View Full Version : Antivirus 2009
heyehuda
2008-10-17, 16:49
Hello,
A couple of issues affecting my PC:
1. Computer significantly slows down
2. Frequently while browsing, a browser window opens alerting of Spyware in my PC and advising to install Antivirus 2009. The web address is "http://safeinternetzone.com/2009/1/_freescan.php?id=770522166386" and it shows as if it is running a scan. When I try to close the window, it opens a "file download" dialog trying to download a file calle "a9installer_770522166386.exe". AVG than warns of a "Potentially Unwanted Program" with threat name "Adware Generic3.TGG" (which I always move to vault)
3. Automatic Updates are no longer active in my PC although in the Control Panel it looks as i they are checked and working
I did a scan with SpyBot in safemode and it found 3 viruses - Virtumonde, Zlob.Downloader and win32.bagle.hi (and some suspicious coockies). I fixed all and now SpyBot scan comes 100% free of warnings (but still the above 3 problems remain).
I will post the HJT log following this post.
Thanks for your help!
Yehuda.
heyehuda
2008-10-17, 16:50
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:28:27, on 17/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\yehuda\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vmule.com/homepage.html
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\yehuda\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176406713156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176406699640
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://audiocodes.webex.com/client/T26L/webex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://ssl.audiocodes.com/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
--
End of file - 7870 bytes
Hi
Navigate into C:\Program Files\Trend Micro\HijackThis folder and rename HijackThis.exe file -> somethingElse.exe. Post a fresh hjt log after renaming is done :)
heyehuda
2008-10-18, 18:06
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:04:05, on 18/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Documents and Settings\yehuda\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\Program Files\AVG\AVG8\avgui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Trend Micro\HijackThis\SomethingElse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vmule.com/homepage.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {3D663865-4C76-4403-8A4F-33711B5AD700} - C:\WINDOWS\system32\qoMFWmkk.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: עוזר הכניסה של Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: (no name) - {BCE97A72-640B-4DED-923F-8196FC01F76B} - C:\WINDOWS\system32\qoMddBrS.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\yehuda\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-329068152-1644491937-682003330-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'anat')
O4 - HKUS\S-1-5-21-329068152-1644491937-682003330-1004\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User 'anat')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176406713156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176406699640
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://audiocodes.webex.com/client/T26L/webex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://ssl.audiocodes.com/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: qoMddBrS - qoMddBrS.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
--
End of file - 10343 bytes
Hi
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.
eMule
I'd like you to read the this thread (http://forums.spybot.info/showthread.php?t=282).
Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
Delete these folders afterwards:
C:\Program Files\eMule
Empty Recycle Bin.
After that:
Disable Spybot's TeaTimer
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu
select
Advanced Mode
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck
Resident TeaTimer
and OK any prompts.
Restart your computer
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New HijackThis log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
heyehuda
2008-10-18, 22:35
Thanks! Automatic Updates are back to life :-)
Please note that during the last stage of ComboFix, an error message popped up regarding a failure in registry process.
Please see bellow ComboFix.txt
ComboFix 08-10-17.01 - yehuda 10/18/2008 22:12:41.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1255.1.1037.18.555 [GMT 2:00]
Running from: C:\Documents and Settings\yehuda\שולחן העבודה\ComboFix.exe
Command switches used :: C:\Documents and Settings\yehuda\שולחן העבודה\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\DOCUME~1\yehuda\LOCALS~1\Temp\install_flash_player.exe
C:\Documents and Settings\yehuda\Application Data\m
C:\Documents and Settings\yehuda\Application Data\m\list.oct
C:\Documents and Settings\yehuda\Application Data\m\srvlist.oct
C:\WINDOWS\cookies.ini
C:\WINDOWS\evsw.exe
C:\WINDOWS\grfxbanodsm.dll
C:\WINDOWS\system32\AHjPonmp.ini
C:\WINDOWS\system32\AHjPonmp.ini2
C:\WINDOWS\system32\aphfjjuj.ini
C:\WINDOWS\system32\ban_list.txt
C:\WINDOWS\system32\bxcsrhrq.ini
C:\WINDOWS\system32\dawdbcsx.ini
C:\WINDOWS\system32\edmskwng.ini
C:\WINDOWS\system32\enftxrpv.ini
C:\WINDOWS\system32\esdgpkoe.ini
C:\WINDOWS\system32\fcdmwswa.ini
C:\WINDOWS\system32\fmpyqtjk.ini
C:\WINDOWS\system32\funmoqlx.ini
C:\WINDOWS\system32\gnwksmde.dll
C:\WINDOWS\system32\goilfdyw.ini
C:\WINDOWS\system32\hdxfquan.ini
C:\WINDOWS\system32\heosjale.ini
C:\WINDOWS\system32\hmtyujlj.ini
C:\WINDOWS\system32\hqgmitmr.ini
C:\WINDOWS\system32\jujjfhpa.dll
C:\WINDOWS\system32\kkmWFMoq.ini
C:\WINDOWS\system32\kkmWFMoq.ini2
C:\WINDOWS\system32\kxakasnm.dll
C:\WINDOWS\system32\locywdyl.dll
C:\WINDOWS\system32\lydwycol.ini
C:\WINDOWS\system32\mblcgwbs.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mnsakaxk.ini
C:\WINDOWS\system32\mpgeglft.ini
C:\WINDOWS\system32\mscwnmtd.ini
C:\WINDOWS\system32\naqbanyg.ini
C:\WINDOWS\system32\nfdllpiy.ini
C:\WINDOWS\system32\Nmlklnnn.ini
C:\WINDOWS\system32\Nmlklnnn.ini2
