Results 1 to 5 of 5

Thread: Bifrose.LA problem

  1. #1
    Junior Member
    Join Date
    Oct 2008
    Posts
    2

    Default Bifrose.LA problem

    Hello,
    I am another that is having a problem with Bifrose.LA
    I have run Spybot S&D in Safe Mode, and after reboot Bifrose.LA appears again.
    Could you please review my HJT scan log and help with any possible info? Thanks!

    Here is the HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:17:26 PM, on 10/18/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    D:\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    d:\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    D:\FIREFOX\FIREFOX.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    D:\AVG\AVG8\avgtray.exe
    D:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    d:\AVG\AVG8\avgrsx.exe
    D:\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    D:\Microsoft Office\Office\FINDFAST.EXE
    D:\Microsoft Office\Office\OSA.EXE
    d:\AVG\AVG8\avgemc.exe
    C:\WINDOWS\System32\alg.exe
    D:\Eudora_Dave\Eudora.exe
    D:\Eudora_GP\Eudora.exe
    D:\Firefox\firefox.exe
    d:\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - d:\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - d:\AVG\AVG8\avgtoolbar.dll
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - d:\AVG\AVG8\avgtoolbar.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [AVG8_TRAY] d:\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [SpybotSnD] "D:\Spybot - Search & Destroy\SpybotSD.exe"
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = D:\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Office Startup.lnk = D:\Microsoft Office\Office\OSA.EXE
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1217800604652
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - d:\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - d:\AVG\AVG8\avgwdsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 3907 bytes

  2. #2
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
    The junk can be tough to remove, so do not expect fast or easy.

    I am not seeing malware in this HJT log, but you need to know this about the item you mention.
    http://research.sunbelt-software.com...threatid=54142
    A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to by used by the attacker for malicious purposes unknown to the user.
    How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
    http://www.dslreports.com/faq/10451

    When Should I Format, How Should I Reinstall
    http://www.dslreports.com/faq/10063

    http://www.safer-networking.org/en/ <<< I see here that item was added:
    15. October 2008 >>> Trojan Bifrose.LA
    If you have not done so, update Spybot S&D, immunize, then run the program as directed in the "Before you Post" instructions and let me know the results.

    Along with those results, post an uninstall list.

    Open Hijackthis.
    Click the "Open the Misc Tools" section Button.
    Click the "Open Uninstall Manager" Button.
    Click the "Save list..." Button.
    Save it to your desktop. Copy and paste the contents into your reply.
    (You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
    Update for Windows XP and Windows XP Hotfix to shorten the list
    )

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  3. #3
    Junior Member
    Join Date
    Oct 2008
    Posts
    2

    Default

    Thanks pskelley.
    I did read through the "Before You Post". I hope I didn't miss something. Did I omit a step or process?

    I updated Spybot S&D to 1.6 and ran it in Safe Mode. That did not detect any problems.
    Then, after reboot into normal mode, I ran Spybot S&D again, and the problem was discovered and "fixed". This is the same sequence of events that has been occurring lately.

    Here is the report from Spybot S&D (in purple text):

    --- Search result list ---
    Hint of the Day: Click the bar at the right of this to see more information! ()


    Bifrose.LA: [SBI $D9EB7AA3] User settings (Registry key, fixed)
    HKEY_USERS\S-1-5-21-1547161642-790525478-839522115-1004\Software\Bifrost

    Bifrose.LA: [SBI $B9E7EB8B] Settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost


    --- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

    2008-07-07 blindman.exe (1.0.0.8)
    2008-01-28 SDDelFile.exe (1.0.2.4)
    2008-07-07 SDFiles.exe (1.6.0.4)
    2008-07-07 SDMain.exe (1.0.0.6)
    2008-07-07 SDShred.exe (1.0.2.3)
    2008-07-07 SDUpdate.exe (1.6.0.8)
    2008-07-07 SDWinSec.exe (1.0.0.12)
    2008-07-07 SpybotSD.exe (1.6.0.30)
    2008-09-16 TeaTimer.exe (1.6.3.25)
    2008-10-19 unins000.exe (51.49.0.0)
    2008-07-07 Update.exe (1.6.0.7)
    2008-07-07 advcheck.dll (1.6.1.12)
    2007-04-02 aports.dll (2.1.0.0)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2008-09-15 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2008-07-07 Tools.dll (2.1.5.7)
    2008-09-02 Includes\Adware.sbi (*)
    2008-10-14 Includes\AdwareC.sbi (*)
    2008-06-03 Includes\Cookies.sbi (*)
    2008-09-02 Includes\Dialer.sbi (*)
    2008-09-09 Includes\DialerC.sbi (*)
    2008-07-22 Includes\HeavyDuty.sbi (*)
    2008-09-02 Includes\Hijackers.sbi (*)
    2008-10-07 Includes\HijackersC.sbi (*)
    2008-09-09 Includes\Keyloggers.sbi (*)
    2008-10-14 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2008-10-08 Includes\Malware.sbi (*)
    2008-10-14 Includes\MalwareC.sbi (*)
    2008-09-02 Includes\PUPS.sbi (*)
    2008-10-14 Includes\PUPSC.sbi (*)
    2007-11-07 Includes\Revision.sbi (*)
    2008-06-18 Includes\Security.sbi (*)
    2008-09-30 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2008-09-09 Includes\Spyware.sbi (*)
    2008-10-14 Includes\SpywareC.sbi (*)
    2008-06-03 Includes\Tracks.uti
    2008-10-15 Includes\Trojans.sbi (*)
    2008-10-14 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll



    --- System information ---
    Windows XP (Build: 2600) Service Pack 2 (5.1.2600)
    / Windows XP / SP3: Windows Installer 3.1 (KB893803)
    / Windows XP / SP3: Update for Windows XP (KB898461)


    --- Startup entries list ---
    Located: HK_LM:Run, Alcmtr
    command: ALCMTR.EXE
    file: C:\WINDOWS\ALCMTR.EXE
    size: 69632
    MD5: 8B4CBBA1EA526830C7F97E7822E2493A

    Located: HK_LM:Run, AVG8_TRAY
    command: d:\AVG\AVG8\avgtray.exe
    file: d:\AVG\AVG8\avgtray.exe
    size: 1234712
    MD5: 84A91D110D27B11713C349523F4EA47F

    Located: HK_LM:Run, NeroFilterCheck
    command: C:\WINDOWS\system32\NeroCheck.exe
    file: C:\WINDOWS\system32\NeroCheck.exe
    size: 155648
    MD5: 3E4C03CEFAD8DE135263236B61A49C90

    Located: HK_LM:Run, NvCplDaemon
    command: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    file: C:\WINDOWS\system32\NvCpl.dll
    size: 7630848
    MD5: 19398A75AF74EB4715FFC6C7E4F0F410

    Located: HK_LM:Run, NvMediaCenter
    command: RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    file: C:\WINDOWS\system32\NvMcTray.dll
    size: 86016
    MD5: 1DEE2AD9AB0D4AD1C8F3F4CC50ECDB63

    Located: HK_LM:Run, NWEReboot
    command:
    file:
    size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
    Warning: if the file is actually larger than 0 bytes,
    the checksum could not be properly calculated!

