> --d----- c:\windows\SxsCaPendDel
2009-03-12 19:40 <DIR> --d----- c:\docume~1\marc\applic~1\johnsadventures.com
2009-03-12 19:40 <DIR> --d----- c:\program files\johnsadventures.com
2009-03-11 10:59 144,896 -c------ c:\windows\system32\dllcache\schannel.dll
2009-03-09 22:48 <DIR> --d----- c:\documents and settings\marc\Paulo Coelho
2009-03-09 22:46 <DIR> --d----- c:\documents and settings\marc\Hunter S Thompson
2009-03-09 22:42 <DIR> --d----- c:\documents and settings\marc\Robert M. Pirsig
2009-03-09 22:37 <DIR> --d----- c:\documents and settings\marc\Jeff Jarvis
2009-03-09 17:56 <DIR> --d----- c:\documents and settings\marc\Leo Tolstoy
2009-03-09 11:05 512,000 -c------ c:\windows\system32\dllcache\jscript.dll
2009-03-09 11:05 430,080 -c------ c:\windows\system32\dllcache\vbscript.dll
2009-03-09 11:05 180,224 -c------ c:\windows\system32\dllcache\scrobj.dll
2009-03-09 11:05 172,032 -c------ c:\windows\system32\dllcache\scrrun.dll
2009-03-09 11:05 155,648 -c------ c:\windows\system32\dllcache\wscript.exe
2009-03-09 11:05 135,168 -c------ c:\windows\system32\dllcache\cscript.exe
2009-03-09 11:05 90,112 -c------ c:\windows\system32\dllcache\wshext.dll
2009-03-08 18:53 221,184 a------- c:\windows\system32\wmpns.dll
2009-03-08 18:48 <DIR> --d----- c:\windows\system32\scripting
2009-03-08 18:48 <DIR> --d----- c:\windows\system32\en
2009-03-08 18:48 <DIR> --d----- c:\windows\system32\bits
2009-03-08 18:47 <DIR> --d----- c:\windows\ServicePackFiles
2009-03-08 18:10 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE
2009-03-08 17:59 <DIR> --d----- c:\program files\Rockstar Games
2009-03-03 18:49 509,448 a------- c:\windows\system32\XAudio2_2.dll
2009-03-03 18:49 68,616 a------- c:\windows\system32\XAPOFX1_1.dll
2009-03-03 18:49 1,493,528 a------- c:\windows\system32\D3DCompiler_39.dll
2009-03-03 18:49 467,984 a------- c:\windows\system32\d3dx10_39.dll
2009-03-03 18:49 238,088 a------- c:\windows\system32\xactengine3_2.dll
2009-03-03 18:49 3,851,784 a------- c:\windows\system32\D3DX9_39.dll
2009-02-25 19:03 9,662 a------- c:\windows\EPISME00.SWB
2009-02-25 19:02 98,304 a------- c:\windows\system32\E_SAGSET.DLL
2009-02-25 19:02 79,622 a------- c:\windows\system32\EBPMON24.DLL
2009-02-25 19:02 64,000 a------- c:\windows\system32\ECBTEG.DLL
2009-02-25 19:02 34,304 a------- c:\windows\system32\EBPCHP.DLL
2009-02-25 18:58 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-02-25 18:24 46,080 a------- c:\windows\system32\escimgd.dll
2009-02-25 18:24 29,696 a------- c:\windows\system32\escwiad.dll
2009-02-25 18:24 22,528 a------- c:\windows\system32\esccmd.dll
2009-02-25 18:24 <DIR> --d----- c:\program files\epson
2009-02-25 17:21 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-02-25 09:58 8,461,312 -c------ c:\windows\system32\dllcache\shell32.dll
2009-02-24 17:35 <DIR> --d----- c:\program files\Pidgin
2009-02-21 21:58 <DIR> --d----- c:\documents and settings\marc\k
2009-02-19 18:58 <DIR> --d----- c:\program files\common files\xing shared
2009-02-19 18:58 <DIR> --d----- c:\program files\common files\Real
2009-02-19 16:50 <DIR> --d----- c:\documents and settings\marc\cogsci
2009-02-14 20:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\2DBoy
2009-02-14 20:53 <DIR> --d----- c:\program files\WorldOfGoo

==================== Find3M ====================

2009-03-08 18:49 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-24 22:00 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-05 11:54 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-01-16 19:24 70,936 a------- c:\windows\system32\PhysXLoader.dll
2009-01-05 18:33 3,751,995 a------- c:\windows\system32\GPhotos.scr
2008-12-20 19:56 827,904 a------- c:\windows\system32\wininet.dll
2008-12-17 20:09 17,509 a------- c:\windows\svchost.exe
2008-04-02 16:50 277,536 a--sh--- c:\windows\system32\ffhkj.ini2
2008-04-01 18:12 270,036 a--sh--- c:\windows\system32\prqss.ini2

============= FINISH: 11:43:26.56 ===============
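A first pass over a DDS log like the one above is normally done by eye: which DLL is wired into several autostart points at once, whether LSA has picked up an authentication package beyond msv1_0, whether a core binary name such as svchost.exe turns up outside system32, and which files in system32 carry the hidden+system attributes. The script below is an added example, not part of this post and not DDS's own code; it applies those checks mechanically to a handful of lines copied from the log above. The rule names and severities are the editor's own choices, and the rules only flag entries for review, they do not decide what is malicious (the scanner results posted later in the thread are what settle that for this machine).

```python
"""Triage heuristics for the autostart and file sections of a DDS log.

Added example: not part of the forum post and not DDS's own code.  SAMPLE
holds lines copied from the DDS log posted above so the script runs
offline; the rules are the generic checks a log reader applies by hand
and flag entries for review rather than declaring them malicious.
"""
import re
from collections import defaultdict

# Lines copied from the posted DDS log (Pseudo HJT Report and Find3M sections).
SAMPLE = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3c77b4ee-1f27-4785-9343-2f2633142be2} - c:\windows\system32\ssqrp.dll
BHO: {3feca576-7ad2-4e11-a6ad-6b59d4fb5db9} - c:\windows\system32\ssqpoli.dll
BHO: {706c68e9-3647-4793-b9c7-fa320070a377} - c:\windows\system32\jkhff.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [BM4bf43010] Rundll32.exe "c:\windows\system32\hddyoifc.dll",s
Notify: ssqpoli - ssqpoli.dll
SEH: {3feca576-7ad2-4e11-a6ad-6b59d4fb5db9} - c:\windows\system32\ssqpoli.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\jkhff
2008-12-20 19:56 827,904 a------- c:\windows\system32\wininet.dll
2008-12-17 20:09 17,509 a------- c:\windows\svchost.exe
2008-04-02 16:50 277,536 a--sh--- c:\windows\system32\ffhkj.ini2
"""

GUID = r"\{[0-9a-f-]{36}\}"
BHO_RE = re.compile(rf"^BHO:\s*(?:(?P<name>[^{{]*?):\s*)?(?P<clsid>{GUID})\s*-\s*(?P<path>.+)$", re.I)
SEH_RE = re.compile(rf"^SEH:\s*(?P<clsid>{GUID})\s*-\s*(?P<path>.+)$", re.I)
NOTIFY_RE = re.compile(r"^Notify:\s*(?P<key>\S+)\s*-\s*(?P<dll>\S+)$", re.I)
LSA_RE = re.compile(r"^LSA:\s*Authentication Packages\s*=\s*(?P<pkgs>.+)$", re.I)
RUNDLL_RE = re.compile(r'^[mud]Run:\s*\[(?P<name>[^\]]+)\]\s*rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.I)
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+(?P<attr>\S{8})\s+(?P<path>.+)$")


def _norm(path):
    """Lower-case, strip quotes and split a Windows path into (parent, basename)."""
    parts = path.strip().strip('"').lower().replace("/", "\\").split("\\")
    return "\\".join(parts[:-1]), parts[-1]


def triage(report):
    """Return (severity, rule, evidence) tuples for the lines of a DDS report."""
    findings = []
    hooks = defaultdict(set)  # dll basename -> autostart points it is registered at
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := BHO_RE.match(line):
            hooks[_norm(m["path"])[1]].add("BHO")
            if not m["name"]:  # legitimate BHOs almost always carry a product name
                findings.append(("medium", "unnamed BHO", line))
        elif m := SEH_RE.match(line):
            hooks[_norm(m["path"])[1]].add("SEH")
        elif m := NOTIFY_RE.match(line):
            hooks[_norm(m["dll"])[1]].add("Notify")
        elif m := LSA_RE.match(line):
            # Only msv1_0 is expected on a stock XP box; anything else is loaded into lsass.exe
            extra = [p for p in m["pkgs"].split() if p.lower() != "msv1_0"]
            if extra:
                findings.append(("high", "extra LSA authentication package", " ".join(extra)))
        elif m := RUNDLL_RE.match(line):
            # rundll32 puts a signed Microsoft binary in front of the real module; list it for review
            findings.append(("info", "rundll32 autostart, verify the DLL's publisher", m["dll"]))
        elif m := FILE_RE.match(line):
            parent, base = _norm(m["path"])
            if base == "svchost.exe" and not parent.endswith("\\system32"):
                findings.append(("high", "svchost.exe outside system32", m["path"]))
            if "s" in m["attr"] and "h" in m["attr"] and parent.endswith("\\system32"):
                findings.append(("medium", "hidden+system file in system32", m["path"]))
    # One DLL wired into the browser, the shell and winlogon at once is a persistence pattern
    for dll, points in sorted(hooks.items()):
        if len(points) >= 2:
            findings.append(("high", "same DLL at several autostart points",
                             f"{dll}: {', '.join(sorted(points))}"))
    return findings


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "info": 2}
    for sev, rule, evidence in sorted(triage(SAMPLE), key=lambda f: order[f[0]]):
        print(f"[{sev:>6}] {rule}: {evidence}")
```

Run as-is it prints nine findings for the sample: three unnamed BHOs, ssqpoli.dll registered as BHO, Notify and SEH at once, the extra LSA package, the svchost.exe copy in c:\windows rather than system32, the hidden+system .ini2 file, and the two rundll32 entries listed for a publisher check. To use it on a full DDS log, read the file and pass its text to triage(); lines the regexes do not recognise are simply skipped.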


#2 SifuMike (malware expert, Members, 15,385 posts, Vancouver (not BC) WA (Not DC) USA)

Posted 18 March 2009 - 01:44 PM

Hello mrmarcdee,

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove the older Java components and update.
Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 12.
    You want the 32-bit version, not the 64-bit version!
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 12".
  • Click the "Download" button to the right.
  • At the Select Platform and Language for your download drop-down box,
    select Windows and Multi-Language, then press Continue. Selecting Windows gives you the 32-bit version.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u12-windows-i586.exe and save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java™ 6 Update 11
    Java™ 6 Update 7
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire Malwarebytes' Anti-Malware report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

If you encounter this message:"c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5" Click on ignore mbamext.dll

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - so if you need help, post your problem in the forum.

#3 mrmarcdee (Topic Starter)

Posted 19 March 2009 - 01:29 PM

MBAM Log:

Malwarebytes' Anti-Malware 1.34
Database version: 1871
Windows 5.1.2600 Service Pack 3

3/19/2009 2:27:54 PM
mbam-log-2009-03-19 (14-27-54).txt

Scan type: Full Scan (C:\|I:\|J:\|K:\|)
Objects scanned: 416182
Time elapsed: 1 hour(s), 30 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3feca576-7ad2-4e11-a6ad-6b59d4fb5db9} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqpoli (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3feca576-7ad2-4e11-a6ad-6b59d4fb5db9} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3feca576-7ad2-4e11-a6ad-6b59d4fb5db9} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\{NSINAME} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm4bf43010 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{3feca576-7ad2-4e11-a6ad-6b59d4fb5db9} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\Marc\Start Menu\Programs\extravideo (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ssqpoli.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Marc\Local Settings\Temp\tmp2C.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Marc\Local Settings\Temp\FlashPlayer.v3.193.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
J:\System Volume Information\_restore{3414FEC7-D873-4952-A3D3-D99D2583BB27}\RP203\A0033291.exe (Trojan.Hacktool) -> Quarantined and deleted successfully.
J:\System Volume Information\_restore{89D68ED2-3660-4F5E-9781-17E955C99FD9}\RP121\A0013386.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
K:\OldStuff\apps\PowerISO v3.2 + Keygen\PowerISO 3.2 keygen.exe (Trojan.Hacktool) -> Quarantined and deleted successfully.
C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\fmark2.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM4bf43010.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM4bf43010.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-75F.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.


HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:28:22 PM, on 3/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20978)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synergy\synergys.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\wltray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\Program Files\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe
C:\Program Files\Dynex G Desktop Card Adapter\DynexWCUI.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {3C77B4EE-1F27-4785-9343-2F2633142BE2} - C:\WINDOWS\system32\ssqrp.dll (file missing)
O2 - BHO: (no name) - {706C68E9-3647-4793-B9C7-FA320070A377} - C:\WINDOWS\system32\jkhff.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /M "Stylus CX6400" /EF "HKCU"
O4 - HKCU\..\Run: [BackgroundSwitcher] "C:\Program Files\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Global Startup: Dynex Wireless Networking Utility.lnk = C:\Program Files\Dynex G Desktop Card Adapter\DynexWCUI.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: acaptuser32.dll
O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\RpcSandraSrv.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Synergy Server - Unknown owner - C:\Program Files\Synergy\synergys.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 10445 bytes
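Two things in the logs above are worth pulling out mechanically. The HijackThis log still lists two O2 BHO entries marked "(file missing)" for DLLs that Malwarebytes has already removed (ssqrp.dll and jkhff.dll): the files are gone, but the CLSID registrations are orphaned and still need to be fixed. And three of the Malwarebytes hits sit on drives J: and K: rather than C:, two of them inside System Volume Information\_restore folders, i.e. inside System Restore points, which is why a cleanup normally ends with System Restore being flushed so those copies cannot be restored. The script below is an added example, not part of this thread and not Malwarebytes' or HijackThis's own code; it extracts both from lines copied out of the two logs.

```python
"""Follow-up checks on the post-scan logs: what Malwarebytes left behind.

Added example: not part of the forum post and not Malwarebytes' or
HijackThis's own code.  The two samples are lines copied from the MBAM and
HijackThis logs posted above.  Two things a helper looks for by hand:
BHO registry entries whose DLL is already gone (orphaned CLSIDs that still
need fixing) and detections inside System Restore points, which survive
the cleanup unless System Restore is flushed.
"""
import re
from collections import Counter

# Lines copied from the HijackThis log posted above.
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3C77B4EE-1F27-4785-9343-2F2633142BE2} - C:\WINDOWS\system32\ssqrp.dll (file missing)
O2 - BHO: (no name) - {706C68E9-3647-4793-B9C7-FA320070A377} - C:\WINDOWS\system32\jkhff.dll (file missing)
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O20 - AppInit_DLLs: acaptuser32.dll
"""

# Lines copied from the Malwarebytes log posted above.
MBAM_SAMPLE = r"""
Files Infected:
C:\WINDOWS\system32\ssqpoli.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Marc\Local Settings\Temp\FlashPlayer.v3.193.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
J:\System Volume Information\_restore{3414FEC7-D873-4952-A3D3-D99D2583BB27}\RP203\A0033291.exe (Trojan.Hacktool) -> Quarantined and deleted successfully.
J:\System Volume Information\_restore{89D68ED2-3660-4F5E-9781-17E955C99FD9}\RP121\A0013386.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
K:\OldStuff\apps\PowerISO v3.2 + Keygen\PowerISO 3.2 keygen.exe (Trojan.Hacktool) -> Quarantined and deleted successfully.
C:\WINDOWS\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-F-]{36}\}) - (?P<path>.+?)(?P<missing> \(file missing\))?$",
    re.I)
DETECT_RE = re.compile(r"^(?P<path>[A-Z]:\\.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$", re.I)
RESTORE_RE = re.compile(r"^[A-Z]:\\System Volume Information\\_restore\{[0-9A-F-]{36}\}\\RP\d+\\", re.I)


def orphaned_bhos(hjt_log):
    """CLSIDs HijackThis still sees registered although the DLL is gone.

    The scanner removed the file and the keys it knew about; the remaining
    registration is what the O2 line would be fixed for.
    """
    return [(m["clsid"], m["path"])
            for m in map(O2_RE.match, hjt_log.splitlines()) if m and m["missing"]]


def summarize_mbam(mbam_log):
    """Group MBAM detections by family and single out the ones that will not stay gone."""
    families = Counter()
    restore_hits = []      # copies held inside System Restore points
    other_drives = set()   # non-system drives that had detections
    for line in mbam_log.splitlines():
        m = DETECT_RE.match(line.strip())
        if not m:
            continue
        families[m["family"]] += 1
        if RESTORE_RE.match(m["path"]):
            restore_hits.append(m["path"])
        if m["path"][0].upper() != "C":
            other_drives.add(m["path"][0].upper())
    return {"families": dict(families),
            "restore_point_hits": restore_hits,
            "other_drives": sorted(other_drives)}


if __name__ == "__main__":
    for clsid, path in orphaned_bhos(HJT_SAMPLE):
        print(f"orphaned BHO {clsid} -> {path} (fix the O2 line)")
    s = summarize_mbam(MBAM_SAMPLE)
    print("detections by family:", s["families"])
    print("inside restore points:", len(s["restore_point_hits"]), "on drives", s["other_drives"])
```

On the sample it reports the two orphaned CLSIDs, six detections across five families, and two restore-point copies on J:. Feeding it a complete HijackThis log and a complete MBAM log works the same way; lines that are not O2 entries or path-(family)->action detections are ignored.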

#4 SifuMike

SifuMike, malware expert
  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 19 March 2009 - 01:41 PM

Hi mrmarcdee,

Your AVG version is old.
Upgrading to AVG 8.5 is free, and it contains the Anti-Spyware engine which is not present in the 7.5 version.
  • Download the latest version from AVG's website.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove your old AVG or Ewido Security Suite (Ewido was bought by AVG, so 8.5 will have its anti-spyware engine).
  • Run the installation file downloaded before and proceed with the installation. At one point it will warn you that to install AVG 8.5 it will remove previous versions; accept and go forward with the installation.
After AVG 7 is uninstalled and AVG 8.5 installed, update it and do a complete scan.
Once the complete scan is finished, post the results in the forum this way:
  • Double-click AVG's icon near the watch.
  • Select from the menu History -> Scan Results.
  • Double-click the last scan results.
  • Click on Export overview to file... and save the file somewhere you'll be able to find it.
  • Open the saved file with Notepad and copy and paste the results here.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 mrmarcdee

mrmarcdee
  • Topic Starter
  • Members
  • 7 posts

Posted 19 March 2009 - 09:17 PM

"Scan ""Scan whole computer"" was finished."
"Spyware";"2";"2";"0"
"Information";"5"
"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"Thursday, March 19, 2009, 8:25:26 PM"
"Scan finished:";"Thursday, March 19, 2009, 10:12:10 PM (1 hour(s) 46 minute(s) 44 second(s))"
"Total object scanned:";"996519"
"User who launched the scan:";"Marc"

"Spyware"
"File";"Infection";"Result"
"C:\Program Files\DAEMON Tools Lite\uninst.exe";"Adware Generic3.BHV";"Moved to Virus Vault"
"C:\Program Files\DAEMON Tools Lite\uninst.exe:\$JK\setuphlp.dll";"Adware Generic3.BHV";"Moved to Virus Vault"

"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\All Users\Application Data\Rosetta Stone\Content\data\89\d\89d999b34ab8b4110aa613d6488fe46f4056e3a5";"May be infected by unknown virus Exploit.Flash";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Application Data\Rosetta Stone\Content\data\8d\1\8d1af52de9b88b0719790c8d32ab9bb392542dd5";"May be infected by unknown virus Exploit.Flash";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Application Data\Rosetta Stone\Content\data\ab\2\ab29ee29a2e30dea84ecb9fa45eab4f4e19158b0";"May be infected by unknown virus Exploit.Flash";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Application Data\Rosetta Stone\Content\data\c1\e\c1ec7b5667f02421f7ac037a9247a19ed4959bcf";"May be infected by unknown virus Exploit.Flash";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Application Data\Rosetta Stone\Content\data\c2\8\c2896b9521878984ff4e1ac414e3207843a04ea4";"May be infected by unknown virus Exploit.Flash";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Application Data\Flock\Browser\Profiles\qoajknlu.default\cookies.sqlite";"Found Tracking cookie.Atdmt";"Healed"
"C:\Documents and Settings\Marc\Application Data\Flock\Browser\Profiles\qoajknlu.default\cookies.sqlite:\ad.yieldmanager.com.539b0606";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Application Data\Flock\Browser\Profiles\qoajknlu.default\cookies.sqlite:\atdmt.com.b3e33b5f";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Application Data\Flock\Browser\Profiles\qoajknlu.default\cookies.sqlite:\doubleclick.net.1d39bd48";"Found Tracking cookie.Doubleclick";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Application Data\Mozilla\Firefox\Profiles\wr873voz.default\cookies.sqlite";"Found Tracking cookie.2o7";"Healed"
"C:\Documents and Settings\Marc\Application Data\Mozilla\Firefox\Profiles\wr873voz.default\cookies.sqlite:\2o7.net.1f5891ae";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Application Data\Mozilla\Firefox\Profiles\wr873voz.default\cookies.sqlite:\2o7.net.1fd2efb0";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Application Data\Mozilla\Firefox\Profiles\wr873voz.default\cookies.sqlite:\2o7.net.3639522a";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Application Data\Mozilla\Firefox\Profiles\wr873voz.default\cookies.sqlite:\2o7.net.484dbb69";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Application Data\Mozilla\Firefox\Profiles\wr873voz.default\cookies.sqlite:\2o7.net.50ba3882";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Application Data\Mozilla\Firefox\Profiles\wr873voz.default\cookies.sqlite:\2o7.net.7919062b";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Application Data\Mozilla\Firefox\Profiles\wr873voz.default\cookies.sqlite:\2o7.net.83c62d13";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Application Data\Mozilla\Firefox\Profiles\wr873voz.default\cookies.sqlite:\2o7.net.95e64c93";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Application Data\Mozilla\Firefox\Profiles\wr873voz.default\cookies.sqlite:\2o7.net.41207ad0";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Application Data\Mozilla\Firefox\Profiles\wr873voz.default\cookies.sqlite:\2o7.net.4ceb623c";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Application Data\Mozilla\Firefox\Profiles\wr873voz.default\cookies.sqlite:\2o7.net.7815c7ab";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Application Data\Mozilla\Firefox\Profiles\wr873voz.default\cookies.sqlite:\2o7.net.ac9296d1";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Application Data\Mozilla\Firefox\Profiles\wr873voz.default\cookies.sqlite:\2o7.net.dc3d664d";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Application Data\Mozilla\Firefox\Profiles\wr873voz.default\cookies.sqlite:\2o7.net.dabd330a";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Application Data\Mozilla\Firefox\Profiles\wr873voz.default\cookies.sqlite:\doubleclick.net.bf396750";"Found Tracking cookie.Doubleclick";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Application Data\Mozilla\Firefox\Profiles\wr873voz.default\cookies.sqlite:\stat.dealtime.com.f58c396a";"Found Tracking cookie.Dealtime";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Application Data\Mozilla\Firefox\Profiles\wr873voz.default\cookies.sqlite:\statcounter.com.1b380792";"Found Tracking cookie.Statcounter";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Application Data\Mozilla\Firefox\Profiles\wr873voz.default\cookies.sqlite:\hitbox.com.2b95f8a3";"Found Tracking cookie.Hitbox";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Application Data\Mozilla\Firefox\Profiles\wr873voz.default\cookies.sqlite:\msnportal.112.2o7.net.7225be6f";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Application Data\Mozilla\Firefox\Profiles\wr873voz.default\cookies.sqlite:\statcounter.com.2349a550";"Found Tracking cookie.Statcounter";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Application Data\Mozilla\Firefox\Profiles\wr873voz.default\cookies.sqlite:\statcounter.com.7e1b943c";"Found Tracking cookie.Statcounter";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Application Data\Mozilla\Firefox\Profiles\wr873voz.default\cookies.sqlite:\statcounter.com.8abac5d6";"Found Tracking cookie.Statcounter";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Application Data\Mozilla\Firefox\Profiles\wr873voz.default\cookies.sqlite:\statcounter.com.e0ebdba8";"Found Tracking cookie.Statcounter";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Application Data\Mozilla\Firefox\Profiles\wr873voz.default\cookies.sqlite:\statse.webtrendslive.com.b4ca7df0";"Found Tracking cookie.Webtrendslive";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Cookies\marc@ad.yieldmanager[2].txt";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Cookies\marc@ad.yieldmanager[2].txt:\ad.yieldmanager.com.539b0606";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Cookies\marc@ad.yieldmanager[2].txt:\ad.yieldmanager.com.557bf2b0";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Cookies\marc@ad.yieldmanager[2].txt:\ad.yieldmanager.com.830b6f08";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Cookies\marc@ad.yieldmanager[2].txt:\ad.yieldmanager.com.87a9ab5d";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Cookies\marc@atdmt[2].txt";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Cookies\marc@ad.yieldmanager[2].txt:\ad.yieldmanager.com.8a47878";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Cookies\marc@ad.yieldmanager[2].txt:\ad.yieldmanager.com.b68f2b7b";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Cookies\marc@ad.yieldmanager[2].txt:\ad.yieldmanager.com.cfb9f79a";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Cookies\marc@ad.yieldmanager[2].txt:\ad.yieldmanager.com.e762f029";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Cookies\marc@ad.yieldmanager[2].txt:\ad.yieldmanager.com.ff92306";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Cookies\marc@atdmt[2].txt:\atdmt.com.b3e33b5f";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Cookies\marc@atdmt[2].txt:\atdmt.com.ce59db3e";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Cookies\marc@doubleclick[1].txt";"Found Tracking cookie.Doubleclick";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Cookies\marc@doubleclick[1].txt:\doubleclick.net.bf396750";"Found Tracking cookie.Doubleclick";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Cookies\marc@doubleclick[1].txt:\doubleclick.net.ce59db3e";"Found Tracking cookie.Doubleclick";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Cookies\marc@m.webtrends[1].txt";"Found Tracking cookie.Webtrends";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Cookies\marc@m.webtrends[1].txt:\m.webtrends.com.b4ca7df0";"Found Tracking cookie.Webtrends";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Cookies\marc@real[1].txt";"Found Tracking cookie.Real";"Moved to Virus Vault"
"C:\Documents and Settings\Marc\Cookies\marc@real[1].txt:\real.com.66561182";"Found Tracking cookie.Real";"Moved to Virus Vault"

"Information"
"File";"Infection";"Result"
"I:\downloads\bt\Tunebite_v4.0.0.10_Platinum\snd-tunebite4.0.0.10.patch\snd.nfo.viewer.exe";"Runtime packed upack";""
"I:\downloads\bt\Tunebite_v4.0.0.10_Platinum\Tunebite_v4.0.0.10_Platinum.rar";"Runtime packed upack";""
"I:\downloads\bt\Tunebite_v4.0.0.10_Platinum\Tunebite_v4.0.0.10_Platinum.rar:\snd-tunebite4.0.0.10.patch\snd.nfo.viewer.exe";"Runtime packed upack";""
"I:\games\Command And Conquer 3 Tiberium Wars Kane Edition AlcoholClone-CLONEGAME\Command_And_Conquer_3_Tiberium_Wars_Kane_Edition_Keygen-RazorDOX\CC3_Keygen.exe";"Runtime packed fsg";""
"I:\games\Command_And_Conquer_3_Tiberium_Wars_Kane_Edition_Keygen-RazorDOX\CC3_Keygen.exe";"Runtime packed fsg";""

#6 SifuMike

SifuMike, malware expert
  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 19 March 2009 - 09:38 PM

Hi mrmarcdee,

Looks like you are still infected, so we will run ComboFix.

You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.
Please read ComboFix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums, and then only when requested by a HJT Team member.

You need to disable your AVG Antivirus before running ComboFix, as it will prevent it from running.

To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield, just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run ComboFix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your drive light. If it is flashing, ComboFix is still at work.

Post the ComboFix log.

Edited by SifuMike, 19 March 2009 - 09:40 PM: insert AVG disable


#7 mrmarcdee

mrmarcdee
  • Topic Starter
  • Members
  • 7 posts

Posted 20 March 2009 - 11:21 AM

ComboFix 09-03-19.02 - Marc 2009-03-20 11:56:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1511 [GMT -4:00]
Running from: c:\documents and settings\Marc\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\Sys.exe
c:\windows\system32\ffhkj.ini
c:\windows\system32\ffhkj.ini2
c:\windows\system32\prqss.ini
c:\windows\system32\prqss.ini2
I:\resycled

----- BITS: Possible infected sites -----

hxxp://sunmicro.ht.rd.llnw.net
.
((((((((((((((((((((((((( Files Created from 2009-02-20 to 2009-03-20 )))))))))))))))))))))))))))))))
.

2009-03-19 20:32 . 2009-03-19 21:10 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-19 20:20 . 2009-03-19 20:24 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-03-19 20:20 . 2009-03-19 20:20 <DIR> d-------- c:\program files\AVG
2009-03-19 20:20 . 2009-03-19 20:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-19 20:20 . 2009-03-19 20:20 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-03-19 20:20 . 2009-03-19 20:20 107,912 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-03-19 20:20 . 2009-03-19 20:20 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-03-19 12:54 . 2009-03-19 12:54 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-19 12:54 . 2009-03-19 12:54 <DIR> d-------- c:\documents and settings\Marc\Application Data\Malwarebytes
2009-03-19 12:54 . 2009-03-19 12:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-19 12:54 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-19 12:54 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-19 12:53 . 2009-03-19 12:53 <DIR> d-------- c:\program files\Java
2009-03-19 12:53 . 2009-03-19 12:53 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-19 11:54 . 2009-03-19 11:54 <DIR> d-------- c:\documents and settings\Marc\.SunDownloadManager
2009-03-13 11:54 . 2009-03-13 11:54 25,992 --a------ c:\windows\system32\pgdfgsvc.exe
2009-03-13 09:38 . 2009-01-09 15:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat
2009-03-12 22:40 . 2009-03-12 22:40 118 --a------ c:\windows\system32\MRT.INI
2009-03-12 20:52 . 2009-03-12 20:52 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-12 20:45 . 2009-03-12 20:45 <DIR> d-------- c:\program files\Trend Micro
2009-03-12 20:35 . 2009-03-12 22:51 <DIR> d-------- c:\windows\SxsCaPendDel
2009-03-12 19:40 . 2009-03-12 19:40 <DIR> d-------- c:\program files\johnsadventures.com
2009-03-12 19:40 . 2009-03-12 19:40 <DIR> d-------- c:\documents and settings\Marc\Application Data\johnsadventures.com
2009-03-11 10:59 . 2008-12-05 02:54 144,896 -----c--- c:\windows\system32\dllcache\schannel.dll
2009-03-09 22:48 . 2009-03-09 22:48 <DIR> d-------- c:\documents and settings\Marc\Paulo Coelho
2009-03-09 22:46 . 2009-03-09 22:46 <DIR> d-------- c:\documents and settings\Marc\Hunter S Thompson
2009-03-09 22:42 . 2009-03-09 22:42 <DIR> d-------- c:\documents and settings\Marc\Robert M. Pirsig
2009-03-09 22:37 . 2009-03-09 22:37 <DIR> d-------- c:\documents and settings\Marc\Jeff Jarvis
2009-03-09 17:56 . 2009-03-09 18:04 <DIR> d-------- c:\documents and settings\Marc\Leo Tolstoy
2009-03-09 11:05 . 2008-05-09 06:53 512,000 -----c--- c:\windows\system32\dllcache\jscript.dll
2009-03-09 11:05 . 2008-05-09 06:53 430,080 -----c--- c:\windows\system32\dllcache\vbscript.dll
2009-03-09 11:05 . 2008-05-09 06:53 180,224 -----c--- c:\windows\system32\dllcache\scrobj.dll
2009-03-09 11:05 . 2008-05-09 06:53 172,032 -----c--- c:\windows\system32\dllcache\scrrun.dll
2009-03-09 11:05 . 2008-05-08 07:24 155,648 -----c--- c:\windows\system32\dllcache\wscript.exe
2009-03-09 11:05 . 2008-05-09 04:45 135,168 -----c--- c:\windows\system32\dllcache\cscript.exe
2009-03-09 11:05 . 2008-05-09 06:53 90,112 -----c--- c:\windows\system32\dllcache\wshext.dll
2009-03-08 18:53 . 2004-08-03 19:56 221,184 --a------ c:\windows\system32\wmpns.dll
2009-03-08 18:48 . 2009-03-08 18:48 <DIR> d-------- c:\windows\system32\scripting
2009-03-08 18:48 . 2009-03-08 18:48 <DIR> d-------- c:\windows\system32\en
2009-03-08 18:48 . 2009-03-08 18:48 <DIR> d-------- c:\windows\system32\bits
2009-03-08 18:47 . 2009-03-08 18:47 <DIR> d-------- c:\windows\ServicePackFiles
2009-03-08 18:10 . 2009-03-08 18:57 <DIR> d-------- c:\program files\Microsoft Games for Windows - LIVE
2009-03-08 17:59 . 2009-03-08 18:00 <DIR> d-------- c:\program files\Rockstar Games
2009-03-03 18:49 . 2008-07-12 09:18 3,851,784 --a------ c:\windows\system32\D3DX9_39.dll
2009-03-03 18:49 . 2008-07-12 09:18 1,493,528 --a------ c:\windows\system32\D3DCompiler_39.dll
2009-03-03 18:49 . 2008-07-31 11:40 509,448 --a------ c:\windows\system32\XAudio2_2.dll
2009-03-03 18:49 . 2008-07-12 09:18 467,984 --a------ c:\windows\system32\d3dx10_39.dll
2009-03-03 18:49 . 2008-07-31 11:41 238,088 --a------ c:\windows\system32\xactengine3_2.dll
2009-03-03 18:49 . 2008-07-31 11:41 68,616 --a------ c:\windows\system32\XAPOFX1_1.dll
2009-02-25 19:12 . 2009-02-25 19:12 <DIR> d-------- c:\documents and settings\Marc\Application Data\EPSON
2009-02-25 19:03 . 2009-02-25 19:03 9,662 --a------ c:\windows\EPISME00.SWB
2009-02-25 19:02 . 2004-02-18 02:10 98,304 --a------ c:\windows\system32\E_SAGSET.DLL
2009-02-25 19:02 . 2004-05-21 06:04 79,622 --a------ c:\windows\system32\EBPMON24.DLL
2009-02-25 19:02 . 2003-05-21 03:27 64,000 --a------ c:\windows\system32\ECBTEG.DLL
2009-02-25 19:02 . 2000-06-07 02:01 34,304 --a------ c:\windows\system32\EBPCHP.DLL
2009-02-25 18:58 . 2008-04-13 14:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-02-25 18:24 . 2009-02-25 19:02 <DIR> d-------- c:\program files\epson
2009-02-25 18:24 . 2003-07-01 01:00 46,080 --a------ c:\windows\system32\escimgd.dll
2009-02-25 18:24 . 2003-07-01 01:00 29,696 --a------ c:\windows\system32\escwiad.dll
2009-02-25 18:24 . 2003-07-01 01:00 22,528 --a------ c:\windows\system32\esccmd.dll
2009-02-25 17:21 . 2008-04-13 14:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2009-02-25 09:58 . 2008-06-17 15:02 8,461,312 -----c--- c:\windows\system32\dllcache\shell32.dll
2009-02-24 17:35 . 2009-02-24 17:35 <DIR> d-------- c:\program files\Pidgin
2009-02-21 21:58 . 2009-02-21 23:31 <DIR> d-------- c:\documents and settings\Marc\k

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-20 15:49 --------- d-----w c:\program files\Mozilla Thunderbird
2009-03-20 03:15 --------- d-----w c:\documents and settings\Marc\Application Data\uTorrent
2009-03-20 03:15 --------- d-----w c:\documents and settings\Marc\Application Data\foobar2000
2009-03-20 03:15 --------- d-----w c:\documents and settings\Marc\Application Data\.purple
2009-03-20 02:55 --------- d-----w c:\program files\Free Easy Burner
2009-03-20 01:10 --------- d-----w c:\program files\DAEMON Tools Lite
2009-03-09 22:23 --------- d-----w c:\program files\calibre
2009-03-08 22:00 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-07 01:27 --------- d-----w c:\documents and settings\Marc\Application Data\gtk-2.0
2009-03-03 22:48 --------- d-----w c:\program files\Ubisoft
2009-02-25 17:13 --------- d-----w c:\program files\Steam
2009-02-24 21:35 --------- d-----w c:\program files\Common Files\GTK
2009-02-22 21:24 --------- d-----w c:\program files\foobar2000
2009-02-22 00:28 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-22 00:28 --------- d-----w c:\program files\AGEIA Technologies
2009-02-19 22:58 --------- d-----w c:\program files\Real
2009-02-19 22:58 --------- d-----w c:\program files\Common Files\xing shared
2009-02-19 22:58 --------- d-----w c:\program files\Common Files\Real
2009-02-19 19:27 --------- d-----w c:\documents and settings\All Users\Application Data\Rosetta Stone
2009-02-18 17:14 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-02-15 00:53 --------- d-----w c:\program files\WorldOfGoo
2009-02-15 00:53 --------- d-----w c:\documents and settings\All Users\Application Data\2DBoy
2009-02-09 18:18 6,307,328 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2009-02-07 15:53 --------- d-----w c:\program files\Rosetta Stone
2009-02-07 15:21 --------- d-----w c:\program files\Flock
2009-02-07 15:21 --------- d-----w c:\documents and settings\Marc\Application Data\Flock
2009-02-07 03:40 --------- d-----w c:\program files\Common Files\Adobe
2009-02-07 03:37 --------- d-----w c:\documents and settings\All Users\Application Data\ALM
2009-02-07 03:32 --------- d-----w c:\program files\Adobe Media Player
2009-02-07 03:31 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-01-23 22:42 --------- d-----w c:\documents and settings\Marc\Application Data\My Games
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"EPSON Stylus CX6400"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE" [2003-06-03 99840]
"BackgroundSwitcher"="c:\program files\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe" [2009-03-09 1093952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-09 13680640]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"Broadcom Wireless Manager"="c:\windows\system32\wltray.exe" [2007-03-02 1282048]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-09 86016]
"EPSON Stylus CX6400"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE" [2003-06-03 99840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-19 148888]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-19 1932568]
"nwiz"="nwiz.exe" [2009-02-09 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Dynex Wireless Networking Utility.lnk - c:\program files\Dynex G Desktop Card Adapter\DynexWCUI.exe [2009-01-12 1462272]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-19 20:20 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=acaptuser32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv

[HKLM\~\startupfolder\C:^Documents and Settings^Marc^Start Menu^Programs^Startup^VirtuaGirl HD.LNK]
path=c:\documents and settings\Marc\Start Menu\Programs\Startup\VirtuaGirl HD.LNK
backup=c:\windows\pss\VirtuaGirl HD.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-06-11 23:43 640376 c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
--a------ 2008-06-12 03:25 37232 c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
--a------ 2008-08-14 08:58 611712 c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0ENQBO]
--a------ 2008-08-15 06:46 378224 c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2008-11-22 20:36 203720 c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
--a------ 2002-09-10 21:26 368706 c:\program files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link Wireless G WUA-1340]
--a------ 2007-08-27 17:25 1662976 c:\program files\D-Link\Wireless G WUA-1340\AirGCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-03-14 07:55 486856 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
--a------ 2008-07-21 14:07 2752512 c:\program files\Electronic Arts\EADM\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-08 18:11 133104 c:\documents and settings\Marc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgCenterExe]
--a------ 2009-02-19 18:58 69632 c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-10-07 22:47 1410296 c:\program files\Steam\Steam.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP1\\Win32\\RpcDataSrv.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP1\\RpcSandraSrv.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"c:\\Program Files\\vghd\\vghd.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"c:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"c:\\Program Files\\Joost Plugin\\joostws.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\spellforce 2 shadow wars\\spellforce2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\spellforce 2 dragon storm\\spellforce2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-19 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-19 107912]
R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [2008-03-15 179584]
R1 IfsMount;IfsMount;c:\windows\system32\drivers\ifsmount.sys [2008-03-15 49536]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-03-19 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-19 298264]
R2 BCMWLNPF;Broadcom Netgroup Packet Filter;c:\windows\system32\drivers\bcmwlnpf.sys [2009-01-12 33664]
R2 Synergy Server;Synergy Server;c:\program files\Synergy\synergys.exe [2006-04-02 733184]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-08-15 284016]
S3 krdpdre;krdpdre;\??\c:\docume~1\Marc\LOCALS~1\Temp\krdpdre.sys --> c:\docume~1\Marc\LOCALS~1\Temp\krdpdre.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com i:
\Shell\Open\command - i:\resycled\boot.com i:
.
Contents of the 'Scheduled Tasks' folder

2009-03-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1177238915-725345543-1003.job
- c:\documents and settings\Marc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-08 18:11]
.
- - - - ORPHANS REMOVED - - - -

BHO-{3C77B4EE-1F27-4785-9343-2F2633142BE2} - c:\windows\system32\ssqrp.dll
BHO-{706C68E9-3647-4793-B9C7-FA320070A377} - c:\windows\system32\jkhff.dll
HKCU-Run-AdobeBridge - (no file)
MSConfigStartUp-AGEIA PhysX SysTray - c:\program files\AGEIA Technologies\TrayIcon.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.sbc.com/dsl
uInternet Settings,ProxyOverride = 127.0.0.1
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Marc\Application Data\Mozilla\Firefox\Profiles\wr873voz.default\
FF - plugin: c:\documents and settings\Marc\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Joost Plugin\npjoost.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-20 11:58:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-527237240-1177238915-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:9e,94,fe,ad,3f,ed,e4,94,5e,6d,66,24,dd,b2,4b,a2,f2,88,1d,45,14,
c8,b7,52,cd,e7,ad,c4,8c,6c,2d,32,24,70,23,10,71,17,dd,af,20,65,7e,31,5c,5b,\
"rkeysecu"=hex:21,30,cd,8e,af,8b,ea,e7,d6,c6,6e,fb,f8,88,f4,4a
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1104)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\System32\BCMLogon.dll
c:\program files\Synergy\synrgyhk.dll

- - - - - - - > 'lsass.exe'(1160)
c:\windows\system32\nvappfilter.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wltrysvc.exe
c:\windows\system32\bcmwltry.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-03-20 12:01:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-20 16:01:50

Pre-Run: 4,094,328,832 bytes free
Post-Run: 5,680,566,272 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

319 --- E O F --- 2009-03-13 13:48:55

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:43 PM

Posted 20 March 2009 - 11:48 AM

Hi mrmarcdee,

Your system is infected with a Flash Drive infector.

Warning: Any flash / jump drives you have connected to this system since your infection have been compromised by a flash drive infector.
We are going to run a tool as part of the following fix which will disinfect your machine, as well as clean any flash drives connected to the system.
It is advised you connect any flash drives that have been connected to this machine during this time frame to this system for the following fix, in order to disinfect them.

Please let the owners of other machines to which you have connected any flash media or drives know that their machines may now be infected.

We need to remove the Flash Drive infector

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.

The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone.

Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.


Looks like your i drive is infected. Probably a flash drive.
Be sure it is inserted when ComboFix runs.

You need to disable your AVG Antivirus before running ComboFix, as it will prevent it from running.

To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield, just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
c:\docume~1\Marc\LOCALS~1\Temp\krdpdre.sys 

Folder:: 
i:\resycled

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]

Driver:: 
krdpdre


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
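As an added example (not part of this thread, of ComboFix, or of any tool named above), here is a small Python checker that applies the two indicators the diagnosis above rests on to ComboFix-style log lines: a MountPoints2 autorun command registered for a removable volume, and a driver whose image path sits under a user's Temp folder. The sample lines are constructed from the entries quoted in this thread; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the ComboFix entries quoted in this thread
# (a legitimate AV driver, a legitimate S3 service, the Temp-folder driver,
# and the MountPoints2 autorun entries for drive I:).
SAMPLE_LOG = r"""
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-19 325640]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-08-15 284016]
S3 krdpdre;krdpdre;\??\c:\docume~1\Marc\LOCALS~1\Temp\krdpdre.sys --> c:\docume~1\Marc\LOCALS~1\Temp\krdpdre.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com i:
\Shell\Open\command - i:\resycled\boot.com i:
.
Contents of the 'Scheduled Tasks' folder
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # "temp_driver" or "mountpoints2_autorun"
    detail: str  # human-readable explanation for the analyst


# ComboFix service/driver line: "<Rn|Sn> <name>;<display name>;<image path> [<date size>]"
SERVICE_LINE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
# Per-volume MountPoints2 key, e.g. "[HKEY_CURRENT_USER\...\mountpoints2\I]"
MOUNTPOINT_KEY = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\([A-Za-z])\]$", re.I)
# A "\Shell\<verb>\command - <command line>" entry listed beneath that key
SHELL_COMMAND = re.compile(r"^\\Shell\\([^\\]+)\\command\s+-\s+(.*)$", re.I)
# Path fragments a kernel driver has no business being loaded from
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\")


def driver_from_temp(image_path: str) -> bool:
    """True when the driver image lives under a user temp / local-settings tree."""
    lowered = image_path.lower()
    return any(marker in lowered for marker in TEMP_MARKERS)


def analyse(log_text: str) -> List[Finding]:
    """Walk ComboFix-style lines and return the suspicious entries found."""
    findings: List[Finding] = []
    current_drive: Optional[str] = None  # set while inside a MountPoints2 block
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            current_drive = None  # blank line or ComboFix's "." separator ends the block
            continue

        m = SERVICE_LINE.match(line)
        if m:
            start_type, name, _display, rest = m.groups()
            # Drop ComboFix's " --> resolved path" and trailing "[date size]" decorations.
            image = rest.split(" --> ")[0].split(" [")[0].strip()
            if driver_from_temp(image):
                findings.append(Finding("temp_driver", f"{name} ({start_type}) loads {image}"))
            continue

        m = MOUNTPOINT_KEY.match(line)
        if m:
            current_drive = m.group(1).upper()
            continue

        m = SHELL_COMMAND.match(line)
        if m and current_drive:
            verb, command = m.groups()
            findings.append(Finding(
                "mountpoints2_autorun",
                f"drive {current_drive}: Shell\\{verb} runs '{command}'"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```

Run against a real ComboFix log the same way; every MountPoints2 command that points back at the volume itself, and every driver under a Temp path, is worth a closer look regardless of its name.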

#9 mrmarcdee

mrmarcdee
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:43 AM

Posted 20 March 2009 - 12:23 PM

ComboFix 09-03-19.02 - Marc 2009-03-20 13:11:50.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1550 [GMT -4:00]
Running from: c:\documents and settings\Marc\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Marc\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\docume~1\Marc\LOCALS~1\Temp\krdpdre.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KRDPDRE
-------\Service_krdpdre


((((((((((((((((((((((((( Files Created from 2009-02-20 to 2009-03-20 )))))))))))))))))))))))))))))))
.

2009-03-19 20:32 . 2009-03-19 21:10 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-19 20:20 . 2009-03-20 12:00 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-03-19 20:20 . 2009-03-19 20:20 <DIR> d-------- c:\program files\AVG
2009-03-19 20:20 . 2009-03-19 20:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-19 20:20 . 2009-03-19 20:20 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-03-19 20:20 . 2009-03-19 20:20 107,912 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-03-19 20:20 . 2009-03-19 20:20 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-03-19 12:54 . 2009-03-19 12:54 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-19 12:54 . 2009-03-19 12:54 <DIR> d-------- c:\documents and settings\Marc\Application Data\Malwarebytes
2009-03-19 12:54 . 2009-03-19 12:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-19 12:54 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-19 12:54 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-19 12:53 . 2009-03-19 12:53 <DIR> d-------- c:\program files\Java
2009-03-19 12:53 . 2009-03-19 12:53 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-19 11:54 . 2009-03-19 11:54 <DIR> d-------- c:\documents and settings\Marc\.SunDownloadManager
2009-03-13 11:54 . 2009-03-13 11:54 25,992 --a------ c:\windows\system32\pgdfgsvc.exe
2009-03-13 09:38 . 2009-01-09 15:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat
2009-03-12 22:40 . 2009-03-12 22:40 118 --a------ c:\windows\system32\MRT.INI
2009-03-12 20:52 . 2009-03-12 20:52 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-12 20:45 . 2009-03-12 20:45 <DIR> d-------- c:\program files\Trend Micro
2009-03-12 20:35 . 2009-03-12 22:51 <DIR> d-------- c:\windows\SxsCaPendDel
2009-03-12 19:40 . 2009-03-12 19:40 <DIR> d-------- c:\program files\johnsadventures.com
2009-03-12 19:40 . 2009-03-12 19:40 <DIR> d-------- c:\documents and settings\Marc\Application Data\johnsadventures.com
2009-03-11 10:59 . 2008-12-05 02:54 144,896 -----c--- c:\windows\system32\dllcache\schannel.dll
2009-03-09 22:48 . 2009-03-09 22:48 <DIR> d-------- c:\documents and settings\Marc\Paulo Coelho
2009-03-09 22:46 . 2009-03-09 22:46 <DIR> d-------- c:\documents and settings\Marc\Hunter S Thompson
2009-03-09 22:42 . 2009-03-09 22:42 <DIR> d-------- c:\documents and settings\Marc\Robert M. Pirsig
2009-03-09 22:37 . 2009-03-09 22:37 <DIR> d-------- c:\documents and settings\Marc\Jeff Jarvis
2009-03-09 17:56 . 2009-03-09 18:04 <DIR> d-------- c:\documents and settings\Marc\Leo Tolstoy
2009-03-09 11:05 . 2008-05-09 06:53 512,000 -----c--- c:\windows\system32\dllcache\jscript.dll
2009-03-09 11:05 . 2008-05-09 06:53 430,080 -----c--- c:\windows\system32\dllcache\vbscript.dll
2009-03-09 11:05 . 2008-05-09 06:53 180,224 -----c--- c:\windows\system32\dllcache\scrobj.dll
2009-03-09 11:05 . 2008-05-09 06:53 172,032 -----c--- c:\windows\system32\dllcache\scrrun.dll
2009-03-09 11:05 . 2008-05-08 07:24 155,648 -----c--- c:\windows\system32\dllcache\wscript.exe
2009-03-09 11:05 . 2008-05-09 04:45 135,168 -----c--- c:\windows\system32\dllcache\cscript.exe
2009-03-09 11:05 . 2008-05-09 06:53 90,112 -----c--- c:\windows\system32\dllcache\wshext.dll
2009-03-08 18:53 . 2004-08-03 19:56 221,184 --a------ c:\windows\system32\wmpns.dll
2009-03-08 18:48 . 2009-03-08 18:48 <DIR> d-------- c:\windows\system32\scripting
2009-03-08 18:48 . 2009-03-08 18:48 <DIR> d-------- c:\windows\system32\en
2009-03-08 18:48 . 2009-03-08 18:48 <DIR> d-------- c:\windows\system32\bits
2009-03-08 18:47 . 2009-03-08 18:47 <DIR> d-------- c:\windows\ServicePackFiles
2009-03-08 18:10 . 2009-03-08 18:57 <DIR> d-------- c:\program files\Microsoft Games for Windows - LIVE
2009-03-08 17:59 . 2009-03-08 18:00 <DIR> d-------- c:\program files\Rockstar Games
2009-03-03 18:49 . 2008-07-12 09:18 3,851,784 --a------ c:\windows\system32\D3DX9_39.dll
2009-03-03 18:49 . 2008-07-12 09:18 1,493,528 --a------ c:\windows\system32\D3DCompiler_39.dll
2009-03-03 18:49 . 2008-07-31 11:40 509,448 --a------ c:\windows\system32\XAudio2_2.dll
2009-03-03 18:49 . 2008-07-12 09:18 467,984 --a------ c:\windows\system32\d3dx10_39.dll
2009-03-03 18:49 . 2008-07-31 11:41 238,088 --a------ c:\windows\system32\xactengine3_2.dll
2009-03-03 18:49 . 2008-07-31 11:41 68,616 --a------ c:\windows\system32\XAPOFX1_1.dll
2009-02-25 19:12 . 2009-02-25 19:12 <DIR> d-------- c:\documents and settings\Marc\Application Data\EPSON
2009-02-25 19:03 . 2009-02-25 19:03 9,662 --a------ c:\windows\EPISME00.SWB
2009-02-25 19:02 . 2004-02-18 02:10 98,304 --a------ c:\windows\system32\E_SAGSET.DLL
2009-02-25 19:02 . 2004-05-21 06:04 79,622 --a------ c:\windows\system32\EBPMON24.DLL
2009-02-25 19:02 . 2003-05-21 03:27 64,000 --a------ c:\windows\system32\ECBTEG.DLL
2009-02-25 19:02 . 2000-06-07 02:01 34,304 --a------ c:\windows\system32\EBPCHP.DLL
2009-02-25 18:58 . 2008-04-13 14:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-02-25 18:24 . 2009-02-25 19:02 <DIR> d-------- c:\program files\epson
2009-02-25 18:24 . 2003-07-01 01:00 46,080 --a------ c:\windows\system32\escimgd.dll
2009-02-25 18:24 . 2003-07-01 01:00 29,696 --a------ c:\windows\system32\escwiad.dll
2009-02-25 18:24 . 2003-07-01 01:00 22,528 --a------ c:\windows\system32\esccmd.dll
2009-02-25 17:21 . 2008-04-13 14:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2009-02-25 09:58 . 2008-06-17 15:02 8,461,312 -----c--- c:\windows\system32\dllcache\shell32.dll
2009-02-24 17:35 . 2009-02-24 17:35 <DIR> d-------- c:\program files\Pidgin
2009-02-21 21:58 . 2009-02-21 23:31 <DIR> d-------- c:\documents and settings\Marc\k

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-20 17:10 --------- d-----w c:\documents and settings\Marc\Application Data\uTorrent
2009-03-20 17:07 --------- d-----w c:\documents and settings\Marc\Application Data\.purple
2009-03-20 16:58 --------- d-----w c:\program files\Mozilla Thunderbird
2009-03-20 03:15 --------- d-----w c:\documents and settings\Marc\Application Data\foobar2000
2009-03-20 02:55 --------- d-----w c:\program files\Free Easy Burner
2009-03-20 01:10 --------- d-----w c:\program files\DAEMON Tools Lite
2009-03-09 22:23 --------- d-----w c:\program files\calibre
2009-03-08 22:00 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-07 01:27 --------- d-----w c:\documents and settings\Marc\Application Data\gtk-2.0
2009-03-03 22:48 --------- d-----w c:\program files\Ubisoft
2009-02-25 17:13 --------- d-----w c:\program files\Steam
2009-02-24 21:35 --------- d-----w c:\program files\Common Files\GTK
2009-02-22 21:24 --------- d-----w c:\program files\foobar2000
2009-02-22 00:28 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-22 00:28 --------- d-----w c:\program files\AGEIA Technologies
2009-02-19 22:58 --------- d-----w c:\program files\Real
2009-02-19 22:58 --------- d-----w c:\program files\Common Files\xing shared
2009-02-19 22:58 --------- d-----w c:\program files\Common Files\Real
2009-02-19 19:27 --------- d-----w c:\documents and settings\All Users\Application Data\Rosetta Stone
2009-02-18 17:14 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-02-15 00:53 --------- d-----w c:\program files\WorldOfGoo
2009-02-15 00:53 --------- d-----w c:\documents and settings\All Users\Application Data\2DBoy
2009-02-09 18:18 6,307,328 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2009-02-07 15:53 --------- d-----w c:\program files\Rosetta Stone
2009-02-07 15:21 --------- d-----w c:\program files\Flock
2009-02-07 15:21 --------- d-----w c:\documents and settings\Marc\Application Data\Flock
2009-02-07 03:40 --------- d-----w c:\program files\Common Files\Adobe
2009-02-07 03:37 --------- d-----w c:\documents and settings\All Users\Application Data\ALM
2009-02-07 03:32 --------- d-----w c:\program files\Adobe Media Player
2009-02-07 03:31 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-01-23 22:42 --------- d-----w c:\documents and settings\Marc\Application Data\My Games
.

((((((((((((((((((((((((((((( SnapShot@2009-03-20_12.01.30.73 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-20 14:06:05 67,312 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-20 17:13:04 67,312 ----a-w c:\windows\system32\perfc009.dat
- 2009-03-20 14:06:05 432,356 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-20 17:13:04 432,356 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-20 17:15:38 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_1c8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"EPSON Stylus CX6400"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE" [2003-06-03 99840]
"BackgroundSwitcher"="c:\program files\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe" [2009-03-09 1093952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-09 13680640]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"Broadcom Wireless Manager"="c:\windows\system32\wltray.exe" [2007-03-02 1282048]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-09 86016]
"EPSON Stylus CX6400"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE" [2003-06-03 99840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-19 148888]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-19 1932568]
"nwiz"="nwiz.exe" [2009-02-09 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Dynex Wireless Networking Utility.lnk - c:\program files\Dynex G Desktop Card Adapter\DynexWCUI.exe [2009-01-12 1462272]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-19 20:20 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=acaptuser32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv

[HKLM\~\startupfolder\C:^Documents and Settings^Marc^Start Menu^Programs^Startup^VirtuaGirl HD.LNK]
path=c:\documents and settings\Marc\Start Menu\Programs\Startup\VirtuaGirl HD.LNK
backup=c:\windows\pss\VirtuaGirl HD.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-06-11 23:43 640376 c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
--a------ 2008-06-12 03:25 37232 c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
--a------ 2008-08-14 08:58 611712 c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0ENQBO]
--a------ 2008-08-15 06:46 378224 c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2008-11-22 20:36 203720 c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
--a------ 2002-09-10 21:26 368706 c:\program files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link Wireless G WUA-1340]
--a------ 2007-08-27 17:25 1662976 c:\program files\D-Link\Wireless G WUA-1340\AirGCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-03-14 07:55 486856 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
--a------ 2008-07-21 14:07 2752512 c:\program files\Electronic Arts\EADM\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-08 18:11 133104 c:\documents and settings\Marc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgCenterExe]
--a------ 2009-02-19 18:58 69632 c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-10-07 22:47 1410296 c:\program files\Steam\Steam.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP1\\Win32\\RpcDataSrv.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP1\\RpcSandraSrv.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"c:\\Program Files\\vghd\\vghd.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"c:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"c:\\Program Files\\Joost Plugin\\joostws.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\spellforce 2 shadow wars\\spellforce2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\spellforce 2 dragon storm\\spellforce2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-19 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-19 107912]
R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [2008-03-15 179584]
R1 IfsMount;IfsMount;c:\windows\system32\drivers\ifsmount.sys [2008-03-15 49536]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-03-19 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-19 298264]
R2 BCMWLNPF;Broadcom Netgroup Packet Filter;c:\windows\system32\drivers\bcmwlnpf.sys [2009-01-12 33664]
R2 Synergy Server;Synergy Server;c:\program files\Synergy\synergys.exe [2006-04-02 733184]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-08-15 284016]
.
Contents of the 'Scheduled Tasks' folder

2009-03-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1177238915-725345543-1003.job
- c:\documents and settings\Marc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-08 18:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.sbc.com/dsl
uInternet Settings,ProxyOverride = 127.0.0.1
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Marc\Application Data\Mozilla\Firefox\Profiles\wr873voz.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-20 13:15:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-527237240-1177238915-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:9e,94,fe,ad,3f,ed,e4,94,5e,6d,66,24,dd,b2,4b,a2,f2,88,1d,45,14,
c8,b7,52,cd,e7,ad,c4,8c,6c,2d,32,24,70,23,10,71,17,dd,af,20,65,7e,31,5c,5b,\
"rkeysecu"=hex:21,30,cd,8e,af,8b,ea,e7,d6,c6,6e,fb,f8,88,f4,4a
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1096)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\System32\BCMLogon.dll
c:\program files\Synergy\synrgyhk.dll

- - - - - - - > 'lsass.exe'(1152)
c:\windows\system32\nvappfilter.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wltrysvc.exe
c:\windows\system32\bcmwltry.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-03-20 13:19:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-20 17:19:15
ComboFix2.txt 2009-03-20 16:01:53

Pre-Run: 5,658,185,728 bytes free
Post-Run: 5,644,460,032 bytes free

303 --- E O F --- 2009-03-13 13:48:55

hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:20:23 PM, on 3/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20978)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\wltray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\Program Files\Dynex G Desktop Card Adapter\DynexWCUI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /M "Stylus CX6400" /EF "HKCU"
O4 - HKCU\..\Run: [BackgroundSwitcher] "C:\Program Files\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Global Startup: Dynex Wireless Networking Utility.lnk = C:\Program Files\Dynex G Desktop Card Adapter\DynexWCUI.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: acaptuser32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\RpcSandraSrv.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Synergy Server - Unknown owner - C:\Program Files\Synergy\synergys.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 9096 bytes

#10 SifuMike (malware expert)

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 20 March 2009 - 12:56 PM

Hi mrmarcdee,

Looks good. :thumbup2:

Let's do a scan for lingering malware.

Please disable any running anti-virus program before running Kaspersky Online Scanner.
If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
Close any open browsers.

Please do a scan with Kaspersky Online Scanner.

You can refer to this animation by sundavis.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • In the drop-down box labeled Files of type, change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
This scanner will only scan. It does not remove any malware it finds.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 mrmarcdee
  • Topic Starter
  • Members
  • 7 posts


Posted 26 March 2009 - 01:24 PM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, March 26, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, March 26, 2009 02:09:19
Records in database: 1970700
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan statistics:
Files scanned: 309718
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 06:56:54

No malware has been detected. The scan area is clean.

The selected area was scanned.

#12 SifuMike (malware expert)

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA


Posted 26 March 2009 - 02:12 PM

Hi mrmarcdee,

Great, Kaspersky did not find anything. :thumbup2:

Please tell me how the computer is running.

We still have to do some program clean up.

#13 mrmarcdee
  • Topic Starter
  • Members
  • 7 posts


Posted 26 March 2009 - 02:40 PM

Hey, thanks for your help SifuMike.

You don't really have to keep helping me anymore.
I mean, I'll keep doing stuff that you tell me is good for my computer, but if it's a hassle and is taking up your time, don't bother.

My computer seems to be running just fine.

#14 SifuMike (malware expert)

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA


Posted 26 March 2009 - 02:44 PM

Hi mrmarcdee,

We have to do the program clean up, then you are good to go. :thumbup2:

Uninstall ComboFix: go to Start > Run and type in ComboFix /u
Make sure there's a space between ComboFix and /
Then hit Enter.

This will uninstall ComboFix, delete any of its related folders and files (Qoobox, VundoFix Backups, Avenger, _OTMoveIt3), reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.


Please read and follow 'How did I get infected?, With steps so it does not happen again!' as well as 'How to prevent Malware' by miekiemoes.

If you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector scan.

#15 SifuMike (malware expert)

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA


Posted 11 April 2009 - 09:56 PM

Since your problem appears to be resolved, this thread will now be closed.
