View Full Version : PWS.LDPinchIE & W32.DELF.uc / Spybot and McAfee "Fixed" but still here, HJTlog incl
cd_in_chitown
2009-02-05, 03:22
Visited a site using Firefox linked from Google that fooled me into clicking a link, Spybot and McAfee started going off immediately got off the network and have scanned/cleaned using both of these tools but continues to reboot to winlogin which was never the case before, Spybot still shows these two products and identifies as Trojans, can't print except to image file, can attach Spybot output in MS Image doc if needed, HJT =
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:54:00 PM, on 2/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP Wireless Keyboard\KMaestro.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\HPZinw12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner.YOUR-4AB7CAB370\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6445
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [BtcMaestro] "C:\Program Files\HP Wireless Keyboard\KMaestro.exe"
O4 - HKLM\..\Run: [McAfee Backup] "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [jsf8uiw3jnjgffght] C:\WINDOWS\TEMP\winlognn.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [tezrtsjhfr84iusjfo84f] C:\WINDOWS\TEMP\csrssc.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Search - ?p=ZUfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hnsf983ind.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 8199 bytes
Any assistance is much appreciated.
Hello cd_in_chitown,
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
You need to read the stickies in Before You Post
Do this first...Important
Disable the TeaTimer, leave it disabled until we're done or it will prevent fixes from taking
Run Spybot-S&D in Advanced Mode.
If it is not already set to do this Go to the Mode menu select "Advanced Mode"
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.<--You need to do this for it to take effect
Please do not proceed until the TeaTimer is disabled
BitTorrent DNA <---Read this please
We have noticed that many people seeking help from us are coming with infections contracted from the use of P2P programs.
Because of this, we changed our malware forum's policy on the use of P2P file sharing programs.
If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programs, volunteer analysts will refuse their help.
We do not ask you to do this without reason.
P2P (File Sharing ) programs form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P program is not configured correctly you may be sharing more files than you realize. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program.
Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.
This article from InfoWorld illustrates the dangers of a poorly configured P2P program.
http://www.infoworld.com/article/07/09/06/...ID-theft_1.html (http://www.infoworld.com/article/07/09/06/Seattle-man-arrested-for-p-to-p-ID-theft_1.html)
When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.
Uninstall BitTorrent via the Add Remove Programs in the Control Panel, disable the TeaTimer and then post a new HJT log please
cd_in_chitown
2009-02-09, 07:45
Hi Ken and thanks for the assistance, I believe I am compliant with the stickies but please advise if I have failed to meet a requirement.
I have deleted BitTorent and cleared the TeaTimer as directed, while waiting and reading through these forums I've also installed AVG Free and uninstalled McAfee. AVG was able to heal something that recovered my desktop on reboot but still shows unheal-able infections in files and resident processes. The infected machine is not connected to the network and starting tonight the USB drive I'm using to pass logs is showing infected files on this machines A/V (CA)
Updated HJT Log follows;
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:35:34 PM, on 2/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP Wireless Keyboard\KMaestro.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Documents and Settings\Owner.YOUR-4AB7CAB370\Desktop\HijackThis.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6445
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: C:\WINDOWS\system32\rah3b8ffdnd.dll - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rah3b8ffdnd.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [BtcMaestro] "C:\Program Files\HP Wireless Keyboard\KMaestro.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [services] friendly error page -->
O4 - HKCU\..\Policies\Explorer\Run: [services] friendly error page -->
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [tezrtsjhfr84iusjfo84f] C:\WINDOWS\TEMP\csrssc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [services] C:\WINDOWS\services.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Search - ?p=ZUfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hnsf983ind.dll (file missing)
O22 - SharedTaskScheduler: erajhsf8743kjrngjnf - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rah3b8ffdnd.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 7825 bytes
Hi,
Never been a big fan of Mcaffe, AVG is a good program. You have a lot of bad stuff going on :lip:
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
cd_in_chitown
2009-02-09, 16:31
Ok successfully installed combofix, logs follow;
ComboFix 09-02-08.02 - Owner 2009-02-09 8:01:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1348 [GMT -6:00]
Running from: c:\documents and settings\Owner.YOUR-4AB7CAB370\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090202162425156.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe
c:\program files\Microsoft Common
c:\program files\Microsoft Common\svchost.exe
c:\windows\kernel32.exe
c:\windows\services.exe
c:\windows\system32\_hnsf983ind.dll
c:\windows\system32\~.exe
c:\windows\system32\9.tmp
c:\windows\system32\E.tmp
c:\windows\system32\rah3b8ffdnd.dll
D:\Autorun.inf
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\svchost.exe . . . is infected!!
c:\windows\system32\spoolsv.exe . . . is infected!!
c:\windows\explorer.exe . . . is infected!!
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_Passthru
((((((((((((((((((((((((( Files Created from 2009-01-09 to 2009-02-09 )))))))))))))))))))))))))))))))
.
