Virtumonde / Vundo infestation
the Jack
2008-11-21, 19:57
I got my laptop infected sometime last week. Usually I use Firefox (2.0.0.18) with NoScript but I foolishly used IE -- for the first time in years -- to visit what I thought would be a trustworthy site (OkCupid) to look at a quiz. Soon I was being plagued with popups, though at least they defaulted into Firefox where I had some protection.
Unfortunately I've spent most of this week trying to fix it myself. I ran an AVG scan Sunday night / Monday morning and thought that had fixed it. The popups laid low for awhile, then started up again with a vengeance Monday evening, so I checked CNet's recs and downloaded HijackThis. I checked everything it found against reliable-site search results to figure out what was malware, and thought *that* had fixed it.
When it became obvious I was still infected with something causing popups and HJT wasn't finding it, I went back to CNet and gave Spybot Search and Destroy a try. Unlike HJT, Spybot found Virtumonde files and registry keys, along with some other malware probably allowed in by Vundo.
Over the last 2 days I've run I don't know how many Spybot scans, clicked 'fix', and rebooted only to find the virtumonde traces (or new copies) still there. I tried rebooting into safe mode, scanning and rebooting from safe mode, etc. I also looked at some of the Spybot 'tools' though I left most of what came up there alone.
It wasn't until I'd run Spybot scans and 'fixes' multiple times that I looked for more information about why I was still infected and found out I shouldn't have done it at all. Oops. I did save the very first HijackThis log under a unique filename, and the last one I did yesterday, too. I'm going to paste today's log in this post, but I can easily post the previous ones if they'd be useful.
HJT is now crashing whenever I run a scan, but the logfile does get saved and appears complete.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:16:17 PM, on 11/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Digital Media Reader\shwicon2k.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Mozilla\Firefox\firefox.exe
C:\Program Files\Mozilla\Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL__BHODemonDisabled (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: wbsys.dll,avgrsstx.dll urvwcg.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
--
End of file - 4658 bytes
And since I still have it open from this morning's scan, here's what Search & Destroy found...
Virtumonde: [SBI $779C9C0D] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP
Virtumonde: [SBI $FD08B4B7] Configuration file (File, nothing done)
C:\WINDOWS\system32\wyyyyGgh.ini2
Virtumonde: [SBI $2A2DCEAC] Configuration file (File, nothing done)
C:\WINDOWS\system32\wyyyyGgh.ini
--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---
2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDFiles.exe (1.6.0.4)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDShred.exe (1.0.2.3)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-09-16 TeaTimer.exe (1.6.3.25)
2008-11-20 unins000.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2008-10-22 advcheck.dll (1.6.2.13)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-10-22 Tools.dll (2.1.6.8)
2008-11-04 Includes\Adware.sbi (*)
2008-11-18 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-09-02 Includes\Dialer.sbi (*)
2008-09-09 Includes\DialerC.sbi (*)
2008-07-23 Includes\HeavyDuty.sbi (*)
2008-11-18 Includes\Hijackers.sbi (*)
2008-11-18 Includes\HijackersC.sbi (*)
2008-09-09 Includes\Keyloggers.sbi (*)
2008-11-18 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-11-18 Includes\Malware.sbi (*)
2008-11-18 Includes\MalwareC.sbi (*)
2008-11-03 Includes\PUPS.sbi (*)
2008-11-11 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-18 Includes\Security.sbi (*)
2008-10-23 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-11-04 Includes\Spyware.sbi (*)
2008-11-11 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2008-11-04 Includes\Trojans.sbi (*)
2008-11-18 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
I know I'll have to disable TeaTimer, but I'd rather wait until I have specific instructions. (I rather like the idea that suspect processes will get stopped in the meantime!) I'm actually pretty worried about more malware getting onto my laptop while I'm online. I'm quite ready to uninstall or at least disable IE. I only use webmail but installed Thunderbird just so Outlook wasn't the default email program. If anyone knows whether Virtumonde / Vundo can possibly exploit a Trillian (chat) connection, I'd like to know whether that's safe or should stay off until I'm done 'cleaning house.' If there's any particular steps I can take to protect the desktop computer (so far unaffected) which serves as local network server, I'd appreciate instructions for that, too.
For now I seem to have found a way to prevent popups from connecting: even though NoScript was blocking most or all of the pages' contents, I used 'Force the following sites to use secure (HTTPS) connections' in NoScript's Options | Advanced | HTTPS tab and entered the addresses the Vundo popups were trying to load to (70-dot-38-dot-98-dot-32 and 85-dot-12-dot-43-dot-70) which has had the effect of the site refusing the connection whenever a popup hits me. If doing that was more dangerous than letting the popups connect, obviously, please let me know.
Thanks in advance. Sorry this is long, but I figured more info should make it easier for someone to help me. (:
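The O20 AppInit_DLLs line in the log above is the persistence point worth looking at first: every DLL named there is loaded into each process that links user32.dll. The following triage helper is an added example, not code from the thread or from any of the tools mentioned; it parses the O2/O20 lines of a HijackThis log, flags entries that are missing their file or not on a small allowlist (the allowlist of WindowBlinds, AVG and ATI names is an assumption for the example), and cross-references each flagged DLL against RSIT's "files created" list to find companion files dropped at the same moment. The sample lines are copied from the logs posted in this thread.

```python
"""Triage helper for HijackThis (HJT) and RSIT logs. Added example, not part of the thread."""
from __future__ import annotations

import re
from datetime import datetime

# Constructed sample: lines copied from the HJT and RSIT logs posted in this thread.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {2DC54C3E-B295-4011-881E-C55E84FAE475} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - AppInit_DLLs: wbsys.dll,avgrsstx.dll urvwcg.dll izmezl.dll
O20 - Winlogon Notify: nnnoNHBT - nnnoNHBT.dll (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

RSIT_SAMPLE = r"""
2008-11-22 10:21:30 ----A---- C:\WINDOWS\system32\izmezl.dll
2008-11-22 10:21:28 ----A---- C:\WINDOWS\system32\uqcybcot.dll
2008-11-20 19:24:53 ----ASH---- C:\WINDOWS\system32\dfqrkvjo.ini
2008-11-20 17:50:59 ----A---- C:\WINDOWS\system32\urvwcg.dll
2008-11-20 17:50:58 ----A---- C:\WINDOWS\system32\utynqups.dll
2008-11-19 00:18:59 ----D---- C:\Program Files\Trend Micro
2008-11-16 21:45:47 ----A---- C:\WINDOWS\system32\avgrsstx.dll
"""

# Assumption for the example: entries this machine legitimately has (WindowBlinds, AVG, ATI).
KNOWN_APPINIT = {"wbsys.dll", "avgrsstx.dll"}
KNOWN_NOTIFY = {"atiextevent", "wbsrv"}


def split_appinit(value: str) -> list[str]:
    """AppInit_DLLs is one REG_SZ; Windows accepts spaces and/or commas as separators."""
    return [p for p in re.split(r"[ ,]+", value.strip()) if p]


def triage_hjt(text: str) -> list[tuple[str, str, str]]:
    """Return (section, item, reason) for HJT lines that deserve a closer look."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"O20 - AppInit_DLLs:\s*(.*)$", line)
        if m:
            for dll in split_appinit(m.group(1)):
                if dll.lower() not in KNOWN_APPINIT:
                    findings.append(("O20 AppInit_DLLs", dll,
                                     "unknown DLL loaded into every user32-linked process"))
            continue
        m = re.match(r"O20 - Winlogon Notify:\s*(\S+)\s+-\s+(.*)$", line)
        if m:
            name, target = m.groups()
            if name.lower() not in KNOWN_NOTIFY or "(file missing)" in target:
                findings.append(("O20 Winlogon Notify", name, "unknown notify package: " + target))
            continue
        m = re.match(r"O2 - BHO:\s*(.*?)\s+-\s+(\{[0-9A-Fa-f-]{36}\})\s+-\s+(.*)$", line)
        if m:
            name, clsid, path = m.groups()
            if name == "(no name)" or path == "(no file)":
                findings.append(("O2 BHO", clsid, "orphaned BHO registration (" + path + ")"))
    return findings


# RSIT "files/folders created" line: timestamp, dash-padded attribute flags, path.
RSIT_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) -+([A-Z]*)-+ (.+)$")


def parse_rsit_created(text: str) -> list[tuple[datetime, str, str]]:
    """Parse RSIT created-file lines into (timestamp, attributes, path)."""
    out = []
    for line in text.splitlines():
        m = RSIT_LINE.match(line.strip())
        if m:
            out.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)))
    return out


def dropped_with(rsit_text: str, filename: str, window_s: int = 60) -> list[str]:
    """Paths created within window_s seconds of filename. Droppers write their companion
    files in one go, so siblings of a flagged DLL are usually part of the same infection."""
    entries = parse_rsit_created(rsit_text)
    suffix = "\\" + filename.lower()
    anchors = [t for t, _, p in entries if p.lower().endswith(suffix)]
    siblings = set()
    for t0 in anchors:
        for t, _, p in entries:
            if abs((t - t0).total_seconds()) <= window_s and not p.lower().endswith(suffix):
                siblings.add(p)
    return sorted(siblings)


def report(hjt_text: str, rsit_text: str) -> dict[str, list[str]]:
    """Map each flagged HJT item to the RSIT files dropped alongside it (if it is a DLL)."""
    return {item: (dropped_with(rsit_text, item) if item.lower().endswith(".dll") else [])
            for _, item, _ in triage_hjt(hjt_text)}


if __name__ == "__main__":
    for section, item, reason in triage_hjt(HJT_SAMPLE):
        print(f"{section}: {item} -> {reason}")
    for item, siblings in report(HJT_SAMPLE, RSIT_SAMPLE).items():
        print(f"{item}: dropped with {siblings}")
```

Running it on the sample flags urvwcg.dll and izmezl.dll from AppInit_DLLs and pairs each with the second DLL written two seconds earlier, which is why a cleanup that only deletes the DLL named in the registry keeps coming back.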
Hello and Welcome to Safer Networking
My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.
Please observe these rules while we work:
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Please continue to respond until I give you the "All Clear"
If you follow these instructions, everything should go smoothly.
1 - Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) and save it to your desktop.
alternate download link 1 (http://malwarebytes.gt500.org/mbam-setup.exe)
alternate download link 2 (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double-click on Download_mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here (http://www.malwarebytes.org/mbam/database/mbam-rules.exe) and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform full scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
Click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
2 - Download and Run RSIT
Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (will be maximized) and info.txt (will be minimized).
3 - Status Check
Please reply with
1. the logs from RSIT (log.txt, info.txt)
2. the Malwarebytes' Anti-Malware Log
Thanks peku006
the Jack
2008-11-23, 00:17
Thanks for your help, peku006!
1. the logs from RSIT (log.txt, info.txt)
Logfile of random's system information tool 1.04 (written by random/random)
Run by Owner at 2008-11-22 16:51:25
Microsoft Windows XP Professional Service Pack 2
System drive C: has 48 GB (67%) free of 72 GB
Total RAM: 446 MB (10% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:52:05 PM, on 11/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Digital Media Reader\shwicon2k.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla\Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Owner.tobeannounced\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Owner.exe
O2 - BHO: (no name) - {2DC54C3E-B295-4011-881E-C55E84FAE475} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (disabled by BHODemon)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll (disabled by BHODemon)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll (disabled by BHODemon)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL__BHODemonDisabled (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: wbsys.dll,avgrsstx.dll urvwcg.dll izmezl.dll
O20 - Winlogon Notify: nnnoNHBT - nnnoNHBT.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
--
End of file - 5280 bytes
======Scheduled tasks folder======
C:\WINDOWS\tasks\ISP signup reminder 1.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2DC54C3E-B295-4011-881E-C55E84FAE475}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-11-16 2055960]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar3.dll [2007-01-19 2403392]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll [2008-10-15 737776]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar3.dll [2007-01-19 2403392]
{A057A204-BACC-4D26-9990-79A187E2698E} - AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-11-16 2055960]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe [2005-08-05 64512]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-04-14 344064]
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2004-11-05 98394]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2004-11-05 688218]
"SunKist"=C:\Program Files\Digital Media Reader\shwicon2k.exe [2004-05-26 139264]
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE [2002-09-14 212992]
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe [2005-09-26 169984]
"MSKDetectorExe"=C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall []
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2007-03-15 185896]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-11-16 1234712]
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-06-16 68856]
"updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2006-03-30 313472]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2007-03-12 153136]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1147261400\EE\AOLHostManager.exe []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\McAgent.exe []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
c:\PROGRA~1\mcafee.com\agent\McUpdate.exe []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2007-03-09 153136]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
C:\Program Files\McAfee.com\VSO\oasclnt.exe []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
C:\WINDOWS\Creator\Remind_XP.exe [2005-02-25 966656]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe /checktask []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL TopSpeedMonitor"=2
"AOL ACS"=2
"NBService"=3
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="wbsys.dll,avgrsstx.dll urvwcg.dll izmezl.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2005-04-15 46080]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnoNHBT]
nnnoNHBT.dll []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll [2006-10-10 135168]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\AVG Free\avginet.exe"="C:\Program Files\AVG Free\avginet.exe:*:Enabled:avginet.exe"
"C:\Program Files\AVG Free\avgamsvr.exe"="C:\Program Files\AVG Free\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\Program Files\AVG Free\avgcc.exe"="C:\Program Files\AVG Free\avgcc.exe:*:Enabled:avgcc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\Trillian\trillian.exe"="C:\Program Files\Trillian\trillian.exe:*:Enabled:Trillian"
"C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:*:Disabled:RealPlayer"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
======List of files/folders created in the last 1 months======
2008-11-22 16:51:25 ----D---- C:\rsit
2008-11-22 10:21:30 ----A---- C:\WINDOWS\system32\izmezl.dll
2008-11-22 10:21:28 ----A---- C:\WINDOWS\system32\uqcybcot.dll
2008-11-22 09:15:24 ----D---- C:\Documents and Settings\Owner.tobeannounced\Application Data\Malwarebytes
2008-11-22 09:14:37 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-11-22 09:14:36 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-11-20 19:24:53 ----ASH---- C:\WINDOWS\system32\dfqrkvjo.ini
2008-11-20 17:50:59 ----A---- C:\WINDOWS\system32\urvwcg.dll
2008-11-20 17:50:58 ----A---- C:\WINDOWS\system32\utynqups.dll
2008-11-20 15:24:28 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-11-20 15:24:28 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-20 15:17:58 ----A---- C:\Program Files\Firefox Setup 3.0.4.exe
2008-11-20 14:55:46 ----A---- C:\Program Files\spybotsd160.exe
2008-11-19 17:47:45 ----A---- C:\WINDOWS\system32\tkyidnup.dll
2008-11-19 17:47:40 ----A---- C:\WINDOWS\system32\dicfui.dll
2008-11-19 17:47:39 ----A---- C:\WINDOWS\system32\okbnyqsf.dll
2008-11-19 00:18:59 ----D---- C:\Program Files\Trend Micro
2008-11-19 00:17:40 ----A---- C:\Program Files\HJTInstall.exe
2008-11-16 21:45:47 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2008-11-16 14:57:42 ----A---- C:\WINDOWS\system32\7fbe8265-.txt
======List of files/folders modified in the last 1 months======
2008-11-22 16:05:55 ----D---- C:\WINDOWS\system32
2008-11-22 16:04:51 ----D---- C:\WINDOWS\Registration
2008-11-22 16:04:39 ----A---- C:\WINDOWS\ModemLog_AC97 Soft Data Fax Modem with SmartCP.txt
2008-11-22 16:03:58 ----D---- C:\WINDOWS\Temp
2008-11-22 16:02:52 ----D---- C:\WINDOWS
2008-11-22 15:58:30 ----D---- C:\WINDOWS\system32\drivers
2008-11-22 15:57:44 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-22 15:55:21 ----D---- C:\Program Files\Trillian
2008-11-22 09:14:36 ----RD---- C:\Program Files
2008-11-21 05:37:12 ----A---- C:\WINDOWS\ntbtlog.txt
2008-11-21 02:32:27 ----A---- C:\WINDOWS\wininit.ini
2008-11-20 15:30:18 ----D---- C:\Program Files\Mozilla
2008-11-20 14:19:09 ----D---- C:\WINDOWS\Prefetch
2008-11-20 10:47:49 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-19 03:01:00 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-11-17 17:26:55 ----A---- C:\WINDOWS\win.ini
2008-11-17 06:19:50 ----HD---- C:\$AVG8.VAULT$
2008-11-12 19:21:34 ----D---- C:\WINDOWS\Minidump
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2004-08-11 39424]
R1 AvgLdx86;AVG AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-11-16 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-11-16 26824]
R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2007-01-24 44288]
R1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2004-11-10 24832]
R2 AvgTdiX;AVG8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2008-11-16 76040]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-10 60800]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-04-15 1130496]
R3 CAMCAUD;Conexant AMC Audio; C:\WINDOWS\system32\drivers\camc6aud.sys [2005-06-06 38144]
R3 CAMCHALA;CAMCHALA; C:\WINDOWS\system32\drivers\camc6hal.sys [2005-06-06 352000]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-04 14080]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2004-12-15 1038208]
R3 HSFHWATI;HSFHWATI; C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2004-12-15 200192]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-10 61824]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2004-11-05 185824]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-10 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2004-12-15 703232]
R3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller; C:\WINDOWS\system32\DRIVERS\yk51x86.sys [2005-03-30 230400]
S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\system32\DRIVERS\p3.sys [2004-08-10 42496]
S3 AMDMSRIO;AMDMSRIO; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Safe To Delete 3_0_4_8\AMDMSRIO.sys []
S3 BCM43XX;Broadcom 802.11 Network Adapter Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2005-02-12 371712]
S3 EMCFILT;Alcor Micro Corp for Emachine- 9361; \??\C:\WINDOWS\System32\Drivers\EMcFilt.sys []
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 mxnic;Macronix MX987xx Family Fast Ethernet NT Driver; C:\WINDOWS\system32\DRIVERS\mxnic.sys [2001-08-17 19968]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-04 1897408]
S3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-10 26496]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-10 20480]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2005-04-15 364544]
R2 avg8emc;AVG8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-11-16 875288]
R2 avg8wd;AVG8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-11-16 231704]
R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2005-08-05 235520]
R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-05 102912]
R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-04-25 138168]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2004-08-10 14336]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-03-12 271920]
S3 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
S4 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-03-14 779824]
S4 PrismXL;PrismXL; C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS [2006-05-10 172032]
-----------------EOF-----------------
info.txt logfile of random's system information tool 1.04 2008-11-22 16:52:22
======Uninstall list======
-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
-->C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
-->C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->C:\WINDOWS\UNRecode.exe /UNINSTALL
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Abra Academy-->C:\PROGRA~1\Games\SHOCKW~1\ABRAAC~1\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\ABRAAC~1\INSTALL.LOG
Ad-Aware SE Personal-->C:\PROGRA~1\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\AD-AWA~1\INSTALL.LOG
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop 7.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 7.0.9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Ancient Mosaic-->C:\PROGRA~1\Games\SHOCKW~1\ANCIEN~1\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\ANCIEN~1\INSTALL.LOG
AquaPark-->C:\PROGRA~1\Games\SHOCKW~1\AquaPark\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\AquaPark\INSTALL.LOG
Athlon 64 Processor Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x9
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Aveyond-->C:\PROGRA~1\Games\SHOCKW~1\Aveyond\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\Aveyond\INSTALL.LOG
AVG Free 8.0-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Azteca-->C:\PROGRA~1\Games\SHOCKW~1\Azteca\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\Azteca\INSTALL.LOG
Bengal: Game of Gods-->C:\PROGRA~1\Games\SHOCKW~1\BENGAL~1\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\BENGAL~1\INSTALL.LOG
BigFix-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\BigFix\Uninst.isu" -c"C:\Program Files\BigFix\Lib\UninstallHelper.dll"
Bliss Island(TM)-->C:\PROGRA~1\Games\SHOCKW~1\BLISSI~1\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\BLISSI~1\INSTALL.LOG
Boggle® Supreme-->C:\PROGRA~1\Games\SHOCKW~1\BOGGLE~1\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\BOGGLE~1\INSTALL.LOG
Buzzy Bumble-->C:\PROGRA~1\Games\SHOCKW~1\BUZZYB~1\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\BUZZYB~1\INSTALL.LOG
CDisplay 1.8-->"C:\Program Files\CDisplay\unins000.exe"
Charm Tale-->C:\PROGRA~1\Games\SHOCKW~1\CHARMT~1\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\CHARMT~1\INSTALL.LOG
Conexant AC-Link Audio-->C:\Program Files\CONEXANT\CNXT_AUDIO\HXFSETUP.EXE -U -IARI2045A.INF
Cosmic Stacker-->C:\PROGRA~1\Games\SHOCKW~1\COSMIC~1\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\COSMIC~1\INSTALL.LOG
Digital Media Reader-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{A607AC66-0C76-4519-9751-E12A93BF8EB2}
Dragon Maze 1.0-->"C:\Program Files\Games\Sandlot Games\Dragon Maze\unins000.exe"
Dream Chronicles(TM)-->C:\PROGRA~1\Games\SHOCKW~1\DREAMC~1\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\DREAMC~1\INSTALL.LOG
Elven Mists-->C:\PROGRA~1\Games\SHOCKW~1\ELVENM~1\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\ELVENM~1\INSTALL.LOG
Fairy Jewels-->C:\PROGRA~1\Games\SHOCKW~1\FAIRYJ~1\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\FAIRYJ~1\INSTALL.LOG
Feeding Frenzy® 2: Shipwreck Showdown-->C:\PROGRA~1\Games\SHOCKW~1\FEEDIN~1\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\FEEDIN~1\INSTALL.LOG
Fiber Twig 2: Restoration of Magic Garden-->C:\PROGRA~1\Games\SHOCKW~1\FIBERT~1\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\FIBERT~1\INSTALL.LOG
FizzBall-->C:\PROGRA~1\Games\SHOCKW~1\FizzBall\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\FizzBall\INSTALL.LOG
Game Maker 7.0-->C:\Program Files\Game Maker 7.0\Uninstal.exe
Glyph(TM)-->C:\PROGRA~1\Games\SHOCKW~1\Glyph\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\Glyph\INSTALL.LOG
Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar3.dll"
GTK+ 2.10.6-1 runtime environment-->"C:\Program Files\Common Files\GTK\2.0\setup\unins000.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Player 10 (KB903157)-->"C:\WINDOWS\$NtUninstallKB903157$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB888795)-->"C:\WINDOWS\$NtUninstallKB888795$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB891593)-->"C:\WINDOWS\$NtUninstallKB891593$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB895961)-->"C:\WINDOWS\$NtUninstallKB895961$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB899337)-->"C:\WINDOWS\$NtUninstallKB899337$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB899510)-->"C:\WINDOWS\$NtUninstallKB899510$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB902841)-->"C:\WINDOWS\$NtUninstallKB902841$\spuninst\spuninst.exe"
Inform 7-->"C:\Program Files\Games\Interactive Fiction\Inform 7\Uninstall.exe"
J2SE Runtime Environment 5.0 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
KeyTweak - Keyboard Remapper (remove only)-->"C:\Program Files\KeyTweak\uninstall.exe"
Luck Charm Deluxe-->C:\PROGRA~1\Games\SHOCKW~1\LUCKCH~1\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\LUCKCH~1\INSTALL.LOG
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft Digital Image Starter Edition 2006-->"C:\Program Files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe" ADDREMOVE=1 SKU=TRIAL VERSION=11
Microsoft Money 2005-->C:\Program Files\Microsoft Money 2005\MNYCoreFiles\Setup\uninst.exe /s:120
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works-->MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Mozilla Firefox (2.0.0.18)-->C:\Program Files\Mozilla\Firefox\uninstall\helper.exe
Mozilla Firefox (3.0.4)-->C:\Program Files\Mozilla\Firefox 3\uninstall\helper.exe
Mozilla Thunderbird (1.5)-->C:\Program Files\Mozilla\Thunderbird\uninstall\uninstall.exe /ua "1.5 (en-US)"
Napster Burn Engine-->MsiExec.exe /I{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}
Napster-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BBBCAE4B-B416-4182-A6F2-438180894A81}\setup.exe" -l0x9
Nero 7 Ultra Edition-->MsiExec.exe /I{43FFE159-3199-4188-A1CD-629166AD1033}
Nero BurnRights-->C:\WINDOWS\UNNeroBurnRights.exe /UNINSTALL
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Oasis(TM)-->C:\PROGRA~1\Games\SHOCKW~1\Oasis\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\Oasis\INSTALL.LOG
Ocean Express-->C:\PROGRA~1\Games\SHOCKW~1\OCEANE~1\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\OCEANE~1\INSTALL.LOG
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime-->C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Reaxxion-->C:\PROGRA~1\Games\SHOCKW~1\Reaxxion\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\Reaxxion\INSTALL.LOG
Rhye's of Civilization Expanded-->C:\Program Files\Games\Sid Meier's Civilization III\uninstall.exe
Rocket Mania® Deluxe-->C:\PROGRA~1\Games\SHOCKW~1\ROCKET~1\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\ROCKET~1\INSTALL.LOG
Sandlot Games Client Services 1.2.2-->"C:\Program Files\Common Files\Sandlot Shared\unins001.exe"
Sandlot Games Client Services-->"C:\Program Files\Common Files\Sandlot Shared\unins000.exe"
SandScript(TM)-->C:\PROGRA~1\Games\SHOCKW~1\SANDSC~1\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\SANDSC~1\INSTALL.LOG
Sid Meier's Civilization III Complete-->C:\PROGRA~1\Games\SIDMEI~1\UNWISE.EXE C:\PROGRA~1\Games\SIDMEI~1\INSTALL.LOG
Snapshot Adventures: The Secret of Bird Island-->C:\PROGRA~1\Games\SHOCKW~1\SNAPSH~1\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\SNAPSH~1\INSTALL.LOG
Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_1002&DEV_4378&SUBSYS_2045161F\HXFSETUP.EXE -U -Iari2045k.inf
Sonic Encoders-->MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Sproink(TM)-->C:\PROGRA~1\Games\SHOCKW~1\Sproink\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\Sproink\INSTALL.LOG
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Super Granny 2: Granny in Paradise(TM)-->C:\PROGRA~1\Games\SHOCKW~1\SUPERG~1\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\SUPERG~1\INSTALL.LOG
Super Granny® 4-->C:\PROGRA~1\Games\SHOCKW~1\SUPERG~3\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\SUPERG~3\INSTALL.LOG
Super Granny™ 3-->C:\PROGRA~1\Games\SHOCKW~1\SUPERG~2\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\SUPERG~2\INSTALL.LOG
Super Slyder™-->C:\PROGRA~1\Games\SHOCKW~1\SUPERS~1\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\SUPERS~1\INSTALL.LOG
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Talismania(TM) Deluxe-->C:\PROGRA~1\Games\SHOCKW~1\TALISM~1\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\TALISM~1\INSTALL.LOG
The Endless Forest launcher-->"C:\WINDOWS\unins000.exe"
The GIMP 2.2.13-->"C:\Program Files\GIMP-2.0\unins000.exe"
Tradewinds(TM) Legends-->C:\PROGRA~1\Games\SHOCKW~1\TRADEW~1\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\TRADEW~1\INSTALL.LOG
TriJinx: A Kristine Kross Mystery™-->C:\PROGRA~1\Games\SHOCKW~1\TriJinx\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\TriJinx\INSTALL.LOG
Trillian-->C:\Program Files\Trillian\trillian.exe /uninstall
Turtle Odyssey 2-->C:\PROGRA~1\Games\SHOCKW~1\TURTLE~2\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\TURTLE~2\INSTALL.LOG
Turtle Odyssey-->C:\PROGRA~1\Games\SHOCKW~1\TURTLE~1\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\TURTLE~1\INSTALL.LOG
Update Rollup 2 for Windows XP Media Center Edition 2005-->C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Water Bugs-->C:\PROGRA~1\Games\SHOCKW~1\WATERB~1\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\WATERB~1\INSTALL.LOG
WindowBlinds-->C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\UNWISE.EXE C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\INSTALL.LOG
Windows Backup Utility-->MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Frotz (remove only)-->"C:\Program Files\Games\Interactive Fiction\Windows Frotz\uninstall.exe"
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Word Monaco-->C:\PROGRA~1\Games\SHOCKW~1\WORDMO~1\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\WORDMO~1\INSTALL.LOG
Zodiac-->C:\PROGRA~1\Games\SHOCKW~1\Zodiac\UNWISE.EXE C:\PROGRA~1\Games\SHOCKW~1\Zodiac\INSTALL.LOG
=====HijackThis Backups=====
O4 - HKCU\..\Run: [GetModule27] C:\Program Files\GetModule\GetModule27.exe
O4 - HKCU\..\Run: [gadcom] "C:\WINDOWS\system32\config\systemprofile\Application Data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O16 - DPF: {226ACC34-3194-40E2-9AE8-834FCFE9E80D} (CPlayFirstmsiControl Object) - http://www.shockwave.com/content/sharkisland/sis/MysteryOfSharkIslandWeb.1.0.0.8.cab
O4 - HKLM\..\Run: [749d461b] rundll32.exe "C:\WINDOWS\system32\dqqdvugy.dll",b
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
======Hosts File======
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
======Security center information======
AV: AVG Anti-Virus Free (disabled)
AV: (disabled) (outdated)
FW: (disabled)
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\GTK\2.0\bin
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 36 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=2402
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
-----------------EOF-----------------
2. the Malwarebytes' Anti-Malware Log
Malwarebytes' Anti-Malware 1.30
Database version: 1415
Windows 5.1.2600 Service Pack 2
11/22/2008 3:52:19 PM
mbam-log-2008-11-22 (15-52-17).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 153778
Time elapsed: 5 hour(s), 53 minute(s), 33 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 12
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 16
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\hgGyyyyw.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c205ace8-c169-446f-b3e7-d440b7f384d2} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{c205ace8-c169-446f-b3e7-d440b7f384d2} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c205ace8-c169-446f-b3e7-d440b7f384d2} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\hggyyyyw -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\hggyyyyw -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: msansspc.dll -> Quarantined and deleted successfully.
Folders Infected:
C:\Documents and Settings\Owner.tobeannounced\Application Data\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\hgGyyyyw.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wyyyyGgh.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wyyyyGgh.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.tobeannounced\Local Settings\Temporary Internet Files\Content.IE5\CVQWOOA8\kb600179[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.tobeannounced\Local Settings\Temporary Internet Files\Content.IE5\NJBDKCX7\CA104VL9 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP376\A0023032.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP376\A0023033.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP376\A0023034.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP376\A0023035.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP376\A0023134.exe () -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP377\A0025099.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rwjula.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tpydvhet.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Macromed\Download\Install.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msansspc.dll (Trojan.Agent) -> Delete on reboot.
C:\Program Files\Messenger\Update.exe (Trojan.Agent) -> Delete on reboot.
FYI, AVG is not disabled, only its LinkScanner and ResidentShield components are, because running either slowed my system down to the point of unusability. As I mentioned in my first post, I run regular AVG scans, and ran one ahead of its scheduled time trying to troubleshoot this mess.
Also, maybe you can tell this from the logs, but I am still getting popup windows (though they're stopping before loading an actual page, possibly due to my force-https NoScript settings). And I did indeed have to reboot after the MBAM scan.
Thanks again!
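The MBAM log above is the first one in this thread that shows where Vundo actually survives the reboots: besides the BHO and ShellExecuteHooks CLSIDs, the DLL is registered under the LSA Notification Packages and Authentication Packages values (so lsass.exe loads it at boot, before any on-demand scanner runs), and a lookalike named msansspc.dll was added to SecurityProviders. The RSIT "HijackThis Backups" section shows the matching O4 loader, a rundll32 call on a random eight-letter DLL in system32 with a one-letter entry point. The script below is an added example written for this page, not code from HijackThis, Malwarebytes or anyone in the thread; it runs the two checks a helper does by eye over constructed sample lines modelled on those posted. The KNOWN_GOOD sets are the Windows XP x86 defaults and are an assumption: confirm them against a clean machine of the same build before treating anything else as malicious.

```python
"""Triage for the log formats pasted in this thread: HijackThis "O4" Run
entries and Malwarebytes' Anti-Malware "Registry Data Items Infected" lines.

Added example for this page; it is not code from HijackThis, MBAM or the
thread. The sample lines are constructed to mirror the ones posted above.
The KNOWN_GOOD sets are the Windows XP x86 defaults and are an assumption:
compare against a clean machine of the same build before relying on them.
"""
import difflib
import re

# Assumed Windows XP defaults for the LSA package lists that MBAM flagged.
# Vundo appends its DLL here so lsass.exe loads it at boot, before any
# on-demand scanner runs; anything outside these sets needs explaining.
KNOWN_GOOD = {
    "Notification Packages": {"scecli"},
    "Authentication Packages": {"msv1_0"},
    "SecurityProviders": {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"},
}

HJT_O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<entry>\S+)', re.I)
MBAM_DATA = re.compile(r"^(?P<key>HKEY_.*?) \((?P<cls>[^)]*)\) -> Data: (?P<data>.*?) -> (?P<action>.*)$")


def suspicious_run_entry(line):
    """Return the reasons an O4 Run line looks like a Vundo loader, [] if it
    looks ordinary, or None if the line is not an O4 Run entry at all."""
    m = HJT_O4.match(line.strip())
    if m is None:
        return None
    reasons = []
    if re.fullmatch(r"[0-9a-f]{8}", m.group("name")):
        reasons.append("value name is 8 hex digits, not a product name")
    r = RUNDLL.search(m.group("cmd"))
    if r:
        dll = r.group("dll").lower()
        base = dll.rsplit("\\", 1)[-1]
        if "\\system32\\" in dll and re.fullmatch(r"[a-z]{6,8}\.dll", base):
            reasons.append("rundll32 loads a random-name DLL from system32: " + base)
        if re.fullmatch(r"[a-z]|#\d+", r.group("entry")):
            reasons.append("one-letter or ordinal entry point: " + r.group("entry"))
    return reasons


def check_lsa_packages(mbam_lines):
    """Flag LSA package / SSP entries that are not in the known-good sets and
    name the legitimate module each one most resembles (the dropper here used
    msansspc.dll, one letter away from two real Microsoft SSP DLLs)."""
    findings = []
    for line in mbam_lines:
        m = MBAM_DATA.match(line.strip())
        if m is None:
            continue
        value = m.group("key").rsplit("\\", 1)[-1]
        if value not in KNOWN_GOOD:
            continue
        entry = m.group("data").strip().lower().rsplit("\\", 1)[-1]
        if value != "SecurityProviders" and entry.endswith(".dll"):
            entry = entry[:-4]  # the LSA package lists name modules without .dll
        good = KNOWN_GOOD[value]
        if entry in good:
            continue
        close = difflib.get_close_matches(entry, sorted(good), n=1, cutoff=0.8)
        findings.append({"value": value, "entry": entry,
                         "class": m.group("cls"),
                         "lookalike": close[0] if close else None})
    return findings


# Constructed sample lines modelled on the logs in this thread.
SAMPLE_O4 = [
    r'O4 - HKLM\..\Run: [749d461b] rundll32.exe "C:\WINDOWS\system32\dqqdvugy.dll",b',
    r"O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe",
]
SAMPLE_MBAM = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\hggyyyyw -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\hggyyyyw -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: msansspc.dll -> Quarantined and deleted successfully.
""".strip().splitlines()


def triage():
    """Run both checks over the samples and return a summary dict."""
    return {
        "run_entries": {HJT_O4.match(l).group("name"): suspicious_run_entry(l) for l in SAMPLE_O4},
        "lsa": check_lsa_packages(SAMPLE_MBAM),
    }


if __name__ == "__main__":
    summary = triage()
    for name, reasons in summary["run_entries"].items():
        print(name, "->", reasons or "ok")
    for f in summary["lsa"]:
        print(f["value"], f["entry"], "not in known-good; lookalike of", f["lookalike"])
```

The LSA check deliberately uses exact set membership rather than "looks like a Microsoft name": msansspc.dll passes a casual glance precisely because it is one letter from msapsspc.dll and msnsspc.dll, and the lookalike field exists to say so. A "Delete on reboot" on one of these values, as in the log above, also explains why the popups survive until the machine is actually restarted: the DLL stays mapped in lsass.exe until then.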
Hi the Jack
1 - Download and Run ComboFix
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
2 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad
3 - Status Check
Please reply with
1. the ComboFix log(C:\ComboFix.txt)
2. a fresh HijackThis log
Thanks peku006
the Jack
2008-11-23, 13:56
Sorry about the typo in your username in my last reply, peku006. I would've corrected it, but I couldn't edit my post. (:
Should I also disable TeaTimer at this point? And if so, should I just kill the process, or go in through the parent program, or what?
Finally, once I've followed the instructions in your last post and posted the 2 new logs, can I turn my anti-virus & anti-malware programs back on, or should I leave them off until we're done?
Thanks! I should be up and around for the rest of the day (it's 6:30am my time) and will be checking this thread roughly hourly.
Hi the Jack
can I turn my anti-virus & anti-malware programs back
Yes, after running ComboFix
Disable Spybot Teatimer temporarily
Right click the Spybot Icon in the system tray near the clock (looks like a blue/white calendar with a padlock symbol).
Click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy.
Click on Mode > Advanced Mode. When it prompts you, click Yes.
On the left hand side, click on Tools.
Check (tick) this box if it is not yet ticked: Resident.
You will notice that Resident is now added under Tools. Click on Resident.
Uncheck (untick) this box: Resident "TeaTimer" (Protection of over-all system settings) active.
Exit Spybot Search & Destroy.
Restart your computer for the changes to take effect.
the Jack
2008-11-23, 19:33
1. the ComboFix log(C:\ComboFix.txt)
ComboFix 08-11-22.02 - Owner 2008-11-23 11:05:58.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.166 [GMT -5:00]
Running from: c:\documents and settings\Owner.tobeannounced\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Owner.tobeannounced\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\dfqrkvjo.ini
c:\windows\system32\dicfui.dll
c:\windows\system32\izmezl.dll
c:\windows\system32\okbnyqsf.dll
c:\windows\system32\tkyidnup.dll
c:\windows\system32\uqcybcot.dll
c:\windows\system32\urvwcg.dll
c:\windows\system32\utynqups.dll
c:\windows\wiaserviv.log
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-10-23 to 2008-11-23 )))))))))))))))))))))))))))))))
.
2008-11-22 16:51 . 2008-11-22 16:52 <DIR> d-------- C:\rsit
2008-11-22 09:15 . 2008-11-22 09:15 <DIR> d-------- c:\documents and settings\Owner.tobeannounced\Application Data\Malwarebytes
2008-11-22 09:14 . 2008-11-22 09:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-22 09:14 . 2008-11-22 09:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-22 09:14 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-22 09:14 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-20 15:24 . 2008-11-20 19:18 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-20 15:24 . 2008-11-20 19:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-20 15:17 . 2008-11-20 15:18 7,508,624 --a------ c:\program files\Firefox Setup 3.0.4.exe
2008-11-20 14:55 . 2008-11-20 14:57 15,083,520 --a------ c:\program files\spybotsd160.exe
2008-11-19 00:18 . 2008-11-19 00:18 <DIR> d-------- c:\program files\Trend Micro
2008-11-19 00:17 . 2008-11-19 00:17 812,344 --a------ c:\program files\HJTInstall.exe
2008-11-16 22:14 . 2008-11-17 03:39 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\gadcom
2008-11-16 21:45 . 2008-11-16 21:45 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-10-31 07:38 . 2008-10-31 07:38 54,156 --ah----- c:\windows\QTFont.qfn
2008-10-31 07:38 . 2008-10-31 07:38 1,409 --a------ c:\windows\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-23 14:57 --------- d-----w c:\program files\Trillian
2008-11-20 20:30 --------- d-----w c:\program files\Mozilla
2008-11-17 02:47 76,040 ----a-w c:\windows\system32\drivers\avgtdix.sys
2008-11-17 02:45 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-06-18 15:37 48,831,512 ----a-w c:\program files\avg_free_stf_en_8_100a1323.exe
2007-01-15 07:53 0 ----a-w c:\documents and settings\Owner.tobeannounced\Application Data\wklnhst.dat
2007-01-02 13:59 7,930,697 ----a-w c:\program files\gimp-2.2.13-i586-setup-1.zip
2007-01-02 13:53 5,671,965 ----a-w c:\program files\gtk+-2.10.6-1-setup.zip
2007-01-01 18:20 12,258,584 ----a-w c:\program files\windowblinds5_public.exe
2007-01-01 08:36 157,485 ----a-w c:\program files\KeyTweak_install.exe
2006-12-22 12:16 102,145 ----a-w c:\program files\WinRAR_Crystal_Clear_32x32.theme.rar
2006-12-22 12:09 1,035,271 ----a-w c:\program files\wrar362.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 68856]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 344064]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"SunKist"="c:\program files\Digital Media Reader\shwicon2k.exe" [2004-05-26 139264]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-09-26 169984]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-03-15 185896]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-16 1234712]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-04-21 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2006-10-10 17:53 135168 c:\progra~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-03-12 12:49 153136 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-09 17:53 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2005-02-25 20:24 966656 c:\windows\creator\Remind_XP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
"NBService"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"<NO NAME>"=
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-06-18 97928]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-16 875288]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-16 231704]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-06-18 76040]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\DRIVERS\HSFHWATI.sys [2006-05-10 200192]
S3 AMDMSRIO;AMDMSRIO;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\Safe To Delete 3_0_4_8\AMDMSRIO.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder
2006-12-15 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 14:00]
.
- - - - ORPHANS REMOVED - - - -
BHO-{2DC54C3E-B295-4011-881E-C55E84FAE475} - (no file)
HKLM-Run-MSKDetectorExe - c:\program files\McAfee\SpamKiller\MSKDetct.exe
Notify-nnnoNHBT - nnnoNHBT.dll
MSConfigStartUp-AOL Spyware Protection - c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
MSConfigStartUp-HostManager - c:\program files\Common Files\AOL\1147261400\EE\AOLHostManager.exe
MSConfigStartUp-MCAgentExe - c:\progra~1\mcafee.com\agent\McAgent.exe
MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\McUpdate.exe
MSConfigStartUp-MPFExe - c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe
MSConfigStartUp-MSKAGENTEXE - c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe
MSConfigStartUp-MSKDetectorExe - c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe
MSConfigStartUp-OASClnt - c:\program files\McAfee.com\VSO\oasclnt.exe
MSConfigStartUp-VirusScan Online - c:\progra~1\mcafee.com\vso\mcvsshld.exe
MSConfigStartUp-VSOCheckTask - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Owner.tobeannounced\Application Data\Mozilla\Firefox\Profiles\phzf2lw6.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE -
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-23 11:24:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(776)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\rsaenh.dll
c:\progra~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
- - - - - - - > 'lsass.exe'(844)
c:\windows\system32\msprivs.dll
c:\windows\system32\rsaenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\windows\ehome\mcrdsvc.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2008-11-23 11:33:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-23 16:33:38
Pre-Run: 50,369,069,056 bytes free
Post-Run: 50,584,825,856 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
181
2. a fresh HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:05 PM, on 11/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Digital Media Reader\shwicon2k.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {2DC54C3E-B295-4011-881E-C55E84FAE475} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (disabled by BHODemon)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll (disabled by BHODemon)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll (disabled by BHODemon)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL__BHODemonDisabled (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
--
End of file - 5313 bytes
Notes:
I had a difficult time disabling all of AVG. I exited via the System Tray icon, which left three AVG processes running: avgemc.exe, avgrsx.exe & avgwdsvc.exe -- I ended two of these via Task Manager, but could NOT end avgrsx.exe; it just wouldn't go away.
Also, after ComboFix rebooted the system, AVG started running a scan, according to an icon in my System Tray (a separate icon from the one used to open the UI), yet according to the AVG User Interface there is no scan running... should I stop that scan, or let it go on, or what? I can't even see an active scan process in Task Manager.
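A small triage helper for log lines in the format above, added here as an example (it is not part of HijackThis and not code from anyone in the thread). It parses the O2/O3/O4/O9/O23 line shapes, picks out entries whose target file is gone ("(no file)" / "(file missing)"), which are registry residue of something already removed, entries another tool has disabled, and O4/O23 autostarts launched from a Temp directory. Every sample line except the "[example]" one is copied from the log formats in this thread; the "[example]" line and the Temp-directory heuristic are constructed for the demonstration.

```python
"""Triage helper for HijackThis 2.0.2 log lines (added example, not HJT code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample. All lines but the "[example]" one follow the HJT log
# lines posted in the thread; "[example]" is made up to exercise the Temp check.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {2DC54C3E-B295-4011-881E-C55E84FAE475} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll (disabled by BHODemon)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [example] C:\Documents and Settings\Owner\Local Settings\Temp\example.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
DISABLED_RE = re.compile(r"\(disabled by ([^)]+)\)")
# O4 body: "<hive>: [<value name>] <command>"  or  "Global Startup: <lnk> = <path>"
O4_RE = re.compile(r"^(?P<hive>[^:]+): (?:\[(?P<name>[^\]]+)\]\s*)?(?P<cmd>.*)$")
MISSING_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Entry:
    section: str                # HJT section, e.g. "O2", "O4", "O23"
    name: str                   # display name or Run value name
    clsid: Optional[str]        # CLSID for BHO / toolbar / button entries
    path: Optional[str]         # file or command the entry points to
    file_missing: bool          # HJT printed "(no file)" or "(file missing)"
    disabled_by: Optional[str]  # tool named in "(disabled by ...)", if any


def parse_line(line: str) -> Optional[Entry]:
    """Parse one 'Oxx - ...' line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    file_missing = any(mk in rest for mk in MISSING_MARKERS)
    dis = DISABLED_RE.search(rest)
    disabled_by = dis.group(1) if dis else None
    clsid_m = CLSID_RE.search(rest)

    # Strip the trailing annotations so only the entry text remains.
    body = DISABLED_RE.sub("", rest)
    for mk in MISSING_MARKERS:
        body = body.replace(mk, "")
    body = body.strip().rstrip("-").strip()

    if section == "O4":
        o4 = O4_RE.match(body)
        if not o4:
            return Entry(section, "", None, body or None, file_missing, disabled_by)
        name, cmd = o4.group("name") or "", o4.group("cmd")
        if not name and " = " in cmd:      # "Global Startup: foo.lnk = path"
            name, cmd = cmd.split(" = ", 1)
        return Entry(section, name, None, cmd or None, file_missing, disabled_by)

    # Other sections are "Kind: name - [CLSID -] [vendor -] path".
    parts = body.split(" - ")
    head = parts[0]
    name = head.split(": ", 1)[1] if ": " in head else head
    if clsid_m:
        path = parts[2] if len(parts) > 2 else None
    else:
        path = parts[-1] if len(parts) > 1 else None
    return Entry(section, name, clsid_m.group(0) if clsid_m else None,
                 path, file_missing, disabled_by)


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def dead_entries(entries: List[Entry]) -> List[Entry]:
    """Entries whose target file HJT could not find: residue, safe to fix."""
    return [e for e in entries if e.file_missing]


def disabled_entries(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.disabled_by]


def temp_autostarts(entries: List[Entry]) -> List[Entry]:
    """Heuristic: O4/O23 items whose command lives under a ...\\Temp\\ folder."""
    return [e for e in entries
            if e.section in ("O4", "O23") and e.path and "\\temp\\" in e.path.lower()]


if __name__ == "__main__":
    ents = parse_log(SAMPLE_LOG)
    for label, group in (("file gone", dead_entries(ents)),
                         ("disabled by another tool", disabled_entries(ents)),
                         ("launched from Temp", temp_autostarts(ents))):
        print(f"{label}:")
        for e in group:
            print(f"  {e.section} {e.name!r} -> {e.path or '(none)'}")
```

The "(no file)" BHO and the two "(file missing)" items in the sample are exactly the sort of leftovers a helper tells a poster to tick and fix; the Temp check is a heuristic and flags only the constructed line.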
Hi the Jack
You’ve done a good job so far..........
should I stop that scan
Yes, you can do that
How to Temporarily Disable your Anti-virus (http://www.bleepingcomputer.com/forums/topic114351.html)
We will run one online scan to be sure that there is nothing left...........
1 - Clean temp files
Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop. Double-click ATF Cleaner.exe to open it.
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
if you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
if you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program
2 - F-Secure Online Scan
Please go to F-Secure website (http://support.f-secure.com/ols3beta/start.html) to perform an online scan. Click on Start scanning at the bottom of the page.
You may be prompted to install an ActiveX before you are able to accept the License Agreement. If prompted, please install it. After installing, the Accept button will be available.
Click on Accept to accept the License Agreement.
Click on Custom Scan. Under Virus Scan Options, select the Scan whole system option.
Under Other Scan Options, select these options:
Scan all files
Scan whole system for rootkits
Scan whole system for spyware
Scan inside archives
Use advanced heuristics
Click Start.
It will start installing the scanner and virus definitions. Once the installation is done, it will start scanning automatically. This takes a while. Please be patient.
Click on I want to decide item by item.
Under Actions, select None for all infections found.
Click Next.
Click on Show Report.
Please copy and paste this report in your next reply.
Click Finish.
3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad
4 - Status Check
Please reply with
1. the F-Secure online scanner report
2. a fresh HijackThis log
Thanks peku006
the Jack
2008-11-24, 00:12
Peku006, those are instructions for disabling AVG 7 (which is no longer supported, i.e. there are no longer current virus definition updates etc. for it, so AVG has strongly encouraged users to upgrade to AVG 8 for continued supported free use). I use AVG 8. I've been through everything in the UI menu (which replaced the Control Center) and there doesn't seem to be any obvious way to disable the components that may interfere with the other tools you have me using.
Also, I finally figured out why the 'scan currently running' icon in my system tray looked so odd: it's the AVG version 7 icon. Telling it 'Stop all scans' does nothing, and, as previously mentioned, no scan is showing up in AVG 8's UI or in Task Manager. Could this be an out-of-date malicious process masquerading as AVG 7 -- and if so, what should I do about it?
I'm stuck at needing to disable AVG 8 right now, and cannot follow your most recent instructions until we figure out how to do that.
Hi the Jack
Make an uninstall list using HijackThis
To access the Uninstall Manager you should do the following:
Start HijackThis
Click on the Misc Tools button
Click on the Open Uninstall Manager button.
Click on the Save list button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file.
Copy and Paste the contents of that notepad here on your next reply.
the Jack
2008-11-24, 01:38
Abra Academy
Ad-Aware SE Personal
Adobe Flash Player ActiveX
Adobe Photoshop 7.0
Adobe Reader 7.0.9
Adobe Shockwave Player
Ancient Mosaic
AquaPark
Athlon 64 Processor Driver
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Aveyond
AVG Free 8.0
Azteca
Bengal: Game of Gods
BigFix
Bliss Island(TM)
Boggle® Supreme
Buzzy Bumble
CDisplay 1.8
Charm Tale
Conexant AC-Link Audio
Cosmic Stacker
Digital Media Reader
Dragon Maze 1.0
Dream Chronicles(TM)
Elven Mists
Fairy Jewels
Feeding Frenzy® 2: Shipwreck Showdown
Fiber Twig 2: Restoration of Magic Garden
FizzBall
Game Maker 7.0
Glyph(TM)
Google Toolbar for Internet Explorer
GTK+ 2.10.6-1 runtime environment
HijackThis 2.0.2
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Inform 7
J2SE Runtime Environment 5.0 Update 2
KeyTweak - Keyboard Remapper (remove only)
Luck Charm Deluxe
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft Digital Image Starter Edition 2006
Microsoft Money 2005
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (2.0.0.18)
Mozilla Firefox (3.0.4)
Mozilla Thunderbird (1.5)
Napster
Napster Burn Engine
Nero 7 Ultra Edition
Nero BurnRights
neroxml
Oasis(TM)
Ocean Express
PowerDVD
QuickTime
RealPlayer
Reaxxion
Rhye's of Civilization Expanded
Rocket Mania® Deluxe
Sandlot Games Client Services
Sandlot Games Client Services 1.2.2
SandScript(TM)
Sid Meier's Civilization III Complete
Snapshot Adventures: The Secret of Bird Island
Soft Data Fax Modem with SmartCP
Sonic Encoders
Sproink(TM)
Spybot - Search & Destroy
Super Granny 2: Granny in Paradise(TM)
Super Granny® 4
Super Granny™ 3
Super Slyder™
Synaptics Pointing Device Driver
Talismania(TM) Deluxe
The Endless Forest launcher
The GIMP 2.2.13
Tradewinds(TM) Legends
TriJinx: A Kristine Kross Mystery™
Trillian
Turtle Odyssey
Turtle Odyssey 2
Update Rollup 2 for Windows XP Media Center Edition 2005
Viewpoint Media Player
Water Bugs
WindowBlinds
Windows Backup Utility
Windows Frotz (remove only)
Windows Media Format Runtime
WinRAR archiver
Word Monaco
Zodiac
Hi the Jack
Do you have both AVG 7 and AVG 8?
Have you tried uninstalling AVG 7?
A link to AVG's own removal tool: http://www.avg.com/download-tools
disable AVG 8
To do this:
open AVG User Interface
double-click on the Resident Shield
un-tick the option "Resident Shield active"
save the changes
Don't forget to activate it again after online-scan........
the Jack
2008-11-24, 14:15
Well, this is weirder and weirder.
I'd already had Resident Shield disabled -- as previously mentioned, it slows my system down far too much. But when I went in to double-check following the instructions you gave, even though it said it was disabled and the box was unchecked, there was also a message saying "Resident Shield has been running for: 19 hour(s) 41 minute(s) __second(s)" (the seconds changed constantly, obviously). This is the length of time since I rebooted.
It looks like one of the programs you advised me to download and run inadvertently caused some weird interaction with AVG, possibly as a result of expecting AVG 7.x rather than the significantly different AVG 8. That seems the most likely explanation.
Since AVG won't give me a straight answer as to whether Resident Shield is really on or not (or in some halfway state) and there's also still that weird AVG systray icon which may represent the sort-of-on Resident Shield, I'm going to try doing a normal (user/manual) reboot and see if that normalises things.
Installing AVG 8 nicely uninstalls previous versions of AVG for you -- I had had AVG 7.5, yes, but it's already been uninstalled, as you should be able to see from my uninstall list -- but I did have a folder still in my Program Files with the original AVG 7.5 installer and EULA text file. I've deleted that folder.
Hopefully after reboot I can proceed with the next part of your instructions from yesterday. Thanks for your patience. (:
the Jack
2008-11-24, 15:49
Apparently AVG just displays the length of time the entire program has been running (or how long the CPU has) regardless of whether Resident Shield has been on or off during that time, according to friends who also run AVG 8. Lazy coding on AVG's part, which will hopefully be tackled in a future patch.
The tray icon referring to the apparently non-existent scan vanished after I rebooted.
From what you're saying, all I need to do to "disable AVG" is disable the Resident Shield component? The Anti-Virus and Anti-Spyware components are still active; I couldn't find a way to disable them, or to exit the program entirely, as opposed to exiting the User Interface window. If Resident Shield is the only thing that needs to be disabled, I'm all set.
I'm going to re-disable TeaTimer (which has been catching a few changes, mostly browser page redirect attempts, and which I've been allowing or disallowing based on whether the change seemed to replace a malicious redirect with a valid page or the opposite; I've checked 'remember this change' in every case, whether I denied or allowed the changes, so everything is logged) now and get started on the download, scan and online scan you asked for.
the Jack
2008-11-24, 16:32
1 - Clean temp files
Download and Run ATF Cleaner
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
This part was no problem.
if you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program
The 'Firefox' menu option (and the one for Opera, which I don't use anyway) was greyed out and could not be used. I tried clicking on it anyway; no dice. As the program seems to be more of a convenience tool than a hardcore computer cleaner (and since just a few days ago during my solo troubleshooting I cleared pretty much everything in my Firefox "Private Data" including cookies but not passwords) I figured that if anything was in there, or you felt it was important, we could get rid of the stuff ATF Cleaner would've cleared out of Firefox the old-fashioned way.
When I went to start the online scan and found that the site doesn't support Firefox, I went to open Internet Explorer... and found that it had been set as my default browser. I corrected my default browser setting back to Firefox (2.0.0.18 -- I have Firefox 3 installed also but haven't tried it out yet) and re-opened ATF Cleaner to see if that was why it couldn't find my Firefox temp files etc., but the Firefox menu was still greyed out.
2 - F-Secure Online Scan
1. Please go to F-Secure website to perform an online scan. Click on Start scanning at the bottom of the page.
2. You may be prompted to install an ActiveX before you are able to accept the License Agreement. If prompted, please install it. After installing, the Accept button will be available.
3. Click on Accept to accept the License Agreement.
I opened IE to do the F-Secure scan, since viewing the page in Firefox produces a message that IE is the supported browser. I was not prompted to install anything. Instead, this error message was displayed: "Insufficient rights to use ActiveX controls! Please check your user rights and Internet Explorer security settings."
I might be able to figure out what the site needs in order to be able to proceed despite my unfamiliarity with IE (comparative to Firefox, anyway) but thought it would be much better to ask what to do rather than bumbling around with security settings in a notoriously vulnerable browser while all my browsing protection is turned off.
Hi the Jack
lets try this
Please make sure that all programs are closed when installing Java.
Click here (http://java.sun.com/javase/downloads/index.jsp) to visit Java's website.
Scroll down to Java Runtime Environment (JRE) 6 Update 6. Click on Download.
Select Windows from the drop-down list for Platform.
Select Multi-language from the drop-down list for Language.
Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue.
Click on jre-6u6-windows-i586-p.exe link to download it and save this to a convenient location.
Double click on jre-6u6-windows-i586-p.exe to install Java.
After the Java installation has finished, please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.
the Jack
2008-11-26, 11:37
Click here (http://java.sun.com/javase/downloads/index.jsp) to visit Java's website.
Scroll down to Java Runtime Environment (JRE) 6 Update 6. Click on Download.
Are you keeping your instruction sets for C&P up to date? The latest JRE update is Java Runtime Environment (JRE) 6 Update 10. In fact the only other JRE download available on that page is JRE 6 Update 7 for Intel Itanium® (which I don't have). Previous releases still available at java.sun.com only go up to JRE 5.x. I proceeded on the assumption you meant for me to install the most recent version.
7. Double click on jre-6u6-windows-i586-p.exe to install Java.
The install file was jre-6u10-windows-i586-p.exe but installation went mostly according to your instructions otherwise.
There was an error message displayed during install which said
" Error: could not open 'C:\Program Files\Java\jre.1.5.0_02\lib\i386\jvm.cfg' "
In the ...\jre.1.5.0_02\ folder, the 'lib' sub-folder is apparently empty -- trying to look in it produces a long system lag and then the error message
" The disk in drive C is not formatted. Do you wish to format it now? "
(That was kind of unnerving, as C is my hard drive!) I clicked "No" on the format error-message box and "OK" (the only option) on the Java launcher error-message box, and the Java update appears to have installed correctly despite the missing file(s)/folders.
8. After the Java installation has finished, please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
...
17. Please post this log in your next reply.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, November 26, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, November 25, 2008 22:56:48
Records in database: 1416848
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
Scan statistics:
Files scanned: 95258
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 04:52:20
File name / Threat name / Threats count
D:\i386\Apps\App00577\comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
The selected area was scanned.
One other thing
While I was waiting for you to respond to my last message, I disconnected the laptop computer from the internet since all its browsing protection was disabled, and checked via the (uninfected) desktop computer for your reply. I'd forgotten that AVG was scheduled to run a scan (you told me to disable Resident Shield, which I did, but said nothing about scheduled scans) yesterday afternoon, however, and since the laptop computer was offline but not powered down, the scan proceeded, identified several threats, and quarantined them. Here is a transcript of the AVG scan results:
Object name ____ C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP376\A0023054.exe
Detection name __ Trojan horse Generic12.HOO
Object type _____ file
SDK Type _______ Core
Result __________ Moved to virus vault
Object name ____ C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP376\A0022844.dll
Detection name __ Trojan horse Downloader.Delf.BPB
Object type _____ file
SDK Type _______ Core
Result __________ Moved to virus vault
Object name ____ C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP376\A0025161.dll
Detection name __ Virus found Win32/Heur
Object type _____ file
SDK Type _______ Core
Result __________ Moved to virus vault
Action history __ Moved to virus vault
Object name ____ C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP376\A0028336.dll
Detection name __ Trojan horse Generic12.OXE
Object type _____ file
SDK Type _______ Core
Result __________ Moved to virus vault
Object name ____ C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP376\A0028338.dll
Detection name __ Trojan horse Generic12.OXE
Object type _____ file
SDK Type _______ Core
Result __________ Moved to virus vault
Should it be safe to let AVG delete these quarantined files, or might doing so cause them to reinfect my computer? (It appears one of them was previously quarantined yet somehow escaped.) If that's a possibility, what steps should I take to purge/destroy the quarantined files? AVG will automatically delete them in 29 days if I do nothing in the meantime.
Hi the Jack
Sorry about that Java Runtime Environment (JRE) 6 Update 6.
Please delete this file
D:\i386\Apps\App00577\comps\toolbar\toolbr.exe
the scan proceeded, identified several threats, and quarantined them
Those items are being held in your System Restore points and are safe unless you perform a System Restore. Best way to clean them is to flush out your System Restore points and create a new one. (we Will do it a bit later.)
it seems you don't have any evidence of a third party firewall.
As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:
1) Comodo (http://www.personalfirewall.comodo.com/download_firewall.html) (Uncheck during installation "Install COMODO Antivirus (Recommended)"!, "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage")
2) Online Armor (http://www.tallemu.com/online_armor_free.html)
3) PC Tools (http://www.pctools.com/firewall/download/)
4) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
5) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za) (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)
If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
Please reply with
a fresh HijackThis log
Thanks peku006
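To make the point about restore points concrete, here is an added example (not AVG's code and not from any post in the thread) that reads the "Object name ____ / Detection name __ / Result ______" record format from the AVG results above and sorts each detection by where the file sits: under System Volume Information\_restore{GUID}\RPnnn\, i.e. a copy System Restore kept of a file that has since been removed, which is inert unless that restore point is applied and is flushed by the System Restore off/on cycle described later; or anywhere else, meaning still a live finding to act on. The first three records copy the posted format; the fourth record is constructed so that a "live" case exists.

```python
"""Sort AVG 8 scan-result records by location (added example, not AVG code)."""
import re
from collections import Counter
from typing import Dict, List

FIELD_RE = re.compile(
    r"^(Object name|Detection name|Object type|SDK Type|Result|Action history)\s*_+\s*(.*)$")
# A System Restore snapshot copy: \System Volume Information\_restore{GUID}\RP<n>\...
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(\d+)\\", re.IGNORECASE)

# Constructed sample: three records in the format posted in the thread plus one
# made-up record (example.dll) so a "live" detection is present.
SAMPLE_REPORT = r"""
Object name ____ C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP376\A0023054.exe
Detection name __ Trojan horse Generic12.HOO
Object type _____ file
SDK Type _______ Core
Result __________ Moved to virus vault
Object name ____ C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP376\A0022844.dll
Detection name __ Trojan horse Downloader.Delf.BPB
Object type _____ file
SDK Type _______ Core
Result __________ Moved to virus vault
Object name ____ C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP376\A0025161.dll
Detection name __ Virus found Win32/Heur
Object type _____ file
SDK Type _______ Core
Result __________ Moved to virus vault
Action history __ Moved to virus vault
Object name ____ C:\WINDOWS\system32\example.dll
Detection name __ constructed sample detection
Object type _____ file
SDK Type _______ Core
Result __________ Moved to virus vault
"""


def parse_avg_report(text: str) -> List[Dict[str, str]]:
    """Group the 'Field ____ value' lines into one dict per 'Object name' record."""
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        m = FIELD_RE.match(raw.strip())
        if not m:
            continue
        field, value = m.group(1), m.group(2).strip()
        if field == "Object name":          # every record starts with this field
            records.append({})
        if records:
            records[-1][field] = value
    return records


def classify(path: str) -> str:
    """'restore_point' for a System Restore snapshot copy, otherwise 'live'."""
    return "restore_point" if RESTORE_RE.search(path) else "live"


def restore_point_numbers(records: List[Dict[str, str]]) -> List[int]:
    """Which RP<n> snapshots hold detections (all flushed by the off/on cycle)."""
    nums = set()
    for r in records:
        m = RESTORE_RE.search(r.get("Object name", ""))
        if m:
            nums.add(int(m.group(1)))
    return sorted(nums)


def live_detections(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Detections outside restore points: these still need attention."""
    return [r for r in records if classify(r.get("Object name", "")) == "live"]


def summarize(text: str) -> Dict[str, int]:
    return dict(Counter(classify(r.get("Object name", "")) for r in parse_avg_report(text)))


if __name__ == "__main__":
    recs = parse_avg_report(SAMPLE_REPORT)
    print("summary:", summarize(SAMPLE_REPORT))
    print("restore points involved:", restore_point_numbers(recs))
    for r in live_detections(recs):
        print("still live:", r["Object name"], "-", r.get("Detection name"))
```

Deleting vault copies of files that came from a restore point does not reinfect anything; the original file was already gone from the live system, and the snapshot copy is only reachable by applying that restore point.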
the Jack
2008-11-26, 15:35
Please delete this file
D:\i386\Apps\App00577\comps\toolbar\toolbr.exe
I hope there's a way for me to delete it without having to wait hours for another Kaspersky scan? The D drive on my computer is a recovery partition; it's set up so end users can't even view the drive contents. I suppose the Kaspersky scan would probably take about 2.5 hours if I have it scan only the D drive (E is an empty CD/DVD drive)...
If I can't delete the file using Windows Explorer (and it seems I can't) which program should I use? I have Spybot Search & Destroy (including the File Shredder utility), ComboFix, HijackThis, Malwarebytes' Anti-Malware, Random's System Information Tool, and of course AVG, though it doesn't recognise that file as even possibly dangerous.
A program that will let me specify the exact folder the bad file is in would be preferred. Please tell me specific instructions for the program you want me to use (i.e. I think when using HJT to fix/kill files it's necessary to close all other programs and then reboot, and some programs would require me to disable AVG's Resident Shield and Spybot's TeaTimer) to delete the file from my D drive.
you don't have any evidence of a third party firewall
You don't see a firewall on my computer because I'm protected via the built-in firewall on our 2Wire DSL modem-router. The desktop computer serves as local network hub; we've found that trying to run an additional firewall on the laptop leads to problems accessing files that are shared via the local network. I know I'd need a firewall when travelling with the laptop, but I haven't done any. If you think it's necessary to have an additional firewall residing on my laptop, I suppose I could just turn it off when I need to access files on the network, i.e. in order to use the printer. I access files via the network on a nearly daily basis, though, so if an additional firewall is likely to interfere with this (or if turning it off all the time would render it useless) maybe I should skip it? Or maybe I should skip it since my internet connection is firewalled already?
Please reply with
a fresh HijackThis log
I presume you want me to post a new HJT log *after* I remove the file from the D drive partition.
Hi the Jack
Sorry about that: D:\i386\Apps\App00577\comps\toolbar\toolbr.exe
That is actually part of AOL, which comes pre-installed on many systems; it is not considered malicious.
I'm protected via the built-in firewall on our 2Wire DSL modem-router.
OK....it's enough
I presume you want me to post a new HJT log *after* I remove the file from the D drive partition
It's not necessary
the scans are fine and it looks like your machine is clean
Next we remove all used tools.
Delete RSIT from your desktop; also delete this folder: C:\rsit.
Now lets uninstall ComboFix:
Click START then RUN
Now type Combofix /u in the runbox and click OK
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Disable and Enable System Restore-WINDOWS XP
This is a good time to clear your existing system restore points and establish a new clean restore point:
Turn off System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot.
Turn ON System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
This will remove all restore points except the new one you just created.
Here are some free programs I recommend that could help you improve your computer's security.
Install SpyWare Blaster 4.0
Download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
Find the tutorial on how to use SpyWare Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
Install FireTrust SiteHound
You can find information and download it from here (http://www.firetrust.com/en/products/sitehound)
Install MVPS Hosts File from here (http://mvps.org/winhelp2002/hosts.htm)
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm
Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your PC.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-Secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)
Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Please check out Tony Klein's article "How did I get infected in the first place?" (http://forums.spybot.info/showthread.php?t=279)
Read some information here (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) how to prevent Malware.
Happy safe surfing!
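An added example of what a HOSTS-file blocklist like the MVPS one does and does not do (this is not the MVPS file and not code from the thread; the sample entries are constructed). It parses HOSTS syntax (address, one or more names, "#" comments), reports whether a name is pinned to a loopback or null address, and merges new blocklist names without duplicating existing ones or touching the localhost entry. The caveat it demonstrates: a HOSTS entry matches an exact name only, so blocking "ads.example.test" does nothing for "cdn.ads.example.test".

```python
"""Parse a HOSTS-style blocklist and check what it blocks (added example)."""
from typing import Dict, List, Tuple

# Addresses a blocklist pins names to; 0.0.0.0 is accepted alongside 127.0.0.1.
BLOCK_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample, not a real blocklist. The .test TLD is reserved for examples.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost
::1             localhost
127.0.0.1  ads.example.test   # trailing comment is ignored
127.0.0.1  tracker.example.test  banner.example.test
0.0.0.0    popup.example.test
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lower-cased) to the address it is pinned to.

    The first mapping seen for a name is kept; merge_blocklist() below avoids
    writing duplicates so resolver tie-breaking never matters.
    """
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:                      # malformed line: address only
            continue
        addr, names = parts[0], parts[1:]
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping


def is_blocked(name: str, mapping: Dict[str, str]) -> bool:
    """True only when this exact name is pinned to a loopback/null address.

    HOSTS has no wildcards: a parent name being blocked says nothing about
    its subdomains, which is why blocklists carry each hostname explicitly.
    """
    return mapping.get(name.lower().rstrip(".")) in BLOCK_TARGETS


def merge_blocklist(existing: str, additions: List[str]) -> Tuple[str, List[str]]:
    """Append names not already present, pinned to 127.0.0.1; never touch localhost.

    Returns the new file text and the names that were skipped.
    """
    mapping = parse_hosts(existing)
    out = existing if existing.endswith("\n") else existing + "\n"
    skipped: List[str] = []
    for name in additions:
        n = name.lower().rstrip(".")
        if n == "localhost" or n in mapping:
            skipped.append(name)
            continue
        out += f"127.0.0.1  {n}\n"
        mapping[n] = "127.0.0.1"
    return out, skipped


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for host in ("ads.example.test", "cdn.ads.example.test", "www.example.test"):
        print(f"{host}: {'blocked' if is_blocked(host, hosts) else 'not blocked'}")
    merged, skipped = merge_blocklist(SAMPLE_HOSTS, ["new.example.test", "ads.example.test"])
    print("skipped duplicates:", skipped)
```

Because the match is exact, a HOSTS file can only block names that are already known; it is a useful extra layer against known ad and malware domains, not a substitute for the browser and OS updates recommended above.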