
Infected with various Injectors that ESET is unable to clean


This topic is locked
13 replies to this topic

#1 millerpa

  • Members
  • 13 posts

Posted 03 May 2011 - 06:04 AM

Found the following infections while running an ESET scan (that ESET was unable to clean):

Win32/Injector.FLK trojan
Java/TrojanDownloader.Agent.NBB trojan
Java/TrojanDownloader.OpenStream.NBM trojan

Was instructed in another forum to come here after running DDS and GMER. I have pasted the DDS log below and attached the other log files. Any help would be appreciated.
Attached File: Attach.txt (16.5KB)
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Patrick Miller at 20:35:42.01 on Mon 05/02/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2715 [GMT -4:00]
.
AV: AVG Anti-Virus Free *Enabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
c:\altera\10.1\quartus\bin\jtagserver.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Patrick Miller\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:54202
BHO: AutorunsDisabled - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: {35065594-9169-4A34-B167-FC4865038E53} - No File
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
mRun: [WinSys2] c:\windows\system32\winsys2.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRunOnce: [RunNarrator] Narrator.exe
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
Trusted Zone: intuit.com\ttlc
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - c:\program files\yahoo!\common\yucconfig.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228415060295
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228432665796
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C8BC46C7-921C-4102-B67D-F1F7E65FB0BE} - hxxps://battlefield.play4free.com/static/updater/BP4FUpdater_1.0.26.2.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\patric~1\applic~1\mozilla\firefox\profiles\xu6hbv66.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\ace mega codecs pack\systems\realmedia\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\ace mega codecs pack\systems\realmedia\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol308.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg9\Firefox
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-8 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-8 29584]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-8 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2011-4-14 10384]
S1 ntiomin;ntiomin; [x]
S3 MsibiosDevice;MsibiosDevice;c:\program files\msi\live update 4\lu4\msibios.sys [2010-6-3 18432]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S4 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-10-9 493248]
.
=============== Created Last 30 ================
.
2011-04-23 04:12:52 -------- d-----w- c:\program files\ESET
2011-04-22 04:00:42 -------- d-----w- C:\AutoRuns
2011-04-16 14:37:37 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2011-04-15 01:09:20 10384 ----a-w- c:\windows\system32\drivers\LBeepKE.sys
2011-04-15 01:07:47 301656 ----a-w- c:\windows\system32\BtCoreIf.dll
2011-04-15 01:07:43 84496 ----a-w- c:\windows\system32\KemXML.dll
2011-04-15 01:07:43 170512 ----a-w- c:\windows\system32\kemutb.dll
2011-04-15 01:07:43 145936 ----a-w- c:\windows\system32\KemUtil.dll
2011-04-15 01:07:43 117264 ----a-w- c:\windows\system32\KemWnd.dll
2011-04-10 15:14:04 -------- d-----w- c:\docume~1\patric~1\applic~1\wargaming.net
2011-04-10 03:35:33 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2011-04-10 03:35:33 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2011-04-10 03:35:33 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2011-04-10 03:35:33 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2011-04-10 03:35:32 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2011-04-10 03:35:32 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2011-04-10 03:35:31 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2011-04-10 03:35:31 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2011-04-10 03:35:30 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2011-04-10 03:35:30 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2011-04-10 03:35:30 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2011-04-10 03:35:30 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2011-04-10 03:23:28 -------- d-----w- C:\Games
2011-04-07 18:39:38 -------- d-----w- c:\docume~1\patric~1\applic~1\hte
2011-04-07 18:34:18 -------- d-----w- C:\sandbox
.
==================== Find3M ====================
.
2011-05-02 01:35:06 214520 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-05-02 01:35:06 214520 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-04-16 11:40:59 0 ----a-w- c:\windows\Tqopexi.bin
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25:52 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
============= FINISH: 20:36:14.53 ===============

Attached Files

  • ark.log (1.97KB)
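Two entries in the DDS "Pseudo HJT Report" above are the kind a malware-response helper checks first: an Internet Settings ProxyServer pointing at the local machine (127.0.0.1:54202), which routes the browser through a process on the PC itself, and browser add-ons (BHO/TB) whose file is missing ("No File"). As an added example, not from this thread or from the DDS tool, the Python below pulls that section out of a DDS log and flags those two patterns plus autorun entries that launch from a temp folder. The sample text is constructed in the shape DDS prints; the section banner format and the `mRun`/`uRun`/`dRunOnce` prefixes are taken from the log shown on this page.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log.

Added example (not part of the BleepingComputer thread or the DDS tool).
It keeps only the Pseudo HJT section of a DDS log and flags entries that a
helper would normally look at first:
  * a browser proxy pointing at the local machine (127.0.0.1 / localhost),
  * BHO / toolbar entries whose file is missing ("No File"),
  * autorun (mRun/uRun/dRunOnce) entries launched from a \\temp\\ folder.
"""
import re

# Constructed sample in the shape DDS prints (not a real log).
SAMPLE_DDS = r"""============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:54202
BHO: AutorunsDisabled - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
TB: {35065594-9169-4A34-B167-FC4865038E53} - No File
mRun: [WinSys2] c:\windows\system32\winsys2.exe
mRun: [Updater] c:\docume~1\user\locals~1\temp\aB624.tmp
.
================= FIREFOX ===================
FF - prefs.js: network.proxy.type - 0
"""

# A DDS section banner: a run of '=' on both sides of the section name.
SECTION_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")
LOCAL_PROXY_RE = re.compile(r"(127\.0\.0\.1|localhost)(:\d+)?", re.I)
TEMP_PATH_RE = re.compile(r"\\temp\\", re.I)
AUTORUN_PREFIXES = ("mRun:", "uRun:", "dRun:", "mRunOnce:", "uRunOnce:", "dRunOnce:")


def pseudo_hjt_lines(dds_text):
    """Return the lines between the 'Pseudo HJT Report' banner and the next banner."""
    lines = []
    inside = False
    for line in dds_text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            inside = m.group("name").lower().startswith("pseudo hjt")
            continue
        if inside and line.strip() and line.strip() != ".":
            lines.append(line.rstrip())
    return lines


def triage(dds_text):
    """Return (reason, line) pairs for a human to review; nothing is changed."""
    findings = []
    for line in pseudo_hjt_lines(dds_text):
        if "ProxyServer" in line and LOCAL_PROXY_RE.search(line):
            findings.append(("browser proxy points at the local machine", line))
        elif line.startswith(("BHO:", "TB:", "EB:")) and line.endswith("No File"):
            findings.append(("browser add-on registered but file missing", line))
        elif line.startswith(AUTORUN_PREFIXES) and TEMP_PATH_RE.search(line):
            findings.append(("autorun entry launches from a temp folder", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_DDS):
        print(f"[{reason}] {line}")
```

The script only reports; a flagged line means "look here", not "delete this". The "No File" check is deliberately limited to BHO/TB/EB entries, because a missing file there is a leftover registration with no code behind it, whereas a missing file elsewhere in the log can be a legitimately uninstalled program.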



#2 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 03 May 2011 - 02:32 PM

Good evening. :)

Found the following infections while running an ESET scan (that ESET was unable to clean)

Win32/Injector.FLK trojan
Java/TrojanDownloader.Agent.NBB trojan
Java/TrojanDownloader.OpenStream.NBM trojan

Did you by any chance save the log that ESET created? It would be helpful to know the file names rather than the type of infection.

So long, and thanks for all the fish.

#3 millerpa

  • Topic Starter
  • Members
  • 13 posts

Posted 03 May 2011 - 08:10 PM

Hello!

Yes, here is the log. It was posted as part of my original Topic...

ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=9de43dbb7ff8524e86e8a8cfabed2dbd
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-04-24 06:16:01
# local_time=2011-04-24 02:16:01 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777195 100 0 36025594 36025594 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=181309
# found=3
# cleaned=0
# scan_time=6256
C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\6.0\34\ba13362-6bb2b7f0 Java/TrojanDownloader.Agent.NBB trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Sarah\Local Settings\Temp\aB624.tmp a variant of Win32/Injector.FLK trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Sarah\Local Settings\Temp\jar_cache2243309136687746651.tmp a variant of Java/TrojanDownloader.OpenStream.NBM trojan (unable to clean) 00000000000000000000000000000000 I
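The ESET Online Scanner log posted above has a fixed shape: `# key=value` header lines, then one line per detection of the form `<path> <threat description> (<action>) <hash> <flag>`. Because both the path and the threat description contain spaces, a naive split fails; the parser below, an added example that is not from this thread or from ESET, relies on ESET threat names always carrying a `/` (`Win32/...`, `Java/...`), which Windows paths never do. That rule is an assumption drawn from the three detection lines shown here; the sample log reuses those lines with a trimmed header. The `found` header is cross-checked against the number of detection lines parsed, which catches a truncated paste.

```python
"""Parser for an ESET Online Scanner log (added example, not ESET's code).

Log shape, as seen in the thread:
    # key=value              header lines
    <path> <threat> (<action>) <32-hex-hash> <flag>   one line per detection
Split rule (assumption): the threat description is the first whitespace-
separated token containing '/', optionally preceded by '[probably ]a variant of'.
"""
import re

HEADER_RE = re.compile(r"^#\s*(?P<key>[A-Za-z_]+)=(?P<value>.*)$")
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<threat>(?:(?:probably )?a variant of )?(?<!\S)[\w.+-]+/\S+[^(]*?)\s+"
    r"\((?P<action>[^)]*)\)\s+(?P<hash>[0-9a-f]{32})\s+(?P<flag>\S+)$",
    re.IGNORECASE,
)

# Sample input: header trimmed, detection lines copied from the post above.
SAMPLE_ESET_LOG = r"""ESETSmartInstaller@High as downloader log:
all ok
# version=7
# found=3
# cleaned=0
# scanned=181309
C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\6.0\34\ba13362-6bb2b7f0 Java/TrojanDownloader.Agent.NBB trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Sarah\Local Settings\Temp\aB624.tmp a variant of Win32/Injector.FLK trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Sarah\Local Settings\Temp\jar_cache2243309136687746651.tmp a variant of Java/TrojanDownloader.OpenStream.NBM trojan (unable to clean) 00000000000000000000000000000000 I
"""


def parse_eset_log(text):
    """Return (headers dict, list of detection dicts, list of unparsed lines)."""
    meta, detections, unparsed = {}, [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            meta[h.group("key")] = h.group("value")
            continue
        d = DETECTION_RE.match(line)
        if d:
            detections.append(d.groupdict())
        else:
            unparsed.append(line)  # status lines such as 'all ok'
    return meta, detections, unparsed


def uncleaned(detections):
    """Detections the scanner reported but could not remove."""
    return [d for d in detections if "unable to clean" in d["action"].lower()]


def counts_consistent(meta, detections):
    """True when the '# found=' header matches the detection lines actually parsed."""
    try:
        return int(meta.get("found", "-1")) == len(detections)
    except ValueError:
        return False


if __name__ == "__main__":
    meta, dets, rest = parse_eset_log(SAMPLE_ESET_LOG)
    print(f"scanned={meta.get('scanned')} found={meta.get('found')} "
          f"cleaned={meta.get('cleaned')} consistent={counts_consistent(meta, dets)}")
    for d in uncleaned(dets):
        print(f"  {d['threat']}\n    {d['path']}")
```

Listing the uncleaned detections by path, as this does, gives a helper exactly what Noviciate asked for in post #2: the file names rather than only the detection names.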

#4 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 04 May 2011 - 01:33 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*

  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

So long, and thanks for all the fish.

#5 millerpa

  • Topic Starter
  • Members
  • 13 posts

Posted 05 May 2011 - 04:47 PM

Unable to run combofix with AVG installed. I followed the instructions on the AVG website for disabling the protection but Combofix continues to detect the presence of the install and indicates that AVG must be removed. I tried to remove the program and wasn't successful. I even tried uninstalling in SAFE mode but that didn't work either. Thoughts?

#6 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 05 May 2011 - 04:50 PM

Good evening. :)

Sorry, should have mentioned this. Try the official AVG removal tool: http://www.avg.com/us-en/download-tools

So long, and thanks for all the fish.

#7 millerpa

  • Topic Starter
  • Members
  • 13 posts

Posted 05 May 2011 - 06:26 PM

After installing 4 more programs from the AVG website (as instructed in their forums), I finally got it removed. Yea! I ran combofix and the following report was generated:

ComboFix 11-05-04.02 - Patrick Miller 05/05/2011 19:17:07.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2951 [GMT -4:00]
Running from: c:\documents and settings\Patrick Miller\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Matthew\Local Settings\Application Data\{E73C125A-7313-4AE7-B85F-0C655D6B8846}
c:\documents and settings\Matthew\Local Settings\Application Data\{E73C125A-7313-4AE7-B85F-0C655D6B8846}\chrome.manifest
c:\documents and settings\Matthew\Local Settings\Application Data\{E73C125A-7313-4AE7-B85F-0C655D6B8846}\chrome\content\_cfg.js
c:\documents and settings\Matthew\Local Settings\Application Data\{E73C125A-7313-4AE7-B85F-0C655D6B8846}\chrome\content\overlay.xul
c:\documents and settings\Matthew\Local Settings\Application Data\{E73C125A-7313-4AE7-B85F-0C655D6B8846}\install.rdf
c:\documents and settings\Patrick Miller\Local Settings\Application Data\{FE0B9005-E904-46F9-A75C-7BCD2614B0BD}
c:\documents and settings\Patrick Miller\Local Settings\Application Data\{FE0B9005-E904-46F9-A75C-7BCD2614B0BD}\chrome.manifest
c:\documents and settings\Patrick Miller\Local Settings\Application Data\{FE0B9005-E904-46F9-A75C-7BCD2614B0BD}\chrome\content\_cfg.js
c:\documents and settings\Patrick Miller\Local Settings\Application Data\{FE0B9005-E904-46F9-A75C-7BCD2614B0BD}\chrome\content\overlay.xul
c:\documents and settings\Patrick Miller\Local Settings\Application Data\{FE0B9005-E904-46F9-A75C-7BCD2614B0BD}\install.rdf
c:\documents and settings\Patrick Miller\Recent\Thumbs.db
c:\documents and settings\Patrick Miller\Start Menu\Programs\Windows Disk
c:\documents and settings\Patrick Miller\Start Menu\Programs\Windows Disk\Uninstall Windows Disk.lnk
c:\documents and settings\Patrick Miller\Start Menu\Programs\Windows Disk\Windows Disk.lnk
c:\documents and settings\Patrick Miller\WINDOWS
c:\documents and settings\Patrick\Local Settings\Application Data\{295E7B1F-3583-48DD-873C-2AA5AD78DE31}
c:\documents and settings\Patrick\Local Settings\Application Data\{295E7B1F-3583-48DD-873C-2AA5AD78DE31}\chrome.manifest
c:\documents and settings\Patrick\Local Settings\Application Data\{295E7B1F-3583-48DD-873C-2AA5AD78DE31}\chrome\content\_cfg.js
c:\documents and settings\Patrick\Local Settings\Application Data\{295E7B1F-3583-48DD-873C-2AA5AD78DE31}\chrome\content\overlay.xul
c:\documents and settings\Patrick\Local Settings\Application Data\{295E7B1F-3583-48DD-873C-2AA5AD78DE31}\install.rdf
c:\documents and settings\Sarah\Local Settings\Application Data\{50CC4518-4282-44EA-B661-B8753A4165CE}
c:\documents and settings\Sarah\Local Settings\Application Data\{50CC4518-4282-44EA-B661-B8753A4165CE}\chrome.manifest
c:\documents and settings\Sarah\Local Settings\Application Data\{50CC4518-4282-44EA-B661-B8753A4165CE}\chrome\content\_cfg.js
c:\documents and settings\Sarah\Local Settings\Application Data\{50CC4518-4282-44EA-B661-B8753A4165CE}\chrome\content\overlay.xul
c:\documents and settings\Sarah\Local Settings\Application Data\{50CC4518-4282-44EA-B661-B8753A4165CE}\install.rdf
C:\install.exe
C:\Thumbs.db
C:\VDM10.tmp
C:\VDM11.tmp
C:\VDM12.tmp
C:\VDM13.tmp
C:\VDM14.tmp
C:\VDM15.tmp
C:\VDM16.tmp
C:\VDM17.tmp
C:\VDM18.tmp
C:\VDM19.tmp
C:\VDM1A.tmp
C:\VDM1B.tmp
C:\VDM1C.tmp
C:\VDM1D.tmp
C:\VDM1E.tmp
C:\VDM1F.tmp
C:\VDM20.tmp
C:\VDM22.tmp
C:\VDM23.tmp
C:\VDM24.tmp
C:\VDM25.tmp
C:\VDM26.tmp
C:\VDM27.tmp
C:\VDMF.tmp
c:\windows\System32\BSTIeprintctl1.dll
c:\windows\system32\SysInfo.dll
c:\windows\system32\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2011-04-05 to 2011-05-05 )))))))))))))))))))))))))))))))
.
.
2011-04-23 04:12 . 2011-04-23 04:12 -------- d-----w- c:\program files\ESET
2011-04-22 04:00 . 2011-04-22 04:02 -------- d-----w- C:\AutoRuns
2011-04-16 14:37 . 2011-04-16 14:37 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-04-15 03:05 . 2011-04-15 03:05 -------- d-----w- c:\documents and settings\Sarah\Application Data\Logitech
2011-04-15 01:10 . 2011-04-15 01:10 -------- d-----w- c:\documents and settings\Patrick Miller\Application Data\Logitech
2011-04-15 01:10 . 2011-04-15 01:10 -------- d-----w- c:\documents and settings\Patrick Miller\Application Data\Leadertech
2011-04-15 01:09 . 2009-06-17 16:55 10384 ----a-w- c:\windows\system32\drivers\LBeepKE.sys
2011-04-15 01:07 . 2009-07-20 16:25 301656 ----a-w- c:\windows\system32\BtCoreIf.dll
2011-04-15 01:07 . 2009-07-20 16:26 84496 ----a-w- c:\windows\system32\KemXML.dll
2011-04-15 01:07 . 2009-07-20 16:26 117264 ----a-w- c:\windows\system32\KemWnd.dll
2011-04-15 01:07 . 2009-07-20 16:26 145936 ----a-w- c:\windows\system32\KemUtil.dll
2011-04-15 01:07 . 2009-07-20 16:26 170512 ----a-w- c:\windows\system32\kemutb.dll
2011-04-15 01:07 . 2011-04-15 01:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2011-04-15 01:07 . 2011-04-15 01:10 -------- d-----w- c:\program files\Common Files\Logishrd
2011-04-15 01:07 . 2011-04-15 01:07 -------- d-----w- c:\program files\Logitech
2011-04-15 01:06 . 2011-04-15 01:09 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2011-04-10 15:14 . 2011-04-10 15:14 -------- d-----w- c:\documents and settings\Patrick Miller\Application Data\wargaming.net
2011-04-10 03:35 . 2010-06-02 08:55 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2011-04-10 03:35 . 2010-06-02 08:55 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2011-04-10 03:35 . 2010-06-02 08:55 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2011-04-10 03:35 . 2010-05-26 15:41 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2011-04-10 03:35 . 2010-05-26 15:41 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2011-04-10 03:35 . 2010-05-26 15:41 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2011-04-10 03:35 . 2010-05-26 15:41 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2011-04-10 03:35 . 2010-05-26 15:41 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2011-04-10 03:35 . 2010-02-04 14:01 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2011-04-10 03:35 . 2010-02-04 14:01 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2011-04-10 03:35 . 2010-02-04 14:01 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2011-04-10 03:35 . 2010-02-04 14:01 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2011-04-10 03:23 . 2011-04-10 03:23 -------- d-----w- C:\Games
2011-04-07 18:39 . 2011-04-07 18:39 -------- d-----w- c:\documents and settings\Patrick Miller\Application Data\hte
2011-04-07 18:34 . 2011-04-08 13:30 -------- d-----w- C:\sandbox
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-05 21:56 . 2008-12-27 01:07 137464 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-05-05 21:56 . 2009-02-20 02:03 214520 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-05-05 21:56 . 2008-12-27 01:07 214520 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-04-13 18:32 . 2011-01-03 20:12 0 ----a-w- c:\documents and settings\Matthew\Local Settings\Application Data\Tqopexi.bin
2011-03-07 05:33 . 2008-12-04 17:57 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2006-02-28 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2006-02-28 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2006-02-28 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2006-02-28 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-04-15 00:03 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2006-02-28 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25 . 2008-04-14 00:12 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-09 13:53 . 2006-02-28 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2006-02-28 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2006-02-28 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2006-02-28 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinSys2"="c:\windows\system32\winsys2.exe" [2009-10-12 208896]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:C *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Patrick Miller^Start Menu^Programs^Startup^chkntfs.exe]
path=c:\documents and settings\Patrick Miller\Start Menu\Programs\Startup\chkntfs.exe
backup=c:\windows\pss\chkntfs.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Patrick Miller^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\documents and settings\Patrick Miller\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Patrick Miller^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Patrick Miller\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2009-11-02 02:30 2508104 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2009-09-04 01:43 767312 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DrvLsnr]
2003-05-08 17:34 69632 ------w- c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IJNetworkScanUtility]
2009-09-28 22:56 140640 ----a-w- c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-11-18 01:59 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2009-06-17 16:55 55824 ----a-w- c:\windows\KHALMNPR.Exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 15:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 23:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-11 02:47 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UPS"=3 (0x3)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SCardSvr"=3 (0x3)
"Bonjour Service"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Documents and Settings\\Patrick Miller\\My Documents\\Downloads\\Smokin_Guns_1.0\\Smokin' Guns\\smokinguns.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Documents and Settings\\Matthew\\My Documents\\Smokin_Guns_1.0\\Smokin' Guns\\smokinguns.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
.
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [4/14/2011 9:09 PM 10384]
S1 ntiomin;ntiomin; [x]
S3 MsibiosDevice;MsibiosDevice;c:\program files\MSI\Live Update 4\LU4\msibios.sys [6/3/2010 6:27 PM 18432]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S4 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [10/9/2009 11:07 AM 493248]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:54202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\documents and settings\Patrick Miller\Application Data\Mozilla\Firefox\Profiles\xu6hbv66.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-6CkdwsAuvw63 - c:\documents and settings\All Users\Application Data\6CkdwsAuvw63.exe
MSConfigStartUp-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe
MSConfigStartUp-MSI Live - c:\program files\MSI\MSI Live\SetWallpaper.exe
MSConfigStartUp-MSIAfterburner - c:\program files\MSI Afterburner\MSIAfterburner.exe
MSConfigStartUp-nwiz - nwiz.exe
MSConfigStartUp-Qfoniquyi - c:\windows\ujomesum.dll
MSConfigStartUp-RecoverFromReboo - c:\windows\Temp\RECOVE~1.EXE
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-05 19:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\VVniqinufeworitul*]
"Ckeponu"=hex:36,01,33,03,30,05,44,07,3b,09,4b,0b,34,0d,3b,0f,26,11,20,13,21,
15,24,17,2c,19,2e,1b,5e,1d,2b,1f,61,21,11,23,62,25,64,27,1f,29,1b,2b,6e,2d,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion*Vniqinufeworitul]
"Ckeponu"=hex:42,01,33,03,40,05,42,07,4c,09,3d,0b,35,0d,3b,0f,51,11,51,13,26,
15,21,17,2c,19,58,1b,28,1d,5b,1f,18,21,14,23,60,25,10,27,1f,29,6c,2b,14,2d,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(712)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2011-05-05 19:23:04
ComboFix-quarantined-files.txt 2011-05-05 23:23
.
Pre-Run: 29,969,035,264 bytes free
Post-Run: 33,599,639,552 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - ED588D0DE2D135B5AF8116090406CBAB

#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:38 PM

Posted 05 May 2011 - 06:42 PM

You can reinstall AVG now, if you wish, or go with another free AV if you prefer. The usual ones I offer, apart from AVG, are:

avast! 4 Home Edition: Available here
AntiVir Personal Edition Classic : Available here
Microsoft Security Essentials: Available here

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your version of Sun Java needs updating:

1) Go here and click on the Windows XP/Vista/2000/2003/2008 Offline link in the Windows section near the top and save it to your Desktop.

2) Download JavaRa from here and save it to your Desktop.
You will need to extract the file(s):

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


***Please close any instances of Internet Explorer before continuing!***

  • Double-click JavaRa.exe to begin.
  • Pick your preferred language from the drop-down menu and click Select.
  • Click on Remove Older Versions to remove older versions of Java - obvious really, isn't it!
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location, just in case you have any problems with Java afterwards.
3) Run the installer that you downloaded earlier.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download TFC by OldTimer from here and save it to your Desktop.

  • You will need to close all open programs and save any work as TFC will require a reboot.
  • Double-click TFC.exe to run it. (Note: If you are using Vista, right-click the file and select Run As Administrator from the menu that appears).
  • Click the Start button to begin. Depending on how often you clean temp files, execution time could be anywhere from a few seconds to a minute or two - just sit back and enjoy the view.
  • Once it has finished it should reboot your PC all by itself. If it does not, please manually reboot.
  • Once rebooted your PC will run like a Cray supercomputer, or at least have less junk on the hard drive - OT's not a miracle worker you know!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Time to see if all has gone according to plan. Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button and a new window will open - you may need to maximise it.
  • Click the Run ESET Online Scanner button in the new window.
  • If you are using any other browser than IE, you will be prompted to download and run esetsmartinstaller_enu.exe and the scan will run from within the window that the executable opens.
  • Regardless of which browser you are using, you will be shown some terms and conditions and you will need to accept these to continue.
  • If you are running IE for this scan you will then be prompted to allow an ActiveX component to be downloaded, unless you already have it installed, and the scan will run inside IE.
  • When you see the Computer Scan Settings window, you will need to make the following changes:

    • UNCHECK Remove found threats - this is important.
    • Check Scan archives
    • Click on Advanced settings
    • Check Scan for potentially unsafe applications
  • Once ready, click Start to begin - not a surprise really!
  • The anti-virus definitions will now be downloaded, so don't forget to allow them through your firewall if prompted.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

Will you also throw in a fresh DDS log and let me know how the PC is behaving.

So long, and thanks for all the fish.

#9 millerpa

millerpa
  • Topic Starter

  • Members
  • 13 posts
  • Local time:02:38 PM

Posted 05 May 2011 - 09:24 PM

Computer seems to be running fine now. I have yet to log into all accounts and make sure my error msg is gone but here is the DDS log...
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Patrick Miller at 22:22:52.57 on Thu 05/05/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_25
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2498 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG10\avgui.exe
C:\Documents and Settings\Patrick Miller\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:54202
BHO: AutorunsDisabled - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: {35065594-9169-4A34-B167-FC4865038E53} - No File
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
mRun: [WinSys2] c:\windows\system32\winsys2.exe
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYASwBQAEMAQgAtADYAQgBXAEYATQAtAFQAUgBMAFEAUgAtAEIAUgBVAEgAUAAtAEMAUAA4ADYARwA"&"inst=NwA3AC0ANAAxADIAOQA4ADQANwAxADYALQBUADEANwAtAEsAVgAzACsANwAtAEIAQQArADEALQBYAEwAKwAxAC0ARgBQADkAKwA2AC0AQgBBAFIAOQBHACsAMQAtAFQAQgA5ACsAMgAtAEYATAArADkALQBYAE8AMwA2ACsAMQAtAFgATwA5ACsAMQA"&"prod=90"&"ver=9.0.894
dRunOnce: [RunNarrator] Narrator.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
Trusted Zone: intuit.com\ttlc
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - c:\program files\yahoo!\common\yucconfig.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228415060295
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228432665796
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C8BC46C7-921C-4102-B67D-F1F7E65FB0BE} - hxxps://battlefield.play4free.com/static/updater/BP4FUpdater_1.0.26.2.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\patric~1\applic~1\mozilla\firefox\profiles\xu6hbv66.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol308.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\avg\avg10\Firefox4
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-1-19 32464]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-2-10 296400]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-2-15 7421280]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2011-4-14 10384]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-3-30 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 27216]
S1 ntiomin;ntiomin; [x]
S3 MsibiosDevice;MsibiosDevice;c:\program files\msi\live update 4\lu4\msibios.sys [2010-6-3 18432]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S4 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-10-9 493248]
.
=============== Created Last 30 ================
.
2011-05-06 00:15:29 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-06 00:15:29 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-05-06 00:11:06 -------- d-----w- c:\docume~1\patric~1\applic~1\AVG10
2011-05-06 00:06:36 -------- d-----w- c:\windows\system32\drivers\AVG
2011-05-06 00:06:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2011-05-05 23:15:00 -------- d-sha-r- C:\cmdcons
2011-05-05 23:12:13 98816 ----a-w- c:\windows\sed.exe
2011-05-05 23:12:13 89088 ----a-w- c:\windows\MBR.exe
2011-05-05 23:12:13 256512 ----a-w- c:\windows\PEV.exe
2011-05-05 23:12:13 161792 ----a-w- c:\windows\SWREG.exe
2011-05-05 23:11:59 -------- d-----w- C:\ComboFix
2011-05-05 23:00:29 -------- d-----w- C:\AVGTemp
2011-05-05 22:39:02 -------- d-----w- c:\windows\system32\NtmsData
2011-05-05 22:24:33 -------- d-----w- c:\program files\Windows Resource Kits
2011-05-05 21:43:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-04-23 04:12:52 -------- d-----w- c:\program files\ESET
2011-04-22 04:00:42 -------- d-----w- C:\AutoRuns
2011-04-16 14:37:37 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2011-04-15 01:09:20 10384 ----a-w- c:\windows\system32\drivers\LBeepKE.sys
2011-04-15 01:07:47 301656 ----a-w- c:\windows\system32\BtCoreIf.dll
2011-04-15 01:07:43 84496 ----a-w- c:\windows\system32\KemXML.dll
2011-04-15 01:07:43 170512 ----a-w- c:\windows\system32\kemutb.dll
2011-04-15 01:07:43 145936 ----a-w- c:\windows\system32\KemUtil.dll
2011-04-15 01:07:43 117264 ----a-w- c:\windows\system32\KemWnd.dll
2011-04-10 15:14:04 -------- d-----w- c:\docume~1\patric~1\applic~1\wargaming.net
2011-04-10 03:35:33 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2011-04-10 03:35:33 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2011-04-10 03:35:33 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2011-04-10 03:35:33 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2011-04-10 03:35:32 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2011-04-10 03:35:32 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2011-04-10 03:35:31 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2011-04-10 03:35:31 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2011-04-10 03:35:30 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2011-04-10 03:35:30 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2011-04-10 03:35:30 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2011-04-10 03:35:30 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2011-04-10 03:23:28 -------- d-----w- C:\Games
2011-04-07 18:39:38 -------- d-----w- c:\docume~1\patric~1\applic~1\hte
2011-04-07 18:34:18 -------- d-----w- C:\sandbox
.
==================== Find3M ====================
.
2011-05-06 00:15:13 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-05 23:27:34 214520 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-05-05 23:27:34 214520 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-04-16 11:40:59 0 ----a-w- c:\windows\Tqopexi.bin
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25:52 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
.
============= FINISH: 22:23:23.17 ===============
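The DDS log above is read by eye, but the lines the responder keeps coming back to in this thread are mechanical to spot: a proxy pointed at a loopback port, BHO/toolbar registrations whose file is gone, a zero-byte file written under c:\windows, and binaries dropped straight into c:\windows rather than a subfolder. The following is an added example written for this page, not a DDS feature and not anything posted in the thread; the heuristics are my own, the sample lines are constructed from the values in the log above, and a hit means "review this line", not "this is malware" (the ComboFix helpers sed.exe and MBR.exe, for instance, would trip the last check).

```python
import re

# Constructed sample: a handful of lines modelled on the DDS output posted
# above (paths and values taken from that log, trimmed to the interesting ones).
SAMPLE_LOG = r"""uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:54202
BHO: AutorunsDisabled - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
TB: {35065594-9169-4A34-B167-FC4865038E53} - No File
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
MSConfigStartUp-Qfoniquyi - c:\windows\ujomesum.dll
2011-04-16 11:40:59 0 ----a-w- c:\windows\Tqopexi.bin
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
"""

# Heuristics are my own assumptions about what an analyst wants flagged;
# DDS itself does no scoring of its output.
PROXY_RE = re.compile(
    r"ProxyServer\s*=\s*(?:\w+=)?(?:127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost):(\d+)",
    re.I)
NO_FILE_RE = re.compile(r"-\s*No File\s*$", re.I)
# Created/Find3M lines: "<date> <time> <size> <attrs> <path>"; size 0 is the trigger.
ZERO_BYTE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} 0 ")
# A dll/exe/bin directly under c:\windows (no further backslash before the name).
WINDOWS_ROOT_RE = re.compile(r"\bc:\\windows\\[^\\\s]+\.(?:dll|exe|bin)\b", re.I)

CHECKS = [
    ("loopback-proxy", PROXY_RE,
     "IE proxy points at a loopback port; legitimate only if a known local "
     "filtering product owns that port"),
    ("dangling-registration", NO_FILE_RE,
     "BHO/toolbar registration whose file is gone; leftover of a removed "
     "add-on or of an earlier cleanup"),
    ("zero-byte-file", ZERO_BYTE_RE,
     "recently written zero-byte file; check what created it"),
    ("windows-root-binary", WINDOWS_ROOT_RE,
     "binary placed directly in c:\\windows rather than a subfolder; "
     "verify the publisher"),
]


def loopback_proxy_port(line):
    """Return the port of a loopback proxy setting on this line, or None."""
    m = PROXY_RE.search(line)
    return int(m.group(1)) if m else None


def triage_dds(text):
    """Run every heuristic over every line and return findings in file order.

    A finding is a dict with the reason tag, the analyst note and the raw line.
    A line may trigger more than one heuristic (the zero-byte .bin above does).
    """
    findings = []
    for line in text.splitlines():
        for tag, regex, note in CHECKS:
            if regex.search(line):
                findings.append({"reason": tag, "note": note, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_LOG):
        print(f"[{f['reason']}] {f['line']}\n    {f['note']}")
```

Feed it a whole DDS log with `triage_dds(open("dds.txt").read())`; the point is to get a short review list out of several hundred lines, with the "No File" entries and the loopback proxy (the 127.0.0.1:54202 setting survived the cleanup in both logs on this page) at the top of it.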

#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:38 PM

Posted 06 May 2011 - 01:42 PM

Good evening. :)

Did ESET find anything?

So long, and thanks for all the fish.


#11 millerpa

millerpa
  • Topic Starter

  • Members
  • 13 posts
  • Local time:02:38 PM

Posted 06 May 2011 - 04:43 PM

Sorry, I forgot to mention that. ESET found no infections on that computer but I have since run it on another machine and found infections. Should I take this to a different topic or continue to post here?
Thanks!

#12 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:38 PM

Posted 06 May 2011 - 04:56 PM

Should I take this to a different topic or continue to post here?

That will need to be a new topic.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your copy of Adobe Reader is out of date. You can get the latest version here; feel free to uncheck the McAfee download first, or you can update from within the program itself: Help > Check for Updates...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your version of Sun Java needs updating:

1) Go here and click on the Windows XP/Vista/2000/2003/2008 Offline link in the Windows section near the top and save it to your Desktop.

2) Download JavaRa from here and save it to your Desktop.
You will need to extract the file(s):

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


***Please close any instances of Internet Explorer before continuing!***

  • Double-click JavaRa.exe to begin.
  • Pick your preferred language from the drop-down menu and click Select.
  • Click on Remove Older Versions to remove older versions of Java - obvious really, isn't it!
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location, just in case you have any problems with Java afterwards.
3) Run the installer that you downloaded earlier.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your log doesn't appear to show a third-party software firewall installed - if you have one, and I've missed it, please ignore this.
If you are relying on the firewall that comes with Service Pack 2, then you need to install one. While the SP2 firewall is better than nothing, it doesn't monitor outgoing traffic, so anything malicious on your computer can 'phone home' at will.
If you are using a wireless router that comes with a NAT hardware firewall, this also doesn't monitor outgoing connections.

There are a few free firewalls available, of which the following are just three (all of which I've used at one time or another):

Comodo Firewall Pro, available here.
PC Tools Firewall Plus, available here.
Online Armor Free, available here.

It is important to note that you should only have one firewall installed at a time, but you can download them all to your Desktop and install each in turn to see which one you prefer.

Understanding and Using Firewalls: http://www.bleepingcomputer.com/tutorials/understanding-and-using-firewalls/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I want you to run your PC as normal for a few days and when you are happy that everything is fine, do the following:

Go to Start > Run, enter the following into the textbox and click OK: ComboFix /Uninstall
This will uninstall ComboFix and do a little housework besides.

Create a new Restore Point with a memorable name - this will give a clean one should you need it in the future. If you use a Restore Point from before this point you may reinstall any infection that was present at the time, so only do so if using this latest one doesn't solve any issues.
A tutorial for System Restore is available here.

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet. It's a little old, but still contains some good ideas.

So long, and thanks for all the fish.


#13 millerpa

millerpa
  • Topic Starter

  • Members
  • 13 posts
  • Local time:02:38 PM

Posted 06 May 2011 - 05:02 PM

Ok. Thanks for all the help!!!!

#14 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:38 PM

Posted 10 May 2011 - 02:29 PM

As this issue appears to have been resolved, this thread is now closed.

So long, and thanks for all the fish.