    Located: HK_LM:Run, nwiz
    command: nwiz.exe /install
    file: C:\WINDOWS\system32\nwiz.exe
    size: 1519616
    MD5: 66DB459386D7BF62852B1BFA029FB887

    Located: HK_LM:Run, RTHDCPL
    command: RTHDCPL.EXE
    file: C:\WINDOWS\RTHDCPL.EXE
    size: 16342528
    MD5: E6721391BD329F53B2854386DC4CA577

    Located: HK_LM:Run, Share-to-Web Namespace Daemon
    command: D:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    file: D:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    size: 69632
    MD5: 2F2BC80803F0638F6738E37F769E4BD0

    Located: HK_LM:Run, SpybotSnD
    command: "D:\Spybot - Search & Destroy\SpybotSD.exe"
    file: D:\Spybot - Search & Destroy\SpybotSD.exe
    size: 4891472
    MD5: 3B1B5D09D3C9C4CD39D4DB06ED7A0855

    Located: HK_CU:Run, SpybotSD TeaTimer
    where: S-1-5-21-1547161642-790525478-839522115-1004...
    command: d:\Spybot - Search & Destroy\TeaTimer.exe
    file: d:\Spybot - Search & Destroy\TeaTimer.exe
    size: 1833296
    MD5: 63B3FF83B87AFCEBA89CED54695DA0F6

    Located: Startup (common), Adobe Gamma Loader.lnk
    where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
    command: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    file: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    size: 113664
    MD5: C2FF17734176CD15221C10044EF0BA1A

    Located: Startup (common), Microsoft Find Fast.lnk
    where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
    command: D:\Microsoft Office\Office\FINDFAST.EXE
    file: D:\Microsoft Office\Office\FINDFAST.EXE
    size: 111376
    MD5: 18B96ACB413F6CC6BBAEB620D1F72929

    Located: Startup (common), Office Startup.lnk
    where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
    command: D:\Microsoft Office\Office\OSA.EXE
    file: D:\Microsoft Office\Office\OSA.EXE
    size: 51984
    MD5: D06276D4CAD46CDCEABEFDEB1A0D3C0D

    Located: WinLogon, crypt32chain
    command: crypt32.dll
    file: crypt32.dll
    size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
    Warning: if the file is actually larger than 0 bytes,
    the checksum could not be properly calculated!

    Located: WinLogon, cryptnet
    command: cryptnet.dll
    file: cryptnet.dll
    size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
    Warning: if the file is actually larger than 0 bytes,
    the checksum could not be properly calculated!

    Located: WinLogon, cscdll
    command: cscdll.dll
    file: cscdll.dll
    size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
    Warning: if the file is actually larger than 0 bytes,
    the checksum could not be properly calculated!

    Located: WinLogon, ScCertProp
    command: wlnotify.dll
    file: wlnotify.dll
    size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
    Warning: if the file is actually larger than 0 bytes,
    the checksum could not be properly calculated!

    Located: WinLogon, Schedule
    command: wlnotify.dll
    file: wlnotify.dll
    size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
    Warning: if the file is actually larger than 0 bytes,
    the checksum could not be properly calculated!

    Located: WinLogon, sclgntfy
    command: sclgntfy.dll
    file: sclgntfy.dll
    size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
    Warning: if the file is actually larger than 0 bytes,
    the checksum could not be properly calculated!

    Located: WinLogon, SensLogn
    command: WlNotify.dll
    file: WlNotify.dll
    size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
    Warning: if the file is actually larger than 0 bytes,
    the checksum could not be properly calculated!

    Located: WinLogon, termsrv
    command: wlnotify.dll
    file: wlnotify.dll
    size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
    Warning: if the file is actually larger than 0 bytes,
    the checksum could not be properly calculated!

    Located: WinLogon, wlballoon
    command: wlnotify.dll
    file: wlnotify.dll
    size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
    Warning: if the file is actually larger than 0 bytes,
    the checksum could not be properly calculated!



    --- Browser helper object list ---
    {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} (WormRadar.com IESiteBlocker.NavFilter)
    location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    BHO name: WormRadar.com IESiteBlocker.NavFilter
    CLSID name: AVG Safe Search
    Path: d:\AVG\AVG8\
    Long name: avgssie.dll
    Short name:
    Date (created): 8/3/2008 3:40:56 PM
    Date (last access): 10/19/2008 8:40:08 AM
    Date (last write): 8/29/2008 5:38:14 PM
    Filesize: 455960
    Attributes: archive
    MD5: 19A9C541D4EE8E3471B26986D785AB4D
    CRC32: 93FD7D83
    Version: 8.0.0.152

    {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
    location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    BHO name:
    CLSID name: Spybot-S&D IE Protection
    description: Spybot-S&D IE Browser plugin
    classification: Legitimate
    known filename: SDhelper.dll
    info link: http://spybot.eon.net.au/
    info source: Patrick M. Kolla
    Path: d:\Spybot - Search & Destroy\
    Long name: SDHelper.dll
    Short name:
    Date (created): 8/3/2008 3:22:18 PM
    Date (last access): 10/19/2008 11:21:28 AM
    Date (last write): 9/15/2008 2:25:44 PM
    Filesize: 1562960
    Attributes:
    MD5: 35F73F1936BDE91F1B6995510A61E7A8
    CRC32: BE6A5D15
    Version: 1.6.2.14

    {A057A204-BACC-4D26-9990-79A187E2698E} (AVG Security Toolbar)
    location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    BHO name:
    CLSID name: AVG Security Toolbar
    Path: d:\AVG\AVG8\
    Long name: avgtoolbar.dll
    Short name: AVGTOO~1.DLL
    Date (created): 8/3/2008 3:40:58 PM
    Date (last access): 10/19/2008 8:40:08 AM
    Date (last write): 8/3/2008 3:40:58 PM
    Filesize: 2055960
    Attributes: archive
    MD5: 8741B6028EFBDA19150E4BDFDCF5E12F
    CRC32: 18BAD567
    Version: 5.0.2.400



    --- ActiveX list ---
    {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
    DPF name:
    CLSID name: WUWebControl Class
    Installer: C:\WINDOWS\Downloaded Program Files\wuweb.inf
    Codebase: http://www.update.microsoft.com/wind...?1217800604652
    description:
    classification: Legitimate
    known filename: wuweb.dll
    info link:
    info source: Safer Networking Ltd.
    Path: C:\WINDOWS\system32\
    Long name: wuweb.dll
    Short name:
    Date (created): 8/3/2008 12:14:04 PM
    Date (last access): 10/19/2008 9:19:56 AM
    Date (last write): 7/30/2007 7:19:46 PM
    Filesize: 203096
    Attributes: archive
    MD5: FD984F9BFC9C62BD6546BD183CE5ADE7
    CRC32: 8092F837
    Version: 7.0.6000.381



    --- Process list ---
    PID: 0 ( 0) [System]
    PID: 632 ( 4) \SystemRoot\System32\smss.exe
    size: 50688
    PID: 700 ( 632) \??\C:\WINDOWS\system32\csrss.exe
    size: 6144
    PID: 724 ( 632) \??\C:\WINDOWS\system32\winlogon.exe
    size: 502272
    PID: 828 ( 724) C:\WINDOWS\system32\services.exe
    size: 108032
    MD5: C6CE6EEC82F187615D1002BB3BB50ED4
    PID: 840 ( 724) C:\WINDOWS\system32\lsass.exe
    size: 13312
    MD5: 84885F9B82F4D55C6146EBF6065D75D2
    PID: 988 ( 828) C:\WINDOWS\system32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 1080 ( 828) C:\WINDOWS\system32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 1176 ( 828) C:\WINDOWS\System32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 1256 ( 828) C:\WINDOWS\system32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 1344 ( 828) C:\WINDOWS\system32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 1400 ( 828) D:\Lavasoft\Ad-Aware\aawservice.exe
    size: 611664
    MD5: 17067069B9A7865028C1F2E6971D0CCC
    PID: 1732 ( 828) C:\WINDOWS\system32\spoolsv.exe
    size: 57856
    MD5: 7435B108B935E42EA92CA94F59C8E717
    PID: 1896 (1872) C:\WINDOWS\Explorer.EXE
    size: 1032192
    MD5: A0732187050030AE399B241436565E64
    PID: 160 ( 828) d:\AVG\AVG8\avgwdsvc.exe
    size: 231704
    MD5: 9B40D378D4E521464212E878BE8216A4
    PID: 260 ( 828) C:\WINDOWS\system32\nvsvc32.exe
    size: 155715
    MD5: 60D62603950220B51DF57E461A601659
    PID: 360 ( 828) C:\WINDOWS\system32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 424 (1896) D:\FIREFOX\FIREFOX.EXE
    size: 7209069
    MD5: B8E1B08FD736DBAB8DBC850CC078E5CE
    PID: 432 (1896) C:\WINDOWS\RTHDCPL.EXE
    size: 16342528
    MD5: E6721391BD329F53B2854386DC4CA577
    PID: 1940 (1896) C:\WINDOWS\system32\RUNDLL32.EXE
    size: 33280
    MD5: DA285490BBD8A1D0CE6623577D5BA1FF
    PID: 492 (1896) D:\AVG\AVG8\avgtray.exe
    size: 1234712
    MD5: 84A91D110D27B11713C349523F4EA47F
    PID: 592 (1896) D:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    size: 69632
    MD5: 2F2BC80803F0638F6738E37F769E4BD0
    PID: 616 (1896) D:\Spybot - Search & Destroy\SpybotSD.exe
    size: 4891472
    MD5: 3B1B5D09D3C9C4CD39D4DB06ED7A0855
    PID: 892 ( 160) d:\AVG\AVG8\avgrsx.exe
    size: 287000
    MD5: BA1CE056CE1466CA28CE118585EA86C4
    PID: 1200 ( 988) D:\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    size: 77824
    MD5: A302AE354F6A164DB1AE2A778EA48B9D
    PID: 1304 (1896) D:\Spybot - Search & Destroy\TeaTimer.exe
    size: 1833296
    MD5: 63B3FF83B87AFCEBA89CED54695DA0F6
    PID: 1440 ( 828) d:\AVG\AVG8\avgemc.exe
    size: 875288
    MD5: EC5B6AFF1A0BD1480B3B40CE78FAA527
    PID: 1608 (1896) D:\Microsoft Office\Office\FINDFAST.EXE
    size: 111376
    MD5: 18B96ACB413F6CC6BBAEB620D1F72929
    PID: 1536 (1896) D:\Microsoft Office\Office\OSA.EXE
    size: 51984
    MD5: D06276D4CAD46CDCEABEFDEB1A0D3C0D
    PID: 3696 ( 828) C:\WINDOWS\System32\alg.exe
    size: 44544
    MD5: F1958FBF86D5C004CF19A5951A9514B7
    PID: 1916 (1896) D:\Firefox\firefox.exe
    size: 7209069
    MD5: B8E1B08FD736DBAB8DBC850CC078E5CE
    PID: 2476 (1896) D:\Trend Micro\HijackThis\HijackThis.exe
    size: 396288
    MD5: C4CA7416A6DF6D95075F81D9E3B41AD1
    PID: 2532 (2476) C:\WINDOWS\system32\notepad.exe
    size: 69120
    MD5: 388B8FBC36A8558587AFC90FB23A3B99
    PID: 4 ( 0) System


    --- Browser start & search pages list ---
    Spybot - Search & Destroy browser pages report, 10/19/2008 11:21:28 AM

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
    C:\WINDOWS\system32\blank.htm
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
    http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
    about:blank
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
    %SystemRoot%\system32\blank.htm
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
    http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
    http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
    http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
    http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
    http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
    http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


    --- Winsock Layered Service Provider list ---
    Protocol 0: MSAFD Tcpip [TCP/IP]
    GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP IP protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD Tcpip[*]

    Protocol 1: MSAFD Tcpip [UDP/IP]
    GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP IP protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD Tcpip[*]

    Protocol 2: MSAFD Tcpip [RAW/IP]
    GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP IP protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD Tcpip[*]

