UNKNOWN INFECTION Search engines and Browsers problematic


This topic is locked
21 replies to this topic

#1 lallallla

Posted 24 July 2009 - 03:39 PM

Hello, I'm far from computer savvy and have a problem: I cannot do a search using any famous search engines (Google, Yahoo, Ask, and Bing). Of course Google is my search engine of choice and I am feeling like someone has cut off my right arm, because it's not working. I am using FF3.5.1 as my main browser, but search doesn't work in IE8 or Safari4.0.2 either. Last night I ran through a complete scan of the latest Spybot and Malwarebytes. Spybot did nothing to improve my situation and Malwarebytes appeared to fix the problem at least for several hours, and then the PC returned to the same state.

DDR.scr returned no log files, but I was able to run HijackThis and Malwarebytes and get their log files. See attached log file.

Could someone please help me?


#2 lallallla

Posted 24 July 2009 - 07:36 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:35:30 PM, on 7/24/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rdpclip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\WallpaperSS\WallpaperSS.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\No-IP\DUC20.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [WallpaperSS] C:\Program Files\WallpaperSS\WallpaperSS.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2537963668-2639629163-748381303-1001\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User 'Kristin')
O4 - S-1-5-21-2537963668-2639629163-748381303-1001 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Kristin')
O4 - S-1-5-21-2537963668-2639629163-748381303-1001 User Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Kristin')
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 6700 bytes
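The first pass a helper makes over a HijackThis log like the one above is structural: which autoruns launch an unqualified file name, what sits in AppInit_DLLs, which services carry no vendor string, which hosts-file and start/search-page entries differ from the shipped defaults. The script below is an added example of that triage and is not part of the thread, of HijackThis, or of any helper's tooling; the sample lines are copied from the log posted above (a subset, not constructed), and the allow-list of vendor URL hosts is an assumption you would extend for your own environment.

```python
import re
from collections import defaultdict

# Lines copied from the HijackThis log posted above (a subset, not constructed).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKCU\..\Run: [WallpaperSS] C:\Program Files\WallpaperSS\WallpaperSS.exe
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# Hosts entries every Windows box carries; anything else deserves a look.
BENIGN_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}
# URL hosts that are the browser vendor's shipped defaults (assumption; extend per vendor).
VENDOR_HOSTS = {"go.microsoft.com"}
# Drive letter, %VAR% expansion or UNC prefix: the path is fully qualified.
QUALIFIED_PATH = re.compile(r'^"?(?:[A-Za-z]:\\|%[A-Za-z0-9_]+%\\|\\\\)')


def parse_hjt(text):
    """Return (section, body) pairs for every HijackThis item line."""
    items = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            items.append((m.group(1), m.group(2)))
    return items


def autorun_target(body):
    """Extract the launched command from an O4 body: '[name] cmd' or 'x.lnk = cmd'."""
    if "] " in body:
        return body.split("] ", 1)[1].strip()
    if " = " in body:
        return body.split(" = ", 1)[1].strip()
    return body.strip()


def triage(text):
    """Group items a responder should inspect first, keyed by the reason."""
    findings = defaultdict(list)
    for section, body in parse_hjt(text):
        if section == "O1":  # hosts file override
            fields = tuple(body.split(":", 1)[1].split()[:2])
            if fields not in BENIGN_HOSTS:
                findings["hosts_override"].append(" ".join(fields))
        elif section == "O4":  # registry Run keys and Startup folders
            target = autorun_target(body)
            if not QUALIFIED_PATH.match(target):
                # A bare file name is resolved through the search order, so the
                # log alone cannot tell you which binary actually runs.
                findings["unqualified_autorun"].append(target)
        elif section == "O20":  # AppInit_DLLs: loaded into every user32 process
            findings["appinit_dll"].append(body.split(":", 1)[1].strip())
        elif section == "O23" and "Unknown owner" in body:  # no vendor string
            name = body.split("Service: ", 1)[1].split(" - ", 1)[0]
            findings["unknown_owner_service"].append(name)
        elif section.startswith("R"):  # start page / search page overrides
            m = re.search(r"https?://([^/\s]+)", body)
            if m and m.group(1) not in VENDOR_HOSTS:
                findings["non_default_url"].append(m.group(1))
    return dict(findings)


if __name__ == "__main__":
    for reason, items in triage(SAMPLE_LOG).items():
        print(f"{reason}: {items}")
```

On the sample above the script lists `Skytel.exe` as an unqualified autorun, `avgrsstx.dll` as an AppInit DLL, `PnkBstrA` as a service with no owner string and `google.com` as a non-vendor start page; it flags nothing in the hosts file because `::1 localhost` is a default. The output is a reading list, not a verdict: each item still has to be checked on disk (path, signer, hash) before anything is removed.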

#3 teacup61

  • Malware Response Team
Posted 25 July 2009 - 12:25 AM

Hello lallallla,


You have a rootkit causing all these problems.

I need for you to go offline completely and disable ALL your protective programs after you download ComboFix, but before you run it. Sometimes those programs interfere with it, and we don't want that! :)

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea

#4 lallallla

Posted 25 July 2009 - 10:43 PM

As requested, attached and below are my ComboFix log files.

ComboFix 09-07-25.04 - Christian 07/25/2009 23:26.1.2 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3326.2011 [GMT -4:00]
Running from: c:\users\Christian\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-51003140-4199384537-3980697693-500
c:\program files\sFX
c:\recycler\S-1-5-21-1957994488-492894223-1801674531-1003
c:\recycler\S-1-5-21-861567501-152049171-1708537768-1003
c:\users\Christian\AppData\Roaming\inst.exe
c:\windows\E88D4.exe
c:\windows\system32\AutoRun.inf
c:\windows\Installer\de54f.msi . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SFXDRV
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-06-26 to 2009-07-26 )))))))))))))))))))))))))))))))
.

2009-07-24 20:35 . 2009-07-24 20:35 -------- d-----w- c:\program files\Trend Micro
2009-07-23 18:11 . 2009-07-26 02:56 -------- d--h--w- C:\$AVG8.VAULT$
2009-07-23 18:00 . 2009-07-23 18:00 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-23 18:00 . 2009-07-23 18:00 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-23 18:00 . 2009-07-23 18:00 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-23 18:00 . 2009-07-23 18:00 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-23 17:59 . 2009-07-25 12:39 -------- d-----w- c:\windows\system32\drivers\Avg
2009-07-23 17:59 . 2009-07-23 17:59 -------- d-----w- c:\program files\AVG
2009-07-23 17:04 . 2009-07-23 17:59 -------- d-----w- c:\programdata\avg8
2009-07-23 16:50 . 2009-07-23 16:50 -------- d-----w- c:\users\Christian\AppData\Roaming\AVG8
2009-07-23 14:22 . 2009-07-23 14:22 -------- d-----w- c:\users\Christian\AppData\Roaming\Malwarebytes
2009-07-23 14:22 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-23 14:22 . 2009-07-23 14:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-23 14:22 . 2009-07-23 14:22 -------- d-----w- c:\programdata\Malwarebytes
2009-07-23 14:22 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-22 22:45 . 2009-07-22 22:45 43008 ----a-w- C:\lacivk.exe
2009-07-22 00:49 . 2009-07-22 00:49 205 ----a-w- c:\windows\prxid93ps.dat
2009-07-21 00:40 . 2009-07-22 22:45 -------- d-sh--w- c:\windows\System Volume Information
2009-07-19 18:17 . 2009-07-19 18:17 -------- d-----w- c:\programdata\QuickTime
2009-07-19 18:14 . 2009-07-19 18:33 -------- d-----w- c:\program files\QuickTime
2009-07-19 18:13 . 2009-07-19 18:13 -------- d-----w- c:\program files\Apple Software Update
2009-07-19 18:07 . 2009-07-19 18:07 -------- d-----w- c:\users\Christian\AppData\Roaming\MPEG Streamclip
2009-07-16 23:57 . 2009-07-18 21:40 -------- d-----w- c:\users\Christian\AppData\Roaming\ImgBurn
2009-07-16 23:53 . 2009-07-16 23:54 -------- d-----w- c:\program files\ImgBurn
2009-06-30 02:08 . 2009-06-30 02:08 -------- d-----w- c:\users\Christian\AppData\Roaming\Sony Corporation
2009-06-30 02:01 . 2009-06-30 02:01 -------- d-----w- c:\users\Kristin\AppData\Roaming\InstallShield
2009-06-30 01:54 . 2009-06-30 01:54 10134 ----a-r- c:\users\Christian\AppData\Roaming\Microsoft\Installer\{14291118-0C19-45EA-A4FA-5C1C0F5FDE09}\ARPPRODUCTICON.exe
2009-06-30 01:54 . 2009-06-30 01:54 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2009-06-30 01:37 . 2009-06-30 01:37 -------- d-----w- c:\program files\Sony
2009-06-27 01:48 . 2008-12-17 23:22 57344 ----a-w- c:\windows\system32\ff_vfw.dll
2009-06-27 01:48 . 2008-12-11 17:26 60273 ----a-w- c:\windows\system32\pthreadGC2.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-26 01:13 . 2009-01-17 23:19 -------- d-----w- c:\users\Christian\AppData\Roaming\uTorrent
2009-07-23 17:43 . 2009-05-18 12:18 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-23 17:07 . 2009-05-18 12:18 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-07-19 18:16 . 2009-01-18 05:03 -------- d-----w- c:\programdata\Apple Computer
2009-07-13 01:30 . 2009-03-21 03:38 -------- d-----w- c:\program files\Ad Muncher
2009-07-11 03:52 . 2009-03-21 03:38 -------- d-----w- c:\users\Christian\AppData\Roaming\Ad Muncher
2009-07-10 01:02 . 2009-01-18 01:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-02 19:01 . 2009-01-18 02:46 -------- d-----w- c:\users\Christian\AppData\Roaming\FrostWire
2009-06-27 01:48 . 2009-05-03 02:43 -------- d-----w- c:\program files\ffdshow
2009-06-26 02:10 . 2009-06-16 05:14 449024 ----a-w- c:\windows\system32\termsrv.dll
2009-06-22 22:39 . 2009-02-02 18:11 -------- d-----w- c:\users\Christian\AppData\Roaming\Vso
2009-06-20 19:24 . 2009-06-20 19:23 -------- d-----w- c:\program files\Common Files\Ahead
2009-06-20 19:23 . 2009-01-23 03:41 -------- d-----w- c:\programdata\Nero
2009-06-20 19:23 . 2009-06-20 19:23 -------- d-----w- c:\program files\Nero
2009-06-20 16:03 . 2009-01-17 22:27 2032 ----a-w- c:\users\Christian\AppData\Local\d3d9caps.dat
2009-06-16 05:29 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Calendar
2009-06-16 05:29 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Sidebar
2009-06-16 05:29 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-06-16 05:29 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Photo Gallery
2009-06-16 05:29 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Defender
2009-06-16 05:28 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-06-16 05:21 . 2006-11-02 12:35 37665 ----a-w- c:\windows\Fonts\GlobalUserInterface.CompositeFont
2009-06-16 03:53 . 2009-01-18 01:22 -------- d-----w- c:\programdata\Microsoft Help
2009-06-07 23:53 . 2009-04-19 03:58 138184 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-07 23:53 . 2009-04-19 03:58 183112 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-06-07 23:46 . 2009-06-07 23:46 -------- d-----w- c:\program files\Photosynth
2009-06-07 00:45 . 2009-01-27 00:56 140570 ----a-w- c:\windows\hpoins14.dat
2009-06-06 20:16 . 2009-01-18 02:45 -------- d-----w- c:\program files\FrostWire
2009-06-05 11:41 . 2009-05-22 03:26 -------- d-----w- c:\program files\Incomplete
2009-06-05 11:41 . 2009-01-18 02:49 -------- d-----w- c:\users\Kristin\AppData\Roaming\FrostWire
2009-06-01 00:06 . 2009-05-31 19:56 -------- d-----w- c:\programdata\Rosetta Stone
2009-05-31 19:56 . 2009-05-31 19:56 -------- d-----w- c:\program files\Rosetta Stone
2009-05-31 19:52 . 2009-01-23 04:46 -------- d-----w- c:\program files\PowerISO
2009-05-31 19:52 . 2009-05-31 19:52 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-05-24 19:35 . 2009-05-24 19:34 210080 ----a-w- C:\uninstall_flash_player.exe
2009-05-16 04:18 . 2009-01-18 02:36 102048 ----a-w- c:\users\Kristin\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-16 03:39 . 2009-01-17 22:28 102048 ----a-w- c:\users\Christian\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-16 02:56 . 2009-05-13 23:07 36864 ----a-w- c:\programdata\Temp\{E9B10AA5-E5F6-4DEF-A435-FB20704AF1E8}\PostBuild.exe
2009-05-14 03:36 . 2009-05-13 22:32 36864 ----a-w- c:\programdata\Temp\{479F8C12-576B-4A58-AB78-4B70F7012AA8}\PostBuild.exe
2009-05-09 05:50 . 2009-06-16 04:42 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-09 05:34 . 2009-06-16 04:42 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 11:47 . 2009-07-01 04:11 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

------- Sigcheck -------


[-] 2009-06-26 02:10 449024 737531B9D90D96309E0F4375FA935455 c:\windows\System32\termsrv.dll
[7] 2006-11-02 09:46 427520 FAD71C1E8E4047B154E899AE31EB8CAA c:\windows\winsxs\x86_microsoft-windows-t..teconnectionmanager_31bf3856ad364e35_6.0.6000.16386_none_8c687fcc5759068e\termsrv.dll
[7] 2008-01-19 04:36 448512 D605031E225AACCBCEB5B76A4F1603A6 c:\windows\winsxs\x86_microsoft-windows-t..teconnectionmanager_31bf3856ad364e35_6.0.6001.18000_none_8e9f41c854441762\termsrv.dll
[7] 2009-04-11 06:28 449024 BB95DA09BEF6E7A131BFF3BA5032090D c:\windows\winsxs\x86_microsoft-windows-t..teconnectionmanager_31bf3856ad364e35_6.0.6002.18005_none_908abad45165e2ae\termsrv.dll



.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WallpaperSS"="c:\program files\WallpaperSS\WallpaperSS.exe" [2009-01-09 454288]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-29 148888]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-23 1948440]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-11-01 4702208]
"Skytel"="Skytel.exe" - c:\windows\SkyTel.exe [2007-10-12 1826816]

c:\users\Kristin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\users\Christian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
No-IP DUC.lnk - c:\program files\No-IP\DUC20.exe [2009-2-5 1172992]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlayOn
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RGSC

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):b7,78,65,55,44,ee,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2537963668-2639629163-748381303-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{067D7FEC-F9AA-41E2-8D88-3CAA9B23DD30}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{D78B0581-2D46-4D61-BE6D-A1A8D0443433}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{C1767043-D862-455A-AB00-097EEA4C0514}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{99FBC7D6-4A09-40C6-B07F-1B9089526A24}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{9C9CB1A4-EB0C-45D6-AC53-8F6A03CD085E}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{A957ABDE-710D-4545-B210-92C0432F63E3}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{08F8E77C-9931-46A8-80A7-1E61A9B0A6D7}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{55A434FF-E3A8-495C-A68B-353DB8C60848}c:\\program files\\crossloop\\crossloopconnect.exe"= UDP:c:\program files\crossloop\crossloopconnect.exe:CrossLoop - Simple Secure Screen Sharing
"UDP Query User{20AB3B8F-FEAC-475B-A84E-BE7CEC215A48}c:\\program files\\crossloop\\crossloopconnect.exe"= TCP:c:\program files\crossloop\crossloopconnect.exe:CrossLoop - Simple Secure Screen Sharing
"{CC1610C4-8772-4661-9681-532B5AC694FF}"= UDP:c:\program files\TurboTax\Premier 2007\32bit\ttax.exe:TurboTax
"{A985C98B-E03C-4B12-92BF-181F6A81F8BB}"= TCP:c:\program files\TurboTax\Premier 2007\32bit\ttax.exe:TurboTax
"{C9C253ED-8B40-4A3D-8B81-4D6766340E10}"= UDP:c:\program files\TurboTax\Premier 2007\32bit\updatemgr.exe:TurboTax Update Manager
"{EC88B256-AF4E-4C8D-B75D-792759E4A2D4}"= TCP:c:\program files\TurboTax\Premier 2007\32bit\updatemgr.exe:TurboTax Update Manager
"TCP Query User{7E8885EF-8079-4212-8122-B5C47DC70A66}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{14C1FB17-E423-4C64-A800-FB8053876163}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{D3291BCF-4D23-457C-9900-E9EAE32D08D1}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{7AC4CBBB-B5B9-4F19-BDF9-CC5F3809C5AE}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"{AD7151AD-074C-4A5F-A6F3-FFA730516901}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{9E9A61E9-F555-488C-8A92-B28E1DE8C91D}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{F80EA7F1-B7DF-4920-A5AD-587ACEAEE317}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
"{1508BD92-C1E1-4DF8-9598-2A6C730E4E9D}"= UDP:c:\program files\TVersity\Media Server\MediaServer.exe:TVersity Media Server
"{13148E36-E9E1-4126-A713-73C52D8F83FA}"= TCP:c:\program files\TVersity\Media Server\MediaServer.exe:TVersity Media Server
"{77395B0F-E6C9-4877-9FA5-2D39E1C90768}"= c:\program files\Rosetta Stone\Rosetta Stone Version 3\RosettaStoneVersion3.exe:Rosetta Stone Version 3 Application
"{164A5C9A-65A3-4E38-9C5E-FA1BBDAA5A75}"= c:\program files\Rosetta Stone\Rosetta Stone Version 3\support\bin\win\RosettaStoneLtdServices.exe:Rosetta Stone Ltd Services
"{F8BDAB5A-B695-4997-A7CD-CD59EC0E683F}"= UDP:3389:Remote3389TCP
"{5E8D2CC9-7A59-4615-89B4-24064C433E1C}"= UDP:80:Remote80TCP
"{AAA5752B-EE4F-48A4-B55D-3501D40ED48C}"= UDP:2869:UPnP Framework TCP
"{97D07B4B-277F-4420-AE8A-2C0776C2F3B6}"= TCP:1900:UPnP Framework UDP
"{31DD933B-021E-4AE2-A24B-37C8CAB76887}"= UDP:8085:sfx
"{38A71473-8AF0-48CF-86CB-FE70FA02119C}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{2E00AE5C-17A4-4C7D-B314-A5A8D16337E6}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"SNMP-1"= TCP:%SystemRoot%\system32\snmp.exe|Svc=SNMP:@%SystemRoot%\system32\snmp.exe,-5|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DoNotAllowExceptions"= 0 (0x0)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [7/23/2009 2:00 PM 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [7/23/2009 2:00 PM 108552]
R1 Odptdi;Odptdi;c:\windows\System32\drivers\odptdi.sys [4/4/2009 8:45 PM 46744]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/23/2009 1:59 PM 298776]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\System32\drivers\LMIRfsDriver.sys [1/20/2009 8:44 AM 47640]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [3/17/2009 8:03 PM 92008]
S3 FoxAwdWINFLASH;FoxAwdWINFLASH;c:\program files\FOXCONN\FOX LiveUpdate\FoxAwdWINFLASH.sys [1/17/2009 9:25 PM 14736]
S3 FXDrv32;FXDrv32;c:\program files\FOXCONN\FOX LiveUpdate\FXDrv32.sys [1/17/2009 9:25 PM 23872]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - {79007602-0CDB-4405-9DBF-1257BB3226ED}
*NewlyCreated* - {79007602-0CDB-4405-9DBF-1257BB3226EE}
*Deregistered* - {79007602-0CDB-4405-9DBF-1257BB3226ED}
*Deregistered* - {79007602-0CDB-4405-9DBF-1257BB3226EE}

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
%SystemRoot%\system32\soundschemes2.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder

2009-07-26 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Christian.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-07-23 17:36]

2009-07-25 c:\windows\Tasks\Malwarebytes' Scheduled Update for Christian.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-07-23 17:36]

2009-07-26 c:\windows\Tasks\User_Feed_Synchronization-{3FC1F17F-4DD6-437C-B4C8-D43BAD38B879}.job
- c:\windows\system32\msfeedssync.exe [2009-06-16 11:31]

2009-07-26 c:\windows\Tasks\User_Feed_Synchronization-{9B2C64B9-F5CA-4C05-93CD-623731304856}.job
- c:\windows\system32\msfeedssync.exe [2009-06-16 11:31]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/s%
Trusted Zone: turbotax.com
FF - ProfilePath - c:\users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\zyqevqpt.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\Photosynth\npPhotosynthMozilla.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\Common Files\microsoft shared\VS7DEBUG\mdm.exe
c:\windows\System32\PnkBstrA.exe
c:\windows\System32\snmp.exe
c:\program files\TVersity\Media Server\MediaServer.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\System32\WUDFHost.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\windows\ehome\ehmsas.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\windows\System32\inetsrv\w3wp.exe
c:\windows\System32\wbem\WMIADAP.exe
.
**************************************************************************
.
Completion time: 2009-07-26 23:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-26 03:41

Pre-Run: 83,667,660,800 bytes free
Post-Run: 84,237,324,288 bytes free

311 --- E O F --- 2009-06-16 05:22

Attached Files

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:44 AM

Posted 25 July 2009 - 11:09 PM

Hello,

And the HijackThis log? :thumbup2: How is it running now please?

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#6 lallallla

lallallla
  • Topic Starter

  • Members
  • 15 posts
  • Local time:02:44 AM

Posted 27 July 2009 - 06:41 PM

Updated Hijackthis log file attached and below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:38:38 PM, on 7/27/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rdpclip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\WallpaperSS\WallpaperSS.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\No-IP\DUC20.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [WallpaperSS] C:\Program Files\WallpaperSS\WallpaperSS.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-21-2537963668-2639629163-748381303-1001\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User 'Kristin')
O4 - S-1-5-21-2537963668-2639629163-748381303-1001 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Kristin')
O4 - S-1-5-21-2537963668-2639629163-748381303-1001 User Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Kristin')
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 5956 bytes

Attached Files

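The HijackThis log above is a flat text dump, and a reader usually wants to pull the file paths out of it and see which entry types get checked first. The following is an added example written for this thread, not code from the original posts, from HijackThis or from Trend Micro: a small Python parser that turns R/O lines into records, extracts the on-disk file for the entry types that carry one (O2, O4, O20, O23), and attaches a plain review note to the entries a helper typically asks about: an AppInit_DLLs entry, a service whose publisher string is unknown, and a Run entry that names a bare executable rather than a full path. The sample log is a handful of lines copied from the post above; the review notes are generic triage heuristics, not a verdict on any of these files.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a few lines copied from the HijackThis log in the post above,
# with a header line included to show that non-entry lines are skipped.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Every HijackThis entry starts with a section code such as R0, O4 or O23, then " - ".
LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")


@dataclass
class HjtEntry:
    code: str
    body: str
    path: Optional[str] = None               # file on disk, when the entry names one
    notes: List[str] = field(default_factory=list)


def _image_path(code: str, body: str) -> Optional[str]:
    """Pull the on-disk file out of the entry types that carry one."""
    if code == "O4":
        # "[Name] command ..." -> command; the command may be quoted and may carry arguments.
        m = re.match(r".*\[[^\]]*\]\s*(?P<cmd>.*)$", body)
        cmd = (m.group("cmd") if m else body).strip()
        if cmd.startswith('"'):
            return cmd[1:].split('"', 1)[0]
        return cmd.split(" ", 1)[0]          # unquoted: first token (ambiguous if the path has spaces)
    if code == "O20":
        # "AppInit_DLLs: <path>"
        return body.split(":", 1)[1].strip() if ":" in body else None
    if code in ("O2", "O9", "O18", "O23"):
        # "... - {CLSID or publisher} - <path>": the last " - " field is the file.
        return body.rsplit(" - ", 1)[-1].strip()
    return None


def _review_notes(entry: HjtEntry) -> List[str]:
    """Generic triage notes: which entries a reviewer looks at first, and why."""
    notes = []
    if entry.code == "O20":
        notes.append("AppInit_DLLs entry: loaded into every process that loads user32.dll; confirm the publisher")
    if entry.code == "O23" and "Unknown owner" in entry.body:
        notes.append("service binary without a publisher string; verify its signature and origin")
    if entry.code == "O4" and entry.path and "\\" not in entry.path and "/" not in entry.path:
        notes.append("bare executable name, resolved through the search path; confirm which copy actually runs")
    return notes


def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse a HijackThis log into entries, skipping header and trailer lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entry = HjtEntry(m.group("code"), m.group("body"))
        entry.path = _image_path(entry.code, entry.body)
        entry.notes = _review_notes(entry)
        entries.append(entry)
    return entries


def review(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Only the entries that picked up at least one review note."""
    return [e for e in entries if e.notes]


if __name__ == "__main__":
    for e in review(parse_hjt(SAMPLE_LOG)):
        print(e.code, e.path, "|", "; ".join(e.notes))
```

Run against the sample, the three flagged entries are the bare-name Run entry, the AppInit_DLLs entry and the service with an unknown owner; the Java BHO, the quoted Java updater and the Apple service pass through without notes. The unquoted-path case is deliberately left simple: an O4 command such as `%ProgramFiles%\Windows Defender\MSASCui.exe -hide` cannot be split unambiguously without checking the file system, which is exactly why a helper asks for the log and the machine, not just the log.
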
#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:44 AM

Posted 27 July 2009 - 06:51 PM

How is it running now please?

:thumbup2:

#8 lallallla

lallallla
  • Topic Starter

  • Members
  • 15 posts
  • Local time:02:44 AM

Posted 27 July 2009 - 09:14 PM

It is currently running well, but my AVG and Malwarebytes are constantly returning found items. I will attach the log files of both in a moment.

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:44 AM

Posted 27 July 2009 - 09:27 PM

Okay, post when you're ready. :thumbup2:

#10 lallallla

lallallla
  • Topic Starter

  • Members
  • 15 posts
  • Local time:02:44 AM

Posted 28 July 2009 - 08:19 AM

Malwarebytes log file attached. As for the AVG 8 (free edition) log file, I am unsure which (of the many) to upload, so I zipped them up. I am noticing about 3 or 4 cookie trojans are detected on my AVG daily, if it helps any.

Attached Files

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:44 AM

Posted 29 July 2009 - 08:45 PM

Hello,

Please navigate to the following file:

C:\lacivk.exe

Please go to VirusTotal and submit the file for a scan and post the results in your next reply.

Thanks,
tea

#12 lallallla

lallallla
  • Topic Starter

  • Members
  • 15 posts
  • Local time:02:44 AM

Posted 30 July 2009 - 12:08 PM

Unfortunately I was unable to locate the file in question (I searched through hidden files too). Updated Malwarebytes, Combofix and hijackthis files attached.

Attached Files

#13 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:44 AM

Posted 31 July 2009 - 01:02 AM

Hello,

Thanks for those. :thumbup2: How is it running?

Please navigate to the following file: c:\windows\Installer\de54f.msi and tell me how big the file is, please. Right click and choose Properties. It should tell you. :)

tea

#14 lallallla

lallallla
  • Topic Starter

  • Members
  • 15 posts
  • Local time:02:44 AM

Posted 31 July 2009 - 09:59 AM

de54f.msi = 59.5 KB

As far as the computer, it appears to be running fine other than the occasional random pop-ups that appear and my malwarebytes and virus software appear with new findings.

#15 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:44 AM

Posted 01 August 2009 - 06:32 AM

Hello,

Thanks. :thumbup2:

Please go to VirusTotal and submit the file for a scan and post the results in your next reply.

Thanks.
tea

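Posts #11, #13 and #15 ask the same thing of two different files: find it, report its size, and have it scanned at VirusTotal. The following is an added example for this thread, not code from the posts or from any tool named in them: a Python helper that does the preliminary work in one pass, reporting whether the path exists, its size in bytes and in the KB figure Explorer's Properties dialog shows, its Windows hidden/system attributes when run on Windows, and its SHA-256. The hash matters because VirusTotal can be searched by hash, so if the file has already been seen the result is available without uploading anything. The sample file and the missing path are constructed for the demonstration; the file written here is not the installer from the thread, it is just 60,928 bytes of filler, which happens to be the 59.5 KB reported in post #14.

```python
import hashlib
import os
import stat
import tempfile
from typing import Dict, Optional

# Constructed sample content: 60,928 bytes, which Explorer reports as 59.5 KB.
SAMPLE_CONTENT = b"x" * 60928


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def windows_attributes(st: os.stat_result) -> Optional[Dict[str, bool]]:
    """Hidden/system flags from st_file_attributes; None when not on Windows."""
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is None:
        return None
    return {
        "hidden": bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN),
        "system": bool(attrs & stat.FILE_ATTRIBUTE_SYSTEM),
    }


def triage_file(path: str) -> Dict[str, object]:
    """Collect what a helper asks for before a VirusTotal submission.

    os.stat() and open() do not care whether Explorer would show the file,
    so a hidden or system file is reported just like any other one; a path
    that truly does not exist comes back with exists=False instead of an error.
    """
    result: Dict[str, object] = {"path": path, "exists": False}
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return result
    result["exists"] = True
    result["size_bytes"] = st.st_size
    result["size_kb"] = round(st.st_size / 1024, 1)   # same rounding as the Properties dialog
    result["attributes"] = windows_attributes(st)
    h = hashlib.sha256()
    with open(path, "rb") as fh:                         # stream so large files do not load into memory
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    result["sha256"] = h.hexdigest()
    return result


def make_sample_file(directory: str) -> str:
    """Write the constructed sample into a scratch directory and return its path."""
    path = os.path.join(directory, "sample.bin")
    with open(path, "wb") as fh:
        fh.write(SAMPLE_CONTENT)
    return path


def demo() -> Dict[str, Dict[str, object]]:
    """Triage one file that exists and one path that does not (hypothetical, as in post #12)."""
    with tempfile.TemporaryDirectory() as scratch:
        present = triage_file(make_sample_file(scratch))
        missing = triage_file(os.path.join(scratch, "lacivk.exe"))
    return {"present": present, "missing": missing}


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, report)
```

The size and hash are what you paste into the reply; the SHA-256 is also the value to search for on VirusTotal before uploading. A report of `exists: False` for a path a helper named is itself useful information, which is what post #12 reported by hand.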