C:\WINDOWS\system32\nnnlklmN.dll
C:\WINDOWS\system32\qoMFWmkk.dll
C:\WINDOWS\system32\teqradjk.ini
C:\WINDOWS\system32\vleeskei.ini
C:\WINDOWS\system32\vprxtfne.dll
C:\WINDOWS\system32\wfvwegca.ini
C:\WINDOWS\system32\whocmpyb.ini
C:\WINDOWS\system32\xhfhmadk.ini
C:\WINDOWS\system32\xlqomnuf.dll
C:\WINDOWS\system32\xmijinii.ini
C:\WINDOWS\system32\ywjbbgpb.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SROSA
((((((((((((((((((((((((( Files Created from 2008-09-18 to 2008-10-18 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-18 20:01 --------- d-----w C:\Program Files\CompeGPS
2008-10-18 17:03 --------- d-----w C:\Program Files\eMule
2008-10-18 07:05 --------- d-----w C:\Documents and Settings\yehuda\Application Data\uTorrent
2008-10-18 00:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\zibkhyha
2008-10-17 11:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-17 11:08 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-16 20:46 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Temp
2008-10-16 06:51 --------- d-----w C:\Program Files\Java
2008-10-15 10:17 --------- d-----w C:\Program Files\LPVideoPlugin
2008-10-15 06:30 --------- d-----w C:\Program Files\eToro
2008-10-15 05:45 --------- d-----w C:\Program Files\Suunto Monitor
2008-10-15 05:15 86,016 ----a-w C:\WINDOWS\lomxeqsn.exe
2008-10-13 21:28 --------- d-----w C:\Documents and Settings\yehuda\Application Data\Juniper Networks
2008-10-13 13:20 --------- d-----w C:\Documents and Settings\yehuda\Application Data\GARMIN
2008-10-11 05:08 --------- d-----w C:\Program Files\Suunto Training Manager
2008-10-11 04:27 684,377 ----a-w C:\WINDOWS\unins000.exe
2008-10-11 04:27 --------- d-----w C:\Program Files\SuuntoUSBDrivers
2008-10-11 04:22 --------- d-----w C:\Program Files\DIFX
2008-10-08 07:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2008-10-08 05:56 --------- d-----w C:\Program Files\ATI Technologies
2008-10-02 10:36 --------- d-----w C:\Program Files\Suunto
2008-10-02 10:35 --------- d-----w C:\Program Files\Firstbeat
2008-10-01 14:29 --------- d-----w C:\Documents and Settings\yehuda\Application Data\Azureus
2008-09-29 12:31 --------- d-----w C:\Documents and Settings\yehuda\Application Data\Canon
2008-09-24 18:55 --------- d-----w C:\Program Files\ImTOO
2008-09-24 18:53 --------- d-----w C:\Program Files\VideoLAN
2008-09-23 18:00 --------- d-----w C:\Program Files\Real
2008-09-23 18:00 --------- d-----w C:\Program Files\Common Files\xing shared
2008-09-23 18:00 --------- d-----w C:\Program Files\Common Files\Real
2008-09-23 17:26 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-09-06 09:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-06 09:33 --------- d-----w C:\Program Files\Sony Ericsson
2008-09-06 09:33 --------- d-----w C:\Documents and Settings\yehuda\Application Data\Teleca
2008-09-06 09:32 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-09-06 09:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-08-31 18:04 --------- d-----w C:\Program Files\QuickTime
2008-08-31 18:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-31 18:03 --------- d-----w C:\Program Files\Apple Software Update
2008-08-31 18:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-08-31 18:00 --------- d-----w C:\Documents and Settings\yehuda\Application Data\Apple Computer
2008-08-31 15:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-08-31 14:59 --------- d-----w C:\Documents and Settings\yehuda\Application Data\CyberLink
2008-08-31 14:51 --------- d-----w C:\Program Files\CyberLink
2008-08-31 14:50 --------- d-----w C:\Program Files\SmartSound Software
2008-08-31 14:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
2008-08-29 05:25 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-21 04:52 3,299,840 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-08-21 01:17 53,248 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-01-30 20:19 11,114 ----a-w C:\Documents and Settings\All Users\Application Data\MainApp.dll
2007-12-06 06:23 678 ----a-w C:\Program Files\ Azureus2.lnk
2007-06-01 12:39 81,920 ----a-w C:\Documents and Settings\yehuda\Application Data\ezpinst.exe
2007-06-01 12:39 47,360 ----a-w C:\Documents and Settings\yehuda\Application Data\pcouffin.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/14/2008 04:17 AM 15360]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [08/12/2007 01:28 PM 1465280]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [10/18/2007 10:34 AM 5724184]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/23/2007 04:03 PM 68856]
"Google Update"="C:\Documents and Settings\yehuda\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [09/05/2008 08:26 AM 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM 144784]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [09/28/2006 09:21 PM 57344]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [10/06/2006 06:11 AM 98304]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [10/06/2006 06:13 AM 114688]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [10/06/2006 06:10 AM 94208]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [09/23/2008 08:00 PM 185896]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [08/01/2008 03:23 PM 61440]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [09/30/2008 08:39 AM 1234712]
"SkyTel"="SkyTel.EXE" [05/16/2006 12:04 PM 2879488 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [10/30/2006 01:49 PM 16269312 C:\WINDOWS\RTHDCPL.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [04/14/2008 04:17 AM 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^DigiCell.lnk]
path=C:\Documents and Settings\All Users\תפריט התחלה\תוכניות\הפעלה\DigiCell.lnk
backup=C:\WINDOWS\pss\DigiCell.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\תפריט התחלה\תוכניות\הפעלה\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\תפריט התחלה\תוכניות\הפעלה\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^MSI Wireless Utility.lnk]
path=C:\Documents and Settings\All Users\תפריט התחלה\תוכניות\הפעלה\MSI Wireless Utility.lnk
