
malicious files on computer



#1 sapa


  • Members
  • 6 posts

Posted 11 November 2009 - 05:47 PM

Hello,
I seem to find some files that look malicious, so I figured I would come to the experts. You guys have never done me wrong and I appreciate your services.
So here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:45:20 PM, on 11/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.inbox.com/search/dispatcher.asp...&tbid=70026
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.inbox.com/search/ie.aspx?tb_id=70026
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.inbox.com/support/sa_customize.aspx?TbId=70026
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.inbox.com/search/ie.aspx?tb_id=70026
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.inbox.com/support/sa_customize.aspx?TbId=70026
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Performance Center] C:\Program Files\Ascentive\Performance Center\APCMain.exe -m
O4 - Startup: America Online 6.0 Tray Icon.lnk = F:\America Online 6.0a\aoltray.exe
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab75411.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O19 - User stylesheet: C:\Documents and Settings\Ed\My Documents\My Pictures\Sample Pictures.lnk
O20 - AppInit_DLLs: c:\windows\system32\mmcfxcommonh.dll,
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O24 - Desktop Component 0: (no name) - http://www.fulltiltpoker.com/images/global...nks/nav1-on.gif
O24 - Desktop Component 1: (no name) - http://www.fulltiltpoker.com/images/global...nks/nav2-on.gif
O24 - Desktop Component 2: (no name) - https://www.adobe.com/lib/com.adobe/templat...shadow_8bit.png
O24 - Desktop Component 3: (no name) - http://wwwimages.adobe.com/www.adobe.com/l...shadow_8bit.png

Thank you for the help, and I will be sending a donation at the end of the week.

I am also giving you the MBAM log.

Malwarebytes' Anti-Malware 1.41
Database version: 3153
Windows 5.1.2600 Service Pack 3

11/12/2009 12:49:19 AM
mbam-log-2009-11-12 (00-49-19).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 135654
Time elapsed: 31 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\ConTest.dll (Rogue.Ascentive) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\SysRestore.dll (Rogue.Ascentive) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ConTest.dll (Rogue.Ascentive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysRestore.dll (Rogue.Ascentive) -> Quarantined and deleted successfully.

Edited by sapa, 12 November 2009 - 05:19 PM.



#2 Blade81


    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 19 November 2009 - 02:15 AM

Hi,

Sorry for the delayed response. The forums have been really busy. If you still need help with this, do the following, please.


Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double-click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop. Post them back to your topic.
Download GMER here by clicking the "Download EXE" button and then saving it to your desktop:
  • Double-click the .exe that you downloaded.
  • Click the Rootkit tab and then Scan.
  • Don't check the "Show All" box while scanning is in progress!
  • When scanning is ready, click Copy.
  • This copies the log to the clipboard.
  • Post the log in your reply.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#3 sapa

  • Topic Starter

  • Members
  • 6 posts

Posted 19 November 2009 - 03:39 PM

OK, here are the logs.


DDS (Ver_09-10-26.01) - FAT32x86
Run by Ed at 15:29:36.51 on Thu 11/19/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.24 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ed\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.inbox.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=70026
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Performance Center] c:\program files\ascentive\performance center\APCMain.exe -m
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [DXM6Patch_981116] c:\windows\p_981116.exe /Q:A
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: fulltilt.com\www
Trusted Zone: pandora.com\www
Trusted Zone: pureplay.com\player
Trusted Zone: purepoker.com\www
Trusted Zone: yahoo.com
Trusted Zone: yahoo.com\login
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} - hxxp://zone.msn.com/bingame/zpagames/zpa_txhe.cab75411.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\mmcfxcommonh.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ed\applic~1\mozilla\firefox\profiles\bsfagueh.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\ed\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-7 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-7 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-11-7 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-7 285392]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-31 135664]

=============== Created Last 30 ================

2009-11-17 20:49:19 0 d-----w- c:\program files\PurePlay
2009-11-16 21:26:13 0 d-----w- c:\program files\Windows Media Connect 2
2009-11-12 05:14:39 0 d-----w- c:\docume~1\ed\applic~1\Malwarebytes
2009-11-12 05:14:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-12 05:14:29 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-12 05:14:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-12 05:14:28 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-12 02:35:24 0 d-----w- c:\windows\system32\CatRoot2
2009-11-12 00:16:13 0 d-----w- C:\hereme
2009-11-11 23:47:52 0 d--h--w- c:\windows\PIF
2009-11-11 23:28:04 0 d--h--w- c:\windows\ie8
2009-11-11 22:44:41 0 d-----w- c:\program files\Trend Micro
2009-11-07 18:08:14 0 d--h--w- C:\$AVG
2009-11-07 17:58:16 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-07 17:58:15 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-07 17:58:15 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-07 17:58:13 0 d-----w- c:\windows\system32\drivers\Avg
2009-11-07 17:57:46 0 d-----w- c:\program files\AVG
2009-11-07 17:57:44 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-10-24 02:26:55 0 d-sh--w- c:\documents and settings\ed\IECompatCache
2009-10-21 23:35:37 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2009-10-21 23:35:37 8704 ----a-w- c:\windows\system32\dllcache\kbdjpn.dll
2009-10-21 23:35:37 8192 ----a-w- c:\windows\system32\kbdkor.dll
2009-10-21 23:35:37 8192 ----a-w- c:\windows\system32\dllcache\kbdkor.dll
2009-10-21 23:35:37 6144 ----a-w- c:\windows\system32\kbd101c.dll
2009-10-21 23:35:37 6144 ----a-w- c:\windows\system32\dllcache\kbd101c.dll
2009-10-21 23:35:37 5632 ----a-w- c:\windows\system32\kbd103.dll
2009-10-21 23:35:37 5632 ----a-w- c:\windows\system32\dllcache\kbd103.dll
2009-10-21 23:35:36 6144 ----a-w- c:\windows\system32\kbd101b.dll
2009-10-21 23:35:36 6144 ----a-w- c:\windows\system32\dllcache\kbd101b.dll
2009-10-21 23:35:35 6144 ----a-w- c:\windows\system32\kbd106.dll
2009-10-21 23:35:35 6144 ----a-w- c:\windows\system32\dllcache\kbd106.dll
2009-10-21 22:06:59 0 d-sh--w- c:\documents and settings\ed\PrivacIE
2009-10-21 10:04:20 0 d-sh--w- c:\documents and settings\ed\IETldCache
2009-10-21 09:58:57 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-21 09:58:57 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-10-21 09:58:48 0 d-----w- c:\windows\ie8updates
2009-10-21 09:58:39 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-10-21 09:32:28 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-10-21 09:31:33 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-10-21 09:30:53 128512 ------w- c:\windows\system32\dllcache\dhtmled.ocx
2009-10-21 09:26:57 730112 ------w- c:\windows\system32\dllcache\lsasrv.dll
2009-10-21 09:26:57 617472 ------w- c:\windows\system32\dllcache\advapi32.dll
2009-10-21 09:26:57 473600 ------w- c:\windows\system32\dllcache\fastprox.dll
2009-10-21 09:26:57 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-10-21 09:26:57 401408 ------w- c:\windows\system32\dllcache\rpcss.dll
2009-10-21 09:26:57 284160 ------w- c:\windows\system32\dllcache\pdh.dll
2009-10-21 09:26:57 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2009-10-21 09:26:57 110592 ------w- c:\windows\system32\dllcache\services.exe
2009-10-21 09:26:56 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2009-10-21 09:24:20 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-10-21 09:24:19 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-10-21 09:24:19 1203922 ------w- c:\windows\system32\dllcache\sysmain.sdb

==================== Find3M ====================

2009-10-22 09:19:04 5939712 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-10-11 09:17:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-11 15:18:40 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 15:18:40 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 22:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 22:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-29 09:08:22 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 09:08:22 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2009-08-29 09:08:22 1208832 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-08-29 09:08:20 206848 ------w- c:\windows\system32\dllcache\occache.dll
2009-08-29 09:08:18 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-08-29 09:08:18 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-29 09:08:18 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2009-08-29 09:08:18 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-08-29 09:08:18 184320 ------w- c:\windows\system32\dllcache\iepeers.dll
2009-08-29 09:08:16 11069440 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-08-29 09:08:14 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2009-08-28 11:35:52 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-26 09:00:22 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 09:00:22 247326 ----a-w- c:\windows\system32\dllcache\strmdll.dll

============= FINISH: 15:30:18.26 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 10/1/2002 5:47:21 AM
System Uptime: 11/19/2009 6:07:55 AM (9 hours ago)

Motherboard: Dell Computer Corp. | | 02X378
Processor: Intel® Pentium® 4 CPU 2.00GHz | Microprocessor | 1992/400mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (FAT32) - 13 GiB total, 5.795 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID:
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_11C1&DEV_0620&SUBSYS_062011C1&REV_00\4&3B1CAF2B&0&38F0
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_11C1&DEV_0620&SUBSYS_062011C1&REV_00\4&3B1CAF2B&0&38F0
Service:

==== System Restore Points ===================

RP227: 11/11/2009 8:25:32 PM - System Checkpoint
RP228: 11/12/2009 9:50:56 AM - Avg8 Update
RP229: 11/13/2009 12:54:35 AM - Installed QuickTime
RP230: 11/14/2009 2:16:09 AM - System Checkpoint
RP231: 11/15/2009 12:34:00 PM - System Checkpoint
RP232: 11/16/2009 1:42:11 PM - System Checkpoint
RP233: 11/16/2009 4:17:14 PM - Installed Windows Media Player 11
RP234: 11/16/2009 4:22:51 PM - Software Distribution Service 3.0
RP235: 11/16/2009 11:47:32 PM - Software Distribution Service 3.0
RP236: 11/17/2009 3:34:58 PM - Removed PurePlay Poker.
RP237: 11/17/2009 3:49:15 PM - Installed PurePlay Poker.
RP238: 11/18/2009 10:19:54 AM - Software Distribution Service 3.0
RP239: 11/19/2009 11:12:31 AM - System Checkpoint

==== Installed Programs ======================

Acrobat.com
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.2
Apple Application Support
Apple Software Update
AVG Free 9.0
Dorling Kindersley Application Database v1.4
ebgcInfra
ebgcRes
ebgcSDK
Full Tilt Poker
Google Earth Plug-in
Google Update Helper
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Intel® Extreme Graphics Driver
Intel® PRO Network Adapters and Drivers
Java™ 6 Update 17
Mah Jong Medley
Malwarebytes' Anti-Malware
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Move Media Player
Mozilla Firefox (3.5.5)
Pinball Collection Vol II
PurePlay Poker
QuickTime
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
SoundMAX
SpadeClub Poker
Texas Hold'em Poker 3D - Deluxe Edition 1.0
Tik's Texas Hold 'em
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

11/18/2009 9:52:50 AM, error: ipnathlp [31008] - The DNS proxy agent was unable to read the local list of name-resolution servers from the registry. The data is the error code.
11/17/2009 3:35:09 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
11/16/2009 4:27:16 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Windows Media Player 11.
11/12/2009 9:53:04 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the avg9wd service.

==== End Of File ===========================

GMER 1.0.15.15227 - http://www.gmer.net
Rootkit quick scan 2009-11-19 15:35:02
Windows 5.1.2600 Service Pack 3
Running: r50zjfjx.exe; Driver: C:\DOCUME~1\Ed\LOCALS~1\Temp\kgkiypog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----

#4 Blade81


    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 20 November 2009 - 01:26 AM

Looks quite good. Do you have issues left there?



#5 sapa

  • Topic Starter

  • Members
  • 6 posts

Posted 20 November 2009 - 07:46 AM

Everything is working fine, but what are these files, and can I use HijackThis to delete them if they are not needed?

O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

And thank you so much.

Edited by sapa, 20 November 2009 - 07:46 AM.


#6 Blade81


    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 20 November 2009 - 11:16 AM

Hi,

Yes, you may nuke those entries with HJT. They are all leftovers :(

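The three O9 entries asked about above are registry references whose backing file is gone, which is why the responder calls them leftovers. As an added example (not code from the thread, from HijackThis, or from BleepingComputer), the script below parses the O2, O4, O9 and O20 line formats seen in the log posted earlier, flags entries whose target is "(no file)" as orphaned, and separately lists AppInit_DLLs entries for manual review, since that key loads its DLLs into every process that uses user32.dll and so deserves a look whether or not the file is present. The sample log is constructed from lines in the thread; the Entry class and the function names are this example's own.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code).

Flags O-section entries whose target is "(no file)" as orphaned registry
references and lists AppInit_DLLs (O20) entries for manual review.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: lines taken from the HijackThis log in the thread.
SAMPLE_LOG = """\
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelperShim.dll
O4 - HKLM\\..\\Run: [IgfxTray] C:\\WINDOWS\\system32\\igfxtray.exe
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\\Program Files\\Messenger\\msmsgs.exe
O20 - AppInit_DLLs: c:\\windows\\system32\\mmcfxcommonh.dll,
"""

# A COM class id as HijackThis prints it: {8-4-4-4-12 hex digits}.
CLSID = r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}"

# One regex per supported section; group names are shared across patterns.
PATTERNS: Dict[str, re.Pattern] = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<target>.*)$"),
    "O4": re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.*)$"),
    "O9": re.compile(r"^O9 - Extra (?:button|'Tools' menuitem): (?P<name>.*?) - (?P<clsid>"
                     + CLSID + r") - (?P<target>.*)$"),
    "O20": re.compile(r"^O20 - AppInit_DLLs: (?P<target>.*)$"),
}


@dataclass
class Entry:
    """One parsed log line (hypothetical structure for this example)."""
    section: str
    name: str
    target: str
    clsid: Optional[str] = None


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a recognised O-section line, else None."""
    text = line.strip()
    for section, pattern in PATTERNS.items():
        match = pattern.match(text)
        if match:
            groups = match.groupdict()
            # AppInit_DLLs values carry a trailing separator; drop it.
            target = groups["target"].strip().rstrip(",")
            return Entry(section, groups.get("name", ""), target, groups.get("clsid"))
    return None


def parse_log(text: str) -> List[Entry]:
    """Parse every recognised line of a HijackThis log; other lines are skipped."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


def is_orphan(entry: Entry) -> bool:
    """HijackThis prints "(no file)" when the registry points at a missing file."""
    return entry.target.lower() == "(no file)"


def find_orphans(entries: List[Entry]) -> List[Entry]:
    """Entries that are registry leftovers with no backing file."""
    return [e for e in entries if is_orphan(e)]


def needs_review(entries: List[Entry]) -> List[Entry]:
    """AppInit_DLLs entries: a global DLL-load mechanism, worth checking by hand."""
    return [e for e in entries if e.section == "O20"]


def summarize(entries: List[Entry]) -> List[str]:
    """Human-readable triage lines for the parsed entries."""
    lines = []
    for e in find_orphans(entries):
        lines.append(f"orphan   {e.section} {e.clsid} ({e.name}) -> safe to remove as a leftover")
    for e in needs_review(entries):
        lines.append(f"review   {e.section} AppInit_DLLs = {e.target}")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_log(SAMPLE_LOG)):
        print(line)
```

Run it as-is to triage the constructed sample, or replace SAMPLE_LOG with the text of a real log. The orphan check relies on the "(no file)" marker that HijackThis itself emits, so the script does not need access to the scanned machine; an AppInit_DLLs entry is only reported, not judged, because a present file still has to be identified by hand.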


#7 Blade81


    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 26 November 2009 - 05:59 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :(

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
