View Full Version : Worm (klxbtez32) and others
gb_sachs
2008-11-14, 10:59
Greetings,
I have windows xp service pack 3.
I have written a post here a few months ago. I think that since it took a long time for you to answer back, i dropped the subject and forgot about my post. Now i remembered it and I saw that you responded and told me to do the following:
1. run sdfix and post report.
2. run highjack this and post log.
I hope you would like to continue assisting me because I think the problem still exists or there are other problems.
In my startup list I still have the entry klxtbez32. Also my computer reports many errors and missing files and what not. I did online scans with trendmicro and bitdefender and found nothing. I also checked for spyware with spybot and found nothing.
I hope you can help.
Thank you so much.
Here r the reports (by the way when I did the sdfix it was saying acces denied quite a lot maybe its because of my online armor firewall or the spybot tea timer?)
1. sdfix report:
SDFix: Version 1.115
Run by qa on Fri 11/14/2008 at 06:21 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
No Trojan Files Found
Removing Temp Files...
ADS Check:
C:\WINDOWS\system32\svchost.exe
2. highjackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 9:57:06 AM, on 11/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\WINDOWS\explorer.exe
C:\Program Files\spyware\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://video.eurosport.de/eurosport-player/streaming_prd1_lst3.shtml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: The Israeli Radio Toolbar - {825e6f35-d825-4fe9-b51c-f6911d00122e} - C:\Program Files\The_Israeli_Radio\tbThe1.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: The Israeli Radio Toolbar - {825e6f35-d825-4fe9-b51c-f6911d00122e} - C:\Program Files\The_Israeli_Radio\tbThe1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.download.com
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/24.16/uploader2.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195209670781
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195210056671
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5335/mcfscan.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{93CAD012-7B81-42AC-AF79-7129E1CFB097}: NameServer = 213.191.92.86 62.109.123.7
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Thanx!
pskelley
2008-11-15, 14:58
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.
Let's chat a few minutes, first here: http://forums.spybot.info/showthread.php?t=33537
You never bothered to respond to my post?
Even though I posted the instructions for you then, you are still not following them, including posting an out of date HJT log and:
Do NOT run 'FIXES' before helpers have analyzed the HJT log
http://forums.spybot.info/showthread.php?t=16806
I have no idea if I can help or not, if you want me to try, then you need to do this.
1) Read and follow the directions.
2) In System Configuration Utility (MSConfig) return to Normal Startup so I can see everything.
3) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)
4) Post an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg
5) Post the correct version of HJT located as instructed:
Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.
gb_sachs
2008-11-15, 22:14
Hi,
Thanx so much for helping.
Sorry I didnt reply earlier to your earlier post but I dont think I got an email notification back than and so I forgot.
Anyway, I followed your instructions and here is (1) uninstall list and (2) the highjack this log.
1.Ad-Aware SE Professional
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe PhotoDeluxe 1.0
Adobe Reader 7.1.0
Adobe Shockwave Player
Advanced Spyware Remover Free Edition
Apple Mobile Device Support
Apple Software Update
AVG Free 8.0
AVI ReComp 1.4.3
AviSynth 2.5
Babylon
Bonjour
CCleaner (remove only)
CCS64 V3.5
CloneDVD 4.3.0.2
DivXLand Media Subtitler
ERUNT 1.1j
ESET Online Scanner
Eusing Free Registry Cleaner
EVEREST Ultimate Edition v4.60
Fontboard Hebrew Keyboard
Google Earth
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Intel(R) Extreme Graphics Driver
Intel(R) PRO Network Adapters and Drivers
iTunes
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Kaspersky Online Scanner
Lexmark Z600 Series
Logitech Desktop Messenger
Logitech Print Service
Logitech QuickCam Software
Logitech® Camera Driver
Malwarebytes' Anti-Malware
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Professional
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Mozilla Firefox (3.0.4)
Nero 7 Ultra Edition
Online Armor 2.0
Panda ActiveScan 2.0
Picasa 2
QuickTime
Realtek AC'97 Audio
Safari
Sandboxie 3.26
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Skype™ 3.8
SoundMAX
Spybot - Search & Destroy
Spyware Terminator
SUPERAntiSpyware Free Edition
Unlocker 1.8.5
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
VideoLAN VLC media player 0.8.6d
VobSub v2.23 (Remove Only)
Windows Commander (Remove or Repair)
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Service Pack 3
WinRAR archiver
WinZip
Xvid 1.1.3 final uninstall
2. Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:01:51 PM, on 11/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://video.eurosport.de/eurosport-player/streaming_prd1_lst3.shtml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Network Host Service] klxtbez32.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [MMTrayLSI] MMTrayLSI.exe
O4 - HKLM\..\Run: [MMTray2K] MMTray2k.exe
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-21-2025429265-1390067357-839522115-1003\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User '?')
O4 - HKUS\S-1-5-21-2025429265-1390067357-839522115-1003\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (User '?')
O4 - HKUS\S-1-5-21-2025429265-1390067357-839522115-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-2025429265-1390067357-839522115-1003\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
O4 - HKUS\S-1-5-21-2025429265-1390067357-839522115-1003\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0 (User '?')
O4 - HKUS\S-1-5-21-2025429265-1390067357-839522115-1003\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe" (User '?')
O4 - HKUS\S-1-5-21-2025429265-1390067357-839522115-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-2025429265-1390067357-839522115-1003\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot (User '?')
O4 - HKUS\S-1-5-21-2025429265-1390067357-839522115-1003\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" (User '?')
O4 - HKUS\S-1-5-21-2025429265-1390067357-839522115-1003\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe" (User '?')