backup=C:\WINDOWS\pss\MSI Wireless Utility.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^PC Alert 4.lnk]
path=C:\Documents and Settings\All Users\תפריט התחלה\תוכניות\הפעלה\PC Alert 4.lnk
backup=C:\WINDOWS\pss\PC Alert 4.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^Program Neighborhood Agent.lnk]
path=C:\Documents and Settings\All Users\תפריט התחלה\תוכניות\הפעלה\Program Neighborhood Agent.lnk
backup=C:\WINDOWS\pss\Program Neighborhood Agent.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^yehuda^תפריט התחלה^תוכניות^הפעלה^MotionBased Agent.lnk]
path=C:\Documents and Settings\yehuda\תפריט התחלה\תוכניות\הפעלה\MotionBased Agent.lnk
backup=C:\WINDOWS\pss\MotionBased Agent.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 01/11/2008 10:16 PM 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 09/03/2005 02:18 PM 94208 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 02/19/2006 01:41 AM 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 07/08/2006 01:15 AM 600896 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
--a------ 07/08/2006 01:14 AM 576320 C:\Program Files\Microsoft IntelliType Pro\itype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--------- 03/14/2007 09:01 PM 54832 C:\Program Files\CyberLink\PowerDVD\Language\Language.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 05/27/2008 09:50 AM 413696 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 03/14/2007 09:01 PM 71216 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
--a------ 02/20/2008 11:22 AM 356352 C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 06/23/2007 04:03 PM 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"40bb974c"=rundll32.exe "C:\WINDOWS\system32\gnwksmde.dll",b
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\lhemule53\\emule.exe"=
"C:\\Program Files\\eMule\\eMule.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\Documents and Settings\\yehuda\\Application Data\\Juniper Networks\\Juniper Citrix Services Client\\dsCitrixProxy.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Documents and Settings\\nir\\Application Data\\Juniper Networks\\Juniper Citrix Services Client\\dsCitrixProxy.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\CompeGPS\\CompeGPSLAND.exe"=
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [08/29/2008 07:25 AM 97928]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [09/19/2007 09:37 PM 41456]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [08/29/2008 07:25 AM 875288]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [08/29/2008 07:25 AM 231704]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [07/04/2008 08:18 AM 76040]
R2 mgnt;mgnt;C:\WINDOWS\system32\drivers\mgnt.sys [09/22/1997 10:55 AM 19232]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [12/28/2007 04:48 AM 23552]
S3 DigiCellDriver;DigiCellDriver;C:\Program Files\MSI\DigiCell\NTGLM7X.sys [06/07/2006 10:00 AM 28672]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [10/25/2004 02:40 PM 17664]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1797ffd9-1a0c-11dd-b9ba-0019db231763}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2008-10-15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [04/11/2008 04:57 PM]
2008-10-18 C:\WINDOWS\Tasks\GoogleUpdateTaskUser.job
- C:\Documents and Settings\yehuda\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [09/05/2008 08:26 AM]
.
- - - - ORPHANS REMOVED - - - -
BHO-{BCE97A72-640B-4DED-923F-8196FC01F76B} - C:\WINDOWS\system32\qoMddBrS.dll
BHO-{D7AB5B13-3F72-48A5-9CDF-5BC2D3EC072F} - C:\WINDOWS\system32\qoMFWmkk.dll
ShellExecuteHooks-{BCE97A72-640B-4DED-923F-8196FC01F76B} - C:\WINDOWS\system32\qoMddBrS.dll
Notify-qoMddBrS - qoMddBrS.dll
MSConfigStartUp-!AVG Anti-Spyware - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
MSConfigStartUp-avast! - C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
MSConfigStartUp-gStart - C:\Garmin\gStart.exe
MSConfigStartUp-mRouterConfig - C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe
MSConfigStartUp-PC Suite for Smartphones - C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe
MSConfigStartUp-SearchIndexer - C:\WINDOWS\system32\bypmcohw.dll
MSConfigStartUp-ServUTrayIcon - C:\Program Files\RhinoSoft.com\Serv-U\ServUTray.exe
MSConfigStartUp-SpywareTerminator - C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
MSConfigStartUp-Microsoft Windows Update x86 - firefox.exe
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKCU-Main,Default_Search_URL = hxxp://www.google.com/ie
R0 -: HKLM-Main,Start Page = hxxp://www.vmule.com/homepage.html
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: &יצא ל- Microsoft Excel - C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-18 22:23:24
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 10/18/2008 22:29:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-18 20:29:14
Pre-Run: 176,618,151,936 bytes free
Post-Run: 176,937,398,272 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
298 --- E O F --- 2008-10-18 20:26:14
heyehuda
2008-10-18, 22:37
Here's a fresh HJT log. Following that log, I will activate again TeaTimer and AVG Resident Shield
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:36:02, on 18/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\yehuda\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\SomethingElse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vmule.com/homepage.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: עוזר הכניסה של Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\yehuda\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176406713156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176406699640
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://audiocodes.webex.com/client/T26L/webex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://ssl.audiocodes.com/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
--
End of file - 8658 bytes
I will activate again TeaTimer and AVG Resident Shield
Don't do that until system cleaning process is finished.