2009-02-09 07:59 . 2009-02-09 07:59 41,472 --a--c--- c:\windows\Xsekakobilob.dll
2009-02-09 07:59 . 2009-02-09 07:59 0 --a--c--- c:\windows\system32\4B.tmp
2009-02-08 23:31 . 2009-02-08 23:31 268 --ah-c--- C:\sqmdata16.sqm
2009-02-08 23:31 . 2009-02-08 23:31 244 --ah-c--- C:\sqmnoopt16.sqm
2009-02-08 23:23 . 2009-02-08 23:23 268 --ah-c--- C:\sqmdata15.sqm
2009-02-08 23:23 . 2009-02-08 23:23 244 --ah-c--- C:\sqmnoopt15.sqm
2009-02-08 20:01 . 2009-02-08 20:01 <DIR> d--h-c--- c:\windows\PIF
2009-02-08 19:47 . 2009-02-08 19:47 0 --a--c--- c:\windows\system32\17.tmp
2009-02-08 19:47 . 2009-02-08 19:47 0 --a--c--- c:\windows\system32\15.tmp
2009-02-08 19:46 . 2009-02-08 19:46 398,852 --a--c--- c:\windows\sysguard.exe
2009-02-06 08:45 . 2009-02-06 08:45 32,768 --ah-c--- c:\documents and settings\Owner.YOUR-4AB7CAB370\vpu.exe
2009-02-06 08:39 . 2009-02-06 08:39 168 --a--c--- c:\windows\system32\7.tmp
2009-02-05 22:16 . 2009-02-05 22:16 32,768 --ah-c--- c:\documents and settings\Owner.YOUR-4AB7CAB370\vmwe.exe
2009-02-05 22:13 . 2009-02-05 22:13 168 --a--c--- c:\windows\system32\2.tmp
2009-02-05 19:28 . 2009-02-09 07:01 <DIR> d--h-c--- C:\$AVG8.VAULT$
2009-02-05 19:23 . 2009-02-06 08:45 66,560 ---h-c--- c:\windows\system32\secupdat.dat
2009-02-05 19:23 . 2009-02-05 19:23 32,768 --ah-c--- c:\documents and settings\Owner.YOUR-4AB7CAB370\lkan.exe
2009-02-05 19:23 . 2009-02-05 19:23 32,768 --ah-c--- c:\documents and settings\Owner.YOUR-4AB7CAB370\lfbiu.exe
2009-02-05 19:23 . 2009-02-05 19:23 23,553 --a--c--- c:\windows\system32\1D.tmp
2009-02-05 19:23 . 2009-02-05 19:23 168 --a--c--- c:\windows\system32\1A.tmp
2009-02-05 19:23 . 2009-02-06 08:40 130 --a--c--- c:\windows\adobe.bat
2009-02-05 19:23 . 2009-02-05 22:28 5 --a--c--- c:\windows\_id.dat
2009-02-05 19:21 . 2009-02-05 19:21 168 --a--c--- c:\windows\system32\C.tmp
2009-02-05 19:19 . 2009-02-05 19:19 325,128 --a--c--- c:\windows\system32\drivers\avgldx86.sys
2009-02-05 19:19 . 2009-02-05 19:19 107,272 --a--c--- c:\windows\system32\drivers\avgtdix.sys
2009-02-05 19:19 . 2009-02-05 19:19 10,520 --a--c--- c:\windows\system32\avgrsstx.dll
2009-02-05 19:18 . 2009-02-06 08:43 <DIR> d----c--- c:\windows\system32\drivers\Avg
2009-02-05 19:18 . 2009-02-05 19:18 <DIR> d----c--- c:\program files\AVG
2009-02-05 19:18 . 2009-02-05 19:18 <DIR> d----c--- c:\documents and settings\Owner.YOUR-4AB7CAB370\Application Data\AVGTOOLBAR
2009-02-05 19:18 . 2009-02-05 19:18 <DIR> d----c--- c:\documents and settings\All Users\Application Data\avg8
2009-01-16 11:00 . 2009-01-16 11:00 <DIR> d----c--- c:\program files\FileZilla FTP Client
2009-01-16 11:00 . 2009-01-25 15:58 <DIR> d----c--- c:\documents and settings\Owner.YOUR-4AB7CAB370\Application Data\FileZilla
2009-01-14 16:22 . 2009-01-14 16:22 36 --a--c--- c:\windows\filog.ini
2009-01-14 14:57 . 2009-01-14 14:57 <DIR> d----c--- c:\documents and settings\Owner.YOUR-4AB7CAB370\Application Data\Media Player Classic
2009-01-13 12:58 . 2009-01-13 12:58 <DIR> d----c--- c:\program files\HP Wireless Keyboard
2009-01-13 12:58 . 2005-02-18 16:40 65,536 -----c--- c:\windows\system32\KmRemove.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-09 05:33 6,656 -c--a-w c:\windows\system32\drivers\asyncmac.sys
2009-02-06 01:16 --------- dc----w c:\documents and settings\All Users\Application Data\McAfee
2009-02-06 01:15 --------- dc----w c:\program files\McAfee
2009-02-05 02:16 --------- dc----w c:\documents and settings\Owner.YOUR-4AB7CAB370\Application Data\BitTorrent
2009-01-23 22:59 --------- dc----w c:\program files\CyberLink
2009-01-15 06:01 --------- dc----w c:\documents and settings\All Users\Application Data\PacketTrap
2009-01-15 05:34 --------- dc-h--w c:\program files\InstallShield Installation Information
2009-01-13 19:00 --------- dc----w c:\program files\Common Files\LogiShrd
2008-12-27 01:25 --------- dc----w c:\documents and settings\Jenny\Application Data\HP
2008-12-24 17:38 --------- dc----w c:\program files\Common Files\InstallShield
2008-12-24 17:19 0 -c--a-w c:\documents and settings\Owner.YOUR-4AB7CAB370\XOG-full_170.exe
2008-12-23 18:42 --------- dc----w c:\program files\HP
2008-12-23 18:41 --------- dc----w c:\documents and settings\All Users\Application Data\HP Product Assistant