O4 - HKUS\S-1-5-21-2025429265-1390067357-839522115-1003\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.download.com
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/24.16/uploader2.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195209670781
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195210056671
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5335/mcfscan.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HAGDYSL - Google - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
--
End of file - 14581 bytes
Thanx dude
pskelley
2008-11-15, 22:58
Thanks for returning your information and the feedback. Notifications sometimes fail, best to link this address to favorites until we finish. Let's look at the uninstall list first.
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out of date programs to infect folks more and more,
Here is a small free tool that lets you know when something needs an update if you are interested: https://psi.secunia.com/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.
Adobe Reader 7.1.0 <<< out of date and being exploited, see this:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/
Java(TM) 6 Update 3
Java(TM) 6 Update 5
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php
A couple of comments before I look at the HJT log.
Spyware programs running:
Spyware Terminator, SUPERAntiSpyware, <<< do you own both of these programs
Firewalls:
I see this as probably your Firewall: Online Armor but you also have Zone Alarm running in Services:
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
any particular reason for that? Windows Firewall should be disabled with Online Armor running.
I see the junk running here: O4 - HKLM\..\Run: [Network Host Service] klxtbez32.exe
Let's have combofix take a look, more malware may be hidden.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Thanks
gb_sachs
2008-11-16, 15:07
Pskelley,
could you be the greatest person on earth?
why didnt u run for presidency? with so many people infected by malware...
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
I went over the uninstall list and it looks ok. I took out programs I dont use like safari etc.
https://psi.secunia.com/ While PSI runs in the System Tray for realtime notifications
Great Idea! I installed it and updated evreything that needed to be updated according to this program.
Adobe Reader 7.1.0 <<< out of date and being exploited, see this:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/
I installed the new version (number 9).
Java(TM) 6 Update 3
Java(TM) 6 Update 5
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
I removed the older versions and installed the new one.
A couple of comments before I look at the HJT log.
Spyware programs running:
Spyware Terminator, SUPERAntiSpyware, <<< do you own both of these programs
Yes, I do. you think I should delete them?
Firewalls:
I see this as probably your Firewall: Online Armor but you also have Zone Alarm running in Services:
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
any particular reason for that? Windows Firewall should be disabled with Online Armor running.
Yeah, this sucks man. I had zone alarm ages ago. I uninstalled it and switched to online armor. The other day I saw on the windows task manager that something called vsmon true vector, appears there and takes quite a bit of my memory as well. I tried to delete it but to no avail. I googled it and saw many people had the same problem. One guy advised me to run on safe mode and delete it from system32 or something. I did it and it is no longer in the windows task manager, although apparently, I still was unable to get rid of it. What can I do?
I see the junk running here: O4 - HKLM\..\Run: [Network Host Service] klxtbez32.exe
Let's have combofix take a look, more malware may be hidden.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
OK, I ran the combo fix but I dont think I could find the log. I did a search with windows for a notepad file named combofix and I found this:
ComboFix 08-11-14.01 - qa 2008-11-16 13:40:16.5 - NTFSx86
Running from: C:\Documents and Settings\qa.QA-WIN3\Desktop\ComboFix.exe
Hope its the one.
Here is the new highjackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:02, on 2008-11-16
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Secunia\PSI (RC4)\psi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://video.eurosport.de/eurosport-player/streaming_prd1_lst3.shtml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [MMTrayLSI] MMTrayLSI.exe
O4 - HKLM\..\Run: [MMTray2K] MMTray2k.exe
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF26294.exe /c C:\ComboFix\Combobatch.bat
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-21-2025429265-1390067357-839522115-1003\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User '?')
O4 - HKUS\S-1-5-21-2025429265-1390067357-839522115-1003\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (User '?')
O4 - HKUS\S-1-5-21-2025429265-1390067357-839522115-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-2025429265-1390067357-839522115-1003\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
O4 - HKUS\S-1-5-21-2025429265-1390067357-839522115-1003\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0 (User '?')
O4 - HKUS\S-1-5-21-2025429265-1390067357-839522115-1003\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe" (User '?')
O4 - HKUS\S-1-5-21-2025429265-1390067357-839522115-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-2025429265-1390067357-839522115-1003\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot (User '?')
O4 - HKUS\S-1-5-21-2025429265-1390067357-839522115-1003\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" (User '?')
O4 - HKUS\S-1-5-21-2025429265-1390067357-839522115-1003\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe" (User '?')
O4 - HKUS\S-1-5-21-2025429265-1390067357-839522115-1003\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - S-1-5-21-2025429265-1390067357-839522115-1003 Startup: Secunia PSI (RC4).lnk = C:\Program Files\Secunia\PSI (RC4)\psi.exe (User '?')
O4 - Startup: Secunia PSI (RC4).lnk = C:\Program Files\Secunia\PSI (RC4)\psi.exe
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.download.com
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/24.16/uploader2.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195209670781
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195210056671
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5335/mcfscan.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HAGDYSL - Google - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
--
End of file - 14636 bytes
Thanx so much,
Vote pskelley, to put a stop to malware!
pskelley
2008-11-16, 15:43
why didnt u run for presidency? with so many people infected by malware...
Actually I worry a little about anyone who would want that job right now. They would have to be a great patriot or less that the sharpest knife in the drawer?
Yes, I do. you think I should delete them?
Not of you own them, I hope they work well together, if you experience strange issues, try turning one off and see if the issues improve. Having used the SAS trail version I know it uses a lot of resources.
For your information:
http://www.spywarewarrior.com/viewtopic.php?t=24810
http://www.castlecops.com/t187654-free_spyware_scwnload_a013_com_unknown_questionable.html
For this one: O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
Disable the offending Service
Click Start < Run and type services.msc
Scroll down to TrueVector Internet Monitor and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.
