hggfffe and unknown 016 - DPFs



tenchi_alex
2007-11-23, 20:42
Hi there!

Well, the problems I'm having are mainly what HijackThis is showing. I'm not noticing basically anything odd (ex. pop-ups, homepage change, very slow compy, etc.) The main two things that are bugging me in the log (shown below) are "O20 - Winlogon Notify: hggfffe - D:\WINDOWS\" and the six O16 - DPFs that have no description. I have used these programs:
1)ComboFix 07-11-19.3
2)Spybot 1.4 (updated today)
3)Ad-Aware 6.2.0.236
4)AVG Anti-Spyware 7.5
5)AVG 7
6)HijackThis 1.99.1
7)CCleaner 2.1.0.507
8)Cleanup! 4.5.2.0
9)Killbox 2.0.0.881

I must say that I am very leery about posting logs such as the HijackThis! Not how to do it, but all this info about my PC posted for all to see... but anyways, I want help, so I guess...

INCOMING LOG! ;)

Logfile of HijackThis v1.99.1
Scan saved at 1:17:44 PM, on 11/23/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\LTSMMSG.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
D:\WINDOWS\System32\RunDLL32.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O16 - DPF: {0000000A-9980-0010-8000-00AA00389B71} -
O16 - DPF: {00000162-9980-0010-8000-00AA00389B71} -
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3253344D-0000-0010-8000-00AA00389B71} -
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} -
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -
O20 - Winlogon Notify: hggfffe - D:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe

END OF LOG

Thanks in advance for any help! :)

tashi
2007-11-24, 04:22
Hello.

You missed our sticky topics. ;)
Running outdated versions of many programs and no Windows updates. :eek:
Please read here:
"BEFORE you POST"(READ this Procedure before Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Cheers.

tenchi_alex
2007-11-24, 06:17
:oops:

I'll get to updating in the morning.

One quick question though, is updating my Spybot 1.4 not the same as getting Spybot 1.5 (with updates)? I assume it is not the same, but just checking. :red:

Cya soon, and take good care!

tashi
2007-11-24, 07:48
Hi there.


One quick question though, is updating my Spybot 1.4 not the same as getting Spybot 1.5 (with updates)? I assume it is not the same, but just checking. :red:


Spybot-S&D 1.5 is our latest program application. You can still update definitions in version 1.4 but 1.5 has many upgrades.

You can read more in the Spybot-S&D forums later.
http://forums.spybot.info/forumdisplay.php?f=4
http://forums.spybot.info/forumdisplay.php?f=12

However, I suggest taking things slowly, and not trying to do too much at once to start off.

To that end the first thing you should do is update Windows.
Get SP1a here: http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx and all security patches/updates. Read the instructions Microsoft provides.

AFTER it is verified that the machine appears to be clean, you will need to get SP2. Your helper will tell you when.

So, once you have updated Windows to Service Pack 1a, please post a new log (Trend Micro HijackThis 2.0.2) for a helper to analyse and give further instructions.

How to produce a log here: http://forums.spybot.info/showpost.php?p=1150&postcount=2

Please don't run any tools such as combofix etc unless asked to do so, and you will be linked to the latest version/s.

Cheers.

tenchi_alex
2007-11-25, 02:55
Hi Tashi! :greeting:

I have only been able to get to SP1. Now, when I get to Microsoft Update, no high-priority updates exist (except for SP2 of course)! These are the only things I have not downloaded:

(Software, Optional)
Microsoft Base Smart Card Cryptographic Service Provider Package: x86 (KB909520)
Update for WMDRM-enabled Media Players (KB891122)
Windows Media Player 10
Windows Media 9 Series Codec Install Package
Microsoft .NET Framework version 1.1

So, are we to progress to the next step (download and run HijackThis 2.0.2)?

Thanks again! :2thumb:

tashi
2007-11-25, 08:12
Hello.


I have only been able to get to SP1. Now, when I get to Microsoft Update, no high-priority updates exist (except for SP2 of course)!

Yes please post the HJT log so one of our helpers can take a look.

Thanks.

tenchi_alex
2007-11-25, 21:19
:eek: WARNING! INCOMING HJT LOG!! :eek:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:13:34 PM, on 11/25/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\LTSMMSG.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\WINDOWS\System32\RunDLL32.exe
D:\WINDOWS\System32\ctfmon.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0000000A-9980-0010-8000-00AA00389B71} -
O16 - DPF: {00000162-9980-0010-8000-00AA00389B71} -
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3253344D-0000-0010-8000-00AA00389B71} -
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195939333290
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195939295790
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -
O20 - Winlogon Notify: hggfffe - D:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe

--
End of file - 4724 bytes

katana
2007-11-28, 11:38
Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

You don't appear to be using your Antivirus ?
There is no active malware evident in your log, what popups are you getting ?
Why did you use ComboFix and KillBox ?

Fix With HJT
Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O16 - DPF: {0000000A-9980-0010-8000-00AA00389B71} -
O16 - DPF: {00000162-9980-0010-8000-00AA00389B71} -
O16 - DPF: {3253344D-0000-0010-8000-00AA00389B71} -
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} -
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -
O20 - Winlogon Notify: hggfffe - D:\WINDOWS\

- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis

If it exists please post the contents of D:\Combofix.txt
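
As an added illustration (not code from this thread, from the helper, or from the HijackThis authors), the Python below applies two triage heuristics that are consistent with the entries picked out above to a few log lines copied from this thread: an O16 DPF entry whose CLSID carries neither a description nor a download URL, and an O20 Winlogon Notify package whose target is a directory rather than a DLL file. The regular expressions, function name and verdict wording are my own assumptions about the log layout, not anything HijackThis itself provides.

```python
import re
from typing import List, Tuple

# Constructed sample: a handful of lines copied from the HijackThis logs posted
# in this thread, mixing benign entries with the ones the helper asked to fix.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O16 - DPF: {0000000A-9980-0010-8000-00AA00389B71} -
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -
O20 - Winlogon Notify: hggfffe - D:\WINDOWS\
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
"""

# Assumed layout of the two line types (my own regexes, derived from the logs above):
#   O16 - DPF: {CLSID} (optional description) - optional download URL
#   O20 - Winlogon Notify: <package name> - <path that should name a DLL>
O16_RE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? -\s*(?P<target>.*)$"
)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) -\s*(?P<target>.*)$")

Finding = Tuple[str, str, str]  # (section, reason, original line)


def triage_hjt(log_text: str) -> List[Finding]:
    """Return the O16/O20 lines that match the two heuristics, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = O16_RE.match(line)
        if m:
            # A DPF entry with no description and no URL cannot be traced back
            # to the site that installed it; that is what makes it worth a look.
            if not m.group("target").strip():
                findings.append(("O16", "DPF entry with no description and no download URL", line))
            continue
        m = O20_RE.match(line)
        if m:
            # Winlogon Notify packages are DLLs; a bare directory is not a valid target.
            if not m.group("target").strip().lower().endswith(".dll"):
                findings.append(("O20", "Winlogon Notify package does not name a DLL file", line))
            continue
    return findings


if __name__ == "__main__":
    for section, reason, line in triage_hjt(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

The script only reports; it does not edit the registry or delete anything, which keeps the decision of what to fix with the helper reading the log.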

tenchi_alex
2007-11-28, 23:26
Hey Katana! :greeting:


You don't appear to be using your Antivirus ?

I don't have anything of the sort running, because I didn't want it to interfere with the fixing. Admittedly, I don't have much when it comes to antivirus... basically just Teatimer...!! :blink:


There is no active malware evident in your log, what popups are you getting ?

Actually, I'm not noticing any odd actions (such as pop-ups)... :halo: just those very suspicious HJT entries. This is not the first time I've gotten caught with hggfffe! :sad: However, the first time had MORE than the "Winlogon Notify" entry! Also listed was, "hggfffe.dll". SOMEHOW, I was able to get rid of both of them (with the various programs I mentioned in my first post). Speaking of that, I forgot to list a few more that I used:

10)VundoFix 6.5.0.9
11)VirtumundoBeGone 1.5.0.0
12)SmitfraudFix 2.236


Why did you use ComboFix and KillBox ?

I used both in my first encounter with hggfffe (specifically hggfffe.dll), and only ComboFix in the second.


I did all you said to do in HJT, and have not rebooted since it was not requested. I also will not post the new log since you didn't say to do so, however I did create one. So, if you want to see it (which I assume you will), I'll have it ready. :)



If it exists please post the contents of D:\Combofix.txt
:police: Reminder! This ComboFix log is prior to when I updated Windows (which was on the 24th) :police:

ComboFix 07-11-19.3 - Alex 2007-11-23 11:09:01.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.0.1252.1.1033.18.320 [GMT -6:00]
Running from: D:\Documents and Settings\Alex.TENCHI.000\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-23 to 2007-11-23 )))))))))))))))))))))))))))))))
.

2007-11-23 11:07 289,144 --a------ D:\WINDOWS\system32\VCCLSID.exe
2007-11-23 11:07 288,417 --a------ D:\WINDOWS\system32\SrchSTS.exe
2007-11-23 11:07 53,248 --a------ D:\WINDOWS\system32\Process.exe
2007-11-23 11:07 25,088 --a------ D:\WINDOWS\system32\WS2Fix.exe
2007-11-22 23:28 <DIR> d-------- D:\Documents and Settings\Alex.TENCHI.000\Application Data\Grisoft
2007-11-22 23:28 10,872 --a------ D:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-15 06:57 <DIR> d-------- D:\Documents and Settings\Alex.TENCHI.000\WhiteCap
2007-11-15 06:56 <DIR> d-------- D:\Program Files\SoundSpectrum
2007-11-15 01:33 <DIR> d-------- D:\Program Files\CamStudio
2007-11-15 01:04 351,616 --a--c--- D:\WINDOWS\system32\dllcache\ovcodek2.sys
2007-11-15 01:04 116,736 --a--c--- D:\WINDOWS\system32\dllcache\ovcodec2.dll
2007-11-15 01:04 48,000 --a--c--- D:\WINDOWS\system32\dllcache\ovcam2.sys
2007-11-15 01:04 44,544 --a--c--- D:\WINDOWS\system32\dllcache\ovui2.dll
2007-11-15 01:04 41,984 --a--c--- D:\WINDOWS\system32\dllcache\ovui2rc.dll
2007-11-15 01:04 39,424 --a--c--- D:\WINDOWS\system32\dllcache\ovcoms.exe
2007-11-15 01:04 31,872 --a--c--- D:\WINDOWS\system32\dllcache\ovce.sys
2007-11-15 01:04 25,216 --a--c--- D:\WINDOWS\system32\dllcache\ovsound2.sys
2007-11-15 01:04 20,480 --a--c--- D:\WINDOWS\system32\dllcache\ovcomc.dll
2007-11-15 00:28 <DIR> d-------- D:\Program Files\virtualdub1618
2007-11-03 17:00 182,880 --a--c--- D:\WINDOWS\system32\dllcache\iuengine.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-23 17:08 --------- d-----w D:\Program Files\try
2007-11-23 17:02 --------- d-----w D:\Program Files\HJT
2007-11-23 04:25 --------- d-----w D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-23 01:55 --------- d-----w D:\Program Files\TrackMania Nations ESWC
2007-11-22 17:32 --------- d-----w D:\Documents and Settings\Alex.TENCHI.000\Application Data\AVG7
2007-11-15 08:34 --------- d-----w D:\Program Files\Winamp
2007-10-12 03:12 --------- d-----w D:\Program Files\GetRight
2007-10-06 19:29 --------- d-----w D:\Documents and Settings\All Users\Application Data\avg7
2007-10-04 00:17 --------- d-----w D:\Program Files\CCleaner
2007-10-03 22:02 --------- d-----w D:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-03 22:01 --------- d-----w D:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-03 17:15 --------- d--h--w D:\Program Files\InstallShield Installation Information
2007-10-03 15:13 --------- d-----w D:\Program Files\Killbox
2007-10-03 01:41 --------- d-----w D:\Program Files\QuickTime
2007-10-03 01:22 --------- d-----w D:\Program Files\Toolbar Cop
2007-10-03 00:59 --------- d-----w D:\Program Files\Bazooka Scanner
2007-09-29 22:33 --------- d-----w D:\Documents and Settings\Alex.TENCHI.000\Application Data\gtk-2.0
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\System32\ctfmon.exe" [2001-08-23 06:00]
"SpybotSD TeaTimer"="D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="D:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2001-08-23 06:00]
"PHIME2002ASync"="D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" []
"PHIME2002A"="D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" []
"LTSMMSG"="LTSMMSG.exe" [2002-07-20 10:22 D:\WINDOWS\LTSMMSG.exe]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"NvCplDaemon"="RUNDLL32.exe" [2001-08-23 06:00 D:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2006-06-01 17:22 D:\WINDOWS\system32\nwiz.exe]
"HPDJ Taskbar Utility"="D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 08:46]
"MSConfig"="D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2001-08-23 06:00]
"NvMediaCenter"="RunDLL32.exe" [2001-08-23 06:00 D:\WINDOWS\system32\rundll32.exe]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2006-04-30 20:09]
"!AVG Anti-Spyware"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggfffe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=D:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^AGEIA PhysX System Tray Icon.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\AGEIA PhysX System Tray Icon.lnk
backup=D:\WINDOWS\pss\AGEIA PhysX System Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
D:\Program Files\QuickTime\bak\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"cmdService"=2 (0x2)
"COM+ Messages"=2 (0x2)

R3 LucentSoftModem;Lucent Technologies Soft Modem;D:\WINDOWS\System32\DRIVERS\LTSM.sys
R3 soma;SOMA Service;D:\WINDOWS\System32\DRIVERS\soma.sys
R3 SONYWBMS;Sony Memory Stick controller(WB);D:\WINDOWS\System32\DRIVERS\SonyWBMS.SYS
R3 WDM_YAMAHAAC97;YAMAHA AC-XG Audio Device;D:\WINDOWS\System32\drivers\yacxgc.sys
S1 lusbaudio;Logitech USB Microphone;D:\WINDOWS\System32\drivers\OVSound2.sys
S3 QCEmerald;Logitech QuickCam Web;D:\WINDOWS\System32\DRIVERS\OVCE.sys
S3 wdm_opl3sax;YAMAHA OPL3-SAx Audio Driver (WDM);D:\WINDOWS\System32\drivers\opl3sax.sys

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-23 11:11:09
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-23 11:12:09
D:\ComboFix-quarantined-files.txt ... 2007-10-05 13:27
D:\ComboFix2.txt ... 2007-11-22 23:39
D:\ComboFix3.txt ... 2007-11-22 20:17
.
--- E O F ---

:thud:........Okay, there ya are. Cya soon, and take care!:greeting:

katana
2007-11-28, 23:36
Admittedly, I don't have much when it comes to antivirus... basically just Teatimer...!!

ARRRRGGGGGHHHHH !!!!!!
(bangs head on desk then jumps up and runs away screaming ) :laugh:

Teatimer, whilst being very good at what it does, is in no way an Anti Virus !

I can see parts of AVG7 there, open it and get it running at startup.

There is evidence of an AWF infection at some point in the past, let's see what else is lurking.

FindAWF

Click here (http://noahdfear.geekstogo.com/FindAWF.exe) to download FindAWF.exe and save it to your desktop.
Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to Press any key to continue.
Press 1 and then Enter, and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.
Copy and paste the contents of the AWF.txt file in your next reply.

tenchi_alex
2007-11-29, 02:35
ARRRRGGGGGHHHHH !!!!!!
(bangs head on desk then jumps up and runs away screaming ) :)

........:halo:

Yeah, TeaTimer is good, but I'm realizing that I do need more protection. I feel I do a good job of making sure stuff I download is legit and used to think that was good enough.....!!! However, there's a bunch of other stuffs going behind the scenes!


I can see parts of AVG7 there, open it and get it running at startup.

I changed some of the AVG7 component settings when I originally got it. All are on except Resident Shield, Shell Extension, and E-mail Scanner. I'm definitely considering turning Shield and Shell, but would I still need E-mail Scanner (since I use Yahoo! mail)?

Ran FindAWF, and it "didn't find anything"... but here's the log anyways :)


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Wed 11/28/2007
The current time is: 18:31:11.28


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

These bak folders are familiar... In my first run in with hggfffe, there were a few bak folders. Found out that stored inside them are legit versions of popular programs on my PC, so I replaced the legit .exes, and deleted the bak folders. That was part of my original "fix".

By the way, why did you have me fix with HJT "R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank"

Tis be all for now... cya again soon! :greeting:

katana
2007-11-29, 03:03
but I'm realizing that I do need more protection.
Just a bit ;)

I feel I do a good job of making sure stuff I download is legit and used to think that was good enough.
I am impressed that your PC works at all !!!!
No AV, no AS and no service packs :thud::buried:
It is a miracle that you can even turn on your PC never mind access a security forum :laugh:


I'm definitely considering turning Shield and Shell, but would I still need E-mail Scanner (since I use Yahoo! mail)?
I would uninstall AVG and then reinstall with the default settings.
I'm not sure about the E-Mail scanner, I will have a mooch around and see what I can find out


These bak folders are familiar... In my first run in with hggfffe, there were a few bak folders. Found out that stored inside them are legit versions of popular programs on my PC, so I replaced the legit .exes, and deleted the bak folders. That was part of my original "fix".
If you know that much, why are you asking for help ????
You should be on this side doing the helping !!!!


By the way, why did you have me fix with HJT "R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank"
Force of habit :p: :oops:

You seem to keep a clean PC, so stick this next one in your bookmarks/favorites and it will help in the future :)

TotalScan

Please go to this site Link >> TotalScan (http://www.nanoscan.com/as/v1/?) << LINK

Under Scan Now click the Full Scan button
Follow the prompts to install the Active X if necessary
Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
When the scan is finished, a report will be generated
Next to Scan Details click the small Save button and save the report to your desktop.
Please post the report in your reply.


All joking aside, you should consider joining up and getting trained to work the forums.
You have obviously got the skills needed, otherwise your PC would be toast by now.

tenchi_alex
2007-11-29, 23:02
'Ello again. :greeting:


I would uninstall AVG and then reinstall with the default settings.

I was thinking about that myself... however, since I didn't fool with each component's settings (just its "on/off" setting), I flipped them all (except Shell and E-mail) to the on position. I did not turn Shell on because:

from the AVG 7.5 help,
"The Shell Extension component activates the AVG functions in the Windows Explorer (and some other file managers). This means that you can test locations and objects within the file browser by clicking the right mouse button and selecting the Scan with AVG option."

So, it's merely a convenience.. ;).



I'm not sure about the E-Mail scanner, I will have a mooch around and see what I can find out

Thank you very much!


If you know that much, why are you asking for help ????
You should be on this side doing the helping !!!!
Originally Posted by tenchi_alex
These bak folders are familiar... In my first run in with hggfffe, there were a few bak folders. Found out that stored inside them are legit versions of popular programs on my PC, so I replaced the legit .exes, and deleted the bak folders. That was part of my original "fix".

:) Well, the main reason is that while the first time I "fixed" hggfffe it never reappeared (in HJT), even after rebooting. However, this time it does!... yeah probably should have said that earlier :halo: Actually, I'm surprised that I didn't!... oh well.
I have not rebooted since I've posted this topic (mainly since I was not asked to do so)


Force of habit :p: :oops:
Originally Posted by tenchi_alex
By the way, why did you have me fix with HJT "R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank"

:laugh: Understood.

Told the Panda to scan my entire PC... here's what he/sh... well whatever gender the Panda is... THE LOG :eek:

;********************************************************************************************************************************
ANALYSIS: 2007-11-29 05:44:56
PROTECTIONS: 0
MALWARE: 15
SUSPECTS: 0
;***************************************************************************************
PROTECTIONS
Description Version Active Updated
;=======================================================================================
;=======================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;=======================================================================================
00027791 Joke/Avoid Jokes No 0 Yes No I:\My_stuff\Viao_safety\Desktop Cleanup\AVOID.EXE
00049294 Joke/Aloap Jokes No 0 Yes No I:\System Volume Information\_restore{01460F4A-B908-41B3-9470-22E00855ED07}\RP193\A0014240.EXE
00096188 spyware/searchcentrix Spyware No 1 Yes No hkey_current_user\software\dynamic toolbar
00139535 Application/Processor HackTools No 0 No No D:\Program Files\try\VirtumundoBeGone.exe[²ƒÇ]
00139535 Application/Processor HackTools No 0 Yes No D:\Program Files\try\SmitfraudFix\Process.exe
00139535 Application/Processor HackTools No 0 No No D:\System Volume Information\_restore{01460F4A-B908-41B3-9470-22E00855ED07}\RP112\A0009429.exe[²ƒÇ]
00139535 Application/Processor HackTools No 0 Yes No D:\System Volume Information\_restore{01460F4A-B908-41B3-9470-22E00855ED07}\RP0\A0000005.exe
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No D:\Documents and Settings\Alex.TENCHI.000\Cookies\alex@tribalfusion[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No D:\Documents and Settings\Alex.TENCHI.000\Cookies\alex@com[1].txt
00168109 Cookie/Adtech TrackingCookie No 0 Yes No D:\Documents and Settings\Alex.TENCHI.000\Cookies\alex@adtech[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No D:\Documents and Settings\Alex.TENCHI.000\Cookies\alex@questionmarket[2].txt
00517584 Application/SuperFast HackTools No 0 Yes No D:\Program Files\try\SmitfraudFix\restart.exe
00519333 Application/Processor HackTools No 0 Yes No D:\System Volume Information\_restore{01460F4A-B908-41B3-9470-22E00855ED07}\RP112\A0009429.exe
00519333 Application/Processor HackTools No 0 Yes No D:\Program Files\try\VirtumundoBeGone.exe
00958667 Spyware/Conducent-Timesink Spyware No 1 Yes No I:\NV4PRO_B.ZIP[nv40inst.exe]
01262593 Application/NirCmd.A HackTools No 0 No No D:\System Volume Information\_restore{01460F4A-B908-41B3-9470-22E00855ED07}\RP1\A0000177.exe[nircmd.exe]
01262593 Application/NirCmd.A HackTools No 0 No No D:\System Volume Information\_restore{01460F4A-B908-41B3-9470-22E00855ED07}\RP1\A0000177.exe[nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 No No D:\Documents and Settings\Alex.TENCHI.000\Desktop\When not much is open\ComboFix.exe[nircmd.exe]
01262593 Application/NirCmd.A HackTools No 0 Yes No D:\System Volume Information\_restore{01460F4A-B908-41B3-9470-22E00855ED07}\RP0\A0000138.exe
01262593 Application/NirCmd.A HackTools No 0 No No D:\Documents and Settings\Alex.TENCHI.000\Desktop\When not much is open\ComboFix.exe[nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 Yes No D:\System Volume Information\_restore{01460F4A-B908-41B3-9470-22E00855ED07}\RP1\A0000180.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No D:\WINDOWS\NirCmd.exe
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No D:\Program Files\try\SmitfraudFix\Reboot.exe
02406021 Trj/Rebooter.J Virus/Trojan No 1 Yes No D:\Program Files\try\SmitfraudFix.exe
02406021 Trj/Rebooter.J Virus/Trojan No 1 Yes No D:\System Volume Information\_restore{01460F4A-B908-41B3-9470-22E00855ED07}\RP112\A0009430.exe
02556597 Generic Malware Virus/Trojan No 0 Yes No D:\Program Files\HJT\backups\backup-20071002-113948-749.dll
;=======================================================================================
SUSPECTS
Location
;=======================================================================================
;=======================================================================================

The only thing that truly bugs me is
"hkey_current_user\software\dynamic toolbar"



All joking aside, you should consider joining up and getting trained to work the forums.
You have obviously got the skills needed, otherwise your PC would be toast by now.

Re-really?! :blink:


By the way, do you know how well TeaTimer and AVG Resident get along?

Well, tis be all for now... cya soon! :greeting:

katana
2007-11-30, 01:30
Create A Registry File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it as "All Files" and name it Regfix.reg Please save it on your desktop.


REGEDIT4

[-HKEY_current_user\software\dynamic toolbar]


Make sure there are NO blank lines before REGEDIT4 and ONE blank line at the end/bottom
Double click on Regfix.reg and click Yes at the prompt

I take it that you know what AVOID.EXE is?

I would delete this file
I:\NV4PRO_B.ZIP
I'm not sure what it is for, but it definitely has adware/spyware in it.


Regarding the E-mail scanner of AVG

Full e-mail protection — AVG checks every e-mail sent or received, providing full protection from e-mail-borne threats. AVG supports all leading e-mail clients, including MS Outlook, The bat!, Eudora, and all other SMTP/POP3-based e-mail clients, such as Outlook Express. Encrypted connections using SSL are also supported.
I understand this to mean that if you download the E-Mail to your machine before you read it, then it is scanned.
If you use an online E-Mail (like Yahoo) then you don't need it.


By the way, do you know how well TeaTimer and AVG Resident get along?
I was going to ask... do you mean AVG Antivirus, or AVG AntiSpyware.
Then I realized....It doesn't matter :laugh:
I have had all three running on two of my PCs with no problem at all.

Do a reboot, and then post a fresh HJT log please
( you can update to SP2 now as well )

tenchi_alex
2007-11-30, 02:05
Hey hey! :greeting:

Created and ran Regfix.reg... did a reboot with no problems.



I take it that you know what AVOID.EXE is?

Yeah, it does sound very suspicious, but yup, AVOID.EXE was a silly little program I downloaded many years ago (on Win 98 I think) that makes it impossible to click the Windows Start button! :rolleyes:


I would delete this file
I:\NV4PRO_B.ZIP
I'm not sure what it is for, but it definitely has adware/spyware in it.

It's a zipped install of the download manager "Net Vampire", but I now use GetRight (and have for many years)... so yeah, "NV4PRO_B.ZIP" is going bye bye! :flame:
Oh, and the adware part was reminders to register it or something like that. :red:

Thanks for the info 'bout the E-mail Scanner. I read the same thing earlier, and my interpretation is the same.



I was going to ask... do you mean AVG Antivirus, or AVG AntiSpyware.
Then I realized....It doesn't matter :laugh:
I have had all three running on two of my PC's with no problem at all.

Okay, thanks! :)


Do a reboot, and then post a fresh HJT log please
( you can update to SP2 now as well )

INCOMING LOG!! :bigthumb: ....Though would you think I should run Panda once more before updating to SP2, since it was the only one that found "hkey_current_user\software\dynamic toolbar"? I would have done it just for fun, but yeah, it does take a while! ;)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:40:47 PM, on 11/29/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\LTSMMSG.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
D:\WINDOWS\System32\RunDLL32.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195939333290
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195939295790
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe

--
End of file - 4650 bytes


We're almost there! :D:
Well, cya later! :wink::

katana
2007-11-30, 02:21
From the Total scan log
Spyware/Conducent-Timesink Spyware ..... I:\NV4PRO_B.ZIP
Conducent-Timesink (http://research.sunbelt-software.com/threatdisplay.aspx?name=Conducent/Timesink&threatid=3867) ...... A bit more than a reminder to register

Congratulations your logs look clean :)
Now get that update done to keep it that way :laugh:

Let's tidy up :)

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Delete FindAWF.exe
You can also delete any logs we have produced, and empty your Recycle bin.

Reset System Restore.
Now you should disable System Restore to purge any infected files and then re-enable it.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer

Turn ON System Restore

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Un-Check Turn off System Restore.
Click Apply, and then click OK.

Firewall

A third-party firewall is much safer than the Windows basic firewall, as it stops malware that does get on your PC from contacting "home".
Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
It is recommended to have only one Firewall active.
Comodo Firewall (http://www.personalfirewall.comodo.com/)
Outpost Firewall (http://www.agnitum.com/products/outpostfree/index.php)
zonealarm Firewall (http://www.zonealarm.com/store/content/catalog/products/sku_list_za.jsp)


AntiSpyware
AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
All the programs in this list have a free version.
It is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy (http://www.safer-networking.org/) <<< A must-have program. It includes host protection and registry protection. A hosts file is a bit like a phone book: it points to the actual numeric address (i.e. the IP address) from the human-friendly name of a website. This feature can be used to block malicious websites.
a-squared Free (http://www.emsisoft.com/en/software/free/) <<< A good "realtime" or "on demand" scanner
AVG Anti-Spyware 7.5 (http://www.ewido.net/en/) <<< A good "realtime" or "on demand" scanner
superantispyware (http://www.superantispyware.com/) <<< A good "realtime" or "on demand" scanner
Ad-Aware 2007 Free (http://www.lavasoftusa.com/products/ad_aware_free.php) <<< A good "realtime" or "on demand" scanner

Prevention
These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one.
Winpatrol (http://www.winpatrol.com) An excellent startup manager and then some!! Notifies you if programs are added to startup. Allows delayed startup. A must-have addition.
SpywareBlaster 3.5.1 (http://www.javacoolsoftware.com/spywareblaster.html) SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
SpywareGuard 2.2 (http://www.javacoolsoftware.com/spywareguard.html) SpywareGuard provides real-time protection against spyware. Not required if you have other "realtime" antispyware or Winpatrol.
ZonedOut (http://www.funkytoad.com/content/view/15/33/) Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.zip) This little program packs a powerful punch as it blocks ads, banners, 3rd-party cookies, 3rd-party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial (http://www.mvps.org/winhelp2002/hosts.htm) by WinHelp2002. Not required if you are using other hosts file protections.

Internet Browsers
Microsoft has worked hard to make IE7 a more secure browser; unfortunately, whilst it is still the leading browser of choice, it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

If you are still using IE6 then either update, or get one of the following.
FireFox (http://www.mozilla.com/en-US/firefox/) With many addons available that make customization easy, this is a very popular choice. The NoScript and AdBlockPlus addons are essential.
Opera (http://www.opera.com/) Another popular alternative
Netscape (http://browser.netscape.com/addons) Another popular alternative. Also has addons available.

Cleaning Temporary Internet Files and Tracking Cookies
Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.

Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

Both of these can be cleaned manually, but a quicker option is to use a program:
ATF Cleaner (http://www.atribune.org/content/view/19/2/) Free and very simple to use
CCleaner (http://www.ccleaner.com/) Free and very flexible; you can choose which cookies to keep


Also PLEASE read this article.......So How Did I Get Infected In The First Place (http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=4959)

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


Happy surfing K'
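The hosts-file "phone book" point in the post above, as an added example that is not part of katana's post or of any tool it names: the script parses a hosts file, separates blocklist-style entries (names pointed at 0.0.0.0 or 127.0.0.1, which is how MVPS HOSTS blocks ad and hijacker domains) from entries that map a name to some other address, and flags a small watch list of update and scanner sites, because a hosts entry for one of those is the classic hijack that stops Windows Update or an online scanner from being reached. The hosts contents, the watch list, and the 192.0.2.x and 10.x addresses are all constructed for the example.

```python
"""Classify hosts-file entries: blocklist sinkholes vs. redirects vs. hijacks.

Added example, not from the forum thread. SAMPLE_HOSTS and WATCH are
constructed for illustration; the watch names are sites that appear in the
thread's HijackThis log as online-scanner / update hosts.
"""
import ipaddress

# Addresses a blocklist such as MVPS HOSTS points names at: traffic goes nowhere.
SINKHOLE = {"0.0.0.0", "127.0.0.1", "::1"}

# Assumed watch list: names a user must be able to reach to update or scan.
# Any hosts entry for one of these, sinkhole or otherwise, is a hijack pattern.
WATCH = {"update.microsoft.com", "www.kaspersky.com", "www.nanoscan.com"}

# Constructed sample, not a real machine's hosts file.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
0.0.0.0 ad.doubleclick.net
0.0.0.0 www.tribalfusion.com      # blocklist style entry
127.0.0.1 update.microsoft.com    # blocks Windows Update: hijack pattern
192.0.2.10 www.kaspersky.com      # sends a scanner site to a foreign host
10.0.0.5 intranet.example         # ordinary local mapping
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blank and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue   # not an address in column one: skip rather than guess
        for name in names:
            yield ip, name.lower()


def classify_hosts(text):
    """Return {"blocked": [name], "hijacked": [(ip, name)], "redirected": [(ip, name)]}."""
    result = {"blocked": [], "hijacked": [], "redirected": []}
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue                       # the one mapping every hosts file has
        if name in WATCH:
            result["hijacked"].append((ip, name))
        elif ip in SINKHOLE:
            result["blocked"].append(name)
        else:
            result["redirected"].append((ip, name))
    return result


if __name__ == "__main__":
    for kind, entries in classify_hosts(SAMPLE_HOSTS).items():
        print(kind, entries)
```

On XP the real input is %SystemRoot%\system32\drivers\etc\hosts; read that file's text and pass it to classify_hosts. Anything in "hijacked" deserves the same attention as an O1 line in a HijackThis log, while a long "blocked" list is what a correctly installed MVPS HOSTS file looks like.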

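Two things in this thread are done by hand: the Regfix.reg that deletes hkey_current_user\software\dynamic toolbar (with katana's rule that REGEDIT4 is the first line and exactly one blank line closes the file), and the six Internet-zone settings changed through the IE Custom Level dialog. As an added example, not from the thread or from any tool named in it, the script below audits an exported copy of the Internet zone key against those six settings and writes the corresponding REGEDIT4 fix, including the key deletion. It assumes Microsoft's documented layout of the zone 3 key (value names 1001, 1004, 1201, 1800, 1804 and 1607 for the six settings, with 0 = Enable, 1 = Prompt, 3 = Disable); the export text is constructed.

```python
"""Audit an exported IE Internet-zone key and build a REGEDIT4 fix file.

Added example, not from the forum thread. Assumptions: the URLACTION value
names and the 0/1/3 encoding follow Microsoft's documented zone-settings
layout; SAMPLE_EXPORT is constructed, not a real machine's export.
"""
import re

ZONE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# The six settings from the post and the value each should hold
# (0 = Enable, 1 = Prompt, 3 = Disable).
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialise and script ActiveX controls not marked as safe", 3),
    "1800": ("Installation of desktop items", 1),
    "1804": ("Launching programs and files in an IFRAME", 1),
    "1607": ("Navigate sub-frames across different domains", 1),
}
STRICTNESS = {0: 0, 1: 1, 3: 2}   # Enable < Prompt < Disable

# Constructed export: two settings already hardened, four left at Enable.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000003
"1800"=dword:00000000
"1804"=dword:00000000
"1607"=dword:00000000
"""

_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_export(text):
    """Return {key_path: {value_name: int}} for the dword values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _DWORD_RE.match(line)
            if m:
                keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def audit_zone(export_text):
    """List (action, description, current, recommended) for settings weaker than recommended."""
    values = parse_export(export_text).get(ZONE_KEY, {})
    findings = []
    for action, (desc, want) in RECOMMENDED.items():
        have = values.get(action, 0)   # a missing value behaves like the Enable default
        if STRICTNESS.get(have, 0) < STRICTNESS[want]:
            findings.append((action, desc, have, want))
    return findings


def build_regfix(findings, keys_to_delete=()):
    """REGEDIT4 text: header on line 1, value fixes, [-key] deletions, one blank line at the end."""
    lines = ["REGEDIT4", ""]
    if findings:
        lines.append("[%s]" % ZONE_KEY)
        for action, _desc, _have, want in findings:
            lines.append('"%s"=dword:%08x' % (action, want))
        lines.append("")
    for key in keys_to_delete:
        lines.append("[-%s]" % key)    # leading '-' tells regedit to delete the whole key
        lines.append("")
    return "\r\n".join(lines) + "\r\n"


def check_regfix_layout(text):
    """The post's two rules: nothing before REGEDIT4, exactly one blank line at the end."""
    lines = text.split("\r\n")
    return lines[0] == "REGEDIT4" and lines[-2:] == ["", ""]


if __name__ == "__main__":
    findings = audit_zone(SAMPLE_EXPORT)
    for action, desc, have, want in findings:
        print("%s %-60s is %d, should be %d" % (action, desc, have, want))
    fix = build_regfix(findings, [r"hkey_current_user\software\dynamic toolbar"])
    assert check_regfix_layout(fix)
    print(fix)
```

To run it against a real machine, export the key first with regedit /e zone3.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3", feed that file's text to audit_zone, and write the result of build_regfix to Regfix.reg exactly as the post describes; double-clicking it merges the values and deletes the dynamic toolbar key in one step. The audit treats a missing value as Enable, which is the safe reading, since an absent value falls back to the zone default rather than to Disable.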
tenchi_alex
2007-12-01, 07:15
Hiyas again very sharp piece of steel with an elegant hand grip... :rolleyes:


From the Total scan log
Spyware/Conducent-Timesink Spyware ..... I:\NV4PRO_B.ZIP
Conducent-Timesink ...... A bit more than a reminder to register

Hmm... well, glad I'm not using it anymore! :)


Congratulations your logs look clean :)
YAY! :2thumb: Speaking of logs, a few moments ago I ran Panda again, and didn't find "dynamic toolbar" :D:


Now get that update done to keep it that way :laugh:

Yep yep! :)


Well, I think that about does it. Thank you so much for the assistance! :bigthumb: Please do take good care! :greeting:

Oh, and thanks to tashi for getting me started. :)