AVG Multiple threat detect: winlogon.exe ; google redirect ; firefox cancels downloads ; GMER freezes computer


This topic is locked
2 replies to this topic

#1 rocketrich


Posted 23 October 2010 - 09:04 AM

Hi,

Running Windows XP Pro. Multiple threat detects from AVG:
c:\WINDOWS\system32\winlogon.exe
c:\WINDOWS\explorer.exe

Google links frequently redirected to random webpages.
Firefox cancels downloads. If restarted, the file is downloaded but cannot be opened/located.

Apparently my Windows updates and firewall/security warnings were all disabled.

Ran Trojan Remover; it got me back my firewall and some updates, but the threat detect/redirect problem stayed.

GMER freezes the whole system whenever I run it; I have to hard restart to get my computer back. Last time I noted that it froze while scanning the WINDOWS directory.

Please help! Any advice appreciated.

DDS Log:


DDS (Ver_10-10-21.02) - NTFSx86
Run by Thombert at 8:04:17.78 on 23/10/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2291 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFBA.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\logitech\logitech webcam software\lu\lulnchr.exe
c:\program files\logitech\logitech webcam software\lu\LogitechUpdate.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\AVG\AVG9\avgupd.exe
C:\Documents and Settings\Thombert\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {4A1C6093-14F9-44D7-860E-5D265CFCA9D9} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [EPSON NX110 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatifba.exe /fu "c:\windows\temp\E_S556.tmp" /EF "HKCU"
uRun: [setupupdate70700.exe] c:\documents and settings\thombert\application data\5a09b4d1544ebe2371d05cac5e9f3442\setupupdate70700.exe
uRun: [NetLog3] c:\windows\svc3.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/5.0_(Windows;_U;_Windows_NT_5.1;_en-US;_rv:1.9.1.5)_Gecko/20091102_Firefox/3.5.5_(.NET_CLR_3.5.30729)" -"http://cc.porsche.com/pva_new/ui/pva/application/bpModules/interior_3D.jsp?pluginsInstalled=true&RT=1257993093703"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LVCOMSX] "c:\program files\common files\logishrd\lcommgr\LVComSX.exe"
mRun: [Easy Synchronization] c:\program files\logitech\easy synchronization\LogitechEasySync.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [lkfnnc] RUNDLL32.EXE c:\windows\system32\msnpwbcf.dll,w
mRun: [szetyj67vx] c:\windows\system32\szetyj67vx.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [szetyj67v] c:\windows\system32\szetyj67v.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
mRunOnce: [Easy Synchronization] c:\program files\logitech\easy synchronization\LogitechEasySync.exe --ports
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mExplorerRun: [RTHDBPL] c:\documents and settings\thombert\application data\systemproc\lsass.exe
mExplorerRun: [jgyo0w] c:\docume~1\thombert\locals~1\temp\19aqp.exe
StartupFolder: c:\docume~1\thombert\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235248691207
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SEH: ShellExecuteHook class: {fe24cd78-7c63-465d-8787-4edf7fc79895} - c:\program files\logitech\easy synchronization\shellexecutehook.dll
Hosts: 173.192.153.178 www.123.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\thombert\applic~1\mozilla\firefox\profiles\e3pmi2vj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://ca.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_ca&p=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Adobe Flash Plugin: No Registry Reference - c:\program files\mozilla firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-8-9 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-8-9 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-8-9 243024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-8-9 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-8-9 308136]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-3-24 7808]
S2 gupdate1c9946da75486ec;Google Update Service (gupdate1c9946da75486ec);c:\program files\google\update\GoogleUpdate.exe [2009-2-21 133104]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-9-13 430152]

=============== Created Last 30 ================

2010-10-21 23:54:36 -------- d-----w- c:\program files\Trojan Remover
2010-10-21 23:47:15 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-10-21 23:47:15 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-10-21 23:47:15 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-10-21 23:47:15 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-10-21 23:47:15 153088 ----a-w- c:\windows\system32\unrar3.dll
2010-10-21 23:47:13 -------- d-----w- c:\docume~1\thombert\applic~1\Simply Super Software
2010-10-21 23:47:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software

==================== Find3M ====================

2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-09 13:38:01 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38:01 1830912 ------w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-09-08 15:57:57 389120 ----a-w- c:\windows\system32\html.iec
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-08-09 22:41:26 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-08-09 22:31:54 40 ----a-w- c:\windows\system32\service.sys
2009-03-02 22:55:14 380720 ----a-w- c:\program files\GPU-Z.0.3.2.exe

============= FINISH: 8:05:13.23 ===============

Since I can't download anything right now, I can't get HijackThis. I used an online scan at BitDefender and got the following. Are there other/better online scans I should do?