Then look to make sure this folder:
C:\WINDOWS\system32\ZoneLabs <<< is deleted from the computer
OK, I ran the combo fix but I dont think I could find the log. I did a search with windows for a notepad file named combofix and I found this:
C:\ComboFix.txt <<< that log should be right here? If not then something was not run right. Looking at the HJT log now but I need to see that combofix log.
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
This information is a tutorial that may benefit you if you can use it.
How to Install Free version AVG 8.0 without LinkScanner feature
http://russelltexas.com/tutorials/avg8install.htm
That item is missing from the HJT log now but I need to look, as I said, to be sure, let's proceed like this.
BitTorrent DNA <<< Uninstall all p2p programs including this one
http://forums.spybot.info/showthread.php?t=282
If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
Your Spyware tools make block us, SH/SAS, I suggest you turn them off until you finish.
1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
2) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
(no idea what you were doing with SDFix here?)
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
(no idea what you were doing with Combofix here?)
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF26294.exe /c C:\ComboFix\Combobatch.bat
O15 - Trusted Zone: http://www.download.com
(next program is obsolete)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
(may be gone)
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
3) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html
4) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.
Include the log from combofix and tell me how the computer is running.
Thanks
gb_sachs
2008-11-17, 12:20
Thanks so much dude. You rock!
I need to see that combofix log.
ComboFix 08-11-14.01 - qa 2008-11-16 18:09:42.6 - NTFSx86
Running from: c:\documents and settings\qa.QA-WIN3\Desktop\ComboFix.exe
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\qa.QA-WIN3\Application Data\inst.exe
c:\windows\system32\systeminfo3.dll
E:\install.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MSN_RAV
-------\Legacy_MS_COMMON_SERVICE
-------\Service_MS Common Service
((((((((((((((((((((((((( Files Created from 2008-10-16 to 2008-11-16 )))))))))))))))))))))))))))))))
.
2008-11-16 17:58 . 2008-11-16 17:58 142 --a------ c:\windows\system32\spupdsvc.inf
2008-11-16 17:26 . 2007-04-09 13:23 28,040 --a------ c:\windows\system32\mdimon.dll
2008-11-16 17:24 . 2008-11-16 17:24 <DIR> d-------- c:\program files\Microsoft.NET
2008-11-16 17:23 . 2008-11-16 17:23 <DIR> d-------- c:\program files\Microsoft ActiveSync
2008-11-16 17:22 . 2008-11-16 17:23 <DIR> d-------- c:\windows\SHELLNEW
2008-11-16 17:20 . 2008-11-16 17:20 <DIR> d-------- c:\program files\opppenofice2.2
2008-11-16 16:59 . 2008-11-16 17:00 16,450,085 --a------ c:\program files\OOo_2.2.0_he_langpack_en_windows_20070509.exe
2008-11-16 14:16 . 2008-11-16 17:57 <DIR> d-------- c:\windows\LastGood
2008-11-16 12:46 . 2008-11-16 17:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\WinZip
2008-11-16 12:45 . 2008-11-16 12:45 10,511,712 --a------ c:\program files\winzip version 12.exe
2008-11-16 12:23 . 2008-11-16 12:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-16 12:20 . 2008-03-02 09:51 <DIR> d-------- c:\program files\OOo_2.3.1_he_langpack_en_windows_20080302
2008-11-16 12:18 . 2008-11-16 12:18 13,596,592 --a------ c:\program files\spyware doctor 6 setup.exe
2008-11-16 12:14 . 2008-11-16 12:14 23,804,784 --a------ c:\program files\aaw2008.exe
2008-11-16 12:10 . 2008-03-02 09:46 <DIR> d-------- c:\program files\OOo_2.3.1_he_langpack_he_windows_20080302
2008-11-16 12:08 . 2008-11-16 12:13 86,567,705 --a------ c:\program files\OOo_2.0.4_he_install_win_20061107.exe
2008-11-16 12:07 . 2008-11-16 12:07 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-16 12:07 . 2008-11-16 12:07 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-16 12:06 . 2008-11-16 12:19 <DIR> d-------- c:\documents and settings\qa.QA-WIN3\Application Data\vlc
2008-11-16 11:54 . 2008-11-16 11:57 14,618,605 --a------ c:\program files\vlc-0.9.6-win32.exe
2008-11-16 11:51 . 2008-11-16 11:51 16,156,056 --a------ c:\program files\java update1 jre-6u10-windows-i586-p.exe
2008-11-16 11:48 . 2008-11-16 11:48 35,124,856 --a------ c:\program files\AdbeRdr90_en_US.exe
2008-11-16 11:43 . 2008-11-16 11:43 1,851,544 --a------ c:\program files\install_flash_player.exe
2008-11-16 11:43 . 2008-11-16 11:43 1,206,366 --a------ c:\program files\wrar371.exe
2008-11-16 11:35 . 2008-11-16 11:35 <DIR> d-------- c:\program files\Secunia
2008-11-16 11:33 . 2008-11-16 11:33 532,816 --a------ c:\program files\PSISetup-programs that tell u if something needs update.exe
2008-11-15 20:44 . 2008-11-16 12:26 <DIR> d-------- c:\documents and settings\qa.QA-WIN3\Application Data\Babylon
2008-11-15 20:34 . 2008-11-15 20:34 <DIR> d-------- c:\program files\Trend Micro
2008-11-15 20:33 . 2008-11-15 20:33 812,344 --a------ c:\program files\HJTInstall.exe
2008-11-14 13:36 . 2008-11-14 13:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-14 13:34 . 2008-11-14 13:34 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-11-14 13:34 . 2008-11-16 12:21 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-14 13:34 . 2008-11-14 13:34 <DIR> d-------- c:\documents and settings\qa.QA-WIN3\Application Data\SUPERAntiSpyware.com
2008-11-14 13:32 . 2008-11-14 13:33 6,637,592 --a------ c:\program files\SUPERAntiSpyware.exe
