View Full Version : Infected from Disk On key
grassman22
2009-02-17, 16:10
Hi,
Got infected from a Disk On Key. Please help me remove the infection.
Here is my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:03:27, on 17/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Crazy Browser\Crazy Browser.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\Finder.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hddstatus.com/hdrepshowreport.php?ReportCode=2390511&ReportVerification=37FBDEDB
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205866140937
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?AuthParam=1233562810_d5b872c9ce76482cf4c6c222f19f6e47&GroupName=JSC&FilePath=/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab&File=jinstall-6u11-windows-i586-jc.cab&BHost=javadl.sun.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 8516 bytes
Thnx,
Grassman22
pskelley
2009-02-21, 15:04
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
For your benefit, the instructions are pinned (sticky) to the top of the Malware Removal forum,
please read and be sure you have followed those instructions. I have also posted the "Before you Post"
instructions at the top of this thread.
1) Tea Timer is NOT disabled as instructed in the directions?
2) AVG7 <<< why are you running an out of date antivirus program?
3) I see no malware in the HJT log and you have provided no information? What program is finding this infection and what exactly is it finding?
4) Is this what you are talking about, a flash drive?
http://www.macnn.com/reviews/m-systems-disk-on-key.html
5) If that flash drive is infected, it will have to be disinfected as will the computer.
6) Since several days have passed, read and follow the direction, disable TeaTimer, provide the information I reqested along with a new HJT log.
Thanks
grassman22
2009-02-22, 14:54
Hi,
Sorry for not posting right. I've installed AVG 8 and disabled Tea Timer. Here is the information I gathered about the viruses:
1. Yes, it's from a flash drive (you plug it to the USB socket).
2. AVG detected autorun.inf, wich i moved to the vault.
3. Comodo BOClean found these:
------------------------------
02/17/2009 15:46:58: PSW-GAMES.CLA VARIANT STOPPED BY BOCLEAN!
Trojan horse was found in memory.
C:\DOCUME~1\F1CC~1\LOCALS~1\TEMP\HELP.EXE contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: דורון
------------------------------
02/17/2009 15:47:38: PSW-GAMES.CLA VARIANT STOPPED BY BOCLEAN!
Trojan horse was found in memory.
F:\HYETN1I.EXE contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: דורון
------------------------------
02/17/2009 15:48:33: NIRCOMMAND VARIANT STOPPED BY BOCLEAN!
Trojan horse was found in memory.
C:\DOCUME~1\F1CC~1\LOCALS~1\TEMP\NIRCMD.EXE contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: דורון
4. Spybot promped these:
17/02/2009 15:46:26 Denied (based on user decision) value "cdoosoft" (new data: "C:\WINDOWS\system32\olhrwef.exe") added in System Startup user entry!
17/02/2009 15:47:10 Denied (based on user decision) value "load" (new data: " ") added in NT startup!
17/02/2009 15:47:14 Denied (based on user decision) value "run" (new data: " ") added in NT startup!
17/02/2009 15:47:48 Denied (based on user decision) value "load" (new data: " ") added in NT startup!
17/02/2009 15:47:58 Denied (based on user decision) value "run" (new data: " ") added in NT startup!
17/02/2009 15:48:15 Denied (based on user decision) value "DisableCMD" (new data: "") deleted in Disable Command!
17/02/2009 15:48:22 Denied (based on user decision) value "DisableCMD" (new data: "") deleted in Disable Command!
17/02/2009 15:48:25 Denied (based on user decision) value "DisableRegistryTools" (new data: "") deleted in Disable Registrytool!
17/02/2009 15:48:28 Denied (based on user decision) value "DisableCMD" (new data: "") deleted in Disable Command!
17/02/2009 15:48:37 Denied (based on user decision) value "load" (new data: " ") added in NT startup!
17/02/2009 15:48:37 Denied (based on user blacklist) value "run" (new data: " ") added in NT startup!
17/02/2009 16:19:12 Denied (based on user decision) value "load" (new data: "") added in NT startup!
And now, a fresh HJT report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:46:48, on 22/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Crazy Browser\Crazy Browser.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\Finder.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hddstatus.com/hdrepshowreport.php?ReportCode=2390511&ReportVerification=37FBDEDB
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205866140937
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - https://tango.huji.ac.il/sre/ICSScanner.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?AuthParam=1233562810_d5b872c9ce76482cf4c6c222f19f6e47&GroupName=JSC&FilePath=/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab&File=jinstall-6u11-windows-i586-jc.cab&BHost=javadl.sun.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 8447 bytes
Hope the information helps.