QuickScan Beta 32-bit v0.9.9.41
-------------------------------
Scan date: Sat Oct 23 15:19:05 2010
Machine ID: 50798A79



Found 3 infected files!
-----------------------

c:\windows\system32\userinit.exe --> Trojan.Generic.3914100
--> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit"

C:\WINDOWS\system32\winlogon.exe --> Trojan.Patched.GM
--> Process winlogon.exe (928)

C:\WINDOWS\explorer.exe --> Trojan.Patched.GM
--> HKCR\Folder\shell\open\command\(default)
--> HKCR\folder\shell\open\command\(default)
--> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell"
--> Process explorer.exe (128)



Processes
---------
Apple Mobile Device Service 760 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
AVG Internet Security 1536 C:\Program Files\AVG\AVG9\avgchsvx.exe
AVG Internet Security 1908 C:\Program Files\AVG\AVG9\avgcsrvx.exe
AVG Internet Security 2304 C:\Program Files\AVG\AVG9\avgcsrvx.exe
AVG Internet Security 2068 C:\Program Files\AVG\AVG9\avgemc.exe
AVG Internet Security 1596 C:\Program Files\AVG\AVG9\avgnsx.exe
AVG Internet Security 1548 C:\Program Files\AVG\AVG9\avgrsx.exe
AVG Internet Security 748 C:\Program Files\AVG\AVG9\avgwdsvc.exe
AVG Internet Security 1140 C:\PROGRA~1\AVG\AVG9\avgtray.exe
Bluetooth Services 3780 C:\Program Files\Logitech\SetPoint\LBTWiz.exe
Bonjour 736 C:\Program Files\Bonjour\mDNSResponder.exe
COCIManager.exe 2576 C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
EEventManager Application 1392 C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
EPSON Status Monitor 3 2168 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIFBA.EXE
Firefox 4548 C:\Program Files\Mozilla Firefox\firefox.exe
iTunes 2212 C:\Program Files\iTunes\iTunesHelper.exe
Java™ Platform SE 6 U17 1624 C:\Program Files\Java\jre6\bin\jqs.exe
Java™ Platform SE 6 U17 2840 C:\Program Files\Java\jre6\bin\jucheck.exe
Java™ Platform SE 6 U17 2200 C:\Program Files\Java\jre6\bin\jusched.exe
Logitech 2264 C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
Logitech QuickCam 3656 C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
Logitech SetPoint 3268 C:\Program Files\Common Files\LogiShrd\KHAL2\KHALMNPR.exe
Logitech SetPoint 1276 C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
Logitech SetPoint 2488 C:\Program Files\Logitech\SetPoint\SetPoint.exe
Logitech Webcam Software 1748 C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
LogitechEasySync.exe 1568 C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
LogitechEasySync.exe 3668 C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
LWS.exe 3864 C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
Microsoft® Windows® Operating System 128 C:\WINDOWS\explorer.exe
Microsoft® Windows® Operating System 3020 C:\WINDOWS\system32\alg.exe
Microsoft® Windows® Operating System 904 C:\WINDOWS\system32\csrss.exe
Microsoft® Windows® Operating System 1672 C:\WINDOWS\system32\ctfmon.exe
Microsoft® Windows® Operating System 992 C:\WINDOWS\system32\lsass.exe
Microsoft® Windows® Operating System 3088 C:\WINDOWS\system32\rundll32.exe
Microsoft® Windows® Operating System 3688 C:\WINDOWS\system32\rundll32.exe
Microsoft® Windows® Operating System 980 C:\WINDOWS\system32\services.exe
Microsoft® Windows® Operating System 848 C:\WINDOWS\system32\smss.exe
Microsoft® Windows® Operating System 1884 C:\WINDOWS\system32\spoolsv.exe
Microsoft® Windows® Operating System 504 C:\WINDOWS\system32\svchost.exe
Microsoft® Windows® Operating System 556 C:\WINDOWS\system32\svchost.exe
Microsoft® Windows® Operating System 660 C:\WINDOWS\system32\svchost.exe
Microsoft® Windows® Operating System 1384 C:\WINDOWS\system32\svchost.exe
Microsoft® Windows® Operating System 1204 C:\WINDOWS\system32\svchost.exe
Microsoft® Windows® Operating System 1156 C:\WINDOWS\system32\svchost.exe
Microsoft® Windows® Operating System 1124 C:\WINDOWS\system32\svchost.exe
Microsoft® Windows® Operating System 112 C:\WINDOWS\system32\svchost.exe
Microsoft® Windows® Operating System 1244 C:\WINDOWS\system32\svchost.exe
Microsoft® Windows® Operating System 1416 C:\WINDOWS\system32\svchost.exe
Microsoft® Windows® Operating System 928 C:\WINDOWS\system32\winlogon.exe
NVIDIA Driver Helper Service, Version 1 668 C:\WINDOWS\system32\nvsvc32.exe
Realtek HD Audio Sound Effect Manager 3228 C:\WINDOWS\RTHDCPL.EXE
Secunia PSI 2784 C:\Program Files\Secunia\PSI\psi.exe
servicestub.exe 1720 C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
TaskSwitch.exe 2256 C:\WINDOWS\system32\TaskSwitch.exe