2008-11-14 13:31 . 2008-11-14 13:31 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-14 13:31 . 2008-11-14 13:31 <DIR> d-------- c:\documents and settings\qa.QA-WIN3\Application Data\Malwarebytes
2008-11-14 13:31 . 2008-11-14 13:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-14 13:31 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-14 13:31 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-14 13:30 . 2008-11-14 13:30 2,372,472 --a------ c:\program files\mbam-setup.exe
2008-11-14 13:19 . 2008-11-14 13:19 <DIR> d-------- c:\program files\CCleaner
2008-11-14 13:19 . 2008-11-14 13:19 893,096 --a------ c:\program files\ccsetup213_slim.exe
2008-11-14 06:13 . 2008-11-14 06:13 1,529,241 --a------ c:\program files\SDFix.exe
2008-11-12 15:04 . 2008-09-04 18:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 15:04 . 2008-10-24 12:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 21:01 . 2008-11-11 21:01 <DIR> d-------- c:\program files\CloneDVD
2008-11-11 21:01 . 2008-11-11 21:02 <DIR> d-------- c:\documents and settings\qa.QA-WIN3\Application Data\Vso
2008-11-11 21:01 . 2008-11-11 21:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\DVDXStudio
2008-11-11 21:01 . 2008-11-11 21:01 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys
2008-11-11 21:01 . 2008-11-11 21:01 47,360 --a------ c:\documents and settings\qa.QA-WIN3\Application Data\pcouffin.sys
2008-11-11 20:56 . 2008-11-11 20:57 12,311,775 --a------ c:\program files\CloneDVDSetup.exe
2008-11-04 00:22 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-11-02 06:37 . 2008-11-02 06:37 10,252,213 --a------ c:\program files\AVI_ReComp_1.4.4_Setup.exe
2008-11-02 06:36 . 2008-11-02 06:36 948,113 --a------ c:\program files\EFRCSetup.exe
2008-10-27 09:04 . 2008-10-27 09:04 7,808 --a------ c:\windows\system32\drivers\psi_mf.sys
2008-10-25 18:27 . 2008-10-25 18:27 <DIR> d-------- c:\documents and settings\qa.QA-WIN3\Application Data\dvdcss
2008-10-24 10:57 . 2008-10-15 17:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-18 11:01 . 2008-08-14 11:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-18 11:01 . 2008-08-14 11:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-18 11:01 . 2008-08-14 10:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-18 11:01 . 2008-08-14 10:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-18 07:29 . 2008-09-15 13:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-10-18 07:25 . 2008-09-08 11:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-16 17:08 --------- d-----w c:\documents and settings\qa.QA-WIN3\Application Data\Skype
2008-11-16 16:46 --------- d-----w c:\documents and settings\All Users\Application Data\Babylon
2008-11-16 13:25 --------- d-----w c:\documents and settings\qa.QA-WIN3\Application Data\OnlineArmor
2008-11-16 11:38 --------- d-----w c:\program files\Common Files\Adobe
2008-11-16 11:23 --------- d-----w c:\program files\Lavasoft
2008-11-16 11:06 --------- d-----w c:\program files\Java
2008-11-15 16:28 --------- d-----w c:\documents and settings\qa.QA-WIN3\Application Data\BitTorrent
2008-11-15 02:20 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-14 21:42 --------- d-----w c:\documents and settings\qa.QA-WIN3\Application Data\AVI ReComp
2008-11-14 14:01 --------- d-----w c:\program files\EsetOnlineScanner
2008-11-14 10:09 --------- d-----w c:\program files\Mafia
2008-11-14 09:09 --------- d-----w c:\program files\Advanced Spyware Remover
2008-11-14 09:01 --------- d-----w c:\program files\spyware
2008-11-14 07:11 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-02 05:36 --------- d-----w c:\program files\Eusing Free Registry Cleaner
2008-11-01 22:38 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-01 22:36 --------- d-----w c:\documents and settings\qa.QA-WIN3\Application Data\My Games
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 07:40 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-20 22:28 --------- d-----w c:\program files\AVI_ReComp_1.4.3_Setup
2008-10-14 15:37 --------- d-----w c:\program files\iTunes
2008-10-14 15:37 --------- d-----w c:\program files\iPod
2008-10-14 15:37 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-14 15:10 --------- d-----w c:\program files\QuickTime
2008-10-14 15:10 --------- d-----w c:\program files\Bonjour
2008-10-14 15:09 --------- d-----w c:\program files\Common Files\Apple
2008-10-14 09:36 --------- d-----w c:\program files\Spyware Terminator
2008-10-14 09:36 --------- d-----w c:\documents and settings\qa.QA-WIN3\Application Data\Spyware Terminator
2008-10-14 09:36 --------- d-----w c:\documents and settings\All Users\Application Data\Spyware Terminator
2008-10-12 13:15 8,461,992 ----a-w c:\program files\everestultimate460.exe
2008-10-12 13:15 --------- d-----w c:\program files\Lavalys
2008-10-10 11:34 --------- d-----w c:\program files\Sandboxie
2008-10-10 10:53 --------- d-----w c:\program files\Ubisoft
2008-10-10 10:20 --------- d-----w c:\documents and settings\qa.QA-WIN3\Application Data\Gearbox Software
2008-10-09 22:05 --------- d-----w c:\documents and settings\All Users\Application Data\iolo
2008-10-09 21:00 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-06 14:07 --------- d-----w c:\documents and settings\qa.QA-WIN3\Application Data\DNA
2008-10-03 16:15 --------- d-----w c:\program files\Kalypso
2008-10-03 14:09 --------- d-----w c:\program files\a-squared Anti-Malware
2008-09-19 19:50 --------- d-----w c:\program files\Gabest
2008-09-19 19:50 --------- d-----w c:\program files\AVI ReComp