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.
µTorrent
eMule
Azureus
LHeMule
I'd like you to read the this thread (http://forums.spybot.info/showthread.php?t=282).
Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
Delete these folders afterwards:
C:\Program Files\eMule
C:\Documents and Settings\yehuda\Application Data\uTorrent
C:\Documents and Settings\yehuda\Application Data\Azureus
C:\lhemule53
C:\Program Files\Azureus
C:\Program Files\uTorrent
Empty Recycle Bin.
After that:
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\lomxeqsn.exe
C:\Program Files\ Azureus2.lnk
Folder::
C:\Program Files\eMule
C:\Documents and Settings\yehuda\Application Data\uTorrent
C:\Documents and Settings\All Users\Application Data\zibkhyha
C:\Documents and Settings\yehuda\Application Data\Azureus
C:\lhemule53
C:\Program Files\Azureus
C:\Program Files\uTorrent
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"40bb974c"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\lhemule53\\emule.exe"=-
"C:\\Program Files\\eMule\\eMule.exe"=-
"C:\\Program Files\\Azureus\\Azureus.exe"=-
"C:\\Program Files\\uTorrent\\uTorrent.exe"=-
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Uninstall all your old Java versions and get update 7 here (http://javadl.sun.com/webapps/download/AutoDL?BundleId=23111).
Uninstall old Adobe Reader and get the latest one here (http://www.filehippo.com/download_adobe_reader/) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm).
Download ATF (Atribune Temp File) Cleanerİ by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).
Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.
heyehuda
2008-10-19, 20:16
Thanks a lot for the quick response. Much appreciated!
Is it possible to proceed without deleting the P2P programs and folders? I use these quite a lot and will make sure AVG scans the downloads before executing.
Yehuda.
Hi Yehuda
I'm sorry but that's not an option. Either you uninstall all P2P programs or I can't help you.
heyehuda
2008-10-19, 21:08
OK. Will uninstall all P2P programs.
A question regarding the CSFscript file - do I need to include also "Code:" in the begining? It appears out of the blue frame...
Also - do I need to enable "wrap text" or not?
Thanks,
Yehuda.
Hi
Don't include "Code:". Also, keep wrap text disabled :)
heyehuda
2008-10-21, 06:57
Hi,
Took some time to install Java (got repeating Error 1722, and had to spend half day to find out how to overcpme it...) and Kaspersky ran for 12.5 hours...
Bellow is the Kaspersky log. I will post HJT and ComboFix following this message.
Thanks,
Yehuda.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, October 21, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, October 20, 2008 11:50:24
Records in database: 1325160
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
F:\
Scan statistics:
Files scanned: 118790
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 12:30:34
File name / Threat name / Threats count
C:\Qoobox\Quarantine\Registry_backups\Legacy_SROSA.reg.dat Infected: Trojan-Downloader.Win32.Bagle.hp 1
The selected area was scanned.
heyehuda
2008-10-21, 06:58
ComboFix 08-10-19.01 - yehuda 10/19/2008 22:32:21.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1255.1.1037.18.525 [GMT 2:00]
Running from: C:\Documents and Settings\yehuda\שולחן העבודה\ComboFix.exe
Command switches used :: C:\Documents and Settings\yehuda\שולחן העבודה\CFScript.txt
* Created a new restore point
FILE ::
C:\Program Files\ Azureus2.lnk
C:\WINDOWS\lomxeqsn.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\zibkhyha
C:\Program Files\ Azureus2.lnk
C:\Program Files\Azureus
C:\Program Files\Azureus\AzureusUpdater.exe
C:\Program Files\Azureus\plugins\azplugins\azplugins_2.1.4.jar
C:\Program Files\Azureus\plugins\azrating\azrating_1.3.1.jar
C:\Program Files\Azureus\plugins\azupdater\azupdater_1.8.5.zip
C:\Program Files\Azureus\plugins\azupdater\azupdater_1.8.8.zip
C:\Program Files\Azureus\plugins\azupdater\azupdaterpatcher_1.8.3.jar
C:\Program Files\Azureus\plugins\azupdater\azupdaterpatcher_1.8.5.jar
C:\Program Files\Azureus\plugins\azupdater\azupdaterpatcher_1.8.8.jar
C:\Program Files\Azureus\plugins\azupdater\plugin.properties
C:\Program Files\Azureus\plugins\azupdater\plugin.properties_1.8.5
C:\Program Files\Azureus\plugins\azupdater\plugin.properties_1.8.8
C:\Program Files\Azureus\plugins\azupdater\Updater.jar
C:\Program Files\Azureus\plugins\azupdater\Updater.jar.bak
C:\Program Files\Azureus\Uninstall.exe
C:\Program Files\eMule
C:\Program Files\eMule\Temp\003.part
C:\Program Files\eMule\Temp\003.part.met
C:\Program Files\eMule\Temp\003.part.met.bak
C:\Program Files\eMule\Temp\005.part
C:\Program Files\eMule\Temp\005.part.met
C:\Program Files\eMule\Temp\005.part.met.bak
C:\Program Files\eMule\Temp\006.part
C:\Program Files\eMule\Temp\006.part.met
C:\Program Files\eMule\Temp\006.part.met.bak
C:\Program Files\LPVideoPlugin
C:\WINDOWS\lomxeqsn.exe
.
