View Full Version : dc43.exe



ganjasmoker
2009-07-10, 07:55
Hello!

I consider myself to be fairly handy with computers and especially ridding computers of spyware. However, this nasty little trojan is giving me some real troubles and I am hoping an expert here can help me get this silly thing off my system.

This trojan infected my system and seems to be unaffected by Spybot, AVG, and PrevX.

I had been running an unupdated version of windows with only a windows firewall on my cable modem that is not behind a router with only AVG to defend me. This nasty little malware infection caused me to update to SP3, re-enable Spybot, and even get a new firewall.

I had gone through my HJT log myself and determined that everything was okay yet the application was recurring repeatedly. I assumed someone was tracking my IP address and was exploiting a windows vulnerability to download it onto my machine. I'm not sure if this is right or not but I decided to download the COMODO firewall. COMODO has worked wonders really, it is the best firewall by far that I have ever used, is incredibly easy to configure and does not interfere with online game hosting!

COMODO also seems to have some extremely powerful system security software which seems to have neutered this thing which is hiding itself in my RECYCLER folder.

I usually am able to fix spyware myself but I have no trail to follow with this thing.... maybe someone can help me!

I will go ahead and get a HJT log for this.

Logfile of HijackThis v1.99.1
Scan saved at 11:52:00 PM, on 7/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Silicon Image\3132-W-I32-R SATARAID5\SATARaid5ConfigService.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\My Documents\WC3 Mods\pickup.listchecker.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5656
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1246861991625
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{77AA22DB-DE23-4C8E-AC62-E63B7F35E1D4}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: CSIScanner - Unknown owner - C:\Program Files\Prevx\prevx.exe" /service (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SATARaid5 Configuration Service (SATARaid5 Config Service) - Unknown owner - C:\Program Files\Silicon Image\3132-W-I32-R SATARAID5\SATARaid5ConfigService.exe

This board has experts that are beyond my knowledge but I'm just not seeing anything that is really wrong in there. I can post a SS of what COMODO is blocking (gosh that is really an amazing piece of software) if necessary. Maybe you all see something I don't.

Anyways thanks in advance for the advice =)

P.S. I figured out how to post what COMODO is blocking, check this log out:

COMODO Internet Security Logs
Table: Defence+ Logs
Date Created: 7/10/2009 12:06:45 AM
Log Scope: All The Times
Records count: 82

Date/Time Application Action Target
7/7/2009 7:47:04 PM C:\RECYCLER\S-1-5-21-7941645878-3926409301-578028261-2073\rundll32.exe Create Process C:\RECYCLER\S-1-5-21-7941645878-3926409301-578028261-2073\rundll32.exe
7/7/2009 9:51:27 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 9:51:30 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 10:10:53 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 10:30:53 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:11:18 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:11:42 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:12:06 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:12:10 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:12:25 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:12:27 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:12:31 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:12:33 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:12:36 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:12:39 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:12:42 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:12:46 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:12:49 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:12:53 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:12:54 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:12:57 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:13:05 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:13:08 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:13:13 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:13:16 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:13:20 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:13:22 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:13:25 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:14:36 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:14:40 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:14:42 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:14:45 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:14:48 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:14:49 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:14:56 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:15:03 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:15:06 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:15:08 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:15:17 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:15:19 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:15:24 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:15:25 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:15:31 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:15:34 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:15:36 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:15:43 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:15:45 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:15:49 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:15:52 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:15:55 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:16:01 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:16:06 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:16:08 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:16:13 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:18:26 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:31:34 PM C:\Documents and Settings\Administrator\Local Settings\Temp\pxinstall375.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 11:42:56 PM C:\WINDOWS\explorer.exe Terminate Process C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
7/7/2009 11:42:56 PM C:\WINDOWS\explorer.exe Terminate Process C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
7/7/2009 11:42:56 PM C:\WINDOWS\explorer.exe Terminate Process C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
7/8/2009 6:27:45 AM C:\Program Files\AVG\AVG8\avgcsrvx.exe Block File C:\RECYCLER\S-1-5-21-1844237615-115176313-839522115-500\Dc43.exe
7/8/2009 6:27:45 AM C:\Program Files\AVG\AVG8\avgcsrvx.exe Block File C:\RECYCLER\S-1-5-21-1844237615-115176313-839522115-500\Dc43.exe
7/8/2009 8:09:34 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/8/2009 8:29:45 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/8/2009 8:29:50 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/9/2009 6:30:59 AM C:\Program Files\AVG\AVG8\avgcsrvx.exe Block File C:\RECYCLER\S-1-5-21-1844237615-115176313-839522115-500\Dc43.exe
7/9/2009 6:30:59 AM C:\Program Files\AVG\AVG8\avgcsrvx.exe Block File C:\RECYCLER\S-1-5-21-1844237615-115176313-839522115-500\Dc43.exe
7/9/2009 6:41:34 PM C:\WINDOWS\explorer.exe Block File C:\RECYCLER\S-1-5-21-1844237615-115176313-839522115-500\Dc43.exe
7/9/2009 6:41:34 PM C:\WINDOWS\explorer.exe Block File C:\RECYCLER\S-1-5-21-1844237615-115176313-839522115-500\Dc43.exe
7/9/2009 6:41:34 PM C:\WINDOWS\explorer.exe Block File C:\RECYCLER\S-1-5-21-1844237615-115176313-839522115-500\Dc43.exe
7/9/2009 6:41:34 PM C:\WINDOWS\explorer.exe Block File C:\RECYCLER\S-1-5-21-1844237615-115176313-839522115-500\Dc43.exe
7/9/2009 6:41:46 PM C:\WINDOWS\explorer.exe Block File C:\RECYCLER\S-1-5-21-1844237615-115176313-839522115-500\Dc43.exe
7/9/2009 6:41:46 PM C:\WINDOWS\explorer.exe Block File C:\RECYCLER\S-1-5-21-1844237615-115176313-839522115-500\Dc43.exe
7/9/2009 6:41:51 PM C:\WINDOWS\explorer.exe Block File C:\RECYCLER\S-1-5-21-1844237615-115176313-839522115-500\Dc43.exe
7/9/2009 6:41:51 PM C:\WINDOWS\explorer.exe Block File C:\RECYCLER\S-1-5-21-1844237615-115176313-839522115-500\Dc43.exe
7/9/2009 6:41:51 PM C:\WINDOWS\explorer.exe Block File C:\RECYCLER\S-1-5-21-1844237615-115176313-839522115-500\Dc43.exe
7/9/2009 6:41:51 PM C:\WINDOWS\explorer.exe Block File C:\RECYCLER\S-1-5-21-1844237615-115176313-839522115-500\Dc43.exe
7/9/2009 6:41:58 PM C:\WINDOWS\explorer.exe Block File C:\RECYCLER\S-1-5-21-1844237615-115176313-839522115-500\Dc43.exe
7/9/2009 6:41:58 PM C:\WINDOWS\explorer.exe Block File C:\RECYCLER\S-1-5-21-1844237615-115176313-839522115-500\Dc43.exe
7/9/2009 6:42:03 PM C:\WINDOWS\explorer.exe Block File C:\RECYCLER\S-1-5-21-1844237615-115176313-839522115-500\Dc43.exe
7/9/2009 6:42:03 PM C:\WINDOWS\explorer.exe Block File C:\RECYCLER\S-1-5-21-1844237615-115176313-839522115-500\Dc43.exe
7/9/2009 6:42:03 PM C:\WINDOWS\explorer.exe Block File C:\RECYCLER\S-1-5-21-1844237615-115176313-839522115-500\Dc43.exe
7/9/2009 6:42:03 PM C:\WINDOWS\explorer.exe Block File C:\RECYCLER\S-1-5-21-1844237615-115176313-839522115-500\Dc43.exe
End of The Report

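The two logs above, run through a small triage script. This is an added example, not code from the thread or from HijackThis/COMODO: it flags the loopback proxy, DNS servers outside an allowlist, autostarts pointing at missing files and executables in a RECYCLER SID folder, and collapses the repetitive Defence+ rows into counts. The allowlist, the 192.0.2.53 address and the sample lines are constructed for the example (a subset of the posted logs).

```python
"""Triage for a HijackThis log and a COMODO Defence+ log (added example)."""
import re
from collections import Counter

# Resolvers the reviewer already recognises. Constructed allowlist for this
# example; the thread identifies 208.67.220.220/222 as OpenDNS.
KNOWN_RESOLVERS = {"208.67.220.220", "208.67.222.222"}

# SID-named folder under RECYCLER: the hiding place named in the thread.
RECYCLER_RE = re.compile(r"\\RECYCLER\\S-1-5-21-[\d-]+\\[^\\]+\.exe", re.IGNORECASE)

# Defence+ rows are "date time application action target"; paths contain
# spaces, so the fixed set of action names is what splits app from target.
DPLUS_RE = re.compile(
    r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (.+?) "
    r"(Create Process|Access Memory|Terminate Process|Block File) (.+)$"
)


def triage_hjt(lines):
    """Return (line, reason) pairs for HijackThis entries that deserve review."""
    findings = []
    for line in lines:
        line = line.strip()
        if "ProxyServer" in line and "127.0.0.1" in line:
            findings.append((line, "loopback proxy: browser traffic goes through a local process"))
        elif line.startswith("O17") and "NameServer" in line:
            servers = set(line.split("=", 1)[1].replace(" ", "").split(","))
            unknown = servers - KNOWN_RESOLVERS
            if unknown:
                findings.append((line, "unrecognised DNS server(s): " + ", ".join(sorted(unknown))))
        elif line.startswith(("O20", "O23")) and line.endswith("(file missing)"):
            findings.append((line, "autostart or service points at a missing file"))
        elif RECYCLER_RE.search(line):
            findings.append((line, "executable inside a RECYCLER SID folder"))
    return findings


def parse_defence_plus(lines):
    """Parse Defence+ rows into dicts; header and footer lines are skipped."""
    rows = []
    for line in lines:
        m = DPLUS_RE.match(line.strip())
        if m:
            rows.append({"time": m.group(1), "app": m.group(2),
                         "action": m.group(3), "target": m.group(4)})
    return rows


def summarise_defence_plus(rows):
    """Collapse repeated rows to counts per (app, action, target) and list
    every RECYCLER executable seen as either the actor or the target."""
    counts = Counter((r["app"], r["action"], r["target"]) for r in rows)
    recycler = sorted({p for r in rows for p in (r["app"], r["target"])
                       if RECYCLER_RE.search(p)})
    return counts, recycler


# Constructed samples: a subset of the posted logs plus one made-up O17 line
# using the documentation address 192.0.2.53 to exercise the allowlist check.
HJT_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5656
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.0.2.53
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
""".strip().splitlines()

DPLUS_SAMPLE = r"""
7/7/2009 7:47:04 PM C:\RECYCLER\S-1-5-21-7941645878-3926409301-578028261-2073\rundll32.exe Create Process C:\RECYCLER\S-1-5-21-7941645878-3926409301-578028261-2073\rundll32.exe
7/7/2009 9:51:27 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/7/2009 9:51:30 PM C:\WINDOWS\explorer.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
7/8/2009 6:27:45 AM C:\Program Files\AVG\AVG8\avgcsrvx.exe Block File C:\RECYCLER\S-1-5-21-1844237615-115176313-839522115-500\Dc43.exe
7/9/2009 6:41:34 PM C:\WINDOWS\explorer.exe Block File C:\RECYCLER\S-1-5-21-1844237615-115176313-839522115-500\Dc43.exe
7/9/2009 6:41:34 PM C:\WINDOWS\explorer.exe Block File C:\RECYCLER\S-1-5-21-1844237615-115176313-839522115-500\Dc43.exe
End of The Report
""".strip().splitlines()

if __name__ == "__main__":
    for line, reason in triage_hjt(HJT_SAMPLE):
        print(f"[HJT] {reason}\n      {line}")
    counts, recycler = summarise_defence_plus(parse_defence_plus(DPLUS_SAMPLE))
    for (app, action, target), n in counts.most_common():
        print(f"[D+ ] {n:3d} x {action}: {app} -> {target}")
    print("[D+ ] RECYCLER executables:", *recycler, sep="\n      ")
```

The allowlist is the review aid the helper applied by hand when asking about the two OpenDNS addresses; anything outside it is a question, not a verdict.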

Blade81
2009-07-12, 11:40
Hi,

Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.

ganjasmoker
2009-07-14, 04:43
Here are your DDS logs.

I noticed a few things wrong and marked next to them but I did not go through all the stuff at the end of the dds.log

Also, I'm supposed to notify you if I make any changes. COMODO has a way to delete files so I deleted dc43.exe. It's back now as DC50.exe =)

Also, I should probably do a fresh boot before I get you another log like this.

Nice utility!

Once again, thank you for the help.

Blade81
2009-07-14, 10:40
Hi again,

Let's try some fixing :)


Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
Run Spybot-S&D in Advanced Mode. If it is not already set to do this, go to the Mode menu and select Advanced Mode.
On the left hand side, click on Tools.
Then click on the Resident icon in the list.
Uncheck Resident TeaTimer and OK any prompts.
Restart your computer.


Disable WinPatrol's realtime protection.
Right-click the running icon of Winpatrol in the system tray.
Choose exit. It will automatically restart at next boot.


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

ganjasmoker
2009-07-15, 02:24
both of the download links on that page are broken

ganjasmoker
2009-07-15, 08:16
Hello, disregard last post.

I was able to run Combofix and have the new DDS logs for you.

Also, I looked at my COMODO report and it blocked something very interesting:

C:\32788R22FWJFW\NircmdB.exe

take out the B from that .exe name and prevx.com lists it as a very nasty little application. First time I've seen it on here though.

one thing to note in the combofix log.txt file there are several times where the phrase "S-1-5-21-" or something close to this comes up. Maybe I'm just a noob but this is a recurring theme since my recycler folder is named "S-1-5-21-1844237615-115176313-839522115-500" and that's where the dc43.exe was operating out of.

Attached logs

Thanks for the assistance.

Blade81
2009-07-15, 12:08
> Also, I looked at my COMODO report and it blocked something very interesting:
>
> C:\32788R22FWJFW\NircmdB.exe
>
> take out the B from that .exe name and prevx.com lists it as a very nasty little application. First time I've seen it on here though.

Hi,

That's actually not a bad item. You should have disabled Comodo during the ComboFix run as instructed. It's possible that Comodo HIPS (Defence+ in firewall) was still running there. Please disable it before the next ComboFix run.

Are you familiar with these DNS server addresses: 208.67.220.220 & 208.67.222.222 ?

Turn off TeaTimer before doing following (also make sure Defence+ in Comodo is disabled).

Open notepad and copy/paste the text in the quotebox below into it:



DDS::
uInternet Settings,ProxyOverride = local
uInternet Settings,ProxyServer = http=127.0.0.1:5656

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"msupdate"=-



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Uninstall this vulnerable Flash:
Adobe Flash Player 9 ActiveX

and these vulnerable Javas:
Java(TM) 6 Update 4
Java(TM) 6 Update 5
Java(TM) 6 Update 7



Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

ganjasmoker
2009-07-16, 08:30
Okay first some things regarding yesterday that I forgot...

1) I forgot to say that I was mildly disappointed that combofix aced winpcap... I understand it can be used for some malware but it is necessary for a few of the gaming related programs I use. Not a big deal but just wondering what your stance is on the program.

2) No worries, COMODO was disabled when I did the combofix run. I did not see any directions to disable it but when the program does the popup thing telling me to disable firewalls and such I disabled AVG and Comodo as well as Spybot.

3) Not sure why it aced G:\z.txt as this was simply an encrypted simple text document... this worries me somewhat about using it.

Today:

I noticed those 2 DNS servers earlier and decided to google them. They are used by OPENDNS, see here: https://www.opendns.com/start/ At first glance I just figured this was some important internet backbone company or something so I ignored it since the website is legit. I have no idea why those DNS servers are in my registry however. It could be from one of the many programs I have installed over the past 2 years on this machine.

ATF completed.

Kaspersky found some old stuff of mine... nothing dangerous though.

Attached are logs.

As usual, thanks for all of your assistance!

Blade81
2009-07-16, 10:42
Hi again,



> 1) I forgot to say that I was mildly disappointed that combofix aced winpcap... I understand it can be used for some malware but it is necessary for a few of the gaming related programs I use. Not a big deal but just wondering what your stance is on the program.

You may reinstall it after the cleaning process is over if needed.


> 3) Not sure why it aced G:\z.txt as this was simply an encrypted simple text document... this worries me somewhat about using it.

The name of the file could be the culprit. Was it an important file? We can attempt to restore it if needed.


> I noticed those 2 DNS servers earlier and decided to google them. They are used by OPENDNS, see here: https://www.opendns.com/start/ At first glance I just figured this was some important internet backbone company or something so I ignored it since the website is legit. I have no idea why those DNS servers are in my registry however. It could be from one of the many programs I have installed over the past 2 years on this machine.

Yes, those belong to OPENDNS. It's ok having them there if you want.

Delete Kaspersky findings.

Reboot and post a fresh dds.txt log. How's the system running?

Blade81
2009-07-24, 09:21
Due to inactivity, this thread will now be closed.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.