2008-09-19 19:49 --------- d-----w c:\program files\Xvid
2008-09-19 19:49 --------- d-----w c:\program files\AviSynth 2.5
2008-09-19 19:47 8,840,507 ----a-w c:\program files\AVI_ReComp_1.4.3_Setup.zip
2008-09-19 19:06 --------- d-----w c:\program files\DivXLand
2008-09-19 19:05 1,783,574 ----a-w c:\program files\DivXLand_MediaSub_205.exe
2008-09-18 12:36 --------- d-----w c:\program files\eMule0.49b
2008-09-18 12:35 2,918,580 ----a-w c:\program files\eMule0.49b.zip
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-05 22:30 241,704 ------w c:\windows\system32\SET368.tmp
2008-09-05 22:30 1,480,232 ------w c:\windows\system32\SET367.tmp
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-29 08:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 07:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-19 13:32 1,495,112 ----a-w c:\program files\flash player version 9.exe
2008-08-10 08:19 4,891,216 ----a-w c:\program files\plugin to watch online video Silverlight.2.0.exe
2008-08-09 07:15 318,904 ----a-w c:\program files\wmpfirefoxplugin.exe
2008-07-11 04:44 567,096 ----a-w c:\program files\WindowsXP-KB918439-x86-ENU.exe
2008-07-02 08:12 3,558,791 ----a-w c:\program files\youtubedownloader.exe
2008-06-24 12:36 1,725,879 ----a-w c:\program files\CCS64 V3.5 Install.zip
2008-06-24 11:53 1,258,638 ----a-w c:\program files\DOSBox0.72-win32-installer.exe
2008-04-30 08:00 22,300,968 ----a-w c:\program files\SkypeSetup.exe
2008-04-29 15:19 296,446 ----a-w c:\program files\fbhebrew.zip
2008-04-29 13:24 6,039,048 ----a-w c:\program files\Firefox Setup 2.0.0.14.exe
2008-04-29 12:17 106,610 ----a-w c:\program files\bookmarks.html
2008-04-28 16:39 105,906 ----a-w c:\program files\bookmarks-2008-04-29.html
2008-04-26 21:21 8,000,520 ----a-w c:\program files\Picasa2.lnk
2008-04-23 21:14 94,429 ----a-w c:\program files\bookmarks-2008-04-24.html
2008-04-17 11:05 2,972,312 ----a-w c:\program files\photocopierdemo.exe
2008-04-17 10:38 691,200 ----a-w c:\program files\PERF610SCANII235E.EXE
2008-04-06 17:46 874,448 ----a-w c:\program files\BitTorrent-6.0.3.exe
2008-04-03 13:14 1,649,814 ----a-w c:\program files\ProcessExplorer.zip
2008-04-01 23:52 5,831,160 ----a-w c:\program files\rminstall.exe
2008-04-01 23:47 231,390 ----a-w c:\program files\RootkitRevealer.zip
2008-04-01 22:29 491,120 ----a-w c:\program files\smpro_dm.exe
2008-04-01 22:28 34,822,568 ----a-w c:\program files\PD2008_WS.exe
2008-02-27 11:05 3,654,696 ----a-w c:\program files\procexp.exe
2008-02-09 23:18 10,050,902 ----a-w c:\program files\Codecs6030_allin1.exe
2008-02-09 20:12 642,796 ----a-w c:\program files\XviD-1.1.3-28062007.exe
2008-02-09 20:08 1,416,944 ----a-w c:\program files\WM9Codecs.exe
2008-02-05 10:53 1,113,360 ----a-w c:\program files\The_Israeli_Radio.exe
2008-01-23 23:51 195,645 ----a-w c:\program files\unlocker1.8.5.exe
2008-01-19 19:28 12,157,664 ----a-w c:\program files\Babylon7_setup.exe
2008-01-19 19:20 9,628,792 ----a-w c:\program files\TranslateDotNetFullInstall.exe
2008-01-19 19:20 399,661 ----a-w c:\program files\BDicty_EnHeb.zip
2008-01-03 11:53 3,566,536 ----a-w c:\program files\daemon4112-lite.exe
2007-12-10 13:16 739 ----a-w c:\program files\Logitech Print Service.lnk
2007-12-01 11:35 1,735,726 ----a-w c:\program files\love-quotes.exe
2007-11-26 14:18 2,400,784 ----a-w c:\program files\WLinstaller.exe
2007-11-26 12:24 25,755,448 ----a-w c:\program files\wmp11-windowsxp-x86-enu.exe
2007-10-20 10:58 882,600 ----a-w c:\program files\Google Updater.exe
2007-08-31 03:36 72,138 ----a-w c:\program files\procexp.chm
2003-09-30 20:34 38,463 ----a-w c:\program files\Subtitler.vdf
2002-03-03 21:30 29,797 ----a-w c:\program files\readme.txt
2001-09-23 12:46 10,530 ----a-w c:\program files\demo.ssa
2001-09-10 22:58 145,408 ----a-w c:\program files\gray.avi
2001-04-02 00:49 423,936 ----a-w c:\program files\Conversor.exe
2001-04-02 00:41 157 ----a-w c:\program files\Perfiles.ini
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-05-30 21718312]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2008-04-27 512512]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-01-18 196608]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2007-12-29 486856]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-10-06 289088]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-03-11 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-03-11 114688]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-10-08 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-01-18 458752]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SDFix"="c:\sdfix\RunThis.bat" [2008-11-06 964661]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-01-18 217088]
"Babylon Client"="c:\program files\Babylon\Babylon-Pro\Babylon.exe" [2007-10-10 2997984]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-16 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2007-11-16 5029952]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 c:\windows\SOUNDMAN.EXE]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 443968]
c:\documents and settings\qa.QA-WIN3\Start Menu\Programs\Startup\
Secunia PSI (RC4).lnk - c:\program files\Secunia\PSI (RC4)\psi.exe [2008-11-12 728408]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=c:\windows\pss\Google Updater.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APVXDWIN
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSystemAnalyzer
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSN RAV"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
*Newly Created Service* - OSE
.