((((((((((((((((((((((((( Files Created from 2008-09-19 to 2008-10-19 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-19 20:14 --------- d-----w C:\Program Files\Java
2008-10-19 19:12 --------- d-----w C:\Program Files\Common Files\Adobe
2008-10-18 20:01 --------- d-----w C:\Program Files\CompeGPS
2008-10-17 11:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-17 11:08 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-16 20:46 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Temp
2008-10-15 17:57 267,776 ----a-w C:\WINDOWS\system32\pmnoPjHA.dll
2008-10-15 06:30 --------- d-----w C:\Program Files\eToro
2008-10-15 05:45 --------- d-----w C:\Program Files\Suunto Monitor
2008-10-13 21:28 --------- d-----w C:\Documents and Settings\yehuda\Application Data\Juniper Networks
2008-10-13 13:20 --------- d-----w C:\Documents and Settings\yehuda\Application Data\GARMIN
2008-10-11 05:08 --------- d-----w C:\Program Files\Suunto Training Manager
2008-10-11 04:27 684,377 ----a-w C:\WINDOWS\unins000.exe
2008-10-11 04:27 --------- d-----w C:\Program Files\SuuntoUSBDrivers
2008-10-11 04:22 --------- d-----w C:\Program Files\DIFX
2008-10-08 07:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2008-10-08 05:56 --------- d-----w C:\Program Files\ATI Technologies
2008-10-02 10:36 --------- d-----w C:\Program Files\Suunto
2008-10-02 10:35 --------- d-----w C:\Program Files\Firstbeat
2008-09-29 12:31 --------- d-----w C:\Documents and Settings\yehuda\Application Data\Canon
2008-09-24 18:55 --------- d-----w C:\Program Files\ImTOO
2008-09-24 18:53 --------- d-----w C:\Program Files\VideoLAN
2008-09-23 18:00 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-09-23 18:00 --------- d-----w C:\Program Files\Real
2008-09-23 18:00 --------- d-----w C:\Program Files\Common Files\xing shared
2008-09-23 18:00 --------- d-----w C:\Program Files\Common Files\Real
2008-09-23 17:26 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-09-15 15:26 1,846,272 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-09-06 09:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-06 09:33 --------- d-----w C:\Program Files\Sony Ericsson
2008-09-06 09:33 --------- d-----w C:\Documents and Settings\yehuda\Application Data\Teleca
2008-09-06 09:32 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-09-06 09:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-08-31 18:04 --------- d-----w C:\Program Files\QuickTime
2008-08-31 18:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-31 18:03 --------- d-----w C:\Program Files\Apple Software Update
2008-08-31 18:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-08-31 18:00 --------- d-----w C:\Documents and Settings\yehuda\Application Data\Apple Computer
2008-08-31 15:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-08-31 14:59 --------- d-----w C:\Documents and Settings\yehuda\Application Data\CyberLink
2008-08-31 14:51 --------- d-----w C:\Program Files\CyberLink
2008-08-31 14:50 --------- d-----w C:\Program Files\SmartSound Software
2008-08-31 14:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
2008-08-29 05:25 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-26 08:11 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-21 04:52 3,299,840 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-08-21 02:19 425,984 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-08-21 02:18 314,880 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-08-21 02:08 184,320 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-08-21 02:08 143,360 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-08-21 02:07 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-08-21 02:07 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-08-21 02:07 143,360 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-08-21 02:05 573,440 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-08-21 02:04 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-08-21 02:01 10,084,352 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-08-21 01:55 4,094,560 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-08-21 01:50 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-08-21 01:38 2,377,856 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-08-21 01:23 48,640 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-08-21 01:19 380,928 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-08-21 01:18 37,376 ----a-w C:\WINDOWS\system32\atiadlxx.dll
2008-08-21 01:18 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-08-21 01:17 53,248 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-08-21 01:17 253,952 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-08-21 01:11 561,152 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-08-20 19:05 593,920 ----a-w C:\WINDOWS\system32\ati2sgag.exe
2008-08-14 13:24 2,146,816 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 13:24 2,025,472 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-08-05 21:14 90,112 ----a-w C:\WINDOWS\system32\ATIBRTMON.EXE
2008-01-30 20:19 11,114 ----a-w C:\Documents and Settings\All Users\Application Data\MainApp.dll
2007-06-01 12:39 81,920 ----a-w C:\Documents and Settings\yehuda\Application Data\ezpinst.exe
2007-06-01 12:39 47,360 ----a-w C:\Documents and Settings\yehuda\Application Data\pcouffin.sys
.