Thanks,
Grassman22
pskelley
2009-02-22, 15:30
OK, thanks for the information, first see this:
http://www.google.com/search?hl=en&q=autorun.inf&btnG=Google+Search&aq=f&oq=
If AVG is correct and that file was infected, it likely got that way when you stuck the infected drive into your computer and loaded a file.
I do not see AVG 8 in running processes? Do you have it turned off? Make sure it is running.
Comodo\CBOClean <<< I see Zone Alarm, you are not running more than one firewall...correct?
Follow these directions carefully:
1) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.
2) Download Flash_Disinfector.exe by sUBs from here (http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe) and save it to your desktop.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you run it. Don't delete this folder...it will help protect your drives from future infection.
3) * Right click the icon for AVG in System Tray and choose Open AVG User Interface.
* Click on Update now, allow AVG to download and install any new updates.
* Click on Computer Scanner then choose "Scan whole computer", this takes a round one hour on the computer I am using now.
* Near the bottom above the words "The scan is complete" choose "Export overview to file"
* Choose Desktop and give it a name you will recognize like AVG Scan Results, then choose SAVE.
* Close results and close the Interface.
* Copy and paste the contents of that file unless it is clean, then just let me know.
4) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg
Thanks
grassman22
2009-02-22, 18:18
Hi,
Here is the AVG report:
"Scan ""Scan whole computer"" was finished."
"Infections";"7";"7";"0"
"Spyware";"2";"2";"0"
"Information";"3"
"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"יום*ראשון 22 פברואר 2009, 15:48:10"
"Scan finished:";"יום*ראשון 22 פברואר 2009, 18:00:24 (2 hour(s) 12 minute(s) 13 second(s))"
"Total object scanned:";"941227"
"User who launched the scan:";"דורון"
"Infections"
"File";"Infection";"Result"
"C:\hyetn1i.exe";"Virus found Win32/Heur";"Moved to Virus Vault"
"C:\MSOCache\All Users\9000040d-6000-11D3-8CFE-0150048383C9\YC561425.CAB";"Trojan horse BackDoor.Bifrose.AHC";"Moved to Virus Vault"
"C:\MSOCache\All Users\9000040d-6000-11D3-8CFE-0150048383C9\YC561425.CAB:\F331_input98.cpl.mui.8F14C9F4_86F9_4071_A52A_A6CB92DDBCA9";"Trojan horse BackDoor.Bifrose.AHC";"Moved to Virus Vault"
"C:\MSOCache\All Users\9000040d-6000-11D3-8CFE-0150048383C9\YC561425.CAB:\F332_input.cpl.mui.8F14C9F4_86F9_4071_A52A_A6CB92DDBCA9";"Trojan horse BackDoor.Bifrose.AHC";"Moved to Virus Vault"
"C:\WINDOWS\system32\nmdfgds1.dll";"Virus found Win32/Heur";"Moved to Virus Vault"
"C:\WINDOWS\system32\olhrwef.exe";"Virus found Win32/Heur";"Moved to Virus Vault"
"D:\hyetn1i.exe";"Virus found Win32/Heur";"Moved to Virus Vault"
"Spyware"
"File";"Infection";"Result"
"C:\Documents and Settings\דורון\My Documents\תוכנות\Adobe.Photoshop.Extended.CS3.Middle.East.ME.v10.0\Photoshop CS3 Extended Keygen VLK.exe";"Potentially harmful program Crack.F";"Moved to Virus Vault"
"C:\Program Files\Driver Magician\DM31_CRK.exe";"Potentially harmful program HackTool.crack";"Moved to Virus Vault"
"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\דורון\Cookies\דורון@2o7[2].txt";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@2o7[2].txt:\2o7.net.1a6a6c0d";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@2o7[2].txt:\2o7.net.7ea8995a";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@2o7[2].txt:\2o7.net.eac1437";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@2o7[2].txt:\2o7.net.ebf63e2a";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@advertising[1].txt";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@advertising[1].txt:\advertising.com.1dfa2206";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@advertising[1].txt:\advertising.com.203aa218";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@advertising[1].txt:\advertising.com.525a5fb9";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@advertising[1].txt:\advertising.com.7ae8f949";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@advertising[1].txt:\advertising.com.b624fa46";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@atdmt[1].txt";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@atdmt[1].txt:\atdmt.com.b3e33b5f";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@bs.serving-sys[1].txt";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@bs.serving-sys[1].txt:\bs.serving-sys.com.5bf1f00f";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@ivwbox[1].txt";"Found