Contents of the 'Scheduled Tasks' folder
2008-11-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2008-11-15 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 08:42]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
HKLM-Run-RegistryMechanic - (no file)
HKLM-Run-MMTrayLSI - MMTrayLSI.exe
HKLM-Run-MMTray2K - MMTray2k.exe
HKLM-Run-MMTray - MMTray.exe
ShellExecuteHooks-{4F07DA45-8170-4859-9B5F-037EF2970034} - (no file)
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\qa.QA-WIN3\Application Data\Mozilla\Firefox\Profiles\g3a30id7.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/|http://www.ynet.co.il/home/0,7340,L-8,00.html|http://www.google.co.il/|http://www.bbc.co.uk/weather/5day.shtml?world=0053|http://www.toytowngermany.com/forum/index.php?showforum=134
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\DNA\plugins\npbtdna.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npmozax.dll
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-16 18:12:29
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\wbem\secrcw32.mfl 33524 bytes
c:\windows\system32\wbem\secrcw32.mof 58746 bytes
c:\windows\system32\wbem\smtpcons.dll 40960 bytes executable
c:\windows\system32\wbem\smtpcons.mfl 2762 bytes
c:\windows\system32\wbem\smtpcons.mof 4100 bytes
c:\windows\system32\wbem\snmp
c:\windows\system32\wbem\sr.mof 3799 bytes
c:\windows\system32\wbem\stdprov.dll 86528 bytes executable
c:\windows\system32\wbem\subscrpt.mof 2228 bytes
c:\windows\system32\wbem\system.mof 63684 bytes
c:\windows\system32\wbem\texttable.xsl 6000 bytes
c:\windows\system32\wbem\wbemcore.dll 531456 bytes executable
c:\windows\system32\wbem\wbemdisp.dll 178176 bytes executable
c:\windows\system32\wbem\wbemdisp.tlb 59904 bytes executable
c:\windows\system32\wbem\wbemess.dll 273920 bytes executable
c:\windows\system32\wbem\wbemperf.dll 43008 bytes executable
c:\windows\system32\wbem\wbemprox.dll 18944 bytes executable
c:\windows\system32\wbem\wbemsvc.dll 43520 bytes executable
c:\windows\system32\wbem\wbemtest.exe 116224 bytes executable
c:\windows\system32\wbem\wbemupgd.dll 197120 bytes executable
c:\windows\system32\wbem\whqlprov.mof 9632 bytes
c:\windows\system32\wbem\winmgmt.exe 13312 bytes executable
c:\windows\system32\wbem\winmgmtr.dll 16384 bytes executable
c:\windows\system32\wbem\wmi.mfl 4370 bytes
c:\windows\system32\wbem\wmi.mof 10688 bytes
c:\windows\system32\wbem\wmiadap.exe 196608 bytes executable
c:\windows\system32\wbem\wmiapres.dll 6656 bytes executable
c:\windows\system32\wbem\wmiaprpl.dll 88576 bytes executable
c:\windows\system32\wbem\wmiapsrv.exe 126464 bytes executable
c:\windows\system32\wbem\wmic.exe 358912 bytes executable
c:\windows\system32\wbem\wmiclimofformat.xsl 9442 bytes
c:\windows\system32\wbem\wmiclitableformatnosys.xsl 3921 bytes
c:\windows\system32\wbem\wmiclivalueformat.xsl 485 bytes
c:\windows\system32\wbem\wmicookr.dll 60928 bytes executable
c:\windows\system32\wbem\wmidcprv.dll 140800 bytes executable
c:\windows\system32\wbem\wmimsg.dll 61440 bytes executable
c:\windows\system32\wbem\wmipcima.dll 156672 bytes executable
c:\windows\system32\wbem\wmipcima.mfl 28846 bytes
c:\windows\system32\wbem\wmipcima.mof 41402 bytes
c:\windows\system32\wbem\wmipdskq.dll 132096 bytes executable
c:\windows\system32\wbem\wmipdskq.mfl 8210 bytes
c:\windows\system32\wbem\wmipdskq.mof 13342 bytes
c:\windows\system32\wbem\wmipicmp.dll 75264 bytes executable
c:\windows\system32\wbem\wmipicmp.mfl 13926 bytes
scan completed successfully
hidden files: 44
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc21.tmp"
.
Completion time: 2008-11-16 18:13:55
ComboFix-quarantined-files.txt 2008-11-16 17:13:45
ComboFix2.txt 2007-11-23 07:51:08
Pre-Run: 10,369,990,656 bytes free
Post-Run: 10,387,320,832 bytes free
363 --- E O F --- 2008-11-13 02:03:35
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
That item is missing from the HJT log now but I need to look, as I said, to be sure, let's proceed like this.
What item? what does it mean that it is missing from the HJT log?
Your Spyware tools make block us, SH/SAS, I suggest you turn them off until you finish.
I turned the Super anti spyware before doing the scan. Is that not enough? what can I do than?
what program you refer to by SH. To my knowledge I dont have a program with this initials.
(no idea what you were doing with SDFix here?)
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
What do u mean by that? didnt u tell me to download sd fix?
(no idea what you were doing with Combofix here?)