((((((((((((((((((((((((((((( snapshot@Sat 10-18-2008_22.28.24.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-26 09:10:29 347,136 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\dxtmsft.dll
+ 2008-08-26 09:10:29 214,528 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\dxtrans.dll
+ 2008-08-26 09:10:29 63,488 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\icardie.dll
+ 2008-08-25 08:43:21 70,656 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\ie4uinit.exe
+ 2008-08-26 09:10:29 153,088 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\ieakeng.dll
+ 2007-04-17 09:32:38 2,455,488 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\ieapfltr.dat
+ 2008-08-26 09:10:31 44,544 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\iernonce.dll
+ 2008-08-26 09:10:31 267,776 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\iertutil.dll
+ 2008-08-25 08:43:21 13,824 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\ieudinit.exe
+ 2008-08-23 05:56:16 635,848 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\iexplore.exe
+ 2008-08-26 09:10:32 27,648 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\jsproxy.dll
+ 2008-08-26 09:10:32 459,264 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\msfeeds.dll
+ 2008-08-26 09:10:32 52,224 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\msfeedsbs.dll
+ 2008-08-26 09:10:33 3,594,752 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\mshtml.dll
+ 2008-08-26 09:10:33 477,696 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\mshtmled.dll
+ 2008-08-26 09:10:33 193,024 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\msrating.dll
+ 2008-08-26 09:10:34 671,232 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\mstime.dll
+ 2008-08-26 09:10:34 102,912 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\occache.dll
+ 2008-08-26 09:10:34 44,544 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\pngfilt.dll
+ 2008-08-26 09:10:34 105,984 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\url.dll
+ 2008-08-26 09:10:34 1,162,752 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\urlmon.dll
+ 2008-08-26 09:10:34 827,904 ----a-w C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
+ 2007-11-30 12:39:33 16,760 ----a-w C:\WINDOWS\$hf_mig$\KB956391\spmsg.dll
+ 2007-11-30 12:39:33 230,264 ----a-w C:\WINDOWS\$hf_mig$\KB956391\spuninst.exe
+ 2007-11-30 12:39:33 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB956391\update\spcustom.dll
+ 2007-11-30 12:39:36 749,944 ----a-w C:\WINDOWS\$hf_mig$\KB956391\update\update.exe
+ 2007-11-30 12:39:36 374,648 ----a-w C:\WINDOWS\$hf_mig$\KB956391\update\updspapi.dll
+ 2008-08-14 10:34:26 138,496 ----a-w C:\WINDOWS\$hf_mig$\KB956803\SP3QFE\afd.sys
+ 2007-11-30 11:19:16 16,760 ----a-w C:\WINDOWS\$hf_mig$\KB956803\spmsg.dll
+ 2007-11-30 11:19:16 230,264 ----a-w C:\WINDOWS\$hf_mig$\KB956803\spuninst.exe
+ 2007-11-30 11:19:15 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB956803\update\spcustom.dll
+ 2007-11-30 11:19:20 749,944 ----a-w C:\WINDOWS\$hf_mig$\KB956803\update\update.exe
+ 2007-11-30 11:19:20 374,648 ----a-w C:\WINDOWS\$hf_mig$\KB956803\update\updspapi.dll
+ 2008-09-08 11:37:19 333,824 ----a-w C:\WINDOWS\$hf_mig$\KB957095\SP3QFE\srv.sys
+ 2007-11-30 11:19:16 16,760 ----a-w C:\WINDOWS\$hf_mig$\KB957095\spmsg.dll
+ 2007-11-30 11:19:16 230,264 ----a-w C:\WINDOWS\$hf_mig$\KB957095\spuninst.exe
+ 2007-11-30 11:19:15 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB957095\update\spcustom.dll
+ 2007-11-30 11:19:20 749,944 ----a-w C:\WINDOWS\$hf_mig$\KB957095\update\update.exe
+ 2007-11-30 11:19:20 374,648 ----a-w C:\WINDOWS\$hf_mig$\KB957095\update\updspapi.dll
+ 2007-11-30 12:39:33 230,264 -c----w C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe
+ 2007-11-30 12:39:36 374,648 -c----w C:\WINDOWS\$NtUninstallKB956391$\spuninst\updspapi.dll
+ 2008-06-20 11:40:08 138,496 -c----w C:\WINDOWS\$NtUninstallKB956803$\afd.sys
+ 2007-11-30 11:19:16 230,264 -c----w C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe
+ 2007-11-30 11:19:20 374,648 -c----w C:\WINDOWS\$NtUninstallKB956803$\spuninst\updspapi.dll
+ 2007-11-30 11:19:16 230,264 -c----w C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe
+ 2007-11-30 11:19:20 374,648 -c----w C:\WINDOWS\$NtUninstallKB957095$\spuninst\updspapi.dll
+ 2008-04-13 19:15:11 334,848 -c----w C:\WINDOWS\$NtUninstallKB957095$\srv.sys
- 2008-06-23 16:28:17 124,928 ------w C:\WINDOWS\system32\advpack.dll
+ 2008-08-26 08:11:45 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
- 2008-06-20 11:40:08 138,496 -c----w C:\WINDOWS\system32\dllcache\afd.sys
+ 2008-08-14 10:04:36 138,496 -c----w C:\WINDOWS\system32\dllcache\afd.sys
- 2008-06-20 11:40:08 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
+ 2008-08-14 10:04:36 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
- 2008-09-05 06:52:22 332,280 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-10-18 20:39:15 332,280 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2008-06-23 16:28:17 63,488 ------w C:\WINDOWS\system32\icardie.dll
+ 2008-08-26 08:11:46 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2008-06-23 16:28:17 383,488 ------w C:\WINDOWS\system32\ieapfltr.dll
+ 2008-08-26 08:11:46 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2008-06-23 16:28:19 6,066,176 ------w C:\WINDOWS\system32\ieframe.dll
+ 2008-10-03 17:16:39 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2008-06-23 16:28:19 267,776 ------w C:\WINDOWS\system32\iertutil.dll
+ 2008-08-26 08:11:49 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2008-06-23 16:28:20 459,264 ------w C:\WINDOWS\system32\msfeeds.dll
+ 2008-08-26 08:11:50 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2008-06-23 16:28:20 52,224 ------w C:\WINDOWS\system32\msfeedsbs.dll
+ 2008-08-26 08:11:50 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2008-06-24 07:28:22 3,592,192 ------w C:\WINDOWS\system32\mshtml.dll