Tracking cookie.Ivwbox";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@ivwbox[1].txt:\ivwbox.de.41d82fe2";"Found Tracking cookie.Ivwbox";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@m.webtrends[2].txt";"Found Tracking cookie.Webtrends";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@m.webtrends[2].txt:\m.webtrends.com.b4ca7df0";"Found Tracking cookie.Webtrends";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@overture[2].txt";"Found Tracking cookie.Overture";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@overture[2].txt:\overture.com.52ca467a";"Found Tracking cookie.Overture";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@overture[2].txt:\overture.com.e626e6be";"Found Tracking cookie.Overture";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@revsci[2].txt";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@revsci[2].txt:\revsci.net.44927ec";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@revsci[2].txt:\revsci.net.26b016c3";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@revsci[2].txt:\revsci.net.2df99d79";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@revsci[2].txt:\revsci.net.80477c7f";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@revsci[2].txt:\revsci.net.3f4566dd";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@revsci[2].txt:\revsci.net.a64c3767";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@revsci[2].txt:\revsci.net.e9dbeb91";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@searchportal.information[1].txt";"Found Tracking cookie.Information";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@searchportal.information[1].txt:\searchportal.information.com.3a8d7204";"Found Tracking cookie.Information";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@searchportal.information[1].txt:\searchportal.information.com.44e78b2";"Found Tracking cookie.Information";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@searchportal.information[1].txt:\searchportal.information.com.dc1f9450";"Found Tracking cookie.Information";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@serving-sys[2].txt";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@serving-sys[2].txt:\serving-sys.com.255d6f2f";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@serving-sys[2].txt:\serving-sys.com.400f83f";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@serving-sys[2].txt:\serving-sys.com.4b416ef8";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@serving-sys[2].txt:\serving-sys.com.606c3d3b";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@serving-sys[2].txt:\serving-sys.com.6a1cf9e8";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@serving-sys[2].txt:\serving-sys.com.c9034af6";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@spylog[2].txt";"Found Tracking cookie.Spylog";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@spylog[2].txt:\spylog.com.a99d3bed";"Found Tracking cookie.Spylog";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@tacoda[1].txt";"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@tacoda[1].txt:\tacoda.net.27341d57";"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@tacoda[1].txt:\tacoda.net.4366831a";"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@tacoda[1].txt:\tacoda.net.5935e89";"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@tacoda[1].txt:\tacoda.net.c4fe2ebb";"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@tacoda[1].txt:\tacoda.net.cd7ce44f";"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@tacoda[1].txt:\tacoda.net.ed9c50d1";"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@weborama[2].txt";"Found Tracking cookie.Weborama";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@weborama[2].txt:\weborama.fr.2bb7a5bc";"Found Tracking cookie.Weborama";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@weborama[2].txt:\weborama.fr.30104bcb";"Found Tracking cookie.Weborama";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@yadro[1].txt";"Found Tracking cookie.Yadro";"Moved to Virus Vault"
"C:\Documents and Settings\דורון\Cookies\דורון@yadro[1].txt:\yadro.ru.c77afad5";"Found Tracking cookie.Yadro";"Moved to Virus Vault"