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF26294.exe /c C:\ComboFix\Combobatch.bat
Sorry, I dont understand what you mean. I'm not really advanced in this stuff.
O15 - Trusted Zone: http://www.download.com
(next program is obsolete)
Why is there a link to download.com here?
What do u mean next program is obsolete?
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
(may be gone)
Why do u want me to download that? what is it?
* Please post contents of that file & a new HJT log in your next reply.
1. malwarebytes log:
Malwarebytes'Anti-Malware 1.30
Database version: 1403
Windows 5.1.2600 Service Pack 3
2008-11-17 10:14:03
mbam-log-2008-11-17 (10-14-03).txt
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 149187
Time elapsed: 1 hour(s), 6 minute(s), 29 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detec
2. new highjack log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:38, on 2008-11-17
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://video.eurosport.de/eurosport-player/streaming_prd1_lst3.shtml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-21-2025429265-1390067357-839522115-1003\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User '?')
O4 - HKUS\S-1-5-21-2025429265-1390067357-839522115-1003\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (User '?')
O4 - HKUS\S-1-5-21-2025429265-1390067357-839522115-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-2025429265-1390067357-839522115-1003\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
O4 - HKUS\S-1-5-21-2025429265-1390067357-839522115-1003\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe" (User '?')
O4 - HKUS\S-1-5-21-2025429265-1390067357-839522115-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-2025429265-1390067357-839522115-1003\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot (User '?')
O4 - HKUS\S-1-5-21-2025429265-1390067357-839522115-1003\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" (User '?')
O4 - HKUS\S-1-5-21-2025429265-1390067357-839522115-1003\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - S-1-5-21-2025429265-1390067357-839522115-1003 Startup: Secunia PSI (RC4).lnk = C:\Program Files\Secunia\PSI (RC4)\psi.exe (User '?')
O4 - Startup: Secunia PSI (RC4).lnk = C:\Program Files\Secunia\PSI (RC4)\psi.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/24.16/uploader2.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195209670781
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195210056671
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5335/mcfscan.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HAGDYSL - Google - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
--
End of file - 13220 bytes
Do u need also the new combofix log i did after running atf, malwarebytes and highjackthis?
If its ok i have another issue I would like to ask u about: I have a lot of files in my computer (and its not just in one hardrive) that I cannot delete. I get the message that the files r being used by another program. It happens when I move this files or folders from one folder to another. after doing this, I can only remove them with a program called unlocker, but even after the files have been deleted, the [B][I][I]folders cannot be deleted, and sometimes not even accessed. I get the same message that the files r being used by another program. I tryed evreything (e.g., running on safe mode and trying to delete, or anything else posted on the net on this matter but to no avail. I guess if you can solve this you are not a human being but the angel or the god of malware.
I shall from now on pray for u, oh might god.
pskelley
2008-11-17, 16:37
What item? what does it mean that it is missing from the HJT log?
O4 - HKLM\..\Run: [Network Host Service] klxtbez32.exe
SH: Sorry, meant Spyware Terminator, but I did specify:
Your Spyware tools make block us,
What do u mean by that? didnt u tell me to download sd fix?
NO I DID NOT, in fact this was some of the first information I posted:
Do NOT run 'FIXES' before helpers have analyzed the HJT log
http://forums.spybot.info/showthread.php?t=16806
You are making this much harder than it is, please read the directions and follow them, that is all you need to do.
O15 - Trusted Zone: http://www.download.com <<< because it does not belong in the trusted zone
(next program is obsolete)
What do u mean next program is obsolete?
THIS >>> ewido <<< is obsolete and has been for a long time.
HJT and MBAM are both clean of malware.
Your question >>> If you are positive the files are bad, then try this tool:
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
You can also try to delete bad files in safe mode when they are not running:
http://spyware-free.us/tutorials/safemode/
Remove combofix from the computer like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Clean the System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
http://users.telenet.be/bluepatchy/miekiemoes/Links.html
gb_sachs
2008-11-17, 18:02
Hi,
Thanx again for your help.
I'm sorry that u seem to think I don't take it seriously or don't follow your instructions. I think that it is normal to have confusions when having only written communications, especially considering I'm far than being an expert. No offense dude, but sometimes your instructions or explanations were not so clear or informative (No offense0. for example:
O15 - Trusted Zone: http://www.download.com
which means:
"it does not belong in the trusted zone"
With regards to sdfix and what you said:
NO I DID NOT, in fact this was some of the first information I posted:
Actually, in the first post (the one posted some time ago) you told me to:
"Download SDFix and run it.
http://downloads.andymanchesta.com/R...ools/SDFix.exe"
you can see the post here:
http://forums.spybot.info/showthread.php?t=33537
In your last post you told me to download this:
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
(may be gone)
I asked: "Why do u want me to download that? what is it?" but U didn't answer. In any cas I downloaded this ewido thing, so if its not important than don't answer that.
Your question >>> If you are positive the files are bad, then try this tool:
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
What question do u mean? the last one about not being able to delete the files? if so, than I don't think the files are bad. It can happen with any file. it only happens when i try to move them.
What tool did u mean? the link shows me the tutorial to highkack this. with my knowledge of pc's i think i better stay away.
You can also try to delete bad files in safe mode when they are not running:
http://spyware-free.us/tutorials/safemode/
As I said before, I tried that but to no avail. but thanx.
You asked me before how my pc is running? well, it's actually worse than before. It now sometimes freezes completely, something that didn't happen before. I did a check with adware 2008 and found win32.worm.kdcrypt. I deleted it but since than my computer completely froze 3 times. maybe it is as u say a problem of having to many spywares together. Ill take some off and keep spybot and adware. what do u think?
Also, I don't know if its important but while i was running combofix i get something like 10 different messages that say things like this: c:windows\system32\wbem is corrupt...