2008-12-22 03:30 --------- dc----w c:\documents and settings\Owner.YOUR-4AB7CAB370\Application Data\HP
2008-12-22 03:28 --------- dc----w c:\documents and settings\All Users\Application Data\HP
2008-12-22 03:22 --------- dc----w c:\program files\Common Files\Sonic Shared
2008-12-22 03:22 --------- dc----w c:\documents and settings\All Users\Application Data\Sonic
2008-12-22 03:21 --------- dc----w c:\program files\Common Files\HP
2008-12-22 03:17 --------- dc----w c:\program files\Hewlett-Packard
2008-12-22 03:16 --------- dc----w c:\program files\Common Files\Hewlett-Packard
2008-12-22 02:41 --------- dc----w c:\program files\PacketTrap Networks
2008-12-11 10:57 333,952 -c--a-w c:\windows\system32\drivers\srv.sys
2008-03-24 18:12 0 -c--a-w c:\documents and settings\Jenny\Application Data\wklnhst.dat
.
------- Sigcheck -------
2004-08-10 13:00 31744 f5a5b7cdf094d66bd71e331e030f4271 c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-13 18:12 31744 6f87d3cd409dcff57fd5f60c445b96d1 c:\windows\ServicePackFiles\i386\svchost.exe
2008-04-13 18:12 31744 206cd9f43ff1b208b819aeea0115466b c:\windows\system32\svchost.exe
2008-04-13 18:12 1051136 81714ecdaa8100f9a02e2ae03f8ee6a8 c:\windows\explorer.exe
2007-06-13 05:26 1050624 8f6aab07a02ac47806166fab6d6d0f9c c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 04:23 1050624 9788536dbb8a9a98199839c0a804aabe c:\windows\$NtServicePackUninstall$\explorer.exe
2004-08-10 13:00 1049600 bf71e9eeeadd84f1bcaf18bb10176996 c:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-13 18:12 1051136 6fb2656bfbdae7a78974afccd3458888 c:\windows\ServicePackFiles\i386\explorer.exe
2004-08-10 13:00 32768 b73d46cb42da3f1b64e7df0b8cd4a42c c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 18:12 32768 07bed93f984d466cad18be469b2dee9a c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-13 18:12 32768 8a2ab1e36ddea67790e825797e4b2348 c:\windows\system32\ctfmon.exe
2008-04-13 18:12 32768 5239cb86b297f429d0cf491f9cb16b8b c:\windows\system32\dllcache\ctfmon.exe
2005-06-10 18:17 75264 4ac1c75c477dc1776890dbf3e538b18d c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 17:53 75264 761f02d4f72b192893f33f22f29e7e41 c:\windows\$NtServicePackUninstall$\spoolsv.exe
2008-04-13 18:12 75264 5bbc0df5017a0dbd3a55e7d1712a0648 c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-13 18:12 75264 07c7d172884130c8c07324d6f14a1f19 c:\windows\system32\spoolsv.exe
2004-08-10 13:00 41984 f4e6fa255581cf6edea5138b09d87b5c c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 18:12 43520 559c2ba71bac158bd9cd5342322bf155 c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-13 18:12 43520 d1d691fede3682343a07fcae2ff8cb46 c:\windows\system32\userinit.exe
2008-04-13 18:12 43520 50830eb037463e88a9a7021e1eb5a218 c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 81920]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 118874]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 708698]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 987136]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 233472]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-28 364544]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"BtcMaestro"="c:\program files\HP Wireless Keyboard\KMaestro.exe" [2005-02-21 266240]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-05 1601304]
"Bdacexowali"="c:\windows\Xsekakobilob.dll" [2009-02-09 41472]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"services"="friendly error page -->" [X]
[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"services"="friendly error page -->" [X]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-02 131072]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 47104]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 94208]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-05 19:19 10520 c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-05 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-02-05 107272]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-05 298264]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2006-08-09 200576]
S1 ethhcwly;ethhcwly;c:\windows\system32\drivers\ethhcwly.sys --> c:\windows\system32\drivers\ethhcwly.sys [?]