+ 2008-08-27 09:11:54 3,593,216 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2008-10-18 20:25:08 73,560 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-10-19 04:48:57 73,560 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-10-18 20:25:08 71,248 ----a-w C:\WINDOWS\system32\perfc00d.dat
+ 2008-10-19 04:48:57 71,248 ----a-w C:\WINDOWS\system32\perfc00d.dat
- 2008-10-18 20:25:08 448,168 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-10-19 04:48:57 448,168 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-10-18 20:25:09 354,598 ----a-w C:\WINDOWS\system32\perfh00d.dat
+ 2008-10-19 04:48:57 354,598 ----a-w C:\WINDOWS\system32\perfh00d.dat
- 2008-06-23 16:28:21 105,984 ------w C:\WINDOWS\system32\url.dll
+ 2008-08-26 08:11:54 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2008-06-23 16:28:22 1,159,680 ------w C:\WINDOWS\system32\urlmon.dll
+ 2008-08-26 08:11:54 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-10-19 18:27:51 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_614.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/14/2008 04:17 AM 15360]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [08/12/2007 01:28 PM 1465280]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [10/18/2007 10:34 AM 5724184]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/23/2007 04:03 PM 68856]
"Google Update"="C:\Documents and Settings\yehuda\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [09/05/2008 08:26 AM 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM 155648]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [09/28/2006 09:21 PM 57344]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [10/06/2006 06:11 AM 98304]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [10/06/2006 06:13 AM 114688]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [10/06/2006 06:10 AM 94208]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [09/23/2008 08:00 PM 185896]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [08/01/2008 03:23 PM 61440]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [09/30/2008 08:39 AM 1234712]
"SkyTel"="SkyTel.EXE" [05/16/2006 12:04 PM 2879488 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [10/30/2006 01:49 PM 16269312 C:\WINDOWS\RTHDCPL.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [04/14/2008 04:17 AM 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoMddBrS]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^DigiCell.lnk]
path=C:\Documents and Settings\All Users\תפריט התחלה\תוכניות\הפעלה\DigiCell.lnk
backup=C:\WINDOWS\pss\DigiCell.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\תפריט התחלה\תוכניות\הפעלה\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\תפריט התחלה\תוכניות\הפעלה\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^MSI Wireless Utility.lnk]
path=C:\Documents and Settings\All Users\תפריט התחלה\תוכניות\הפעלה\MSI Wireless Utility.lnk
backup=C:\WINDOWS\pss\MSI Wireless Utility.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^PC Alert 4.lnk]
path=C:\Documents and Settings\All Users\תפריט התחלה\תוכניות\הפעלה\PC Alert 4.lnk
backup=C:\WINDOWS\pss\PC Alert 4.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^Program Neighborhood Agent.lnk]
path=C:\Documents and Settings\All Users\תפריט התחלה\תוכניות\הפעלה\Program Neighborhood Agent.lnk
backup=C:\WINDOWS\pss\Program Neighborhood Agent.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^yehuda^תפריט התחלה^תוכניות^הפעלה^MotionBased Agent.lnk]
path=C:\Documents and Settings\yehuda\תפריט התחלה\תוכניות\הפעלה\MotionBased Agent.lnk
backup=C:\WINDOWS\pss\MotionBased Agent.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 09/03/2005 02:18 PM 94208 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 02/19/2006 01:41 AM 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 07/08/2006 01:15 AM 600896 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
--a------ 07/08/2006 01:14 AM 576320 C:\Program Files\Microsoft IntelliType Pro\itype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--------- 03/14/2007 09:01 PM 54832 C:\Program Files\CyberLink\PowerDVD\Language\Language.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 05/27/2008 09:50 AM 413696 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 03/14/2007 09:01 PM 71216 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
--a------ 02/20/2008 11:22 AM 356352 C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 06/23/2007 04:03 PM 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\Documents and Settings\\yehuda\\Application Data\\Juniper Networks\\Juniper Citrix Services Client\\dsCitrixProxy.exe"=
"C:\\Documents and Settings\\nir\\Application Data\\Juniper Networks\\Juniper Citrix Services Client\\dsCitrixProxy.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\CompeGPS\\CompeGPSLAND.exe"=
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [08/29/2008 07:25 AM 97928]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [09/19/2007 09:37 PM 41456]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [08/29/2008 07:25 AM 875288]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [08/29/2008 07:25 AM 231704]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [07/04/2008 08:18 AM 76040]
R2 mgnt;mgnt;C:\WINDOWS\system32\drivers\mgnt.sys [09/22/1997 10:55 AM 19232]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [12/28/2007 04:48 AM 23552]
S3 DigiCellDriver;DigiCellDriver;C:\Program Files\MSI\DigiCell\NTGLM7X.sys [06/07/2006 10:00 AM 28672]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [10/25/2004 02:40 PM 17664]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1797ffd9-1a0c-11dd-b9ba-0019db231763}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2008-10-15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [04/11/2008 04:57 PM]
2008-10-19 C:\WINDOWS\Tasks\GoogleUpdateTaskUser.job
- C:\Documents and Settings\yehuda\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [09/05/2008 08:26 AM]
.