I also get some of these messages when I startup my pc.
is that normal?
Thank you for your help. i still support your candidacy.
pskelley
2008-11-17, 18:09
wbem: here is the Google, have a look at that information.
http://www.google.com/search?hl=en&q=wbem&btnG=Google+Search&aq=f&oq=
I don't think I can help you with these issues, give one of these forums a try for Windows issues.
http://www.bleepingcomputer.com/forums/forum56.html
http://www.techsupportforum.com/microsoft-support/windows-xp-support/
Thanks
gb_sachs
2008-11-18, 12:30
Hey man,
I was wondering? could you have another look at my computer? its not working well at all. It freezes completely all the time (something that didn't happen before) and all i can do is restart it.
Cheers,
Gabriel.
pskelley
2008-11-18, 15:25
Gabriel, I will say once again that I am not convinced malware has anything to do with your issues and I believe it is likely hardware/software causing it. It could even be a situation where Spyware Terminator and SUPERAntiSpyware are conflicting and causing the issues. You also appear to have used this tool:
c:\program files\Eusing Free Registry Cleaner
See this: Registry Cleaners, not recommended
http://forums.spybot.info/showthread.php?t=30113
I provided you with links to excellant Windows forums and there is a good possibility it may take a repair install or a complete reinstallation of the operating system, or even a reformat to correct these issues if damage was done to your registry. We remove malware here and once that is done my expertise, since I have been away from general troubleshooting for ten years (because malware requires your full attention) is very limited, hense the referal to experts with Windows XP. Having said all of that, I will continue to look a bit, if you will follow the directions. I do not need a running commentary, just the directions followed and a comment when you can not follow them and for what reason. By now you should have removed that old version of combofix, I may want to look at a scan from a newer version, but please start like this:
Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
http://images.malwareremoval.com/random/RSIT.exe
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Thanks...Phil
gb_sachs
2008-11-19, 19:40
Hi Phill,
Maybe you are right and it is a software problem, but thanx a lot for having a look.
I wasnt able to run RSIT.exe. I get: "wbemcomn.dll was not found, re-installing the application may fix the problem". and another message titled "Autolt Error" that says: Error: Incorrect numer of parameters in function call"
I'll just say that I get other weird messages. for example when the computer starts. messages like: wbem is not working properly (or something like this) please run checkdisk utility". Perhaps these things could be connected?
Cheers,
Gabriel.
Gabriel, I will say once again that I am not convinced malware has anything to do with your issues and I believe it is likely hardware/software causing it. It could even be a situation where Spyware Terminator and SUPERAntiSpyware are conflicting and causing the issues. You also appear to have used this tool:
c:\program files\Eusing Free Registry Cleaner
See this: Registry Cleaners, not recommended
http://forums.spybot.info/showthread.php?t=30113
I provided you with links to excellant Windows forums and there is a good possibility it may take a repair install or a complete reinstallation of the operating system, or even a reformat to correct these issues if damage was done to your registry. We remove malware here and once that is done my expertise, since I have been away from general troubleshooting for ten years (because malware requires your full attention) is very limited, hense the referal to experts with Windows XP. Having said all of that, I will continue to look a bit, if you will follow the directions. I do not need a running commentary, just the directions followed and a comment when you can not follow them and for what reason. By now you should have removed that old version of combofix, I may want to look at a scan from a newer version, but please start like this:
Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
http://images.malwareremoval.com/random/RSIT.exe
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Thanks...Phil
pskelley
2008-11-19, 20:07
I posted this link before:
http://www.google.com/search?hl=en&q=wbem&btnG=Google+Search&aq=f&oq=
Here is a Google search engine for you: http://www.google.com/
wbemcomn.dll was not found, re-installing the application may fix the problem.
http://www.google.com/search?hl=en&q=wbemcomn.dll+was+not+found%2C+re-installing+the+application+may+fix+the+problem.&btnG=Search
http://www.google.com/search?hl=en&q=wbem+is+not+working+properly+&btnG=Search
http://www.google.com/search?hl=en&q=wbemcomn.dll+was+not+found&btnG=Search
http://www.google.com/search?hl=en&q=wbemcomn.dll+error+messages&btnG=Search
http://www.processlibrary.com/directory/files/wbemcomn/28317 <<< see this, you can also try System File Checker in the event a file has been deleted or corrupted:
http://dwightblackburn.com/winxp/ <<< tutorial
gb_sachs
2008-11-20, 00:32
Thanks for your quick reply.
I tried reading this links u send me about wbem and I don't understand anything. I also try the other links you send me but the problem persists.
I cannot install the program you sent me in the previous post.
Unless you have another idea, since it seems to be a software problem, I will try the other forums you sent me.
Thanx for all your help dude. At least you helped me clean up my computer!
you're doing a very important job and it's really appreciated.
cheers mate,
Gabriel.
I posted this link before:
http://www.google.com/search?hl=en&q=wbem&btnG=Google+Search&aq=f&oq=
Here is a Google search engine for you: http://www.google.com/
wbemcomn.dll was not found, re-installing the application may fix the problem.
http://www.google.com/search?hl=en&q=wbemcomn.dll+was+not+found%2C+re-installing+the+application+may+fix+the+problem.&btnG=Search
http://www.google.com/search?hl=en&q=wbem+is+not+working+properly+&btnG=Search
http://www.google.com/search?hl=en&q=wbemcomn.dll+was+not+found&btnG=Search
http://www.google.com/search?hl=en&q=wbemcomn.dll+error+messages&btnG=Search
http://www.processlibrary.com/directory/files/wbemcomn/28317 <<< see this, you can also try System File Checker in the event a file has been deleted or corrupted:
http://dwightblackburn.com/winxp/ <<< tutorial