Help please....could you analyze my HJT log?
Please help!
2008-07-26, 07:14
Could you please analyze this log.... my Windows security won't stay on, several processes won't run. I need help!!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:45 PM, on 25/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Documents and Settings\User\winlogon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\User\winlogon.exe
O4 - HKLM\..\Run: [18d79509] rundll32.exe "C:\WINDOWS\system32\sepwtpdv.dll",b
O4 - HKLM\..\Run: [BM1be4a695] Rundll32.exe "C:\WINDOWS\system32\dvjujwjq.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [90788817361490122469243907414587] C:\Program Files\Antivirus 2009\av2009.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Madeline\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20China/Images/stg_drm.ocx
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.photolab.ca/Upload/ImageUploader4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mahjong%20Quest/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab57176.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex/v2_0_0_11/PCAXSetupv2.0.0.11.cab?
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{910C2291-BA58-4F68-B8EF-D9848F00DE1A}: NameServer = 207.164.234.193 207.164.234.129
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 8708 bytes
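As an added example, not part of the original thread, here is the kind of triage a helper does by eye on the O4 (autorun) section of a log like the one above, written as a small Python script. It parses the O4 lines and flags the patterns that stand out in this log: a winlogon.exe copy living outside System32, a machine-wide Run entry pointing into a user profile, rundll32 loading a DLL with a throwaway name, and value names that are hex or digit blobs. The heuristics, the SYSTEM_BINARIES list and the random-name test are this example's own assumptions (not HijackThis behaviour), and the sample lines are copied from the log posted in this thread.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One registry-backed "O4" autorun entry from a HijackThis log, e.g.
#   O4 - HKLM\..\Run: [Name] "C:\path\prog.exe" -arg
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)
# rundll32 used as a loader: the interesting part is the DLL it is told to load.
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)

# Core Windows binaries that only ever live in System32 (assumption of this
# example; extend as needed). explorer.exe is left out because it lives in C:\WINDOWS.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe"}
SYSTEM32_DIR = "c:\\windows\\system32\\"


@dataclass
class O4Entry:
    hive: str   # HKLM, HKCU, HKUS\S-1-5-19, ...
    key: str    # Run or RunOnce
    name: str   # value name shown in [brackets]
    cmd: str    # command line as logged


def parse_o4(line: str) -> Optional[O4Entry]:
    """Parse a registry-backed O4 line; 'Global Startup' .lnk lines return None."""
    m = O4_RE.match(line.strip())
    return O4Entry(**m.groupdict()) if m else None


def image_path(cmd: str) -> str:
    """Return the executable part of a logged command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path: take what is inside the quotes
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.*?\.exe)(?:\s|$)', cmd, re.IGNORECASE)  # unquoted: up to the first .exe
    return m.group(1) if m else (cmd.split()[0] if cmd else "")


def looks_random(token: str) -> bool:
    """Heuristic for machine-generated names: hex/digit blobs of 8+ characters,
    or eight-letter stems with hardly any vowels. A hint, not proof."""
    if re.fullmatch(r'[0-9a-f]{8,}', token, re.IGNORECASE) and any(c.isdigit() for c in token):
        return True
    if re.fullmatch(r'[a-z]{8}', token):
        return sum(c in "aeiou" for c in token) <= 2
    return False


def flag_entry(e: O4Entry) -> List[str]:
    """Return human-readable reasons this autorun entry deserves a closer look."""
    reasons: List[str] = []
    path = image_path(e.cmd)
    low = path.lower()
    base = ntpath.basename(low)

    # A core system binary name running from anywhere but System32 is a classic
    # disguise (the winlogon.exe under Documents and Settings in this thread).
    if base in SYSTEM_BINARIES and not low.startswith(SYSTEM32_DIR):
        reasons.append(f"system binary name {base} outside System32: {ntpath.dirname(path)}")

    # A machine-wide (HKLM) autorun that points into one user's profile.
    if e.hive.upper().startswith("HKLM") and "\\documents and settings\\" in low:
        reasons.append("HKLM Run entry points into a user profile")

    # rundll32 used as a loader for a DLL with a throwaway name.
    m = RUNDLL_RE.match(e.cmd.strip())
    if m:
        stem = ntpath.splitext(ntpath.basename(m.group("dll")))[0]
        if looks_random(stem):
            reasons.append(f"rundll32 loads random-looking DLL {stem}.dll")

    # The value name itself is a hex/digit blob rather than a product name.
    if looks_random(e.name):
        reasons.append(f"value name {e.name!r} looks machine-generated")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Run every O4 line of a HijackThis log through flag_entry()."""
    flagged: List[Tuple[str, List[str]]] = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is not None:
            reasons = flag_entry(entry)
            if reasons:
                flagged.append((entry.name, reasons))
    return flagged


# Sample input: O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\User\winlogon.exe
O4 - HKLM\..\Run: [18d79509] rundll32.exe "C:\WINDOWS\system32\sepwtpdv.dll",b
O4 - HKLM\..\Run: [BM1be4a695] Rundll32.exe "C:\WINDOWS\system32\dvjujwjq.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [90788817361490122469243907414587] C:\Program Files\Antivirus 2009\av2009.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
"""

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG):
        print(f"[{name}]")
        for r in reasons:
            print(f"    - {r}")
```

Run against the sample, the script flags exactly the four entries the helper later has ComboFix remove (the fake winlogon.exe, the two rundll32 loaders and the "Antivirus 2009" entry) and leaves the Java, AVG and ctfmon entries alone. A "no flags" result is not a clean bill of health: the rules only cover the disguises visible in this log, which is why the helper still asks for a full ComboFix and MBAM run.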
pskelley
2008-07-27, 16:27
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
I suggest you keep this computer offline except when troubleshooting; the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do. This can be a tough infection to remove so do not expect fast or easy.
You have a mess here and I am not quite sure where to start, let's start like this.
1) We need first to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
2) Remove any old copies of combofix before you proceed.
Thanks to sUBs and anyone else who helped with this fix.
It is important that it is saved directly to your Desktop.
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
3) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Post the combofix log, the log from MBAM and a new HJT log.
Thanks
Please help!
2008-07-27, 22:56
Thank you SO much for your help. I have followed your instructions. Here is the next set of logs.
ComboFix 08-07-26.1 - User 2008-07-27 12:25:45.1 - NTFSx86
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Madeline\Application Data\macromedia\Flash Player\#SharedObjects\T6W8H6CB\interclick.com
C:\Documents and Settings\Madeline\Application Data\macromedia\Flash Player\#SharedObjects\T6W8H6CB\interclick.com\ud.sol
C:\Documents and Settings\Madeline\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Madeline\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\User\Application Data\macromedia\Flash Player\#SharedObjects\UJAHLGFR\interclick.com
C:\Documents and Settings\User\Application Data\macromedia\Flash Player\#SharedObjects\UJAHLGFR\interclick.com\ud.sol
C:\Documents and Settings\User\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\User\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Wendy\Application Data\macromedia\Flash Player\#SharedObjects\PEREP3HU\interclick.com
C:\Documents and Settings\Wendy\Application Data\macromedia\Flash Player\#SharedObjects\PEREP3HU\interclick.com\ud.sol
C:\Documents and Settings\Wendy\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Wendy\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\BM1be4a695.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aGiSBcdd.ini
C:\WINDOWS\system32\aGiSBcdd.ini2
C:\WINDOWS\system32\batved.dll
C:\WINDOWS\system32\benfuona.dll
C:\WINDOWS\system32\bfbswvfk.dll
C:\WINDOWS\system32\bpollv.dll
C:\WINDOWS\system32\bwwqqrgb.ini
C:\WINDOWS\system32\cwsffudg.dll
C:\WINDOWS\system32\ddcAqOii.dll
C:\WINDOWS\system32\ddcCRJyx.dll
C:\WINDOWS\system32\dedcrvtk.ini
C:\WINDOWS\system32\dvjujwjq.dll
C:\WINDOWS\system32\eqpxchbq.dll
C:\WINDOWS\system32\fccdefeb.dll
C:\WINDOWS\system32\gocflpfj.ini
C:\WINDOWS\system32\gwmudw.dll
C:\WINDOWS\system32\gyblgt.dll
C:\WINDOWS\system32\hgjfhrdf.dll
C:\WINDOWS\system32\hxfvbz.dll
C:\WINDOWS\system32\jeagqudm.dll
C:\WINDOWS\system32\jelyqvgk.ini
C:\WINDOWS\system32\jjifjqtj.dll
C:\WINDOWS\system32\jkkJyXPj.dll
C:\WINDOWS\system32\jtlyiy.dll
C:\WINDOWS\system32\lcmsnsru.dll
C:\WINDOWS\system32\lmataayr.dll
C:\WINDOWS\system32\ltmpes.dll
C:\WINDOWS\system32\mclaathl.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mdocngtu.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nppqcx.dll
C:\WINDOWS\system32\oayctiyt.dll
C:\WINDOWS\system32\ofhtqeei.ini
C:\WINDOWS\system32\opnnomLf.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pluekjlx.dll
C:\WINDOWS\system32\qicyviqq.dll
C:\WINDOWS\system32\rqRKDwtR.dll
C:\WINDOWS\system32\RtwDKRqr.ini
C:\WINDOWS\system32\RtwDKRqr.ini2
C:\WINDOWS\system32\rxzypp.dll
C:\WINDOWS\system32\SDKkRXyb.ini
C:\WINDOWS\system32\SDKkRXyb.ini2
C:\WINDOWS\system32\syeuppag.dll
C:\WINDOWS\system32\tcvgfiyy.dll
C:\WINDOWS\system32\tdrfvgcl.dll
C:\WINDOWS\system32\tgiexebc.dll
C:\WINDOWS\system32\tnawrz.dll
C:\WINDOWS\system32\ukrlnndj.dll
C:\WINDOWS\system32\urmjnvei.dll
C:\WINDOWS\system32\utgncodm.dll
C:\WINDOWS\system32\vdptwpes.ini
C:\WINDOWS\system32\vqmfttaq.ini
C:\WINDOWS\system32\wkkyqwvy.dll
C:\WINDOWS\system32\zpdynb.dll
.
((((((((((((((((((((((((( Files Created from 2008-06-27 to 2008-07-27 )))))))))))))))))))))))))))))))
.
2008-07-26 11:13 . 2008-07-26 11:13 44,544 --a------ C:\WINDOWS\17PHolmes1188.exe
2008-07-25 23:49 . 2008-07-25 23:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-25 20:56 . 2008-07-25 20:56 91 --a------ C:\WINDOWS\wininit.ini
2008-07-25 01:09 . 2008-07-25 01:09 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-25 01:09 . 2008-07-25 02:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-24 09:02 . 2008-07-24 09:02 <DIR> d-------- C:\Temp\epr1
2008-07-24 09:02 . 2008-07-24 11:28 <DIR> d-------- C:\Temp
2008-07-24 09:02 . 2008-07-23 15:54 44,544 -ra------ C:\WINDOWS\mrofinu1188.exe.tmp
2008-07-23 14:24 . 2008-07-27 12:21 111,612 --a------ C:\WINDOWS\BM1be4a695.xml
2008-07-23 01:33 . 2008-07-23 01:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\JollyBear
2008-07-23 00:13 . 2008-07-23 10:35 43,693 --ahs---- C:\WINDOWS\system32\cfalubek.ini
2008-07-23 00:05 . 2008-07-26 11:14 <DIR> d-------- C:\WINDOWS\system32\kBin02
2008-07-22 00:48 . 2008-07-22 00:48 <DIR> d-------- C:\Documents and Settings\User\Application Data\SpinTop
2008-07-21 23:35 . 2008-07-22 12:22 <DIR> d-------- C:\WINDOWS\system32\carH18
2008-07-21 21:24 . 2008-07-21 21:24 <DIR> d-------- C:\Documents and Settings\User\Application Data\.wyzo
2008-07-20 18:12 . 2008-07-20 18:12 <DIR> d-------- C:\Documents and Settings\Madeline\Application Data\PlayFirst
2008-07-19 15:53 . 2008-07-19 15:53 <DIR> d-------- C:\Documents and Settings\User\Application Data\PlayFirst
2008-07-19 14:28 . 2008-07-19 14:28 <DIR> d-------- C:\Documents and Settings\User\Application Data\iWin
2008-07-19 02:20 . 2008-07-23 01:32 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-19 02:11 . 2008-07-19 02:11 <DIR> d-------- C:\Program Files\Common Files\Oberon Media
2008-07-19 02:10 . 2008-07-23 21:34 <DIR> d-------- C:\Program Files\IncrediGames
2008-07-18 18:49 . 2008-07-18 18:49 <DIR> d-------- C:\Documents and Settings\Madeline\Application Data\AdobeUM
2008-07-04 02:36 . 2008-07-26 11:14 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-03 11:05 . 2008-07-26 21:52 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-03 11:05 . 2008-07-05 09:36 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-03 11:05 . 2008-07-05 09:36 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-03 11:05 . 2008-07-05 09:36 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-03 11:04 . 2008-07-03 11:04 <DIR> d-------- C:\Program Files\AVG
2008-07-03 11:04 . 2008-07-03 11:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-29 15:43 . 2008-06-29 15:43 268 --ah----- C:\sqmdata19.sqm
2008-06-29 15:43 . 2008-06-29 15:43 244 --ah----- C:\sqmnoopt19.sqm
2008-06-27 18:38 . 2008-06-27 18:38 53,248 ---hs---- C:\Documents and Settings\Wendy\winlogon.exe
2008-06-27 18:38 . 2008-06-27 18:38 53,248 ---hs---- C:\Documents and Settings\User\winlogon.exe
2008-06-27 18:38 . 2008-06-27 18:38 53,248 ---hs---- C:\Documents and Settings\Madeline\winlogon.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-26 17:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-10 17:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-09 14:22 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-09 14:19 --------- d-----w C:\Documents and Settings\User\Application Data\AdobeUM
2008-07-01 05:16 --------- d-----w C:\Program Files\FirstClass
2008-07-01 05:13 --------- d-----w C:\Program Files\Bonjour
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-16 19:50 --------- d-----w C:\Program Files\FrostWire
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-07 23:44 --------- d-----w C:\Documents and Settings\Wendy\Application Data\Ulead Systems
2008-06-07 23:39 --------- d-----w C:\Documents and Settings\Wendy\Application Data\Sony Corporation
2008-06-01 00:28 --------- d-----w C:\Program Files\Electronic Arts
2008-05-29 14:50 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-28 20:59 --------- d-----w C:\Program Files\iTunes
2008-05-28 20:59 --------- d-----w C:\Program Files\iPod
2008-05-28 20:57 --------- d-----w C:\Program Files\QuickTime
2008-05-28 20:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2001-09-17 08:45 127 ----a-w C:\Documents and Settings\User\setup.bat
2001-09-17 08:44 1,007,761 ----a-w C:\Documents and Settings\User\unpack.exe
2001-08-20 13:47 4,657,152 ----a-w C:\Documents and Settings\User\CardGames.exe
2001-07-13 13:55 27,648 ----a-w C:\Documents and Settings\User\startw.exe
2001-07-03 18:02 782,336 ----a-w C:\Documents and Settings\User\Hoyle_Card_Games.exe
2001-05-09 13:49 176,128 ----a-w C:\Documents and Settings\User\INSTAIDE.DLL
2000-03-18 06:29 49,152 ----a-w C:\Documents and Settings\User\INJECT.EXE
1997-12-24 14:45 105,472 ----a-w C:\Documents and Settings\User\SOS9503.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2007-08-21 11:44 208946]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-02 20:56 40960]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 11:40 49152]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-11 04:08 172032]
"Ulead AutoDetector"="C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" [2003-02-27 19:48 45056]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-05 09:36 1232152]
"Windows Logon Applicationedc"="C:\Documents and Settings\User\winlogon.exe" [2008-06-27 18:38 53248]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 08:00 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-05-13 08:13:37 124400]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08 16423]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP54"= SP5X_32.DLL
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Electronic Arts\\Need For Speed III\\nfs3.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-05 09:36]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-05 09:36]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-05 09:36]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-05 09:36]
R3 SNPP106;PC Camera (6029 CIF);C:\WINDOWS\system32\DRIVERS\snpp106.sys [2003-04-09 12:44]
S3 9516d19c-ad8c-43ea-a7ca-fdb036518e81;9516d19c-ad8c-43ea-a7ca-fdb036518e81;D:\Player\cds300.dll []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{99dc3585-54b1-11dc-a08c-000347bf25b9}]
\Shell\Auto\command - setup.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe
.
- - - - ORPHANS REMOVED - - - -
BHO-{194F6747-8102-4F6D-90C5-B86C59FF9B45} - C:\WINDOWS\system32\ddcBSiGa.dll
BHO-{4A37BB9D-C558-450E-B81A-E3CD600C54B6} - C:\WINDOWS\system32\byXRkKDS.dll
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
HKLM-Run-18d79509 - C:\WINDOWS\system32\sepwtpdv.dll
HKLM-Run-BM1be4a695 - C:\WINDOWS\system32\mclaathl.dll
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://sympatico.msn.ca/
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
O8 -: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 -: {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Madeline\Start Menu\Programs\IMVU\Run IMVU.lnk
O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20China/Images/stg_drm.ocx
C:\WINDOWS\Downloaded Program Files\stg_drm.ocx
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\stg_drm.ocx
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\stg_drm.ocx
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\stg_drm.ocx
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\stg_drm.ocx
O16 -: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Mahjong%20Quest/Images/armhelper.ocx
C:\WINDOWS\Downloaded Program Files\armhelper.ocx
O16 -: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
C:\WINDOWS\Downloaded Program Files\GoPetsWeb.inf
C:\WINDOWS\Downloaded Program Files\GoPetsWeb.ocx
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-27 13:14:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\INCRED~1\bin\ImApp.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-07-27 13:28:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-27 17:28:24
Pre-Run: 59,407,208,448 bytes free
Post-Run: 60,436,975,616 bytes free
257 --- E O F --- 2008-07-10 04:15:17
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:32:45 PM, on 27/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\User\winlogon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Madeline\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20China/Images/stg_drm.ocx
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.photolab.ca/Upload/ImageUploader4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mahjong%20Quest/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab57176.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex/v2_0_0_11/PCAXSetupv2.0.0.11.cab?
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 8353 bytes
Malwarebytes' Anti-Malware 1.23
Database version: 999
Windows 5.1.2600 Service Pack 2
3:52:35 PM 27/07/2008
mbam-log-7-27-2008 (15-52-35).txt
Scan type: Full Scan (C:\|)
Objects scanned: 220083
Time elapsed: 2 hour(s), 12 minute(s), 14 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 39
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\pornpro.pornpro_bho (Adware.PlayaZ) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\pornpro.pornpro_bho.1 (Adware.PlayaZ) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows logon applicationedc (Backdoor.Bot) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\WINDOWS\system32\kBin02 (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\ddcAqOii.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ddcCRJyx.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\fccdefeb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\jkkJyXPj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\opnnomLf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\rqRKDwtR.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\utgncodm.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{621E0529-2179-4AF2-9236-5DACDCFF58BB}\RP357\A0041618.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{621E0529-2179-4AF2-9236-5DACDCFF58BB}\RP357\A0040703.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{621E0529-2179-4AF2-9236-5DACDCFF58BB}\RP357\A0040712.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{621E0529-2179-4AF2-9236-5DACDCFF58BB}\RP357\A0041613.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{621E0529-2179-4AF2-9236-5DACDCFF58BB}\RP357\A0041614.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{621E0529-2179-4AF2-9236-5DACDCFF58BB}\RP357\A0041615.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{621E0529-2179-4AF2-9236-5DACDCFF58BB}\RP357\A0041616.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{621E0529-2179-4AF2-9236-5DACDCFF58BB}\RP357\A0041617.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{621E0529-2179-4AF2-9236-5DACDCFF58BB}\RP357\A0041619.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{621E0529-2179-4AF2-9236-5DACDCFF58BB}\RP357\A0041620.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{621E0529-2179-4AF2-9236-5DACDCFF58BB}\RP358\A0042624.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{621E0529-2179-4AF2-9236-5DACDCFF58BB}\RP358\A0042625.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{621E0529-2179-4AF2-9236-5DACDCFF58BB}\RP358\A0042626.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{621E0529-2179-4AF2-9236-5DACDCFF58BB}\RP358\A0042627.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{621E0529-2179-4AF2-9236-5DACDCFF58BB}\RP358\A0042628.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{621E0529-2179-4AF2-9236-5DACDCFF58BB}\RP358\A0043642.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{621E0529-2179-4AF2-9236-5DACDCFF58BB}\RP358\A0044626.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{621E0529-2179-4AF2-9236-5DACDCFF58BB}\RP358\A0044643.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{621E0529-2179-4AF2-9236-5DACDCFF58BB}\RP361\A0045835.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{621E0529-2179-4AF2-9236-5DACDCFF58BB}\RP361\A0045836.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{621E0529-2179-4AF2-9236-5DACDCFF58BB}\RP361\A0045839.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{621E0529-2179-4AF2-9236-5DACDCFF58BB}\RP361\A0045846.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{621E0529-2179-4AF2-9236-5DACDCFF58BB}\RP361\A0045854.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{621E0529-2179-4AF2-9236-5DACDCFF58BB}\RP361\A0045857.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{621E0529-2179-4AF2-9236-5DACDCFF58BB}\RP361\A0045866.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\17PHolmes1188.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\mrofinu1188.exe.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\winlogon.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\BM1be4a695.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wendy\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Madeline\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
Thank you again, and please help me with next steps.
pskelley
2008-07-27, 23:32
Thanks for returning your information. So you are aware, the HJT log is the picture that tells us how the other tools did, and it must always be run last:
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:32:45 PM, on 27/07/2008
Malwarebytes' Anti-Malware 1.23 3:52:35 PM 27/07/2008
In this case I am aware they are out of order.
This computer was badly infected. Do you know where the infection came from?
1) C:\Program Files\Java\jre1.6.0_05\ <<< Update your Java program, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
3) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
(careful with these next instructions)
4) Open notepad and copy/paste the text in the codebox below into it:
File::
C:\WINDOWS\17PHolmes1188.exe
C:\WINDOWS\mrofinu1188.exe.tmp
C:\WINDOWS\BM1be4a695.xml
C:\WINDOWS\system32\cfalubek.ini
C:\Documents and Settings\Wendy\winlogon.exe
C:\Documents and Settings\User\winlogon.exe
C:\Documents and Settings\Madeline\winlogon.exe
Save this as CFScript
http://i24.photobucket.com/albums/c30/ken545/CFScript.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (Wait until you finish to post the logs.)
5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\User\winlogon.exe
Close all programs but HJT and all browser windows, then click on "Fix Checked"
6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart and post the ComboFix log from CFScript, a new HJT log and some feedback. How is the computer running now?
Thanks
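The O4 line Phil singles out above is the classic pattern in this log: a Run-key entry whose program is named like a Windows component (winlogon.exe) but lives in a user profile instead of C:\WINDOWS\system32. The Python below is an added example, not code from this thread or from HijackThis; it parses O4 lines in the format HJT v2.0.2 prints, pulls out the executable each entry launches, and flags that pattern over a handful of lines copied from the log above. The allow-list of system binary names and their home directories is the example's own assumption and is deliberately short.

```python
"""Triage of HijackThis O4 (autostart) lines.

Added example, not part of the forum thread or of HijackThis. It flags an
autostart executable that borrows the name of a Windows system binary while
living outside the directory that binary ships in, plus any autostart program
sitting inside a user profile.
"""
import re
from pathlib import PureWindowsPath

# Assumption of this example: on Windows XP these binaries run only from the
# listed directories. A copy anywhere else is a masquerade worth pulling.
SYSTEM_BINARY_HOMES = {
    "winlogon.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32"},
    "ctfmon.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# "O4 - HKLM\..\Run: [Name] command (User 'X')" and "O4 - Global Startup: x.lnk = path"
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+?)(?: \(User '(?P<user>[^']*)'\))?$"
)
O4_LNK_RE = re.compile(r"^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.+?\.lnk) = (?P<cmd>.+)$")
EXT_RE = re.compile(r"(.+?\.(?:exe|dll|cpl|scr|bat|cmd))(?=\s|$)", re.IGNORECASE)


def executable_of(cmd):
    """Return the program path from a Run-key command, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXT_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def parse_o4(line):
    """Parse one O4 line into a dict, or return None for lines of another type."""
    m = O4_RUN_RE.match(line.strip()) or O4_LNK_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"hive": d["hive"], "name": d["name"], "exe": executable_of(d["cmd"]), "user": d.get("user")}


def classify(entry):
    """'masquerade': system-binary name outside its home directory.
    'user-profile': autostart program living under a user profile.
    'ok': neither."""
    p = PureWindowsPath(entry["exe"])
    name = p.name.lower()
    parent = str(p.parent).lower()
    if name in SYSTEM_BINARY_HOMES and parent not in SYSTEM_BINARY_HOMES[name]:
        return "masquerade"
    if parent.startswith(r"c:\documents and settings"):
        return "user-profile"
    return "ok"


def triage(lines):
    """Return (name, exe, verdict) for every O4 entry that is not 'ok'."""
    findings = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict != "ok":
            findings.append((entry["name"], entry["exe"], verdict))
    return findings


# O4 lines copied from the HijackThis log posted above.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\User\winlogon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
""".strip().splitlines()

if __name__ == "__main__":
    for name, exe, verdict in triage(SAMPLE_O4_LINES):
        print(f"{verdict:12} [{name}] {exe}")
```

Run as-is, the only finding is the [Windows Logon Applicationedc] entry. The same name check applies to the "Running processes" list at the top of an HJT log, where this machine showed a second winlogon.exe under Documents and Settings next to the real one in system32.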
Please help!
2008-07-28, 04:05
I wasn't able to do the HJT because the O4 entry you listed wasn't there, so there was no action to take.
I have the Combo log:
ComboFix 08-07-26.1 - User 2008-07-27 20:05:13.2 - NTFSx86
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\Documents and Settings\Madeline\winlogon.exe
C:\Documents and Settings\User\winlogon.exe
C:\Documents and Settings\Wendy\winlogon.exe
C:\WINDOWS\17PHolmes1188.exe
C:\WINDOWS\BM1be4a695.xml
C:\WINDOWS\mrofinu1188.exe.tmp
C:\WINDOWS\system32\cfalubek.ini
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\cfalubek.ini
.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-28 )))))))))))))))))))))))))))))))
.
2008-07-27 19:56 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-27 19:54 . 2008-07-27 19:54 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-27 13:37 . 2008-07-27 13:37 <DIR> d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-07-27 13:36 . 2008-07-27 13:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-27 13:36 . 2008-07-27 13:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-27 13:36 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-27 13:36 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-25 23:49 . 2008-07-25 23:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-25 20:56 . 2008-07-25 20:56 91 --a------ C:\WINDOWS\wininit.ini
2008-07-25 01:09 . 2008-07-25 01:09 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-25 01:09 . 2008-07-25 02:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-24 09:02 . 2008-07-24 09:02 <DIR> d-------- C:\Temp\epr1
2008-07-24 09:02 . 2008-07-24 11:28 <DIR> d-------- C:\Temp
2008-07-23 01:33 . 2008-07-23 01:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\JollyBear
2008-07-22 00:48 . 2008-07-22 00:48 <DIR> d-------- C:\Documents and Settings\User\Application Data\SpinTop
2008-07-21 23:35 . 2008-07-22 12:22 <DIR> d-------- C:\WINDOWS\system32\carH18
2008-07-21 21:24 . 2008-07-21 21:24 <DIR> d-------- C:\Documents and Settings\User\Application Data\.wyzo
2008-07-20 18:12 . 2008-07-20 18:12 <DIR> d-------- C:\Documents and Settings\Madeline\Application Data\PlayFirst
2008-07-19 15:53 . 2008-07-19 15:53 <DIR> d-------- C:\Documents and Settings\User\Application Data\PlayFirst
2008-07-19 14:28 . 2008-07-19 14:28 <DIR> d-------- C:\Documents and Settings\User\Application Data\iWin
2008-07-19 02:20 . 2008-07-23 01:32 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-19 02:11 . 2008-07-19 02:11 <DIR> d-------- C:\Program Files\Common Files\Oberon Media
2008-07-19 02:10 . 2008-07-23 21:34 <DIR> d-------- C:\Program Files\IncrediGames
2008-07-18 18:49 . 2008-07-18 18:49 <DIR> d-------- C:\Documents and Settings\Madeline\Application Data\AdobeUM
2008-07-04 02:36 . 2008-07-26 11:14 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-03 11:05 . 2008-07-27 15:59 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-03 11:05 . 2008-07-05 09:36 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-03 11:05 . 2008-07-05 09:36 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-03 11:05 . 2008-07-05 09:36 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-03 11:04 . 2008-07-03 11:04 <DIR> d-------- C:\Program Files\AVG
2008-07-03 11:04 . 2008-07-03 11:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-29 15:43 . 2008-06-29 15:43 268 --ah----- C:\sqmdata19.sqm
2008-06-29 15:43 . 2008-06-29 15:43 244 --ah----- C:\sqmnoopt19.sqm
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-27 23:56 --------- d-----w C:\Program Files\Java
2008-07-27 18:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-10 17:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-09 14:22 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-09 14:19 --------- d-----w C:\Documents and Settings\User\Application Data\AdobeUM
2008-07-01 05:16 --------- d-----w C:\Program Files\FirstClass
2008-07-01 05:13 --------- d-----w C:\Program Files\Bonjour
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-16 19:50 --------- d-----w C:\Program Files\FrostWire
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-07 23:44 --------- d-----w C:\Documents and Settings\Wendy\Application Data\Ulead Systems
2008-06-07 23:39 --------- d-----w C:\Documents and Settings\Wendy\Application Data\Sony Corporation
2008-06-01 00:28 --------- d-----w C:\Program Files\Electronic Arts
2008-05-29 14:50 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-28 20:59 --------- d-----w C:\Program Files\iTunes
2008-05-28 20:59 --------- d-----w C:\Program Files\iPod
2008-05-28 20:57 --------- d-----w C:\Program Files\QuickTime
2008-05-28 20:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2001-09-17 08:45 127 ----a-w C:\Documents and Settings\User\setup.bat
2001-09-17 08:44 1,007,761 ----a-w C:\Documents and Settings\User\unpack.exe
2001-08-20 13:47 4,657,152 ----a-w C:\Documents and Settings\User\CardGames.exe
2001-07-13 13:55 27,648 ----a-w C:\Documents and Settings\User\startw.exe
2001-07-03 18:02 782,336 ----a-w C:\Documents and Settings\User\Hoyle_Card_Games.exe
2001-05-09 13:49 176,128 ----a-w C:\Documents and Settings\User\INSTAIDE.DLL
2000-03-18 06:29 49,152 ----a-w C:\Documents and Settings\User\INJECT.EXE
1997-12-24 14:45 105,472 ----a-w C:\Documents and Settings\User\SOS9503.DLL
.
((((((((((((((((((((((((((((( snapshot@2008-07-27_13.27.20.76 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-02-22 05:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 05:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2008-02-22 05:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 05:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2008-02-22 06:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-06-10 06:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2007-08-21 11:44 208946]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-02 20:56 40960]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 11:40 49152]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-11 04:08 172032]
"Ulead AutoDetector"="C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" [2003-02-27 19:48 45056]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-05 09:36 1232152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 08:00 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-05-13 08:13:37 124400]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08 16423]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP54"= SP5X_32.DLL
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Electronic Arts\\Need For Speed III\\nfs3.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-05 09:36]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-05 09:36]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-05 09:36]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-05 09:36]
R3 SNPP106;PC Camera (6029 CIF);C:\WINDOWS\system32\DRIVERS\snpp106.sys [2003-04-09 12:44]
S3 9516d19c-ad8c-43ea-a7ca-fdb036518e81;9516d19c-ad8c-43ea-a7ca-fdb036518e81;D:\Player\cds300.dll []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{99dc3585-54b1-11dc-a08c-000347bf25b9}]
\Shell\Auto\command - setup.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-27 20:10:40
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\TEMP\daaa2136-f862-40c7-834b-6e456f923170.tmp
scan completed successfully
hidden files: 1
**************************************************************************
.
Completion time: 2008-07-27 20:21:34
ComboFix-quarantined-files.txt 2008-07-28 00:21:29
ComboFix2.txt 2008-07-27 17:29:02
Pre-Run: 61,650,132,992 bytes free
Post-Run: 61,660,393,472 bytes free
167 --- E O F --- 2008-07-10 04:15:17
Should I run the full HJT scan?
The Windows automatic updates seem to be working now, although not in my AVG. It seems as though the constant pop-up ads are gone......I will have to use the computer a bit to see if there is anything else happening.
Um......I'm afraid to tell you where I think this came from. You might want to climb through the computer and smack me. I tried to copy a program from kazaa. I scanned everything and didn't download anything with infections.....but apparently I did. I'm ashamed of myself and grateful that you're helping me despite my stupidity.
Please let me know what my next step is..... thank you!!!
Please help!
2008-07-28, 04:36
Wow! No more popups....security is ok now....and fast! Holy cow! (It's like Christmas morning!) OMG....
pskelley
2008-07-28, 12:49
Thanks for returning your information and the feedback, we still have more to do so stick with me a bit longer.
http://arstechnica.com/news.ars/post/20080316-kazaa-downloads-cost-one-man-750-per-song-in-riaa-suit.html
http://forums.spybot.info/showthread.php?t=282
http://www.nutnworks.com/SafeHex/file_sharing.htm
Even if the programs may be legal, often the files downloaded are not. Many forums have even stopped cleaning computers with file-sharing programs on them.
ComboFix reports this file as hidden. Navigate to that TEMP folder and delete the contents of the folder. Some older files (put there by Windows) may not delete; don't be concerned.
C:\WINDOWS\TEMP\daaa2136-f862-40c7-834b-6e456f923170.tmp
This is the next bridge we must cross:
I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional, but if you do not have the CDs needed, as is explained, it can be installed before we remove ComboFix.
If you do not have access to Recovery Console via a Windows CD, I strongly advise you to install this tool.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\CF-RC.txt.
Since we do not need to scan with ComboFix, click NO.
http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif
http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif
Thanks
Please help!
2008-07-28, 19:55
Um.....I don't know how to get to that file to delete the contents. The machine keeps saying it doesn't exist. Maybe my brain isn't on today. Sorry. Please help. Also....daughter says another trojan warning came up this morning so I guess the machine isn't clean yet. Can you help me with the file thing so I can continue? (sorry)
pskelley
2008-07-28, 21:17
Thanks for the questions and the feedback, this issue first:
Also....daughter says another trojan warning came up this morning so I guess the machine isn't clean yet
A warning can mean the program, perhaps AVG, blocked an item that was trying to enter through your security. This can happen all of the time, and depending on how you have your settings (I set mine to block silently) you may not even see the warning. I cannot advise with no more information than you have provided.
1) Name of the program that said this
2) Name of the item
3) What did the program do with the item?
My suggestion would be to update AVG and run a System Scan to make sure it finds nothing.
Um.....I don't know how to get to that file to delete the contents. The machine keeps saying it doesn't exist.
It is possible it was removed earlier, I wish to be sure, please do this.
1) Make sure you can view all files and folders
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
2) Open MyComputer
3) Open Local Disk (C )
4) Open WINDOWS folder
5) Open TEMP folder
6) At the top of that folder click Edit > Select All > hit your Delete key > then click YES. A couple of files may not delete; not to worry.
Continue with the instructions I posted for Recovery Console.
Thanks
Please help!
2008-07-29, 03:26
Oh dear God, this just gets more fun by the minute. I installed the recovery console, got the log....saved it.....copied it to paste.....then the internet wasn't displaying. Rebooted the system, and lost the log. I feel like an idiot. Now, I am going to run a complete AVG scan and Ad-Aware scan to see what I get, and hope that you will come back and help me some more despite.....well....me.
Thanks for your help.
pskelley
2008-07-29, 03:34
Well...as long as you know you got it installed, it could be a very important tool in a dire emergency. Here is some information about RC from Microsoft, who I believe should have installed it by default.
http://support.microsoft.com/kb/314058
http://support.microsoft.com/kb/307654
Take a look on your C:\ that file should be at C:\CF-RC.txt
I am down for the night until AM EST when I send this post.
Thanks...Phil
Please help!
2008-07-29, 04:51
Found it, thank you.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
Thank you for all the help you have given me so far. It's amazing you are willing to do what you do. We're incredibly lucky!
pskelley
2008-07-29, 16:42
You are very welcome and RC was installed correctly. In the next step we will remove combofix, I would like to see the results of the AVG scan first.
Thanks...Phil
Please help!
2008-07-29, 20:13
The AVG scan only came up with cookies. Everything else was clean. The only warnings that came up recently have been for trojans in the system restore. How do I purge those?
pskelley
2008-07-29, 23:29
Thanks for the feedback, purge infected System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Safe surfing!
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...Phil
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
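Of the 39 "Files Infected" in the Malwarebytes log earlier in this thread, most were not live objects: they were copies inside ComboFix's own quarantine (C:\QooBox) and inside System Restore snapshots (System Volume Information\_restore...\RPnnn), which is why AVG kept warning about trojans in System Restore and why the restore-point purge above is the right final step. The Python below is an added example, not part of the thread or of Malwarebytes; it parses the "path (Family) -> action" detection lines MBAM 1.x prints and sorts them by location, run over a subset of lines copied from that log. The location rules (QooBox path, _restore path) are this example's own assumptions.

```python
r"""Sort Malwarebytes' Anti-Malware 1.x detections by where they were found.

Added example, not part of the forum thread or of Malwarebytes. Separates
live objects from registry entries, copies already sitting in ComboFix's
quarantine, and copies inside System Restore points, and lists which restore
points hold infected copies.
"""
import re
from collections import Counter

# One detection line: "<path> (<family>) -> <action>"; a path is a drive path or a registry key.
HIT_RE = re.compile(r"^(?P<path>(?:[A-Za-z]:\\|HKEY_).+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
# System Restore snapshot layout on XP: \System Volume Information\_restore{GUID}\RPnnn\
RESTORE_POINT_RE = re.compile(r"\\system volume information\\_restore\{[^}]+\}\\(?P<rp>RP\d+)\\", re.IGNORECASE)


def parse_hits(lines):
    """Return one dict per detection line; section headers and '(No malicious items detected)' are skipped."""
    hits = []
    for line in lines:
        m = HIT_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def location_of(path):
    """Classify a detection path: registry, restore-point copy, ComboFix quarantine residue, or live."""
    low = path.lower()
    if low.startswith("hkey_"):
        return "registry"
    if RESTORE_POINT_RE.search(path):
        return "restore-point copy"
    if low.startswith("c:\\qoobox\\quarantine\\"):  # assumption: ComboFix's quarantine root
        return "combofix quarantine residue"
    return "live"


def summarize_mbam(lines):
    """Count detections per location, list the live ones, and name the poisoned restore points."""
    hits = parse_hits(lines)
    by_location = Counter(location_of(h["path"]) for h in hits)
    live = [(h["path"], h["family"]) for h in hits if location_of(h["path"]) == "live"]
    restore_points = sorted({m.group("rp") for m in (RESTORE_POINT_RE.search(h["path"]) for h in hits) if m})
    return {"by_location": dict(by_location), "live": live, "restore_points": restore_points}


# Lines copied from the MBAM log posted earlier in this thread (a subset of the 39 file hits).
SAMPLE_MBAM_LINES = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\pornpro.pornpro_bho (Adware.PlayaZ) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows logon applicationedc (Backdoor.Bot) -> Quarantined and deleted successfully.
Folders Infected:
C:\WINDOWS\system32\kBin02 (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\ddcAqOii.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\fccdefeb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{621E0529-2179-4AF2-9236-5DACDCFF58BB}\RP357\A0041618.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{621E0529-2179-4AF2-9236-5DACDCFF58BB}\RP357\A0040712.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{621E0529-2179-4AF2-9236-5DACDCFF58BB}\RP358\A0042624.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\17PHolmes1188.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\winlogon.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
""".strip().splitlines()

if __name__ == "__main__":
    result = summarize_mbam(SAMPLE_MBAM_LINES)
    for location, count in sorted(result["by_location"].items()):
        print(f"{count:3}  {location}")
    print("restore points holding infected copies:", ", ".join(result["restore_points"]))
    for path, family in result["live"]:
        print(f"live  {family:22} {path}")
```

Toggling System Restore off and on, as in the steps above, discards every RPnnn folder at once; the restore-point list this produces tells you beforehand which snapshots were carrying the Vundo copies and that nothing older than them is worth keeping.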
Please help!
2008-07-30, 01:49
Thank you! All is well! I have one last question for you. Do I delete the programs that were used during this "cure"? I realize HJT and ComboFix are not necessary, but what about Malwarebytes and ATF?
Also..... having never used this.....I need to set up a PayPal account to donate to yours? (yes, I'm a behind-the-times doofus)
pskelley
2008-07-30, 02:12
Combofix: Remove combofix from your computer like this
Click START then RUN
Now type or copy Combofix /u in the run box and click OK.
Note the space between the X and the U; it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
HijackThis: I have had a copy of HJT on all computers I own for ten years; here is a tutorial of all it can do.
http://www.bleepingcomputer.com/tutorials/tutorial42.html
MBAM: great, free on demand scanner that uses no resources unless you run it.
ATF-Cleaner: You will not find a better free cleaning tool than this one, yours to keep if you wish.
You get to make those calls.
Donations: while we volunteer our time, I am sure it costs plenty to run a site like this and any donation would be appreciated. Look at the top of the page on the black line to the right for the word "Donate" for alternatives to PayPal.
Thanks
Please help!
2008-07-30, 08:23
I would like to thank you very much for all of your help. Not only did you cure all of my computer problems, but you answered every question and gave me a ton of information I can access easily to educate myself and keep me out of trouble in the future. And all that as a volunteer? You are amazing!!! Thank you, thank you, thank you!! Best wishes to you!!
Please help!
2008-07-30, 08:34
Oops....one more comment.... I was reading some of the info you sent me..... I remembered that I told you I downloaded from Kazaa, when in fact, I downloaded from FrostWire. That is on your list of clean P2P sites.....and well, after all this mess....I don't think it's such a clean site after all. I never had an issue with audio files, to my knowledge, but I obviously got clobbered when looking into program files. I just thought I'd report that. Thanks!