S1 ethihcdz;ethihcdz;c:\windows\system32\drivers\ethihcdz.sys --> c:\windows\system32\drivers\ethihcdz.sys [?]
S1 ethjycst;ethjycst;c:\windows\system32\drivers\ethjycst.sys --> c:\windows\system32\drivers\ethjycst.sys [?]
S1 ethnlnxa;ethnlnxa;c:\windows\system32\drivers\ethnlnxa.sys --> c:\windows\system32\drivers\ethnlnxa.sys [?]
S1 ethoqshu;ethoqshu;c:\windows\system32\drivers\ethoqshu.sys --> c:\windows\system32\drivers\ethoqshu.sys [?]
S1 ethqptgh;ethqptgh;c:\windows\system32\drivers\ethqptgh.sys --> c:\windows\system32\drivers\ethqptgh.sys [?]
S1 ethvqrmu;ethvqrmu;c:\windows\system32\drivers\ethvqrmu.sys --> c:\windows\system32\drivers\ethvqrmu.sys [?]
S1 ethvvkvt;ethvvkvt;c:\windows\system32\drivers\ethvvkvt.sys --> c:\windows\system32\drivers\ethvvkvt.sys [?]
S1 ethymtcr;ethymtcr;c:\windows\system32\drivers\ethymtcr.sys --> c:\windows\system32\drivers\ethymtcr.sys [?]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2005-11-22 69692]
S3 ovtqfjtq;ovtqfjtq;\??\c:\windows\System32\Drivers\ovtqfjtq.sys --> c:\windows\System32\Drivers\ovtqfjtq.sys [?]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41395ace-bb80-11dd-8c08-00c0a8c08ff0}]
\Shell\AutoRun\command - F:\start.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a37a1133-d155-11dd-8c28-00c0a8c08ff0}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL mapselect.url
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-MSKDetectorExe - c:\program files\McAfee\SpamKiller\MSKDetct.exe
HKU-Default-Run-tezrtsjhfr84iusjfo84f - c:\windows\TEMP\csrssc.exe
HKU-Default-Run-services - c:\windows\services.exe
HKU-Default-Explorer_Run-services - c:\windows\services.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - ?p=ZUfox000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner.YOUR-4AB7CAB370\Application Data\Mozilla\Firefox\Profiles\1y96xe0j.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-09 08:07:09
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwOpenFile
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(844)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\ati2evxx.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\WLTRAY.EXE
c:\windows\system32\rundll32.exe
c:\program files\HP\Digital Imaging\bin\hpqnrs08.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-02-09 8:11:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-09 14:11:40
Pre-Run: 50,897,207,296 bytes free
Post-Run: 50,861,273,088 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
284 --- E O F --- 2008-12-19 03:31:18
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:13:33 AM, on 2/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP Wireless Keyboard\KMaestro.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner.YOUR-4AB7CAB370\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [BtcMaestro] "C:\Program Files\HP Wireless Keyboard\KMaestro.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Bdacexowali] rundll32.exe "C:\WINDOWS\Xsekakobilob.dll",e
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [services] friendly error page -->
O4 - HKCU\..\Policies\Explorer\Run: [services] friendly error page -->
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Search - ?p=ZUfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 6983 bytes
Thanks for your continued assistance
Hi,
Please do not alter the logs in anyway by highlighting them in red or anything else, I need to see them exactly as they come up.
Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.<-- Don't forget this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a New Hijackthis log.
Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File::
File::
c:\windows\Xsekakobilob.dll
c:\windows\system32\4B.tmp
c:\windows\system32\17.tmp
c:\windows\system32\15.tmp
c:\windows\sysguard.exe
c:\windows\system32\2.tmp
c:\windows\system32\1D.tmp
c:\windows\system32\1A.tmp
c:\windows\_id.dat
c:\windows\system32\C.tmp
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41395ace-bb80-11dd-8c08-00c0a8c08ff0}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a37a1133-d155-11dd-8c28-00c0a8c08ff0}]
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
You need to enable windows to show all files and folders, instructions Here (http://www.bleepingcomputer.com/tutorials/tutorial62.html)
Go to VirusTotal (http://www.virustotal.com/) and submit these files for analysis, just use the BROWSE feature and then Send File , you will get a report back, post the report into this thread for me to see.
c:\windows\system32\drivers\ethihcdz.sys
c:\windows\System32\Drivers\ovtqfjtq.sys
Let me see the Malwarebytes log, the New Combofix log, the VirusTotal report and finally a new HJT log.
cd_in_chitown
2009-02-09, 20:59
Thanks Ken for the continued assistance, I may have inadvertently changed the logs from *.log to *.txt but haven't highlighted in notepad and was surprised to see the red in the thread. I think I have captured these exactly as they came from the apps. However upon finishing the steps as described the files named were not found on the infected machine therefore no virus total log is included.
