Wow, more problems less than 2 months later


  • This topic is locked
15 replies to this topic

#1 drk123
  • Members
  • 10 posts

Posted 15 June 2009 - 05:26 PM

Okay. I just did the whole reply-with-HJT-logs-and-run-ComboFix routine like a billion times over at GeeksToGo. All the malware/spyware was removed (apparently) from my system. Now, I've been scanning my system weekly with AVG8 and Spybot, but I seem to be missing this trojan that's affecting things on my system.

I CANNOT RUN HIJACKTHIS. It won't let me. I uninstalled, reinstalled, did it 3 times. Can't run it. Wtf? =( The trojan must be pretty serious for it to block me from using a program.

I honestly do not know what to post here because I cannot run HijackThis. I'm running WinXP 32-bit SP3 on a Q6600 quad core at 2.4 GHz with 2 GB DDR2 RAM, and I need help ridding my system of this spyware. I would attempt ComboFix and Kaspersky myself, but I don't know the scripts for CF and I figure the infection would just outsmart me anyway.

I need some advice on what I can do first, as I have no logs or anything to post here so far. I can list the symptoms as well.

Symptoms:
Google searches are redirecting me and opening new tab windows, sometimes directing me to a completely different site than what I was searching for.
Certain sites say I have been infected by a trojan which is DoS attacking them when I try to connect to their servers.
MSN Hotmail isn't able to open whatsoever. I have to go through mail.live.ca to get to my inbox. Buttons on MSN aren't working??
I do my fair share of downloading, and certain sites won't even let me connect anymore, even though I am able to connect on this network through another computer.
Startup is sluggish and fairly slow compared to when I bought the computer (1 and a half years ago).

If you could reply telling me what to do, I would greatly appreciate any help at all with this.

Thanks,
drk123


#2 drk123
  • Topic Starter
  • Members
  • 10 posts

Posted 15 June 2009 - 05:55 PM

Okay, so I managed to work around the HJT problem by just renaming the program to HJT instead of HijackThis. Here is my log for 6/15/09.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:49:50 PM, on 6/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PSIService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O1 - Hosts: 91.121.97.18 thepiratebay.org
O1 - Hosts: 91.121.97.18 www.thepiratebay.org
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {56BB6D01-7BD5-4458-A4AE-F03DF643D6EE} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Labtec\Mouse\V3.0\moffice.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.112.151,85.255.112.207
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate1c9c3794c85cce) (gupdate1c9c3794c85cce) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 6714 bytes

#3 Farbar
  • Security Developer
  • 21,726 posts
  • Location: The Netherlands

Posted 16 June 2009 - 09:26 AM

Hi drk123,

Welcome to the BC HijackThis forum. I am Farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

I see your system is still infected. Could you give me the link to your topic at GeeksToGo, so I can see if it is the same infection?

If ComboFix does not run, you may rename it to drk.exe. Please make sure you run it once and give me the log of the first run.
  • You have the program Spybot S&D (Teatimer option) running on your machine. We need to disable TeaTimer so it does not interfere with the fixes we are about to do. This will only take a few seconds.
    • First disable TeaTimer:
      • Run Spybot-S&D
      • Go to the Mode menu, and make sure Advanced Mode is selected
      • On the left hand side, choose Tools -> Resident
      • Uncheck Resident TeaTimer and OK any prompts
      • Restart your computer.
      Instructions are also here: How to disable TeaTimer during HijackThis Cleanup

      Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

    • Then download ResetTeaTimer.exe to your desktop. (In case you use Firefox, right-click the link and choose "Save Link As".)
      • Double-click ResetTeaTimer.exe and let it run.
    Note: TeaTimer should be kept disabled until I give you the clean sign.

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications (see the end of this post)
    • Double click on ComboFix.exe & follow the prompts.
    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

  • After ComboFix has finished and given you the log, reboot once more and copy and paste a fresh HijackThis log.
+++++++++++++

To disable AVG Resident Shield:
  • Double click AVG system tray icon to open AVG.
  • In Overview section double click Resident Shield.
  • Uncheck Resident Shield Active.
  • Press Save Changes.

    Note: It is important to activate the resident shield immediately after running ComboFix.
Please include in your next reply:
  • The Combofix log.
  • A fresh Hijackthis log.
  • Any comment or feedback about how it went.


#4 drk123
  • Topic Starter
  • Members
  • 10 posts

Posted 16 June 2009 - 05:23 PM

Hey farbar! Thanks for the quick and timely reply, really appreciate you taking the time to help me out!!

Okay, so last night, after I got HJT to run under a different filename, I also ran ComboFix and it seemed to clear up a few things on its own. I did this because I assumed I would be waiting a few days for a reply from BC. Do you know if I can find the log on my computer from the ComboFix I ran last night? It seemed to speed up page loading in FF, but the Google redirection is still plaguing my system. All of the other symptoms are still prevalent as well. So if you need the log, or if it's lost forever, let me know.

I tried to find the GTG thread from April, but they close and delete threads, so my efforts were fruitless. We had a pretty long thread going back and forth trying numerous ComboFixes and deleting things with HJT. He advised me on downloading AVG, as I wasn't running a virus scanner at the time (Norton just clogged up too many system resources). He helped me remove the last traces of Norton and that was pretty much the end of it. Buuuut, as I told him and as I said before, I do a lot of downloading... so I am not at all surprised I was reinfected so quickly.

Anyways, here's the ComboFix log and the HJT log from ten minutes ago.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:10:46 PM, on 6/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\PSIService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Labtec\Mouse\V3.0\moffice.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Labtec\Mouse\V3.0\MOUSE32A.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Steam\steam.exe
C:\Program Files\Steam\GameOverlayUI.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O1 - Hosts: 91.121.97.18 thepiratebay.org
O1 - Hosts: 91.121.97.18 www.thepiratebay.org
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Labtec\Mouse\V3.0\moffice.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate1c9c3794c85cce) (gupdate1c9c3794c85cce) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsSvc.exe (file missing)

--
End of file - 6951 bytes


_______

ComboFix 09-06-16.01 - dRk 06/16/2009 16:05.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1462 [GMT -6:00]
Running from: c:\documents and settings\dRk\Desktop\drk.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-05-16 to 2009-06-16 )))))))))))))))))))))))))))))))
.

2009-06-14 15:32 . 2009-06-14 15:32 -------- d-----w- c:\documents and settings\dRk\Application Data\CopyTrans
2009-06-14 15:30 . 2009-06-15 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\WindSolutions
2009-06-14 15:30 . 2009-06-14 15:30 -------- d-----w- c:\documents and settings\dRk\Application Data\WindSolutions
2009-06-14 15:21 . 2009-06-14 15:21 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\AVGTOOLBAR
2009-06-12 22:27 . 2009-06-12 22:41 -------- d-----w- C:\Root
2009-05-27 15:48 . 2009-05-27 15:48 25 ----a-w- c:\windows\popcinfot.dat
2009-05-24 16:03 . 2009-05-24 16:03 10134 ----a-r- c:\documents and settings\dRk\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-05-24 16:03 . 2009-05-24 16:03 -------- dc----w- c:\program files\Microsoft WSE
2009-05-24 15:02 . 2009-05-24 15:02 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games
2009-05-23 03:36 . 2009-06-15 18:10 -------- d--h--w- C:\$AVG8.VAULT$
2009-05-23 03:27 . 2009-05-23 03:27 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-23 03:27 . 2009-05-23 03:27 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-23 03:27 . 2009-06-15 22:37 -------- d-----w- c:\windows\system32\drivers\Avg
2009-05-23 03:27 . 2009-05-23 03:27 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-23 03:27 . 2009-05-23 03:27 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-23 03:27 . 2009-05-26 15:17 -------- d-----w- c:\documents and settings\dRk\Application Data\AVGTOOLBAR
2009-05-23 03:02 . 2009-05-23 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-05-23 03:02 . 2009-02-13 17:31 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-05-23 00:17 . 2009-05-23 00:16 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-23 00:16 . 2009-05-23 00:16 152576 ----a-w- c:\documents and settings\dRk\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-22 04:07 . 2009-05-22 04:07 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-05-21 04:13 . 2009-06-15 22:41 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-05-21 04:13 . 2009-05-21 04:13 -------- dc----w- c:\program files\AVG
2009-05-21 03:26 . 2007-12-10 20:53 29576 ----a-w- c:\windows\system32\drivers\kcom.sys
2009-05-21 03:26 . 2007-12-10 20:53 81288 ----a-w- c:\windows\system32\drivers\iksyssec.sys
2009-05-21 03:26 . 2007-12-10 20:53 66952 ----a-w- c:\windows\system32\drivers\iksysflt.sys
2009-05-21 03:26 . 2007-12-10 20:53 41864 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
2009-05-21 03:26 . 2009-05-21 03:26 -------- d-----w- c:\documents and settings\dRk\Application Data\PC Tools
2009-05-21 02:09 . 2009-02-09 12:10 473600 ------w- c:\windows\system32\dllcache\fastprox.dll
2009-05-21 02:09 . 2009-02-09 12:10 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-21 02:09 . 2009-02-09 12:10 401408 ------w- c:\windows\system32\dllcache\rpcss.dll
2009-05-21 02:09 . 2009-02-06 11:11 110592 ------w- c:\windows\system32\dllcache\services.exe
2009-05-21 02:09 . 2009-02-09 12:10 729088 ------w- c:\windows\system32\dllcache\lsasrv.dll
2009-05-21 02:09 . 2009-02-09 12:10 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2009-05-21 02:09 . 2009-02-09 12:10 617472 ------w- c:\windows\system32\dllcache\advapi32.dll
2009-05-21 02:09 . 2009-02-06 11:08 2189056 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-05-21 02:09 . 2009-02-06 11:06 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-05-21 02:09 . 2009-02-06 10:32 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-05-21 02:08 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-05-20 03:04 . 2009-05-20 03:04 2967799 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-16 02:01 . 2008-11-23 20:36 -------- dc----w- c:\program files\Steam
2009-06-16 00:07 . 2009-03-30 16:37 117760 ----a-w- c:\documents and settings\dRk\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-16 00:06 . 2009-01-24 19:11 763016 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-15 23:50 . 2007-12-23 20:12 -------- d-----w- c:\documents and settings\dRk\Application Data\uTorrent
2009-06-12 22:41 . 2007-12-13 07:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-12 22:27 . 2008-07-26 03:57 -------- dc----w- c:\program files\Activision
2009-06-11 09:03 . 2007-12-13 07:52 -------- d-----w- c:\program files\Microsoft Works
2009-06-03 19:16 . 2008-12-16 02:10 -------- dc----w- c:\program files\Zune
2009-06-02 04:30 . 2008-02-04 17:32 804 -c--a-w- c:\documents and settings\dRk\Application Data\wklnhst.dat
2009-05-26 15:08 . 2008-11-23 21:02 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-24 17:46 . 2008-05-18 18:50 -------- dc----w- c:\program files\Electronic Arts
2009-05-23 03:17 . 2008-03-24 03:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-23 00:17 . 2007-12-13 07:38 -------- d-----w- c:\program files\Java
2009-05-22 04:08 . 2007-12-13 07:46 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-05-21 03:16 . 2009-02-09 23:26 -------- d-----w- c:\documents and settings\dRk\Application Data\GetRightToGo
2009-05-21 01:00 . 2009-03-29 13:23 -------- dc----w- c:\program files\Spybot - Search & Destroy
2009-05-20 03:04 . 2009-03-30 15:36 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-09 03:04 . 2009-05-09 03:04 -------- d-----w- c:\documents and settings\dRk\Application Data\DivX
2009-05-08 01:55 . 2009-03-29 20:24 -------- dc----w- c:\program files\Mozilla Firefox 3.1 Beta 3
2009-05-07 22:59 . 2008-11-15 02:33 -------- dc----w- c:\program files\Microsoft
2009-05-07 15:32 . 2005-08-16 10:18 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-07 04:16 . 2009-05-07 04:16 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{A613CA96-150A-4A1D-90CE-67F81379DF8C}
2009-05-04 08:46 . 2009-05-07 04:16 2835656 -c--a-w- c:\documents and settings\All Users\Application Data\{A613CA96-150A-4A1D-90CE-67F81379DF8C}\speedupmypc2009.exe
2009-05-01 06:31 . 2009-05-01 06:31 1657376 ----a-w- c:\windows\system32\nwiz.exe
2009-05-01 06:31 . 2009-05-01 06:31 449056 ----a-w- c:\windows\system32\nvappbar.exe
2009-05-01 06:31 . 2009-05-01 06:31 436768 ----a-w- c:\windows\system32\keystone.exe
2009-05-01 06:31 . 2009-05-01 06:31 466944 ----a-w- c:\windows\system32\nvshell.dll
2009-05-01 06:31 . 2009-05-01 06:31 1724416 ----a-w- c:\windows\system32\nvwdmcpl.dll
2009-05-01 06:31 . 2009-05-01 06:31 1507328 ----a-w- c:\windows\system32\nview.dll
2009-05-01 06:31 . 2009-05-01 06:31 1101824 ----a-w- c:\windows\system32\nvwimg.dll
2009-05-01 04:02 . 2009-05-01 04:02 1579630 ----a-w- c:\windows\system32\nvdata.bin
2009-05-01 04:02 . 2009-05-01 04:02 1314816 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-05-01 04:02 . 2009-03-27 16:03 663552 ----a-w- c:\windows\system32\nvcuvid.dll
2009-05-01 04:02 . 2008-11-12 21:54 1720320 ----a-w- c:\windows\system32\nvcuda.dll
2009-05-01 04:02 . 2007-12-13 07:27 457248 -c--a-w- c:\windows\system32\nvudisp.exe
2009-05-01 04:02 . 2007-12-13 07:24 9994240 ----a-w- c:\windows\system32\nvoglnt.dll
2009-05-01 04:02 . 2007-12-13 07:24 806912 ----a-w- c:\windows\system32\nvapi.dll
2009-05-01 04:02 . 2007-12-13 07:24 143360 ----a-w- c:\windows\system32\nvcodins.dll
2009-05-01 04:02 . 2007-12-13 07:24 143360 ----a-w- c:\windows\system32\nvcod.dll
2009-05-01 04:02 . 2005-08-16 10:35 8055584 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-05-01 04:02 . 2005-08-16 10:35 5896320 ----a-w- c:\windows\system32\nv4_disp.dll
2009-04-29 09:45 . 2009-05-07 04:16 845128 -c--a-w- c:\documents and settings\All Users\Application Data\{A613CA96-150A-4A1D-90CE-67F81379DF8C}\SpeedUpMyPC2009\58D97068\B74607BA\System.Data.SQLite.dll
2009-04-29 09:45 . 2009-05-07 04:16 771368 -c--a-w- c:\documents and settings\All Users\Application Data\{A613CA96-150A-4A1D-90CE-67F81379DF8C}\SpeedUpMyPC2009\9966075F\B74607BA\UBSysMan.dll
2009-04-29 09:45 . 2009-05-07 04:16 614696 -c--a-w- c:\documents and settings\All Users\Application Data\{A613CA96-150A-4A1D-90CE-67F81379DF8C}\SpeedUpMyPC2009\7AEFAE8C\B74607BA\Launcher.exe
2009-04-29 09:45 . 2009-05-07 04:16 54608 -c--a-w- c:\documents and settings\All Users\Application Data\{A613CA96-150A-4A1D-90CE-67F81379DF8C}\SpeedUpMyPC2009\D720648F\B74607BA\Interop.IWshRuntimeLibrary.dll
2009-04-29 09:45 . 2009-05-07 04:16 519168 -c--a-w- c:\documents and settings\All Users\Application Data\{A613CA96-150A-4A1D-90CE-67F81379DF8C}\SpeedUpMyPC2009\78B94F67\B74607BA\IsLicense40.dll
2009-04-29 09:45 . 2009-05-07 04:16 474408 -c--a-w- c:\documents and settings\All Users\Application Data\{A613CA96-150A-4A1D-90CE-67F81379DF8C}\SpeedUpMyPC2009\62A3297F\B74607BA\AvalonCommon.dll
2009-04-29 09:45 . 2009-05-07 04:16 395048 -c--a-w- c:\documents and settings\All Users\Application Data\{A613CA96-150A-4A1D-90CE-67F81379DF8C}\SpeedUpMyPC2009\C77843B\B74607BA\SUMPBackend.dll
2009-04-29 09:45 . 2009-05-07 04:16 345008 -c--a-w- c:\documents and settings\All Users\Application Data\{A613CA96-150A-4A1D-90CE-67F81379DF8C}\SpeedUpMyPC2009\4BF757A\B74607BA\IsLicense30.dll
2009-04-29 09:45 . 2009-05-07 04:16 236840 -c--a-w- c:\documents and settings\All Users\Application Data\{A613CA96-150A-4A1D-90CE-67F81379DF8C}\SpeedUpMyPC2009\683B013A\B74607BA\PowerSuiteBackendUtils.dll
2009-04-29 09:45 . 2009-05-07 04:16 197968 -c--a-w- c:\documents and settings\All Users\Application Data\{A613CA96-150A-4A1D-90CE-67F81379DF8C}\SpeedUpMyPC2009\6A0591D6\B74607BA\ICSharpCode.SharpZipLib.dll
2009-04-29 09:45 . 2009-05-07 04:16 1250600 -c--a-w- c:\documents and settings\All Users\Application Data\{A613CA96-150A-4A1D-90CE-67F81379DF8C}\SpeedUpMyPC2009\B430549D\B74607BA\SUMP.exe
2009-04-29 04:56 . 2005-08-16 10:18 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2009-04-16 01:46 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-29 02:12 . 2009-03-29 19:40 -------- dc----w- c:\program files\Ubisoft
2009-04-27 06:42 . 2007-12-13 07:40 457248 -c--a-w- c:\windows\system32\NVUNINST.EXE
2009-04-22 21:50 . 2009-04-22 21:50 355888 ----a-w- c:\documents and settings\All Users\Application Data\Pure Networks\Platform\1033\Update\nm\nmurlexc.exe
2009-04-22 18:35 . 2008-01-23 05:22 -------- d-----w- c:\program files\DivX
2009-04-22 18:34 . 2009-04-22 18:34 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-04-17 12:26 . 2005-08-16 10:18 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 20:25 . 2009-04-22 18:35 43528 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-04-15 20:25 . 2009-04-22 18:35 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-04-15 20:25 . 2009-04-22 18:35 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-04-15 20:25 . 2006-09-14 22:13 129784 -c----w- c:\windows\system32\PxAFS.DLL
2009-04-15 20:24 . 2009-04-15 20:24 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-04-15 20:24 . 2009-04-15 20:24 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-04-15 20:24 . 2009-04-15 20:24 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-04-15 20:24 . 2009-04-15 20:24 684032 ----a-w- c:\windows\system32\DivX.dll
2009-04-15 14:51 . 2005-08-16 10:18 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-06 21:32 . 2009-03-30 15:36 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 21:32 . 2009-03-30 15:36 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-03-29 01:43 . 2007-01-18 12:03 784 -c--a-w- c:\windows\eReg.dat
2009-03-27 16:03 . 2008-11-12 21:54 1346080 ----a-w- c:\windows\system32\nvdspsch.exe
2009-03-27 16:03 . 2007-12-13 07:24 45056 ----a-w- c:\windows\system32\nvmccsrs.dll
2009-04-15 20:24 . 2009-04-15 20:24 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-02-27 06:38 . 2008-02-10 22:07 2516 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-06-15_22.46.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-16 00:07 . 2009-06-16 00:07 16384 c:\windows\temp\Perflib_Perfdata_7d8.dat
+ 2005-08-16 10:18 . 2009-06-16 00:12 68246 c:\windows\system32\perfc009.dat
- 2005-08-16 10:18 . 2009-06-15 22:45 68246 c:\windows\system32\perfc009.dat
+ 2005-08-16 10:18 . 2009-06-16 00:12 434468 c:\windows\system32\perfh009.dat
- 2005-08-16 10:18 . 2009-06-15 22:45 434468 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"FLMOFFICE4DMOUSE"="c:\program files\Labtec\Mouse\V3.0\moffice.exe" [2008-12-26 958464]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-10 16384]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-27 734264]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-23 148888]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-23 1947928]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-05-01 86016]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-12-12 157312]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-04-12 282624]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-05-01 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 -c--a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-23 03:27 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\Ubisoft\\Tom Clancy's H.A.W.X\\HAWX.exe"=
"c:\\Program Files\\Ubisoft\\Tom Clancy's EndWar\\Binaries\\EndWar.exe"=
"c:\\Program Files\\Ubisoft\\Tom Clancy's EndWar\\Tom Clancy's EndWar Launcher.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Steam\\steamapps\\menace357\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Activision\\Prototype\\prototypef.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/22/2009 9:27 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/22/2009 9:27 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/22/2008 11:06 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/22/2008 11:05 AM 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/22/2009 9:27 PM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/22/2009 9:27 PM 298776]
S2 gupdate1c9c3794c85cce;Google Update Service (gupdate1c9c3794c85cce);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/22/2008 11:06 AM 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe --> c:\program files\Spyware Doctor\pctsAuxs.exe [?]
S3 XPAD910;XPADFilter Service 910;c:\windows\system32\DRIVERS\xpad910.sys --> c:\windows\system32\DRIVERS\xpad910.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-06-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-06-16 c:\windows\Tasks\User_Feed_Synchronization-{FFB33A86-3DB1-42AF-B4F0-F5E75715D387}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 01:36]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = iexplore
IE: Crawler Search
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-16 16:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3557644179-1791728507-2582695965-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:54,86,7e,71,f7,93,14,93,ab,3e,52,e9,e9,97,50,6c,16,34,ec,e5,e7,7b,cf,
47,d1,a7,b8,45,e9,d9,f9,e5,f9,ec,58,a8,5a,10,49,d8,16,05,5b,e5,65,d2,e0,07,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-3557644179-1791728507-2582695965-1005\Software\SecuROM\License information*]
"datasecu"=hex:09,0d,5c,b8,fb,e4,36,0e,50,e4,15,06,47,1d,c8,c6,d5,a1,4a,37,df,
c1,38,05,28,80,01,01,de,2c,ba,b7,ba,1e,5d,54,77,bc,2b,93,fa,5f,e5,f6,b4,90,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(796)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\documents and settings\dRk\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

- - - - - - - > 'explorer.exe'(3048)
c:\program files\Labtec\Mouse\V3.0\MOUDL32A.DLL
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-16 16:10
ComboFix-quarantined-files.txt 2009-06-16 22:10
ComboFix2.txt 2009-06-16 00:16
ComboFix3.txt 2009-06-15 22:48

Pre-Run: 55,522,168,832 bytes free
Post-Run: 55,532,519,424 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
273 --- E O F --- 2009-06-11 09:03


Both scans went smoothly; everything listed above in the symptoms is still here though. Difficulties connecting to MSN as well? This just started after last night's ComboFix sweep. =(

#5 Farbar (Security Developer, The Netherlands)

Posted 17 June 2009 - 07:01 AM

He helped me remove the last traces of Norton and that was pretty much the end of it. Buuuut, as I told him and as I said before, I do a lot of downloading... so I am not at all surprised I was reinfected so quickly.


Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files with each other, as the name suggests. In today's world cyber crime has reached an enormous scale, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of malware. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so they should be used with great care. Some further reading on this subject, via the included links: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions

Please perform all the steps fully and in the order they are written. Also tell me if you face any problems.
  • Please open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

    O1 - Hosts: 91.121.97.18 thepiratebay.org
    O1 - Hosts: 91.121.97.18 www.thepiratebay.org


    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • We are going to remove some service leftovers.
    Go to start > Run copy/paste the following lines one by one in the run box and click OK after each line.

    sc delete gupdate1c9c3794c85cce
    sc delete sdAuxService
    sc delete sdCoreService


    A window flashes each time, this is normal.

  • Please go to start -> Run.
    • Copy and paste the following line into the run box and click OK: "C:\Qoobox\Add-Remove Programs.txt"
    • A text file opens up, copy and paste the content to your reply.
  • Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

    @echo off
    REM Collect network diagnostics into Log1.txt in the root of the current drive
    cd\
    >Log1.txt (
    ipconfig /all
    nslookup google.com
    nslookup msn.com
    ping -n 2 google.com
    ping -n 2 msn.com
    route print
    )
    REM Open the finished log in the default text editor (Notepad)
    start Log1.txt
    • Go to the File menu at the top of the Notepad and select Save as.
    • Select save in: desktop
    • Fill in File name: test.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate and double-click test.bat on the desktop.
    • First a command window opens and after some time Notepad opens; copy and paste its content (Log1.txt) into your reply.
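
An added example, not part of Farbar's instructions or of any tool on this page: a small Python script that performs two of the checks behind the steps above offline, against captured text rather than the live machine. The first reads a hosts file and flags any hostname pinned to a non-loopback address (the O1 lines above are exactly that kind of entry; the two thepiratebay.org lines in the sample are taken from them, the rest of the sample hosts file is constructed). The second reads `ipconfig /all` output and flags resolvers that are neither the default gateway nor on an RFC 1918 network, which is the pattern a DNS-changing infection leaves behind. The clean sample is the gateway/DNS block drk123 posts below; the rogue sample is constructed and uses the documentation address 203.0.113.5 as a stand-in. Function and variable names are my own.

```python
import ipaddress
import re

# Constructed sample hosts file. The two thepiratebay.org lines are the
# O1 entries from the HijackThis fix above; the other lines are illustrative.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
91.121.97.18    thepiratebay.org
91.121.97.18    www.thepiratebay.org
0.0.0.0         ad.doubleclick.net   # blocklist-style sinkhole, harmless
"""

# The gateway/DNS lines from the ipconfig output posted later in the thread.
SAMPLE_IPCONFIG_CLEAN = """\
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1
"""

# Constructed: a second resolver outside the LAN. 203.0.113.5 is a
# documentation address standing in for whatever a DNS changer would set.
SAMPLE_IPCONFIG_ROGUE = """\
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1
                                       203.0.113.5
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def suspicious_hosts_entries(text):
    """Return (ip, name, reason) for entries that pin a hostname to an address
    other than loopback/unspecified. Sinkholing to 127.0.0.1 or 0.0.0.0 is
    how blocklists work; pinning a site to a public IP is what a hijack does."""
    hits = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified or name in ("localhost", "broadcasthost"):
            continue
        hits.append((ip, name, "hostname pinned to non-loopback address"))
    return hits


def parse_dns_servers(text):
    """Extract the resolver list from `ipconfig /all` output. The first address
    sits on the 'DNS Servers' line; any further ones sit alone on the lines after it."""
    servers, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", lines[i])
        i += 1
        if not m:
            continue
        servers.append(m.group(1))
        while i < len(lines) and re.fullmatch(r"\s*\d+\.\d+\.\d+\.\d+\s*", lines[i]):
            servers.append(lines[i].strip())
            i += 1
    return servers


def parse_gateway(text):
    """Return the default gateway from `ipconfig /all` output, or None."""
    m = re.search(r"Default Gateway[ .]*:\s*(\S+)", text)
    return m.group(1) if m else None


def suspicious_dns_servers(text):
    """Return resolvers that are neither the default gateway nor RFC 1918.
    On a home LAN where the router hands out DHCP, anything else is worth a look."""
    gateway = parse_gateway(text)
    hits = []
    for server in parse_dns_servers(text):
        addr = ipaddress.ip_address(server)
        if server == gateway or any(addr in net for net in RFC1918):
            continue
        hits.append(server)
    return hits


if __name__ == "__main__":
    for ip, name, reason in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts: {ip} {name}: {reason}")
    for sample in (SAMPLE_IPCONFIG_CLEAN, SAMPLE_IPCONFIG_ROGUE):
        print("dns: rogue resolvers:", suspicious_dns_servers(sample) or "none")
```

Run it with no arguments to check the embedded samples; to check a real machine, feed `suspicious_hosts_entries` the contents of %SystemRoot%\system32\drivers\etc\hosts and `suspicious_dns_servers` the saved `ipconfig /all` output. A blocklist that sinkholes ad domains to 127.0.0.1 or 0.0.0.0 passes; a public site pinned to a public address is worth removing whether or not it turns out to be the cause of the redirects. Note that a clean result from both checks, as in the log posted below, only rules out hosts-file and resolver tampering; redirects can also be injected inside the browser, which is why the helper moves on to a Firefox-side check later in the thread.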


#6 drk123 (Topic Starter)

Posted 17 June 2009 - 04:07 PM

µTorrent
AAC Decoder
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.1
Adobe Shockwave Player
Apple Software Update
AutoUpdate
AVG Free 8.5
Broadcom Gigabit Integrated Controller
Call of Duty® 4 - Modern Warfare™
Critical Update for Windows Media Player 11 (KB959772)
Dell Resource CD
Dell Support Center
Dell System Restore
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
DVD Flick
Fable - The Lost Chapters
Fallout 3
Futuremark SystemInfo
Grand Theft Auto IV
H.264 Decoder
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Java™ 6 Update 13
Labtec Mouse Software 3.0
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft LifeCam
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.7
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft WinUsb 1.0
Microsoft Works
Microsoft WSE 3.0 Runtime
Microsoft Xbox 360 Accessories 1.1
MKV Splitter
Mozilla Firefox (3.0.11)
MS Access 97 SP2
MSN
MSVCRT
MSXML 4.0
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Network Magic
NVIDIA Drivers
NVIDIA PhysX
PowerDVD
PowerISO
Prototype™
PunkBuster Services
Pure Networks Platform
QuickTime
Rockstar Games Social Club
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
SimCity 4 Deluxe
Sonic Encoders
Spybot - Search & Destroy
Spyware Doctor 5.5
SQL Server System CLR Types
Steam
SUPERAntiSpyware Professional
System Requirements Lab
Team Fortress 2
The Sims™ 3
Tom Clancy's EndWar
Tom Clancy's H.A.W.X
Touchstone Installer
Turok
Uniblue DriverScanner 2009
Uniblue RegistryBooster 2009
Uniblue SpeedUpMyPC 2009
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
Visual C++ 8.0 CRT (x86) WinSXS MSM
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows Presentation Foundation
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0
Xvid 1.2.1 final uninstall
Zune
Zune Desktop Theme
Zune Language Pack (ES)
Zune Language Pack (FR)


___


Windows IP Configuration

Host Name . . . . . . . . . . . . : Home
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 4:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller #2
Physical Address. . . . . . . . . : 00-1A-A0-E6-F6-0F
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.199
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.1
Lease Obtained. . . . . . . . . . : Wednesday, June 17, 2009 5:42:15 AM
Lease Expires . . . . . . . . . . : Thursday, June 18, 2009 5:42:15 AM

Server: UnKnown
Address: 192.168.0.1

Name: google.com
Addresses: 74.125.127.100, 74.125.45.100, 74.125.67.100

Server: UnKnown
Address: 192.168.0.1

Name: msn.com
Address: 207.68.172.246

Pinging google.com [74.125.127.100] with 32 bytes of data:

Reply from 74.125.127.100: bytes=32 time=54ms TTL=248
Reply from 74.125.127.100: bytes=32 time=53ms TTL=248

Ping statistics for 74.125.127.100:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 53ms, Maximum = 54ms, Average = 53ms

Pinging msn.com [207.68.172.246] with 32 bytes of data:

Request timed out.
Request timed out.

Ping statistics for 207.68.172.246:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1a a0 e6 f6 0f ...... Broadcom NetXtreme 57xx Gigabit Controller #2 - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination          Netmask          Gateway        Interface  Metric
            0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.199      20
          127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
        192.168.0.0    255.255.255.0    192.168.0.199    192.168.0.199      20
      192.168.0.199  255.255.255.255        127.0.0.1        127.0.0.1      20
      192.168.0.255  255.255.255.255    192.168.0.199    192.168.0.199      20
          224.0.0.0        240.0.0.0    192.168.0.199    192.168.0.199      20
    255.255.255.255  255.255.255.255    192.168.0.199    192.168.0.199       1
Default Gateway:         192.168.0.1
===========================================================================
Persistent Routes:
None




___
_____
_______


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:59:25 PM, on 6/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\PSIService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Labtec\Mouse\V3.0\moffice.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Labtec\Mouse\V3.0\MOUSE32A.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Labtec\Mouse\V3.0\moffice.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 6431 bytes



Everything went smoothly!! Google's still redirecting me unfortunately. MSN is difficult to connect to as well. Sites that I frequently use are connecting slower? Anyway, you did not ask for an HJT log but I figured I would post one just for reference.

As for p2p and pirating things, I usually just trust the comments and rating systems of various groups for the different sites. I'm making it a habit to scan anything I grab now. It's obviously where all these problems have stemmed from. =S

(edit: posted the test.bat log twice)

Edited by drk123, 17 June 2009 - 04:09 PM.


#7 Farbar (Security Developer, The Netherlands)

Posted 17 June 2009 - 04:51 PM

Thanks for the feedback, but there is no need to post the extra log; I'll certainly ask for one if I need it.
  • Empty all p2p download folders from any active torrent/file. They might contain infected files. Please avoid using these p2p applications until the system is clean. Using these applications at this stage might lead to reinfection or infecting other users.

  • Open Notepad (Start > Run and type in Notepad) and make sure Word Wrap under the Format menu is not selected.
    Copy and paste the text in the code box into it.

    Windows Registry Editor Version 5.00
    
    ; Remove the existing ShellNext value, then recreate it with the
    ; default Windows Update URL and mark the wizard as completed.
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard]
    "ShellNext"=-
    
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard]
    "ShellNext"="http://windowsupdate.microsoft.com/"
    "Completed"=hex:01,00,00,00
    • Save the file to the desktop as regfix.reg
    • Make sure the Save as type field says All files.
    • Locate regfix.reg on the desktop and double-click on it and confirm.
    • A window pops up asking if you are sure to add the file to the registry. Click Yes.
    • You get another window popup saying that regfix.reg successfully added to the registry.
    Note: You have to turn off any registry protector software you have in order for the changes to take effect.

  • Open your Malwarebytes' Anti-Malware, update it first, run a "Quick Scan", let it reboot if needed and copy/paste the log into your reply.

    Note: The logs are saved by default under the Logs tab. If the log did not automatically open you can obtain the latest log from there.

  • Please download GooredFix from one of the locations below and save it to your Desktop
    Download Mirror #1
    Download Mirror #2
    • Double-click GooredFix.exe to run it.
    • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
    • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
    Note: Do not run Option #2 yet.


#8 drk123 (Topic Starter)

Posted 17 June 2009 - 05:10 PM

Okay so at the end of your post you said Do not run option 2? Was that the regedit fix? Because I was reading your post and following along in order of what you had written. So I did 2. after I cleared out my download folders. Was this a bad thing? =S

Malwarebytes' Anti-Malware 1.38
Database version: 2299
Windows 5.1.2600 Service Pack 3

6/17/2009 4:00:11 PM
mbam-log-2009-06-17 (16-00-11).txt

Scan type: Quick Scan
Objects scanned: 93193
Time elapsed: 4 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpreaxs (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


___
____
______


Malwarebytes' Anti-Malware 1.38
Database version: 2299
Windows 5.1.2600 Service Pack 3

6/17/2009 4:00:11 PM
mbam-log-2009-06-17 (16-00-11).txt

Scan type: Quick Scan
Objects scanned: 93193
Time elapsed: 4 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpreaxs (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 Farbar (Security Developer)

Posted 17 June 2009 - 05:36 PM

at the end of your post you said Do not run option 2?


The registry fix was needed. I meant option 2 from the tool you are supposed to run in step 4. Please proceed with step 4.
You have posted MBAM log twice. :thumbup2:

#10 drk123 (Topic Starter, Members)

Posted 17 June 2009 - 08:41 PM

GooredFix v1.92 by jpshortstuff
Log created at 16:01 on 17/06/2009 running Option #1 (dRk)
Firefox version 3.0.11 (en-US)

=====Suspect Goored Entries=====

C:\Program Files\Mozilla Firefox\extensions\{DDB744DC-176A-4CD7-B315-1FA7E360D213}

C:\Program Files\Mozilla Firefox\extensions\{C054A224-6CB9-4A7E-9F6E-D2208BBF4BF5}

C:\Program Files\Mozilla Firefox\extensions\{5602362B-23A9-4724-9F69-A9DD021AB68F}

C:\Program Files\Mozilla Firefox\extensions\{33B146C9-13A4-4192-95D5-2172DF3DB024}

C:\Program Files\Mozilla Firefox\extensions\{1299A9B8-9A6B-429C-9F2A-C319516CE8BD}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.11\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.11\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\Program Files\AVG\AVG8\ToolbarFF"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"

LOL SORRY

#11 Farbar (Security Developer)

Posted 18 June 2009 - 01:18 AM

Please double-click GooredFix.exe on your Desktop to run it.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

#12 drk123 (Topic Starter, Members)

Posted 18 June 2009 - 06:12 PM

GooredFix v1.92 by jpshortstuff
Log created at 17:06 on 18/06/2009 running Option #2 (dRk)
Firefox version 3.0.11 (en-US)

=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{DDB744DC-176A-4CD7-B315-1FA7E360D213}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{C054A224-6CB9-4A7E-9F6E-D2208BBF4BF5}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{5602362B-23A9-4724-9F69-A9DD021AB68F}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{33B146C9-13A4-4192-95D5-2172DF3DB024}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{1299A9B8-9A6B-429C-9F2A-C319516CE8BD}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.11\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.11\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\Program Files\AVG\AVG8\ToolbarFF"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"


No restart or registry changes. All of my spyware progs are off and the only thing running is AVG, since you told me to stop TeaTimer.
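The two GooredFix logs in this thread (the Option #1 "find" log in post #10 and the Option #2 "fix" log above) follow a simple sectioned layout that is easy to check by script. The following is an added example written for this thread; it is not part of GooredFix or anything the helper posted. The log layout is inferred from the two logs as posted, the parser only handles the sections those logs show, and the third suspect entry is a constructed placeholder GUID that the sample fix log deliberately omits, so the deletion check has something to report.

```python
import re

# Added example: a small parser for GooredFix-style logs, written for this
# thread and not part of GooredFix itself. The layout is inferred from the
# Option #1 and Option #2 logs posted in the thread. The third suspect entry
# is a constructed placeholder GUID that FIX_LOG deliberately never deletes.
FIND_LOG = r"""GooredFix v1.92 by jpshortstuff
Log created at 16:01 on 17/06/2009 running Option #1 (dRk)

=====Suspect Goored Entries=====

C:\Program Files\Mozilla Firefox\extensions\{DDB744DC-176A-4CD7-B315-1FA7E360D213}

C:\Program Files\Mozilla Firefox\extensions\{C054A224-6CB9-4A7E-9F6E-D2208BBF4BF5}

C:\Program Files\Mozilla Firefox\extensions\{12345678-ABCD-4000-8000-0000DEADBEEF}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\Program Files\AVG\AVG8\ToolbarFF"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"
"""

FIX_LOG = r"""GooredFix v1.92 by jpshortstuff
Log created at 17:06 on 18/06/2009 running Option #2 (dRk)

=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{DDB744DC-176A-4CD7-B315-1FA7E360D213}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{C054A224-6CB9-4A7E-9F6E-D2208BBF4BF5}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====
"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_goored_log(text):
    """Split a GooredFix log into suspects, confirmed deletions and registry entries."""
    parsed = {"suspects": [], "deleted": [], "registered": {}}
    section = None
    current = None  # folder whose "->" progress lines are being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"=+(.+?)=+", line)
        if header:
            section = header.group(1).strip()
            continue
        if section == "Suspect Goored Entries":
            parsed["suspects"].append(line)
        elif section == "Goored Deletions":
            if line.startswith("->"):
                if current and line == "->Deleting folder... Done.":
                    parsed["deleted"].append(current)
            else:
                current = line
        elif section == "Dumping Registry Values":
            value = re.fullmatch(r'"([^"]+)"="(.*)"', line)
            if value:  # "[HKEY_...]" key headers carry no value and are skipped
                parsed["registered"][value.group(1)] = value.group(2)
    return parsed


def unregistered_guid_folders(parsed):
    """Suspect folders named by a GUID that no dumped HKLM extension value names.

    Machine-wide extensions (AVG, Java Quick Starter) appear as values under the
    HKLM Mozilla extensions key; a GUID folder sitting in the Firefox program
    extensions directory with no such value is what the tool flags as a suspect.
    """
    known = {key.lower() for key in parsed["registered"]}
    hits = []
    for path in parsed["suspects"]:
        leaf = path.rstrip("\\").rsplit("\\", 1)[-1]
        if GUID_RE.fullmatch(leaf) and leaf.lower() not in known:
            hits.append(path)
    return hits


def unconfirmed_deletions(find_parsed, fix_parsed):
    """Suspects from the find log that the fix log never reports as deleted."""
    return [p for p in find_parsed["suspects"] if p not in fix_parsed["deleted"]]


if __name__ == "__main__":
    find = parse_goored_log(FIND_LOG)
    fix = parse_goored_log(FIX_LOG)
    for path in unregistered_guid_folders(find):
        print("unregistered extension folder:", path)
    for path in unconfirmed_deletions(find, fix):
        print("NOT confirmed deleted by the fix log:", path)
```

Running it prints the three unregistered GUID folders and then flags the constructed third entry as not confirmed deleted; on the real pair of logs in this thread every suspect has a matching "->Deleting folder... Done." line, which is the condition worth checking before declaring the redirect fixed.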

#13 Farbar (Security Developer)

Posted 18 June 2009 - 06:21 PM

Good. Now reboot and see if redirecting is stopped.

#14 drk123 (Topic Starter, Members)

Posted 18 June 2009 - 06:29 PM

This bleeping computer runs perfectly! Clicked all 10 results on the first page and I was actually sent to the page! Without having to click the link 3 times!

So yeah, I had to click the result link 3 times then it directed me through some site and MAYBE I would get to the site I wanted.

Works fine now!!!!! Thank you so much.

#15 Farbar (Security Developer)

Posted 18 June 2009 - 06:39 PM

Great. :thumbup2:

Everything looks good.

Go to Start => Run => copy and paste the next command in the field, then hit Enter:

"%userprofile%\Desktop\drk.exe" /u

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

The first reboot might be a little slow, the next one will be faster.

Happy Surfing!