"Information"
"File";"Infection";"Result"
"C:\Documents and Settings\דורון\My Documents\תוכנות\Adobe.Photoshop.Extended.CS3.Middle.East.ME.v10.0\MasterCollectionCS3KEYGEN.EXE";"Runtime packed fsg";""
"C:\Documents and Settings\דורון\שולחן העבודה\c\My Documents\תוכנות\David Say No Erase! -Programs 2 Steal\WinRAR\WinRar 3.5 b\Patch.exe";"Runtime packed mew";""
"C:\RECYCLER\S-1-5-21-854245398-1957994488-839522115-1004\Dc1\WinRar 3.5 b\Patch.exe";"Runtime packed mew";""
And here is the uninstall list:
##CAMERADRIVERNAME##
Ad-Aware
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Fonts All
Adobe Help Center 2.0
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop 7.0 ME
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Premiere Pro 2.0
Adobe Reader 8.1.0
Adobe Setup
Adobe Stock Photos 1.0
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Apple Software Update
AVG Free 8.0
BOClean
Crazy Browser version 2.0.1
CTP Pro 1.8
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Driver Magician 3.1
DVD Solution
FreeMind
Gadwin PrintScreen
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
HP Image Zone Express
HP Imaging Device Functions 5.3
HP PSC & OfficeJet 5.3.B
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
InCD
Intel(R) PRO Network Connections Drivers
Java(TM) 6 Update 11
Kaspersky Online Scanner
Macromedia Extension Manager
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Malwarebytes' Anti-Malware
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (2.0.0.12)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Multimedia Launcher
MV2Player (remove only)
Nero OEM
Nero Suite
NVIDIA Drivers
OGA Notifier 1.7.0105.35.0
Optibase VideoPump YUV CODECs
Panda ActiveScan 2.0
PDF Settings
PowerDVD
PowerProducer
QuickTime
Realtek High Definition Audio Driver
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
SpeedFan (remove only)
Spybot - Search & Destroy
SpywareBlaster 4.1
Stop Motion Pro v4
Tablet
TuneUp Utilities 2008
Tweak UI
VC 9.0 Runtime
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
WinZip
Xvid 1.1.2 final uninstall
ZoneAlarm
עדכון אבטחה עבור Windows Internet Explorer 7 (KB938127)
עדכון אבטחה עבור Windows Internet Explorer 7 (KB942615)
עדכון אבטחה עבור Windows Internet Explorer 7 (KB944533)
עדכון אבטחה עבור Windows Internet Explorer 7 (KB950759)
עדכון אבטחה עבור Windows Internet Explorer 7 (KB953838)
עדכון אבטחה עבור Windows Internet Explorer 7 (KB956390)
עדכון אבטחה עבור Windows Internet Explorer 7 (KB958215)
עדכון אבטחה עבור Windows Internet Explorer 7 (KB960714)
עדכון אבטחה עבור Windows Internet Explorer 7 (KB961260)
עדכון אבטחה עבור Windows Media Player (KB952069)
עדכון אבטחה עבור Windows Media Player 11 (KB936782)
עדכון אבטחה עבור Windows Media Player 11 (KB954154)
עדכון אבטחה עבור Windows XP (KB938464)
עדכון אבטחה עבור Windows XP (KB941569)
עדכון אבטחה עבור Windows XP (KB946648)
עדכון אבטחה עבור Windows XP (KB950760)
עדכון אבטחה עבור Windows XP (KB950762)
עדכון אבטחה עבור Windows XP (KB950974)
עדכון אבטחה עבור Windows XP (KB951066)
עדכון אבטחה עבור Windows XP (KB951376)
עדכון אבטחה עבור Windows XP (KB951376-v2)
עדכון אבטחה עבור Windows XP (KB951698)
עדכון אבטחה עבור Windows XP (KB951748)
עדכון אבטחה עבור Windows XP (KB952954)
עדכון אבטחה עבור Windows XP (KB953839)
עדכון אבטחה עבור Windows XP (KB954211)
עדכון אבטחה עבור Windows XP (KB954459)
עדכון אבטחה עבור Windows XP (KB954600)
עדכון אבטחה עבור Windows XP (KB955069)
עדכון אבטחה עבור Windows XP (KB956391)
עדכון אבטחה עבור Windows XP (KB956802)
עדכון אבטחה עבור Windows XP (KB956803)
עדכון אבטחה עבור Windows XP (KB956841)
עדכון אבטחה עבור Windows XP (KB957095)
עדכון אבטחה עבור Windows XP (KB957097)
עדכון אבטחה עבור Windows XP (KB958644)
עדכון אבטחה עבור Windows XP (KB958687)
עדכון אבטחה עבור Windows XP (KB960715)
עדכון עבור Windows XP (KB951072-v2)
עדכון עבור Windows XP (KB951978)
עדכון עבור Windows XP (KB955839)
תיקון חם עבור Windows Internet Explorer 7 (KB947864)
תיקון חם עבור Windows Media Player 11 (KB939683)
תיקון חם עבור Windows XP (KB952287)
When running Flash Disinfector I got this repeating message from Comodo BOClean:
02/22/2009 16:00:00: NIRCOMMAND VARIANT STOPPED BY BOCLEAN!
Trojan horse was found in memory.
C:\DOCUME~1\F1CC~1\LOCALS~1\TEMP\NIRCMD.EXE contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: דורון
------------------------------
02/22/2009 16:01:22: NIRCOMMAND VARIANT STOPPED BY BOCLEAN!