Logs follow;
Malwarebytes' Anti-Malware 1.33
Database version: 1742
Windows 5.1.2600 Service Pack 3
2/9/2009 12:35:59 PM
mbam-log-2009-02-09 (12-35-59).txt
Scan type: Quick Scan
Objects scanned: 63121
Time elapsed: 3 minute(s), 9 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 10
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\asyncmac (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\asyncmac (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asyncmac (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bdacexowali (Trojan.Agent) -> Delete on reboot.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\drivers\asyncmac.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Common\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Xsekakobilob.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\F.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\sysguard.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
ComboFix 09-02-08.02 - Owner 2009-02-09 12:41:55.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1493 [GMT -6:00]
Running from: c:\documents and settings\Owner.YOUR-4AB7CAB370\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner.YOUR-4AB7CAB370\Desktop\cfscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
FILE ::
c:\windows\_id.dat
c:\windows\sysguard.exe
c:\windows\system32\15.tmp
c:\windows\system32\17.tmp
c:\windows\system32\1A.tmp
c:\windows\system32\1D.tmp
c:\windows\system32\2.tmp
c:\windows\system32\4B.tmp
c:\windows\system32\C.tmp
c:\windows\Xsekakobilob.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\_id.dat
c:\windows\system32\15.tmp
c:\windows\system32\17.tmp
c:\windows\system32\1A.tmp
c:\windows\system32\1D.tmp
c:\windows\system32\4B.tmp
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\svchost.exe . . . is infected!!
c:\windows\system32\spoolsv.exe . . . is infected!!
c:\windows\explorer.exe . . . is infected!!
.
((((((((((((((((((((((((( Files Created from 2009-01-09 to 2009-02-09 )))))))))))))))))))))))))))))))
.
2009-02-09 12:32 . 2009-02-09 12:32 0 --a--c--- c:\windows\system32\16.tmp
2009-02-09 12:32 . 2009-02-09 12:32 0 --a--c--- c:\windows\system32\12.tmp
2009-02-09 12:30 . 2009-02-09 12:30 <DIR> d----c--- c:\program files\Malwarebytes' Anti-Malware
2009-02-09 12:30 . 2009-02-09 12:30 <DIR> d----c--- c:\documents and settings\Owner.YOUR-4AB7CAB370\Application Data\Malwarebytes
2009-02-09 12:30 . 2009-02-09 12:30 <DIR> d----c--- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-09 12:30 . 2009-01-14 16:11 38,496 --a--c--- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-09 12:30 . 2009-01-14 16:11 15,504 --a--c--- c:\windows\system32\drivers\mbam.sys
2009-02-08 23:31 . 2009-02-08 23:31 268 --ah-c--- C:\sqmdata16.sqm
2009-02-08 23:31 . 2009-02-08 23:31 244 --ah-c--- C:\sqmnoopt16.sqm
2009-02-08 23:23 . 2009-02-08 23:23 268 --ah-c--- C:\sqmdata15.sqm
2009-02-08 23:23 . 2009-02-08 23:23 244 --ah-c--- C:\sqmnoopt15.sqm
2009-02-08 20:01 . 2009-02-08 20:01 <DIR> d--h-c--- c:\windows\PIF
2009-02-06 08:45 . 2009-02-06 08:45 32,768 --ah-c--- c:\documents and settings\Owner.YOUR-4AB7CAB370\vpu.exe
2009-02-05 22:16 . 2009-02-05 22:16 32,768 --ah-c--- c:\documents and settings\Owner.YOUR-4AB7CAB370\vmwe.exe
2009-02-05 19:28 . 2009-02-09 07:01 <DIR> d--h-c--- C:\$AVG8.VAULT$
2009-02-05 19:23 . 2009-02-06 08:45 66,560 ---h-c--- c:\windows\system32\secupdat.dat
2009-02-05 19:23 . 2009-02-05 19:23 32,768 --ah-c--- c:\documents and settings\Owner.YOUR-4AB7CAB370\lkan.exe
2009-02-05 19:23 . 2009-02-05 19:23 32,768 --ah-c--- c:\documents and settings\Owner.YOUR-4AB7CAB370\lfbiu.exe
2009-02-05 19:23 . 2009-02-06 08:40 130 --a--c--- c:\windows\adobe.bat
2009-02-05 19:19 . 2009-02-05 19:19 325,128 --a--c--- c:\windows\system32\drivers\avgldx86.sys
2009-02-05 19:19 . 2009-02-05 19:19 107,272 --a--c--- c:\windows\system32\drivers\avgtdix.sys
2009-02-05 19:19 . 2009-02-05 19:19 10,520 --a--c--- c:\windows\system32\avgrsstx.dll
2009-02-05 19:18 . 2009-02-06 08:43 <DIR> d----c--- c:\windows\system32\drivers\Avg
2009-02-05 19:18 . 2009-02-05 19:18 <DIR> d----c--- c:\program files\AVG
2009-02-05 19:18 . 2009-02-05 19:18 <DIR> d----c--- c:\documents and settings\Owner.YOUR-4AB7CAB370\Application Data\AVGTOOLBAR
2009-02-05 19:18 . 2009-02-05 19:18 <DIR> d----c--- c:\documents and settings\All Users\Application Data\avg8
2009-01-16 11:00 . 2009-01-16 11:00 <DIR> d----c--- c:\program files\FileZilla FTP Client
2009-01-16 11:00 . 2009-01-25 15:58 <DIR> d----c--- c:\documents and settings\Owner.YOUR-4AB7CAB370\Application Data\FileZilla
2009-01-14 16:22 . 2009-01-14 16:22 36 --a--c--- c:\windows\filog.ini
2009-01-14 14:57 . 2009-01-14 14:57 <DIR> d----c--- c:\documents and settings\Owner.YOUR-4AB7CAB370\Application Data\Media Player Classic
2009-01-13 12:58 . 2009-01-13 12:58 <DIR> d----c--- c:\program files\HP Wireless Keyboard
2009-01-13 12:58 . 2005-02-18 16:40 65,536 -----c--- c:\windows\system32\KmRemove.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-06 01:16 --------- dc----w c:\documents and settings\All Users\Application Data\McAfee
2009-02-06 01:15 --------- dc----w c:\program files\McAfee
2009-02-05 02:16 --------- dc----w c:\documents and settings\Owner.YOUR-4AB7CAB370\Application Data\BitTorrent
2009-01-23 22:59 --------- dc----w c:\program files\CyberLink
2009-01-15 06:01 --------- dc----w c:\documents and settings\All Users\Application Data\PacketTrap