- - - - ORPHANS REMOVED - - - -
BHO-{3D663865-4C76-4403-8A4F-33711B5AD700} - (no file)
BHO-{BCE97A72-640B-4DED-923F-8196FC01F76B} - (no file)
MSConfigStartUp-Adobe Reader Speed Launcher - C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-19 22:35:10
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 10/19/2008 22:36:26
ComboFix-quarantined-files.txt 2008-10-19 20:36:16
ComboFix2.txt 2008-10-18 20:29:18
Pre-Run: 183,827,296,256 bytes free
Post-Run: 183,838,474,240 bytes free
336 --- E O F --- 2008-10-18 20:26:14
heyehuda
2008-10-21, 07:00
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:59:31, on 21/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\yehuda\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Trend Micro\HijackThis\SomethingElse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vmule.com/homepage.html
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\J\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: עוזר הכניסה של Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\J\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\yehuda\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\J\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\J\bin\ssv.dll
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176406713156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176406699640
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://audiocodes.webex.com/client/T26L/webex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://ssl.audiocodes.com/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: qoMddBrS - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
--
End of file - 8380 bytes
Hi
Delete C:\WINDOWS\system32\pmnoPjHA.dll file if found.
Start hjt, do a system scan, check:
O20 - Winlogon Notify: qoMddBrS - C:\WINDOWS\
Close browsers and fix checked.
Reboot and post a fresh hjt log. How's the system running?
heyehuda
2008-10-22, 20:58
Hi
pmnoPjHA.dll was not present.
See bellow freash HJT log.
System seems fine now.
Please let me know when can I enable AVG and teatimer.
Thanks,
Yehuda.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:54:00, on 22/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\yehuda\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\SomethingElse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vmule.com/homepage.html
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {3D663865-4C76-4403-8A4F-33711B5AD700} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\J\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: עוזר הכניסה של Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: (no name) - {BCE97A72-640B-4DED-923F-8196FC01F76B} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\yehuda\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\J\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\J\bin\ssv.dll
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176406713156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176406699640
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://audiocodes.webex.com/client/T26L/webex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://ssl.audiocodes.com/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
--
End of file - 8414 bytes
Hi
Before you're able to turn on TeaTimer you have to reset its "memory" first.
Reset Teatimer
* Right-click >here (http://downloads.subratam.org/ResetTeaTimer.bat)< and select "Save as" and save it without changing the name to your desktop
* Double click ResetTeaTimer.bat
* Open Spybot S&D
o Click Mode > check Advanced Mode
o Go to the left Panel and click Tools then, also in left panel, click Resident (OK any firewall prompts)
o Check the box labeled Resident Tea-Timer and OK any prompts
o Use File > Exit to terminate Spybot
* Reboot your machine for the changes to take effect
* You can now delete ResetTeaTimer.bat
Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis
Now lets uninstall ComboFix:
Click START then RUN
Now type "C:\Documents and Settings\yehuda\שולחן העבודה\ComboFix.exe" /u in the runbox and click OK
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.
If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.
Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
Download SpywareBlaster
Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes
kill bits
in the registry, so that certain activex controls can't install.
If you don't know what activex controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster here here (http://majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef)
SpywareBlaster tutorial (http://www.bleepingcomputer.com/forums/tutorial49.html)
hosts file:
Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen) Click run In the dialog box, type services.msc hit enter, then locate dns client Highlight it, then double-click it. On the dropdown box, change the setting from automatic to manual. Click ok
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
See here (http://www.freebyte.com/antivirus/#firewalls) to choose one if you don't have a 3rd party firewall.
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade :cool:
heyehuda
2008-10-24, 17:00
Thanks a lot Blade81 for all the assistance to clean up my PC. I followed your last instructions and all seem OK now!
One last question - is there a real advantage using one of the Registry cleanup tools? Can you recommend one?
Thanks again,
Yehuda.
Hi
Not the first time I hear that question :) I don't recommend registry cleaners in general. It's easy to cause more troubles with them than gain advantage.
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)
Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.