Trojan horse was found in memory.
C:\DOCUME~1\F1CC~1\LOCALS~1\TEMP\NIRCMD.EXE contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: דורון
In your last post you implied that Comodo BOClean is also a firewall, like Zone Alarm? 'Cause I do have both running on my system. Should I delete one?
Thank you,
Grassman22
pskelley
2009-02-22, 18:40
http://www.comodo.com/boclean/boclean.html <<< looks like antimalware, you don't know what you are running on your computer? I have never run the program myself.
You need ONE antivirus, one Firewall and at least one antimalware programs.
Did you have AVG quarantine all of the junk it located? Many of those were tracking cookies, this information will show you how to stop those:
http://www.mvps.org/winhelp2002/cookies.htm
http://www.microsoft.com/windows/ie/using/howto/privacy/config.mspx
This is the results of illegal activities, see this:
http://forums.spybot.info/showpost.php?p=25290&postcount=4
Note:
We do not support the use of illegal Pirated/Warez/Cracked software.
Helping a person who insists on using such software, could be construed in the eyes of the law to be aiding and abetting a crime. Therefore you will be asked to remove any cracked programs and in the case of your operating system, to obtain a valid licensed copy.
"File";"Infection";"Result"
"C:\Documents and Settings\דורון\My Documents\תוכנות\Adobe.Photoshop.Extended.CS3.Middle.East.ME.v10.0\Photoshop CS3 Extended Keygen VLK.exe";"Potentially harmful program Crack.F";"Moved to Virus Vault"
"C:\Program Files\Driver Magician\DM31_CRK.exe";"Potentially harmful program HackTool.crack";"Moved to Virus Vault"
If I am to proceed those must be removed from your computer.
grassman22
2009-02-22, 21:23
Hi,
AVG quarantined/deleted the junk.
I have erased the illegal files.
Thnx,
Grassman22
pskelley
2009-02-22, 22:25
Let's have combofix take a look at this computer.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use
Download ComboFix from here:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
This can be done as time permits, but it is important.
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out of date programs to infect folks more and more,
Here is a small free tool that lets you know when something needs an update if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.
Adobe Reader 8.1.0 <<< out of date and unsafe, see this:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows (make sure to uncheck any toolbars)
http://www.foxitsoftware.com/pdf/rd_intro.php
grassman22
2009-02-22, 23:22
Hi,
Here is the ComboFix log:
ComboFix 09-02-21.01 - דורון 02/22/2009 23:04:59.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1255.1.1037.18.1022.496 [GMT 2:00]
Running from: c:\documents and settings\דורון\שולחן העבודה\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *disabled*
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2009-01-22 to 2009-02-22 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-22 19:56 --------- d-----w c:\program files\SpeedFan
2009-02-22 19:56 --------- d-----w c:\documents and settings\דורון\Application Data\WTablet
2009-02-22 15:32 --------- d-----w c:\program files\Driver Magician
2009-02-22 12:36 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-22 12:36 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-02-22 12:36 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-02-22 12:36 --------- d-----w c:\program files\AVG
2009-02-22 12:36 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-02-19 08:33 --------- d-----w c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-02-17 13:46 --------- d-----w c:\documents and settings\All Users\Application Data\BOC427
2009-02-01 14:35 666,624 ----a-w c:\windows\system32\OGACheckControl.dll
2009-01-30 01:01 --------- d-----w c:\program files\Zone Labs
2009-01-20 10:25 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-20 10:25 --------- d-----w c:\program files\SpywareBlaster
2009-01-20 10:21 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-14 14:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 14:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-12-31 15:04 528,744 ----a-w c:\windows\system32\OGAVerify.exe
2008-12-31 15:04 502,120 ----a-w c:\windows\system32\OGAAddin.dll
2008-12-22 09:45 --------- d-----w c:\program files\Panda Security
2008-12-20 22:47 826,368 ----a-w c:\windows\system32\wininet.dll
2004-10-01 13:00 40,960 ----a-w c:\program files\Uninstall_CDS.exe
2008-02-02 10:45 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-02-02 10:45 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-02-02 10:45 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-02-02 10:45 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-02-02 10:45 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-10-24 16:53 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102420081025\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [04/14/2008 04:17 AM 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [12/05/2007 01:41 AM 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [12/05/2007 01:41 AM 81920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [05/11/2005 11:12 PM 49152]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [10/08/2004 11:52 AM 221184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [04/01/2008 11:21 PM 385024]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [07/08/2005 04:25 PM 1397760]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [07/09/2001 11:50 AM 155648]