2009-01-15 05:34 --------- dc-h--w c:\program files\InstallShield Installation Information
2009-01-13 19:00 --------- dc----w c:\program files\Common Files\LogiShrd
2008-12-27 01:25 --------- dc----w c:\documents and settings\Jenny\Application Data\HP
2008-12-24 17:38 --------- dc----w c:\program files\Common Files\InstallShield
2008-12-24 17:19 0 -c--a-w c:\documents and settings\Owner.YOUR-4AB7CAB370\XOG-full_170.exe
2008-12-23 18:42 --------- dc----w c:\program files\HP
2008-12-23 18:41 --------- dc----w c:\documents and settings\All Users\Application Data\HP Product Assistant
2008-12-22 03:30 --------- dc----w c:\documents and settings\Owner.YOUR-4AB7CAB370\Application Data\HP
2008-12-22 03:28 --------- dc----w c:\documents and settings\All Users\Application Data\HP
2008-12-22 03:22 --------- dc----w c:\program files\Common Files\Sonic Shared
2008-12-22 03:22 --------- dc----w c:\documents and settings\All Users\Application Data\Sonic
2008-12-22 03:21 --------- dc----w c:\program files\Common Files\HP
2008-12-22 03:17 --------- dc----w c:\program files\Hewlett-Packard
2008-12-22 03:16 --------- dc----w c:\program files\Common Files\Hewlett-Packard
2008-12-22 02:41 --------- dc----w c:\program files\PacketTrap Networks
2008-12-11 10:57 333,952 -c--a-w c:\windows\system32\drivers\srv.sys
2008-03-24 18:12 0 -c--a-w c:\documents and settings\Jenny\Application Data\wklnhst.dat
.
------- Sigcheck -------
2004-08-10 13:00 31744 f5a5b7cdf094d66bd71e331e030f4271 c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-13 18:12 31744 6f87d3cd409dcff57fd5f60c445b96d1 c:\windows\ServicePackFiles\i386\svchost.exe
2008-04-13 18:12 31744 206cd9f43ff1b208b819aeea0115466b c:\windows\system32\svchost.exe
2008-04-13 18:12 1051136 81714ecdaa8100f9a02e2ae03f8ee6a8 c:\windows\explorer.exe
2007-06-13 05:26 1050624 8f6aab07a02ac47806166fab6d6d0f9c c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 04:23 1050624 9788536dbb8a9a98199839c0a804aabe c:\windows\$NtServicePackUninstall$\explorer.exe
2004-08-10 13:00 1049600 bf71e9eeeadd84f1bcaf18bb10176996 c:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-13 18:12 1051136 6fb2656bfbdae7a78974afccd3458888 c:\windows\ServicePackFiles\i386\explorer.exe
2004-08-10 13:00 32768 b73d46cb42da3f1b64e7df0b8cd4a42c c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 18:12 32768 07bed93f984d466cad18be469b2dee9a c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-13 18:12 32768 8a2ab1e36ddea67790e825797e4b2348 c:\windows\system32\ctfmon.exe
2008-04-13 18:12 32768 5239cb86b297f429d0cf491f9cb16b8b c:\windows\system32\dllcache\ctfmon.exe
2005-06-10 18:17 75264 4ac1c75c477dc1776890dbf3e538b18d c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 17:53 75264 761f02d4f72b192893f33f22f29e7e41 c:\windows\$NtServicePackUninstall$\spoolsv.exe
2008-04-13 18:12 75264 5bbc0df5017a0dbd3a55e7d1712a0648 c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-13 18:12 75264 07c7d172884130c8c07324d6f14a1f19 c:\windows\system32\spoolsv.exe
2004-08-10 13:00 41984 f4e6fa255581cf6edea5138b09d87b5c c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 18:12 43520 559c2ba71bac158bd9cd5342322bf155 c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-13 18:12 43520 d1d691fede3682343a07fcae2ff8cb46 c:\windows\system32\userinit.exe
2008-04-13 18:12 43520 50830eb037463e88a9a7021e1eb5a218 c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-02-09_ 8.10.19.90 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-21 02:02:28 163,328 -c--a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 02:02:28 184,320 -c--a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
- 2009-02-09 14:05:26 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-09 18:38:19 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-09 14:05:26 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-09 18:38:19 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-09 14:05:26 65,536 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-09 18:38:19 65,536 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 81920]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 118874]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 708698]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 987136]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 233472]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-28 364544]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"BtcMaestro"="c:\program files\HP Wireless Keyboard\KMaestro.exe" [2005-02-21 266240]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-05 1601304]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"services"="friendly error page -->" [X]
[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"services"="friendly error page -->" [X]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-02 131072]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 47104]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 94208]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-05 19:19 10520 c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-05 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-02-05 107272]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-05 298264]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2006-08-09 200576]
S1 ethhcwly;ethhcwly;c:\windows\system32\drivers\ethhcwly.sys --> c:\windows\system32\drivers\ethhcwly.sys [?]
S1 ethihcdz;ethihcdz;c:\windows\system32\drivers\ethihcdz.sys --> c:\windows\system32\drivers\ethihcdz.sys [?]
S1 ethjycst;ethjycst;c:\windows\system32\drivers\ethjycst.sys --> c:\windows\system32\drivers\ethjycst.sys [?]
S1 ethnlnxa;ethnlnxa;c:\windows\system32\drivers\ethnlnxa.sys --> c:\windows\system32\drivers\ethnlnxa.sys [?]
S1 ethoqshu;ethoqshu;c:\windows\system32\drivers\ethoqshu.sys --> c:\windows\system32\drivers\ethoqshu.sys [?]
S1 ethqptgh;ethqptgh;c:\windows\system32\drivers\ethqptgh.sys --> c:\windows\system32\drivers\ethqptgh.sys [?]
S1 ethvqrmu;ethvqrmu;c:\windows\system32\drivers\ethvqrmu.sys --> c:\windows\system32\drivers\ethvqrmu.sys [?]
S1 ethvvkvt;ethvvkvt;c:\windows\system32\drivers\ethvvkvt.sys --> c:\windows\system32\drivers\ethvvkvt.sys [?]
S1 ethymtcr;ethymtcr;c:\windows\system32\drivers\ethymtcr.sys --> c:\windows\system32\drivers\ethymtcr.sys [?]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2005-11-22 69692]
S3 ovtqfjtq;ovtqfjtq;\??\c:\windows\System32\Drivers\ovtqfjtq.sys --> c:\windows\System32\Drivers\ovtqfjtq.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - ?p=ZUfox000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner.YOUR-4AB7CAB370\Application Data\Mozilla\Firefox\Profiles\1y96xe0j.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-09 12:44:41
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwOpenFile
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(832)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-02-09 12:47:23
ComboFix-quarantined-files.txt 2009-02-09 18:46:30
ComboFix2.txt 2009-02-09 14:11:44
Pre-Run: 50,823,540,736 bytes free
Post-Run: 50,801,438,720 bytes free
250 --- E O F --- 2008-12-19 03:31:18
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:49:47 PM, on 2/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP Wireless Keyboard\KMaestro.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Documents and Settings\Owner.YOUR-4AB7CAB370\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [BtcMaestro] "C:\Program Files\HP Wireless Keyboard\KMaestro.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [services] friendly error page -->
O4 - HKCU\..\Policies\Explorer\Run: [services] friendly error page -->
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Search - ?p=ZUfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 6798 bytes
Lets do this
Remove these with HJT
O4 - HKLM\..\Policies\Explorer\Run: [services] friendly error page -->
O4 - HKCU\..\Policies\Explorer\Run: [services] friendly error page -->
Delete these
c:\windows\system32\16.tmp
c:\windows\system32\12.tmp
This tool needs to be run from Safemode to be effective so download it to your desktop then boot to Safemode to run it
To Enter Safemode
Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode
Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
Hello,
We're beating a dead horse here, this is whats going on. You can forget the SDFix.
Got bad news for you, read this please.
You have a real nasty infection on your system. Virut/Virtob is a file infector virus with IRC bot functionality which infects all .exe and .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. When disinfection is attempted, the files become corrupted and the system may become irreparable.
Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Please read "When should I re-format? (http://www.dslreports.com/faq/10063)" and "Reformatting the computer or troubleshooting; which is best? (http://www.helium.com/tm/650267/determine-whether-troubleshoot-reformat)".
If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.
You can try the AVG Virut Remover (http://www.avg.com/us.virus-removal.ndi-67762). Follow the instructions exactly as specified and pay close attention to the instructions including the note on administrator rights. If that does not work, there may be no recovery from this infection. The only thing you can do then is reformat and reinstall Windows.