Network activity
----------------
Process firefox.exe (4548) connected on port 80 (HTTP) --> 66.235.143.118
Process firefox.exe (4548) connected on port 80 (HTTP) --> 184.51.181.115
Process firefox.exe (4548) connected on port 80 (HTTP) --> 74.125.95.100
Process firefox.exe (4548) connected on port 80 (HTTP) --> 74.125.95.100
Process firefox.exe (4548) connected on port 80 (HTTP) --> 74.125.95.100

Process svchost.exe (1204) listens on ports: 135 (RPC)
Process EEventManager.exe (1392) listens on ports: 2968


Autoruns and critical files
---------------------------
Adobe Acrobat C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
Adobe Reader and Acrobat Manager C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Apple Software Update C:\Program Files\Apple Software Update\SoftwareUpdate.exe
AVG Internet Security C:\Program Files\AVG\AVG9\avgtray.exe
AVG Internet Security C:\WINDOWS\system32\avgrsstx.dll
EEventManager Application C:\Program Files\Epson Software\Event Manager\EEventManager.exe
EPSON Status Monitor 3 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIFBA.EXE
Google Update C:\Program Files\Google\Update\GoogleUpdate.exe
Google Updater C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
iTunes C:\Program Files\iTunes\iTunesHelper.exe
Java™ Platform SE 6 U17 C:\Program Files\Java\jre6\bin\jusched.exe
Logitech C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
Logitech QuickCam C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
Logitech SetPoint C:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
Logitech SetPoint C:\Program Files\Logitech\SetPoint\SetPoint.exe
Logitech SetPoint C:\WINDOWS\KHALMNPR.EXE
LogitechEasySync.exe C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
LWS.exe C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
Messenger C:\Program Files\Messenger\msmsgs.exe
Microsoft® Windows® Operating System C:\WINDOWS\system32\browseui.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\bthprops.cpl
Microsoft® Windows® Operating System C:\WINDOWS\system32\crypt32.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\cryptnet.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\cscdll.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\ctfmon.exe
Microsoft® Windows® Operating System C:\WINDOWS\system32\dimsntfy.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\logonui.exe
Microsoft® Windows® Operating System C:\WINDOWS\system32\sclgntfy.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\shell32.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\stobject.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\wlnotify.dll
NVIDIA Compatible Windows 2000 Display C:\WINDOWS\system32\NvCpl.dll
NVIDIA Media Center Library C:\WINDOWS\system32\nvmctray.dll
nwiz.exe C:\WINDOWS\system32\nwiz.exe
QuickTime C:\Program Files\QuickTime\QTTask.exe
Realtek AC97 Audio - Event Monitor C:\WINDOWS\ALCMTR.EXE
Realtek HD Audio Sound Effect Manager C:\WINDOWS\RTHDCPL.EXE
Secunia PSI C:\Program Files\Secunia\PSI\psi.exe
shellexecutehook.dll C:\Program Files\Logitech\Easy Synchronization\shellexecutehook.dll
Shockwave C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1150596.exe
TaskSwitch.exe C:\WINDOWS\system32\TaskSwitch.exe
userinit.exe c:\windows\system32\userinit.exe
Windows® Internet Explorer C:\WINDOWS\system32\webcheck.dll