"BOC-427"="c:\progra~1\Comodo\CBOClean\BOC427.exe" [07/14/2008 05:09 AM 351480]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [11/10/2008 05:43 AM 136600]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [11/13/2008 03:18 PM 981904]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [02/22/2009 02:36 PM 1601304]
"RTHDCPL"="RTHDCPL.EXE" [09/22/2005 07:36 AM 14854144 c:\windows\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [12/05/2007 01:41 AM 1626112 c:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [04/14/2008 04:17 AM 15360]
c:\documents and settings\All Users\ \\\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-04-15 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
SpeedFan.lnk - c:\program files\SpeedFan\speedfan.exe [2007-09-17 2902528]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
02/22/2009 02:36 PM 10520 c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 12/08/2003 05:35 PM 32768 c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-22 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-22 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-02-22 107272]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-22 298264]
R2 BOCore;BOCore;c:\program files\Comodo\CBOClean\BOCore.exe [2008-08-12 73464]
S2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};\??\c:\program files\CyberLink\PowerDVD\000.fcl --> c:\program files\CyberLink\PowerDVD\000.fcl [?]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
2009-02-13 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [12/21/2007 03:17 PM]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.il/
uInternet Connection Wizard,ShellNext = hxxp://www.hddstatus.com/hdrepshowreport.php?ReportCode=2390511&ReportVerification=37FBDEDB
uInternet Settings,ProxyOverride = *.local
IE: &יצא ל- Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: huji.ac.il\tango
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxps://tango.huji.ac.il/sre/ICSScanner.cab
FF - ProfilePath -
.
.
------- File Associations -------
.
txtfile=c:\windows\NOTEPAD.EXE %1
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-22 23:08:03
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-854245398-1957994488-839522115-1004\Software\Microsoft\ M*i*c*r*o*s*o*f*t* *M*a*n*a*g*e*m*e*n*t* *C*o*n*s*o*l*e*\Recent File List]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"File1"="c:\\WINDOWS\\system32\\devmgmt.msc"
"File2"="c:\\WINDOWS\\system32\\compmgmt.msc"
.
Completion time: 02/22/2009 23:09:30
ComboFix-quarantined-files.txt 2009-02-22 21:09:28
ComboFix2.txt 2008-12-21 20:41:31
Pre-Run: 41,501,655,040 bytes free
Post-Run: 42,328,285,184 bytes free
152 --- E O F --- 2009-02-19 08:12:43
And here is a fresh HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:15:49, on 22/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Crazy Browser\Crazy Browser.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\Finder.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hddstatus.com/hdrepshowreport.php?ReportCode=2390511&ReportVerification=37FBDEDB
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205866140937
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - https://tango.huji.ac.il/sre/ICSScanner.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?AuthParam=1233562810_d5b872c9ce76482cf4c6c222f19f6e47&GroupName=JSC&FilePath=/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab&File=jinstall-6u11-windows-i586-jc.cab&BHost=javadl.sun.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 8399 bytes
Thank You,
Grassman22
pskelley
2009-02-23, 00:28
I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
If you do not have access to Recovery Console via a Windows CD, I strongly advise you to install this tool.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.
http://img.photobucket.com/albums/v666/sUBs/RC1-4.gif
Since we do not need to scan with combofix, click NO
http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif
http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif
grassman22
2009-02-23, 09:43
Hi,
I have an original Windows CD, so I'm able to inatall RC myself. I don't wish to install in presently. Please continue with the cleanup.
Thnx,
Grassman22
pskelley
2009-02-23, 15:59
Remove combofix from the computer like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Clean the System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.
Update AVG 8 and scan the system, to be sure it is running right and scanning clean.
Some good AVG information if you can use it:
FAQ: http://www.avg.com/faq
AVG Free Forum: http://freeforum.avg.com/
How to Install Free version AVG 8.0 without LinkScanner feature
http://russelltexas.com/tutorials/avg8install.htm
If all is well at this point, let me know and I will close the topic.
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
http://users.telenet.be/bluepatchy/miekiemoes/Links.html
grassman22
2009-02-23, 23:00
hi,
The scans found nothing (AVG found some cookies but no thearts).
I thank you very much for your help.
Grassman22
pskelley
2009-02-23, 23:42
Thanks for taking the time to let me know, safe surfing:bigthumb: