Trojan.tdss/ Trojan.Win32.Agent.crez / redirecting websites


  • This topic is locked
7 replies to this topic

#1 azgrl

azgrl

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:03 PM

Posted 05 August 2009 - 03:43 PM

Hi! I'm new to this forum and really appreciate any help I can get. I'm trying to fix my parents' computer, as it is infected with Trojan.TDSS and possibly other bugs. I have tried the following:

AVG
Spybot
Malwarebytes
ad-aware
advanced system care
Trojan Guarder
Hijackthis
Kaspersky- running first time as I write this


Malwarebytes does tell me the system is infected, and I ask for it to be removed, then I restart my computer. When I run Malwarebytes again, the same files are found.
I'm including the DDS and HijackThis logs below. Thanks so much for your help!!


DDS (Ver_09-07-30.01) - NTFSx86
Run by Family at 13:26:50.40 on Wed 08/05/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.282 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\visualtasktips.exe
C:\WINDOWS\System32\topdesk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\avgemc.exe
C:\PROGRA~1\AVG\avgrsx.exe
C:\PROGRA~1\AVG\avgnsx.exe
C:\Program Files\AVG\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Ad-Aware\AAWService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Kheni Family\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.yahoo.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\toolbar\IEToolbar.dll
TB: QT TabBar: {d2bf470e-ed1c-487f-a333-2bd8835eb6ce} - mscoree.dll
TB: QT Tab Standard Buttons: {d2bf470e-ed1c-487f-a666-2bd8835eb6ce} - mscoree.dll
TB: QT Breadcrumbs Address Bar: {af83e43c-dd2b-4787-826b-31b17dee52ed} - mscoree.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\toolbar\IEToolbar.dll
uRun: [VisualTaskTips] c:\windows\system32\visualtasktips.exe
uRun: [TopDesk] c:\windows\system32\topdesk.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] c:\progra~1\mi3aa1~1\wcescomm.exe
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [UltimateServices] c:\windows\system32\ultsvcs.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AtiPTA] atiptaxx.exe
mRun: [System Files Updater] c:\windows\flyakiteosx\tools\System Files Updater.exe /S
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avgtray.exe
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
dRun: [VisualTaskTips] c:\windows\system32\visualtasktips.exe
dRun: [TopDesk] c:\windows\system32\topdesk.exe
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
dRunOnce: [RTUserConfig] c:\windows\system32\rtusercfg.exe
StartupFolder: c:\users\khenif~1\startm~1\programs\startup\rklaun~1.lnk - c:\program files\rk launcher 041 beta\RKLauncher.exe
StartupFolder: c:\users\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\users\alluse~1\startm~1\programs\startup\trojan~1.lnk - c:\program files\trojan guarder\Trojan Guarder.exe
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
dPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: karna.dat?
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\khenif~1\applic~1\mozilla\firefox\profiles\9zjdhbhb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\avg\firefox\components\avgssff.dll
FF - component: c:\program files\avg\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npzylomgamesplayer.dll
FF - plugin: c:\users\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-18 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-7-18 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-7-18 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avgemc.exe [2009-7-18 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avgwdsvc.exe [2009-7-18 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\ad-aware\AAWService.exe [2009-7-3 1029456]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-8-1 38160]
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\netusbxp.sys [2008-2-17 72576]
S3 XPCDriver;XPCDriver;c:\windows\system32\drivers\XPCDriver.sys [2008-2-9 20352]
S4 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\nero8\incd\NBHRegInCDSrv.exe [2007-12-13 50984]

=============== Created Last 30 ================

2009-08-05 12:43 15 a------- c:\users\kheni family\settings.dat
2009-08-03 13:03 <DIR> --d----- c:\users\alluse~1\applic~1\12368124
2009-08-02 21:19 <DIR> --d----- c:\users\khenif~1\applic~1\IObit
2009-08-02 21:19 <DIR> --d----- c:\program files\IObit
2009-08-01 19:55 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-01 19:55 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-01 19:55 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-01 16:35 <DIR> --d----- c:\program files\Trojan Guarder
2009-07-31 16:45 <DIR> --d----- c:\program files\Trend Micro
2009-07-18 01:36 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-07-18 00:51 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-18 00:51 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-07-18 00:50 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-07-18 00:50 <DIR> --d----- c:\users\alluse~1\applic~1\AVG Security Toolbar
2009-07-18 00:50 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-18 00:50 <DIR> --d----- c:\users\alluse~1\applic~1\avg8
2009-07-18 00:50 <DIR> --d----- c:\program files\AVG
2009-07-18 00:13 15,688 a------- c:\windows\system32\lsdelete.exe
2009-07-17 15:18 <DIR> -cd-h--- c:\users\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-17 15:17 <DIR> --d----- c:\program files\Ad-Aware
2009-07-16 15:49 1,415 a------- c:\windows\wininit.ini
2009-07-16 15:39 58,776 a---h--- c:\windows\system32\mlfcache.dat

==================== Find3M ====================

2009-06-18 19:35 29,385 a------- c:\windows\hpoins03.dat
2008-10-11 18:24 19,540 a------- c:\users\khenif~1\applic~1\oguqesuxu.sys
2008-10-11 18:24 15,938 a------- c:\program files\common files\qekelypat.scr
2008-10-11 18:24 15,408 a------- c:\program files\common files\kofynuqyv.pif
2008-10-11 18:24 14,070 a------- c:\users\khenif~1\applic~1\ahecogeker.scr
2008-10-11 18:24 12,190 a------- c:\users\alluse~1\applic~1\elolu.exe
2008-10-08 11:57 18,160 a------- c:\users\khenif~1\applic~1\ehenyt.bat
2008-10-08 11:57 15,808 a------- c:\program files\common files\rudafibidy.bat
2008-01-21 20:51 121 a---h--- c:\program files\desktop.ini
2007-12-27 17:44 60,416 a--sh--- c:\windows\flyakiteosx\backup\msimn.exe
2008-02-08 02:08 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008020820080209\index.dat
2009-04-07 08:19 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2009-04-07 08:19 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2009-04-07 08:19 49,152 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 13:28:46.26 ===============

Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:11:45 PM, on 8/5/2009
Platform: Windows XP SP3, v.3282 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\visualtasktips.exe
C:\WINDOWS\System32\topdesk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\avgemc.exe
C:\PROGRA~1\AVG\avgrsx.exe
C:\PROGRA~1\AVG\avgnsx.exe
C:\Program Files\AVG\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Ad-Aware\AAWService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\KHENIF~1\LOCALS~1\Temp\Temporary Directory 1 for RootRepeal.zip\RootRepeal.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\Toolbar\IEToolbar.dll
O3 - Toolbar: QT TabBar - {d2bf470e-ed1c-487f-a333-2bd8835eb6ce} - mscoree.dll (file missing)
O3 - Toolbar: QT Tab Standard Buttons - {D2BF470E-ED1C-487F-A666-2BD8835EB6CE} - mscoree.dll (file missing)
O3 - Toolbar: QT Breadcrumbs Address Bar - {af83e43c-dd2b-4787-826b-31b17dee52ed} - mscoree.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UltimateServices] C:\WINDOWS\System32\ultsvcs.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [System Files Updater] C:\WINDOWS\FlyakiteOSX\Tools\System Files Updater.exe /S
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\avgtray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [VisualTaskTips] C:\WINDOWS\System32\visualtasktips.exe
O4 - HKCU\..\Run: [TopDesk] C:\WINDOWS\System32\topdesk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] C:\PROGRA~1\MI3AA1~1\wcescomm.exe
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKUS\S-1-5-20\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [VisualTaskTips] C:\WINDOWS\System32\visualtasktips.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TopDesk] C:\WINDOWS\System32\topdesk.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Startup: RK Launcher.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Trojan Guarder.lnk = C:\Program Files\Trojan Guarder\Trojan Guarder.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\avgpp.dll
O20 - AppInit_DLLs: karna.dat?
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Ad-Aware\AAWService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8317 bytes


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:03 PM

Posted 06 August 2009 - 02:56 PM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 azgrl

azgrl
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:03 PM

Posted 06 August 2009 - 09:24 PM

Hi Sam! Here's my ComboFix log. Also, I had to uninstall AVG because it wouldn't exit completely before running ComboFix. I hope that's OK? Thanks for your help!!

ComboFix 09-08-06.01 - Kheni Family 08/06/2009 18:47.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.555 [GMT -7:00]
Running from: c:\users\Kheni Family\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Trojan Guarder
c:\program files\Trojan Guarder\Anti_Virus Help.chm
c:\program files\Trojan Guarder\AquaOS.dll
c:\program files\Trojan Guarder\BlockList.txt
c:\program files\Trojan Guarder\bttom.jpg
c:\program files\Trojan Guarder\button.png
c:\program files\Trojan Guarder\clpt.dll
c:\program files\Trojan Guarder\config.ini
c:\program files\Trojan Guarder\Contact.exe
c:\program files\Trojan Guarder\EGhostLog.txt
c:\program files\Trojan Guarder\fmon.sys
c:\program files\Trojan Guarder\hook.dll
c:\program files\Trojan Guarder\msvcm.dll
c:\program files\Trojan Guarder\NetGuardBlack.txt
c:\program files\Trojan Guarder\NetGuardWhite.txt
c:\program files\Trojan Guarder\Products.htm
c:\program files\Trojan Guarder\pthreadVC2.dll
c:\program files\Trojan Guarder\rars.dll
c:\program files\Trojan Guarder\skin.png
c:\program files\Trojan Guarder\SkinPPWTL.dll
c:\program files\Trojan Guarder\softhook.dll
c:\program files\Trojan Guarder\Trojan Guarder.exe
c:\program files\Trojan Guarder\trojan.update
c:\program files\Trojan Guarder\unins000.dat
c:\program files\Trojan Guarder\unins000.exe
c:\program files\Trojan Guarder\unism.dll
c:\program files\Trojan Guarder\unrar.dll
c:\program files\Trojan Guarder\update.exe
c:\program files\Trojan Guarder\Visit Our Site.url
c:\users\All Users\Start Menu\Programs\Startup\Trojan Guarder.lnk
c:\users\All Users\Start Menu\Programs\Trojan Guarder
c:\users\All Users\Start Menu\Programs\Trojan Guarder\Contact Us.lnk
c:\users\All Users\Start Menu\Programs\Trojan Guarder\Help.lnk
c:\users\All Users\Start Menu\Programs\Trojan Guarder\Trojan Guarder.lnk
c:\users\All Users\Start Menu\Programs\Trojan Guarder\Uninstall.lnk
c:\users\All Users\Start Menu\Programs\Trojan Guarder\Visit Our Site.lnk
c:\users\Kheni Family\Desktop\Trojan Guarder.lnk
c:\windows\Installer\1ec47b.msi
c:\windows\Installer\1f1961.msi
c:\windows\Installer\1fccb5.msp
c:\windows\Installer\1fccbc.msp
c:\windows\Installer\1fccce.msp
c:\windows\Installer\20ecea.msi
c:\windows\Installer\21d0b6.msp
c:\windows\Installer\21d0bd.msp
c:\windows\Installer\21d0d4.msp
c:\windows\Installer\253195.msi
c:\windows\Installer\253196.msp
c:\windows\Installer\253197.msp
c:\windows\Installer\253198.msp
c:\windows\Installer\253199.msp
c:\windows\Installer\25319a.msp
c:\windows\Installer\25319b.msp
c:\windows\Installer\25319c.msp
c:\windows\Installer\25319d.msp
c:\windows\Installer\25319e.msp
c:\windows\Installer\d5b4.msi
c:\windows\system32\bin
c:\windows\system32\bin\brutalchess.exe
c:\windows\system32\bin\freetype6.dll
c:\windows\system32\bin\jpeg.dll
c:\windows\system32\bin\libpng12.dll
c:\windows\system32\bin\libtiff.dll
c:\windows\system32\bin\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\windows\system32\bin\Microsoft.VC80.CRT\msvcm80.dll
c:\windows\system32\bin\Microsoft.VC80.CRT\msvcp80.dll
c:\windows\system32\bin\Microsoft.VC80.CRT\msvcr80.dll
c:\windows\system32\bin\SDL.dll
c:\windows\system32\bin\SDL_image.dll
c:\windows\system32\bin\zlib1.dll
c:\windows\system32\drivers\hjgruidoyldpoh.sys
c:\windows\system32\Hearts.exe
c:\windows\system32\hjgruiirrskqae.dll
c:\windows\system32\hjgruimpkaldrq.dat
c:\windows\system32\hjgruitircxlvn.dll
c:\windows\system32\hjgruiutpvgrvq.dat



.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruivujcxxnx
-------\Legacy_hjgruivujcxxnx


((((((((((((((((((((((((( Files Created from 2009-07-07 to 2009-08-07 )))))))))))))))))))))))))))))))
.

2019-09-25 22:40 . 2019-09-25 22:40 20480 ----a-w- c:\windows\system32\APITypes.dll
2009-08-05 19:43 . 2009-08-05 19:44 15 ----a-w- c:\users\Kheni Family\settings.dat
2009-08-05 19:43 . 2009-08-05 19:44 15 ----a-w- c:\users\\Kheni Family\settings.dat
2009-08-03 20:03 . 2009-08-05 08:33 -------- d-----w- c:\users\All Users\Application Data\12368124
2009-08-03 04:19 . 2009-08-03 04:19 -------- d-----w- c:\users\Kheni Family\Application Data\IObit
2009-08-03 04:19 . 2009-08-03 04:19 -------- d-----w- c:\program files\IObit
2009-08-03 04:16 . 2009-08-03 04:30 -------- d-----w- c:\users\Kheni Family\Local Settings\Application Data\Temp
2009-08-02 02:55 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-02 02:55 . 2009-08-02 02:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-02 02:55 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-31 23:45 . 2009-07-31 23:45 -------- d-----w- c:\program files\Trend Micro
2009-07-30 16:46 . 2009-07-30 16:46 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Logs
2009-07-19 15:52 . 2009-07-18 07:50 327688 ----a-w- c:\users\All Users\Application Data\avg8\update\backup\avgldx86.sys
2009-07-19 15:52 . 2009-07-18 07:50 2301208 ----a-w- c:\users\All Users\Application Data\avg8\update\backup\avguiadv.dll
2009-07-19 15:52 . 2009-07-18 07:50 3298072 ----a-w- c:\users\All Users\Application Data\avg8\update\backup\setup.exe
2009-07-19 15:52 . 2009-07-18 07:50 3402008 ----a-w- c:\users\All Users\Application Data\avg8\update\backup\avgui.exe
2009-07-19 15:52 . 2009-07-18 07:50 1204504 ----a-w- c:\users\All Users\Application Data\avg8\update\backup\avgabout.dll
2009-07-19 15:52 . 2009-07-18 07:50 1107224 ----a-w- c:\users\All Users\Application Data\avg8\update\backup\avgssie.dll
2009-07-19 15:51 . 2009-07-18 07:50 337176 ----a-w- c:\users\All Users\Application Data\avg8\update\backup\avglogx.dll
2009-07-19 15:51 . 2009-07-18 07:50 829208 ----a-w- c:\users\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-07-19 15:51 . 2009-07-18 07:50 2167576 ----a-w- c:\users\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-07-19 15:51 . 2009-07-18 07:50 906520 ----a-w- c:\users\All Users\Application Data\avg8\update\backup\avgemc.exe
2009-07-19 15:50 . 2009-07-18 07:50 1454360 ----a-w- c:\users\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-07-19 15:50 . 2009-07-18 07:50 1085208 ----a-w- c:\users\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-07-18 15:44 . 2009-07-18 15:44 2052376 ----a-w- c:\users\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-18 08:36 . 2009-08-06 08:03 -------- d--h--w- C:\$AVG8.VAULT$
2009-07-18 07:50 . 2009-08-07 01:30 -------- d-----w- c:\program files\AVG
2009-07-18 07:50 . 2009-08-07 01:29 -------- d-----w- c:\users\All Users\Application Data\avg8
2009-07-18 07:13 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-07-17 22:18 . 2009-07-17 22:18 -------- dc-h--w- c:\users\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-17 22:18 . 2009-07-08 17:28 2920112 -c--a-w- c:\users\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-07-17 22:17 . 2009-07-17 22:20 -------- d-----w- c:\users\All Users\Application Data\Lavasoft
2009-07-17 22:17 . 2009-07-17 22:18 -------- d-----w- c:\program files\Ad-Aware
2009-07-16 22:39 . 2009-07-16 22:39 58776 ---ha-w- c:\windows\system32\mlfcache.dat
2009-07-14 23:40 . 2009-07-14 23:40 -------- d-----w- c:\program files\Apple Software Update
2009-07-14 23:39 . 2009-07-14 23:40 -------- d-----w- c:\program files\Safari

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-07 01:45 . 2008-02-09 11:48 -------- d-----w- c:\program files\RK Launcher 041 Beta
2009-07-30 22:44 . 2008-10-12 01:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-17 21:48 . 2009-04-13 21:36 -------- d-----w- c:\program files\Zylom Games
2009-07-16 22:39 . 2008-02-09 12:46 -------- d-----w- c:\users\Kheni Family\Application Data\Apple Computer
2009-06-19 02:35 . 2009-06-19 02:27 29385 ----a-w- c:\windows\hpoins03.dat
2009-06-19 02:34 . 2009-06-19 02:28 -------- d-----w- c:\program files\HP
2009-06-19 02:33 . 2009-06-19 02:33 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-06-19 02:31 . 2009-06-19 02:31 -------- d-----w- c:\program files\Common Files\HP
2008-10-12 01:24 . 2008-10-12 01:24 15938 ----a-w- c:\program files\Common Files\qekelypat.scr
2008-10-12 01:24 . 2008-10-12 01:24 15408 ----a-w- c:\program files\Common Files\kofynuqyv.pif
2008-10-08 18:57 . 2008-10-08 18:57 15808 ----a-w- c:\program files\Common Files\rudafibidy.bat
2007-12-28 00:44 . 2008-02-09 11:55 60416 --sha-w- c:\windows\FlyakiteOSX\Backup\msimn.exe
.

------- Sigcheck -------

[-] 2008-02-09 10:19 578048 E37DE8DF6C1F77CC2FD09EC9EF43211B c:\windows\FlyakiteOSX\Backup\user32.dll
[-] 2008-02-09 10:19 578048 EC70685B57D9D0CF8FC89234CB086293 c:\windows\system32\user32.dll

[7] 2008-06-23 16:01 827904 C66402A06B83B036C195242C0C8CF83C c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
[7] 2008-08-26 09:08 827904 77C192FE56A70D7FA0247BA0A6201C32 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
[-] 2008-01-31 12:25 796160 3B8A4F277A8BCB07C1CDB74B50D9B226 c:\windows\FlyakiteOSX\Backup\wininet.dll
[7] 2008-06-23 16:57 826368 8C13D4A7479FA0A026EDA8ABCE82C0ED c:\windows\ie7updates\KB956390-IE7\wininet.dll
[-] 2008-01-31 12:25 796160 FC4511610B57F41A95DF9BF166DE308C c:\windows\system32\wininet.dll
[-] 2008-01-31 12:25 796160 FC4511610B57F41A95DF9BF166DE308C c:\windows\system32\dllcache\wininet.dll

[-] 2007-10-11 15:44 361088 270684847A8EF5C51FFF58457E4DC8C6 c:\windows\system32\drivers\tcpip.sys
[-] 2007-10-11 15:44 361088 270684847A8EF5C51FFF58457E4DC8C6 c:\windows\system32\syscache\tcpip.sys

[7] 2007-12-28 00:52 2023936 2BE04E5EEB1C58A458C7A86EC75168BA c:\windows\FlyakiteOSX\Backup\ntkrnlpa.exe
[-] 2009-02-06 16:49 2057728 3006410E24772CC6953F0B5C01BEB35F c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\ntkrnlpa.exe
[-] 2009-02-06 09:49 2062976 9D832AF3FD1917DB0E1E8B2F000A2E3A c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\ntkrnlpa.exe
[-] 2009-02-08 02:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\ntkrnlpa.exe
[-] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\ntkrnlpa.exe
[-] 2008-02-09 11:55 1981440 9D39CF92B2294D9A093B258FAA9F0F69 c:\windows\system32\ntkrnlpa.exe

[-] 2008-02-09 10:17 2146304 57BF6E3DF8487D91663B35A00E5B8834 c:\windows\FlyakiteOSX\Backup\ntoskrnl.exe
[-] 2009-02-06 17:24 2180480 FACEBB0CA3154F77009CDFEE78A00BBB c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\ntoskrnl.exe
[-] 2009-02-06 10:32 2186112 6A936E9D7BADAF3CAAEED1E1966EC1B0 c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\ntoskrnl.exe
[-] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\ntoskrnl.exe
[-] 2009-02-08 02:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\ntoskrnl.exe
[-] 2008-02-09 11:55 2102784 8BCE13C1246A6547ACAD921A5E36CEA5 c:\windows\system32\ntoskrnl.exe

[-] 2008-02-09 10:17 2849792 C5059CED3FEFE6A57324069538E0E937 c:\windows\explorer.exe
[-] 2008-02-09 10:17 1424384 B733D20910E7D462FCF1DA03646D7B21 c:\windows\FlyakiteOSX\Backup\explorer.exe

[7] 2008-06-23 16:01 3594240 28B8231CA8D55FC85E027A57C90F5C88 c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\mshtml.dll
[7] 2008-08-26 09:08 3594752 25CC085720EE3617FD1F8AB9E2F7CAB2 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\mshtml.dll
[-] 2008-01-31 12:25 3922432 2DE89B59793B901DA7CEE870F8343DFC c:\windows\FlyakiteOSX\Backup\mshtml.dll
[7] 2008-06-24 17:57 3592192 EC936148284F557F19C333178768109B c:\windows\ie7updates\KB956390-IE7\mshtml.dll
[-] 2008-01-31 12:25 3922432 2DE89B59793B901DA7CEE870F8343DFC c:\windows\system32\mshtml.dll
[-] 2008-01-31 12:25 3922432 2DE89B59793B901DA7CEE870F8343DFC c:\windows\system32\dllcache\mshtml.dll

[-] 2008-02-09 10:17 1015296 168163B5A3B8DBC53DC8B06252B94D40 c:\windows\FlyakiteOSX\Backup\comres.dll
[-] 2008-02-09 10:17 1435648 63E61CDD3417C6E2F31679AF22810592 c:\windows\system32\comres.dll


[-] 2008-02-09 10:17 692736 DBEA66514C6FE1E2BAF241D83B13AD85 c:\windows\FlyakiteOSX\Backup\comctl32.dll
[-] 2008-02-09 10:17 706048 85ACA4C80887C82B1622913826565E30 c:\windows\system32\comctl32.dll
[7] 2004-08-04 12:00 921088 AEF3D788DBF40C7C4D204EA45EB0C505 c:\windows\WinSxS\InstallTemp\21029\comctl32.dll
[-] 2004-08-04 12:00 919552 3DB20630FBA2A7B03CA25105B0149129 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
[7] 2007-12-28 00:44 1054208 ECEFB8593B1885ED9B62BEDAA4257C9A c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.3282_x-ww_d754003b\comctl32.dll

[-] 2008-01-31 12:26 1613824 22F2A2F1CE128C8A6137A009186820A7 c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt]
@="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"
[HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}]
2007-12-14 06:02 96552 ----a-w- c:\program files\Nero\Nero8\InCD\NBHShx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VisualTaskTips"="c:\windows\System32\visualtasktips.exe" [2007-09-05 36352]
"TopDesk"="c:\windows\System32\topdesk.exe" [2007-11-16 1937920]
"H/PC Connection Agent"="c:\progra~1\MI3AA1~1\wcescomm.exe" [2006-11-13 1289000]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-06-30 2329224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"UltimateServices"="c:\windows\System32\ultsvcs.exe" [2008-01-31 256777]
"System Files Updater"="c:\windows\FlyakiteOSX\Tools\System Files Updater.exe" [2006-02-25 118485]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-23 116040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-05 49152]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HDAShCut.exe [2008-01-31 61952]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-01-29 16859648]
"AtiPTA"="atiptaxx.exe" - c:\windows\system32\atiptaxx.exe [2006-02-22 344064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"VisualTaskTips"="c:\windows\System32\visualtasktips.exe" [2007-09-05 36352]
"TopDesk"="c:\windows\System32\topdesk.exe" [2007-11-16 1937920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

c:\users\Kheni Family\Start Menu\Programs\Startup\
RK Launcher.lnk - c:\program files\RK Launcher 041 Beta\RKLauncher.exe [2008-2-9 708608]

c:\users\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Ad-Aware\AAWService.exe [7/3/2009 7:49 AM 1029456]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\netusbxp.sys [2/17/2008 8:59 PM 72576]
S3 XPCDriver;XPCDriver;c:\windows\system32\drivers\XPCDriver.sys [2/9/2008 4:00 AM 20352]
S4 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero8\InCD\NBHRegInCDSrv.exe [12/13/2007 11:02 PM 50984]
.
Contents of the 'Scheduled Tasks' folder

2009-08-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-08-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-08-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKU-Default-RunOnce-RTUserConfig - c:\windows\System32\rtusercfg.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Kheni Family\Application Data\Mozilla\Firefox\Profiles\9zjdhbhb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
FF - plugin: c:\users\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-06 18:53
Windows 5.1.2600 Service Pack 3, v.3282 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\cscui.dll
c:\windows\system32\COMRes.dll

- - - - - - - > 'lsass.exe'(860)
c:\windows\system32\setupapi.dll
.
Completion time: 2009-08-07 18:55
ComboFix-quarantined-files.txt 2009-08-07 01:55

Pre-Run: 57,725,419,520 bytes free
Post-Run: 57,806,581,760 bytes free

298 --- E O F --- 2009-06-24 19:26

Edited by Buckeye_Sam, 07 August 2009 - 03:29 PM.
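The Sigcheck section of the ComboFix log above is worth reading carefully before concluding anything: ComboFix hashes a set of critical system files and prints `[7]` when the MD5 matches a known Microsoft build and `[-]` when it does not, but an unknown hash is not proof of tampering by malware. This machine runs FlyakiteOSX, which replaces system files such as user32.dll and explorer.exe and keeps the originals under `c:\windows\FlyakiteOSX\Backup`, so several `[-]` entries are expected. The script below is an added example (not part of the thread and not ComboFix's own code) that parses Sigcheck lines copied from the report, groups them by file name, and reports whether each live copy matches a known build, matches its `dllcache`/`syscache` copy, or has no reference copy at all. The `ctfmon.exe` line and its all-zero hash are constructed to exercise the known-build branch; the `LIVE_DIRS` set and the verdict names are this example's own assumptions.

```python
"""Triage a ComboFix 'Sigcheck' section (added example, not ComboFix code).

Each report line has the form:
    [flag] date time size MD5 path
ComboFix prints a digit flag such as [7] for a hash matching a known Microsoft
build and [-] for an unrecognised hash.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>.+)$"
)

# Directories holding the copies Windows actually loads (assumption of this example).
LIVE_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\system32\drivers"}
# Directories holding Windows File Protection copies of the same files.
CACHE_MARKERS = ("\\dllcache\\", "\\syscache\\")

# Lines 1-9 copied from the Sigcheck section above; the last line is constructed
# (placeholder all-zero hash) so that the known-build branch is exercised.
SAMPLE = r"""
[-] 2008-02-09 10:19 578048 E37DE8DF6C1F77CC2FD09EC9EF43211B c:\windows\FlyakiteOSX\Backup\user32.dll
[-] 2008-02-09 10:19 578048 EC70685B57D9D0CF8FC89234CB086293 c:\windows\system32\user32.dll
[7] 2008-06-23 16:57 826368 8C13D4A7479FA0A026EDA8ABCE82C0ED c:\windows\ie7updates\KB956390-IE7\wininet.dll
[-] 2008-01-31 12:25 796160 FC4511610B57F41A95DF9BF166DE308C c:\windows\system32\wininet.dll
[-] 2008-01-31 12:25 796160 FC4511610B57F41A95DF9BF166DE308C c:\windows\system32\dllcache\wininet.dll
[-] 2007-10-11 15:44 361088 270684847A8EF5C51FFF58457E4DC8C6 c:\windows\system32\drivers\tcpip.sys
[-] 2007-10-11 15:44 361088 270684847A8EF5C51FFF58457E4DC8C6 c:\windows\system32\syscache\tcpip.sys
[-] 2008-02-09 10:17 2849792 C5059CED3FEFE6A57324069538E0E937 c:\windows\explorer.exe
[-] 2008-02-09 10:17 1424384 B733D20910E7D462FCF1DA03646D7B21 c:\windows\FlyakiteOSX\Backup\explorer.exe
[7] 2008-04-14 00:12 15360 00000000000000000000000000000000 c:\windows\system32\ctfmon.exe
"""


def parse_sigcheck(text):
    """Yield one record per well-formed Sigcheck line; other lines are ignored."""
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            rec["md5"] = rec["md5"].upper()
            rec["path"] = rec["path"].strip().lower()
            yield rec


def triage(text):
    """Return {file name: verdict info} for every file that has a live copy."""
    by_name = defaultdict(lambda: {"live": [], "refs": []})
    for rec in parse_sigcheck(text):
        p = PureWindowsPath(rec["path"])
        bucket = "live" if str(p.parent) in LIVE_DIRS else "refs"
        by_name[p.name][bucket].append(rec)

    result = {}
    for name, groups in by_name.items():
        for live in groups["live"]:
            matching = [r["path"] for r in groups["refs"] if r["md5"] == live["md5"]]
            if live["flag"].isdigit():
                verdict = "known-build"          # hash matches a Microsoft build
            elif any(m in p for p in matching for m in CACHE_MARKERS):
                verdict = "cache-match"          # unknown hash, but WFP copy agrees
            elif matching:
                verdict = "other-match"          # matches a hotfix/backup copy only
            else:
                verdict = "no-reference-match"   # nothing on disk to compare against
            result[name] = {
                "live_path": live["path"],
                "md5": live["md5"],
                "flag": live["flag"],
                "matching_refs": matching,
                # A differing [7] copy elsewhere means a known build exists but is not
                # what is installed; compare file versions before drawing conclusions.
                "known_build_elsewhere": any(
                    r["flag"].isdigit() and r["md5"] != live["md5"] for r in groups["refs"]),
                "verdict": verdict,
            }
    return result


if __name__ == "__main__":
    for name, info in sorted(triage(SAMPLE).items()):
        print(f"{name:14} {info['verdict']:19} {info['md5']}  {info['live_path']}")
```

A `cache-match` verdict (wininet.dll, tcpip.sys here) only says the live file and its protected copy agree; both could have been replaced together, so compare the hash against a clean install of the same service pack before trusting it. A `no-reference-match` on a machine with a theme pack installed (user32.dll, explorer.exe) needs the same check rather than an immediate "infected" call.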


#4 Buckeye_Sam (Malware Expert)

Posted 07 August 2009 - 03:35 PM

You can go ahead and reinstall AVG. It doesn't conflict with Combofix as much as other antivirus programs.

Combofix did remove a load of malware for us, but I think there may be more.


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
Note: If you have problems with DrWeb shutting down before it completes the scan you can perform a custom scan and select individual folders to scan. In that case start with C:\Windows\System32


Please post the contents of the log from DrWeb in your next reply.
How is your computer running now?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 azgrl (Topic Starter)

Posted 07 August 2009 - 06:37 PM

Hi! Here's the Dr.Web attachment. Also, I installed Avira instead of AVG because I heard good things; any thoughts? Anyway, the computer seems to be OK, and I just clicked random Google websites to see if I get redirected, and I didn't. I hope the darn viruses are gone now! Let me know what else I need to do! Thanks!!

I couldn't get the drweb.csv file to attach, so I opened it in Notepad and am attaching the text.

hjgruiirrskqae.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;BackDoor.Tdss.333;Deleted.;
A0020142.dll;C:\System Volume Information\_restore{6D00F6C5-ECD7-497D-A64D-902D4BFEDAF9}\RP494;BackDoor.Tdss.333;Deleted.;
RegUBP2b-Kheni Family.reg;C:\Users\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
Setup_build7_1003313.exe.bac_a01776;C:\Users\Kheni Family\.housecall6.6\Quarantine;Trojan.Fakealert.4156;Deleted.;

Edited by azgrl, 07 August 2009 - 06:57 PM.
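The Dr.Web CureIt report posted above is a semicolon-separated list with one record per detection (file name, directory, detection name, action, trailing separator). The script below is an added example, not part of this thread or of Dr.Web, that parses those four lines and separates hits in quarantine folders and System Restore points from hits on live paths. All four records here sit in stores of already-removed material (ComboFix's Qoobox quarantine, a restore point, a Spybot snapshot and a HouseCall quarantine), so they are leftovers rather than evidence of an active infection; the restore-point copy still matters, because restoring that point would bring the file back. The `STORES` markers and the store labels are this example's own assumptions.

```python
"""Sort a Dr.Web CureIt report into live hits and leftovers (added example).

Record format written by Dr.Web CureIt, as seen in the report above:
    file;directory;detection name;action;
"""
import csv
import io
from collections import Counter

# Substrings that identify quarantine/backup stores rather than live locations.
# Assumption of this example; order matters, the most specific markers come first.
STORES = (
    ("\\qoobox\\quarantine", "ComboFix quarantine"),
    ("\\system volume information\\_restore", "System Restore point"),
    ("\\spybot - search & destroy\\snapshots", "Spybot backup"),
    ("\\.housecall", "HouseCall quarantine"),
    ("\\quarantine", "quarantine (other)"),
)

# The four records copied from the report posted above.
SAMPLE_CSV = r"""
hjgruiirrskqae.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;BackDoor.Tdss.333;Deleted.;
A0020142.dll;C:\System Volume Information\_restore{6D00F6C5-ECD7-497D-A64D-902D4BFEDAF9}\RP494;BackDoor.Tdss.333;Deleted.;
RegUBP2b-Kheni Family.reg;C:\Users\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
Setup_build7_1003313.exe.bac_a01776;C:\Users\Kheni Family\.housecall6.6\Quarantine;Trojan.Fakealert.4156;Deleted.;
"""


def classify_dir(directory):
    """Return the store a directory belongs to, or 'live' for an ordinary path."""
    d = directory.lower()
    for marker, store in STORES:
        if marker in d:
            return store
    return "live"


def parse_report(text):
    """Parse Dr.Web's semicolon-separated records into dicts; skip blank lines."""
    records = []
    for row in csv.reader(io.StringIO(text), delimiter=";"):
        if len(row) < 4 or not row[0].strip():
            continue
        name, directory, detection, action = (f.strip() for f in row[:4])
        records.append({
            "file": name,
            "dir": directory,
            "detection": detection,
            "action": action.rstrip("."),
            "store": classify_dir(directory),
        })
    return records


def summarize(text):
    """Split the report into hits on live paths and hits inside stores."""
    live, leftover = [], []
    for rec in parse_report(text):
        (live if rec["store"] == "live" else leftover).append(rec)
    return {"live": live, "leftover": leftover}


def families(records):
    """Count detections by family, dropping Dr.Web's trailing numeric variant id."""
    def family(name):
        parts = name.split(".")
        while len(parts) > 1 and parts[-1].isdigit():
            parts.pop()
        return ".".join(parts)
    return Counter(family(r["detection"]) for r in records)


if __name__ == "__main__":
    s = summarize(SAMPLE_CSV)
    print(f"live hits: {len(s['live'])}, leftovers: {len(s['leftover'])}")
    for rec in s["leftover"]:
        print(f"  [{rec['store']}] {rec['detection']}  {rec['dir']}\\{rec['file']}")
    print("families:", dict(families(s["leftover"])))
```

On this report the script prints no live hits and four leftovers, two of them BackDoor.Tdss; a live hit under `C:\Windows\system32` would be the signal that removal is not finished.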


#6 Buckeye_Sam (Malware Expert)

Posted 08 August 2009 - 12:09 PM

I have heard good things about Avira, but I've never used it myself. It's comparable to AVG.

There's just a few files in your log that I'm still suspicious of.

Please visit the online Jotti Virus Scanner
  • Click on Browse button.
  • Navigate to the following file and upload it.


    c:\program files\Common Files\qekelypat.scr


  • Click on the submit button.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.

If Jotti's too busy, go here instead: http://www.virustotal.com/en/virustotalf.html

Also submit these files to be scanned.

c:\program files\Common Files\kofynuqyv.pif
c:\program files\Common Files\rudafibidy.bat



========================================================

#7 azgrl (Topic Starter)

Posted 14 August 2009 - 09:00 PM

Hi! So my brother didn't know I was trying to fix the computer, and he ended up reformatting it completely. I really appreciate the help you gave me, though! THANKS!!! :thumbup2:

#8 Buckeye_Sam (Malware Expert)

Posted 15 August 2009 - 02:16 PM

Ok, thanks for letting me know.

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.


========================================================