Browser plugins
---------------
AcroIEHelperShim Library c:\program files\common files\adobe\acrobat\activex\acroiehelpershim.dll
Adobe Acrobat C:\Program Files\Internet Explorer\plugins\nppdf32.dll
Adobe Acrobat C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
Ask.com Toolbar c:\program files\askbardis\bar\bin\askbar.dll
AVG Internet Security c:\program files\avg\avg9\avgssie.dll
AVG Security Toolbar c:\program files\avg\avg9\toolbar\ietoolbar.dll
BitDefender QuickScan C:\Documents and Settings\Thombert\Application Data\Mozilla\Firefox\Profiles\e3pmi2vj.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
BitDefender QuickScan C:\Documents and Settings\Thombert\Application Data\Mozilla\Firefox\Profiles\e3pmi2vj.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
BitTorrent C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
Bonjour C:\Program Files\Bonjour\mdnsNSP.dll
Foxit Reader Plugin for Mozilla C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
Google Earth Plugin C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
Google Update C:\Program Files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
Google Updater C:\Program Files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
GoogleToolbarNotifier c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
InstallShield Update Service C:\WINDOWS\Downloaded Program Files\dwusplay.dll
InstallShield Update Service C:\WINDOWS\Downloaded Program Files\dwusplay.exe
InstallShield Update Service C:\WINDOWS\Downloaded Program Files\isusweb.dll
Java Deployment Toolkit 6.0.170.4 C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
Java™ Platform SE 6 U17 c:\program files\java\jre6\bin\jp2ssv.dll
Java™ Platform SE 6 U17 c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
Messenger C:\Program Files\Messenger\msmsgs.exe
Microsoft® Windows® Operating System C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
Microsoft® Windows® Operating System C:\WINDOWS\system32\mswsock.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\rsvpsp.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\winrnr.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\wshbth.dll
Mozilla Default Plug-in C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
npitunes.dll C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
NPSWF32.dll C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
Picasa C:\Program Files\Google\Picasa3\npPicasa3.dll
QuickTime Plug-in 7.6.6 C:\Program Files\Internet Explorer\plugins\npqtplugin.dll
QuickTime Plug-in 7.6.6 C:\Program Files\Internet Explorer\plugins\npqtplugin2.dll
QuickTime Plug-in 7.6.6 C:\Program Files\Internet Explorer\plugins\npqtplugin3.dll
QuickTime Plug-in 7.6.6 C:\Program Files\Internet Explorer\plugins\npqtplugin4.dll
QuickTime Plug-in 7.6.6 C:\Program Files\Internet Explorer\plugins\npqtplugin5.dll
QuickTime Plug-in 7.6.6 C:\Program Files\Internet Explorer\plugins\npqtplugin6.dll
QuickTime Plug-in 7.6.6 C:\Program Files\Internet Explorer\plugins\npqtplugin7.dll
QuickTime Plug-in 7.6.6 C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
QuickTime Plug-in 7.6.6 C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
QuickTime Plug-in 7.6.6 C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
QuickTime Plug-in 7.6.6 C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
QuickTime Plug-in 7.6.6 C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
QuickTime Plug-in 7.6.6 C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
QuickTime Plug-in 7.6.6 C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
Shockwave for Director C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
Skype add-on for IE c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Windows Presentation Foundation c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
Windows® Internet Explorer C:\WINDOWS\system32\ieframe.dll


Missing files
-------------
File not found: C:\DOCUME~1\Thombert\LOCALS~1\Temp\19aqp.exe
--> HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"jgyo0w"

File not found: C:\Documents and Settings\Thombert\Application Data\5A09B4D1544EBE2371D05CAC5E9F3442\setupupdate70700.exe
--> HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"setupupdate70700.exe"

File not found: C:\Documents and Settings\Thombert\Application Data\SystemProc\lsass.exe
--> HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"RTHDBPL"

File not found: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
--> HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"Malwarebytes Anti-Malware (reboot)"

File not found: C:\WINDOWS\svc3.exe
--> HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"NetLog3"

File not found: C:\WINDOWS\system32\msnpwbcf.dll
--> HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"lkfnnc"

File not found: C:\WINDOWS\system32\szetyj67v.exe
--> HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"szetyj67v"

File not found: C:\WINDOWS\system32\szetyj67vx.exe
--> HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"szetyj67vx"

File not found: LBTWIZ.EXE -silent
--> HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"Bluetooth Connection Assistant"


Scan
----

The following file(s) must be uploaded for server-side scanning:
C:\Program Files\Secunia\PSI\psires.dll
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\explorer.exe

Upload started - 3 file(s)
winlogon.exe (507904)
explorer.exe (1033728)
psires.dll (521728)
Upload speed - 55 KB/s
Upload finished - 3 uploaded, 0 failed

Scan finished - communication took 37 sec
Total traffic - 2.01 MB sent, 2.37 KB recvd
Scanned 989 files and modules - 141 seconds

==============================================================================

EDIT: Posts merged ~BP

Edited by Budapest, 23 October 2010 - 03:14 PM.




#2 Blade81


Posted 01 November 2010 - 02:49 AM

Hi,

If help is still needed, post fresh DDS logs (both dds.txt & attach.txt).



#3 Blade81


Posted 07 November 2010 - 12:28 PM

Due to inactivity, this thread will now be closed. Should you have the same or a new issue, please start a New Topic.