Virut/Virtob is contracted and spread by visiting remote, crack and keygen sites. Those who attempt to get software for free may end up with a computer system so badly damaged that recovery is not possible and a Repair Install will NOT help! Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Starting over, reformatting the drive and performing a clean install removes everything.
More info
http://www.f-secure.com/v-descs/virus_w32_virut.shtml
Let me know if the AVG tool helped
cd_in_chitown
2009-02-10, 02:35
Ok successfully deleted the reg keys with HJT and deleted the .tmp files through explorer, installed and ran SDFix as directed, logs follow;
SDFix: Version 1.240
Run by Owner on Mon 02/09/2009 at 06:02 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\DOCUME~1\OWNER~1.YOU\XOG-FU~1.EXE - Deleted
C:\Program Files\Microsoft Common\svchost.exe - Deleted
Folder C:\Program Files\Microsoft Common - Removed
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-09 18:17:34
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwOpenFile
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"%windir%\\system32\\drivers\\svchost.exe"="%windir%\\system32\\drivers\\svchost.exe:*:Enabled:svchost"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"
"\\??\\C:\\WINDOWS\\system32\\winlogon.exe"="\\??\\C:\\WINDOWS\\system32\\winlogon.exe:*:enabled:@shell32.dll,-1"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"%windir%\\system32\\drivers\\svchost.exe"="%windir%\\system32\\drivers\\svchost.exe:*:Enabled:svchost"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Thu 5 Feb 2009 32,768 A..H. --- "C:\Documents and Settings\Owner.YOUR-4AB7CAB370\lfbiu.exe"
Thu 5 Feb 2009 32,768 A..H. --- "C:\Documents and Settings\Owner.YOUR-4AB7CAB370\lkan.exe"
Thu 5 Feb 2009 32,768 A..H. --- "C:\Documents and Settings\Owner.YOUR-4AB7CAB370\vmwe.exe"
Fri 6 Feb 2009 32,768 A..H. --- "C:\Documents and Settings\Owner.YOUR-4AB7CAB370\vpu.exe"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 7 Jul 2008 2,156,368 A.SH. --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Fri 23 Mar 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 20 Nov 2003 74,752 ...H. --- "C:\Documents and Settings\Owner.YOUR-4AB7CAB370\My Documents\Warrior Chapters\~WRL1438.tmp"
Sat 10 Nov 2007 540,160 ...H. --- "C:\Documents and Settings\Owner.YOUR-4AB7CAB370\My Documents\Jeep Stuff\D & D OffRoad\D & D Off-Road\~WRL2778.tmp"
Finished!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:22:45 PM, on 2/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP Wireless Keyboard\KMaestro.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Documents and Settings\Owner.YOUR-4AB7CAB370\Desktop\HijackThis.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [BtcMaestro] "C:\Program Files\HP Wireless Keyboard\KMaestro.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Search - ?p=ZUfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 6818 bytes
Thanks again for your continued support, I've not connected the infected machine back to the network except a quick connect to download updates during previous steps. I'm seeing a system.exe file get repeatedly added to the thumb drive I'm using to transfer the logs to this machine...haven't seen that happen since these last steps though.
Please read my previous post, it looks like you missed it. Post # 9
cd_in_chitown
2009-02-10, 17:51
I saw it but not until I'd posted up, spent the rest of the night trying to run rmvirut.exe, it ran ok on the 2nd or 3rd attempt, and then said there were 2 files it couldn't clean but asked if I wanted them cleaned/deleted on reboot, the text on reboot was quick so not sure what it said but when I scanned with AVG again it found the instances had multiplied from 6 - 9 - and now 86 this morning and only 9 minutes into the scan. I'm ensuring my data archives are solid and then planning to wipe.
Not sure what my choices are here as I don't have a full OS disk for XP, I'm hesitant to restore to a corrupted version, considering a full wipe and ubuntu install. Any thoughts or advice?
You can back up any documents and pictures, but not much else. This has to be a full format, doing just a repair install will just copy over the infection.
Contact the Manufacturer of your system, I am sure they can send you a re install disk for your computer. ubunto is up to you. Read just recently that infections are starting to infect MACs.
Try this first .
* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
If you can, run this free online virus scanner.
Run this free online scan using Internet Explorer:
Kaspersky Online Virus Scanner (http://www.kaspersky.com/virusscanner)
Next Click on Launch Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Standard
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan: Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Post the log along with a New HJT Log into your next reply.
cd_in_chitown
2009-02-10, 19:28
Am downloading Dr. Web cure now, I'm unsure on the Kapersky advice as I have a home network with my wife having 2 machines (XP & Vista) on the same segment. I really don't want to infect additional machines in the house, running CA Anti-Virus on the Vista machine and Norton on her desktop, ZoneAlarm firewall on the desktop but Comodo on the Vista machine, we also have an HP printer plugged into the router. Is it advisable to connect the infected machine through the network or should I disconnect all other devices and run the infected machine straight to the modem?
I would then bypass Kaspersky , after you download Dr.WebCureIt, disconnect from the net, pull your cables and stay offline until you do a clean install. Not really sure at this point what this virus is capable of.
If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.