    Protocol 3: RSVP UDP Service Provider
    GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
    Filename: %SystemRoot%\system32\rsvpsp.dll
    Description: Microsoft Windows NT/2k/XP RVSP
    DB filename: %SystemRoot%\system32\rsvpsp.dll
    DB protocol: RSVP * Service Provider

    Protocol 4: RSVP TCP Service Provider
    GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
    Filename: %SystemRoot%\system32\rsvpsp.dll
    Description: Microsoft Windows NT/2k/XP RVSP
    DB filename: %SystemRoot%\system32\rsvpsp.dll
    DB protocol: RSVP * Service Provider

    Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{37E35AF4-C0AD-436B-A0C6-85852EF828F2}] SEQPACKET 3
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{37E35AF4-C0AD-436B-A0C6-85852EF828F2}] DATAGRAM 3
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4C4400A9-C260-4394-B3FD-0AB6FDB1AFC1}] SEQPACKET 0
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4C4400A9-C260-4394-B3FD-0AB6FDB1AFC1}] DATAGRAM 0
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{80FFE09E-9E42-4DA1-9C3A-B5885EE8EFB8}] SEQPACKET 1
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{80FFE09E-9E42-4DA1-9C3A-B5885EE8EFB8}] DATAGRAM 1
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{AEB13803-8D66-4650-BCB7-3D2DD80B9E2C}] SEQPACKET 2
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{AEB13803-8D66-4650-BCB7-3D2DD80B9E2C}] DATAGRAM 2
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Namespace Provider 0: Tcpip
    GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
    Filename: %SystemRoot%\System32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: TCP/IP

    Namespace Provider 1: NTDS
    GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
    Filename: %SystemRoot%\System32\winrnr.dll
    Description: Microsoft Windows NT/2k/XP name space provider
    DB filename: %SystemRoot%\system32\winrnr.dll
    DB protocol: NTDS

    Namespace Provider 2: Network Location Awareness (NLA) Namespace
    GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
    Filename: %SystemRoot%\System32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP name space provider
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: NLA-Namespace



    Also, here is the uninstall_list.txt from HJT (in blue text) (Yes, I left in the MS associated entries since the list didn't look too long):

    7-Zip 4.57
    Ad-Aware
    Adobe Photoshop 7.0
    AVG Free 8.0
    DivX Codec
    DivX Converter
    DivX Player
    DivX Web Player
    Eudora
    Foxit Reader
    High Definition Audio Driver Package - KB888111
    HijackThis 2.0.2
    HP Photo and Imaging 1.0 - Scanjet 2300c Series
    Microsoft Office 97, Professional Edition
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox (1.5.0.12)
    Nero 7 Premium
    NVIDIA Drivers
    REALTEK GbE & FE Ethernet PCI NIC Driver
    Realtek High Definition Audio Driver
    Spybot - Search & Destroy
    Update for Windows XP (KB898461)
    Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
    Windows Installer 3.1 (KB893803)


    So, how does this look?
    Please correct me if I've made a mistake in this info. Or, please let me know if I've omitted something.

    Thanks again!

  4. #4
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Please do not change the font color, it does not make it easier for me to read.
    Did I omit a step or process?
    Please take the following steps before you post. Not doing so may delay assistance.
    If you have not yet installed Spybot-S&D
    Spybot-Search & Destroy 1.6.0 Download
    I made no request for this Spybot report, since Spybot is supposed to remove this trojan, if is not doing so, post a request for help here:
    http://forums.spybot.info/forumdisplay.php?f=4

    Uninstall list: I look for malware and security issues, hackers are exploiting out of date programs. If you are going to run them, you must keep them up to date.
    Here is a small free tool that lets you know when something needs an update if you are interested:
    https://psi.secunia.com/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

    Mozilla Firefox (1.5.0.12) <<< out of date
    http://www.mozilla.com/en-US/firefox/

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  5. #5
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •