
Thread: Can't get rid of PWS.LDPinchIE

  1. #1
    Junior Member
    Join Date
    May 2009
    Posts
    13

    Default

    Hi Mr_Jak3

    I followed your instructions, and here are the scan and HijackThis logs. How's it looking now?

    Steve

    =============================

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0 REPORT
    Sunday, May 24, 2009
    Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Program database last update: Sunday, May 24, 2009 16:28:49
    Records in database: 2234316
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\
    J:\

    Scan statistics:
    Files scanned: 565085
    Threat name: 13
    Infected objects: 34
    Suspicious objects: 0
    Duration of the scan: 06:13:23


    File name / Threat name / Threats count
    C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-4a03e20f Infected: Exploit.Java.Gimsh.b 1
    C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\6.0\49\49820371-7a73e55c Infected: Exploit.Java.Gimsh.b 1
    C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-148d63e7 Infected: Exploit.Java.Gimsh.b 1
    C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\6.0\52\7c5dd1b4-72dc4052 Infected: Trojan.Java.ClassLoader.ao 1
    C:\Documents and Settings\Steve\Desktop\AV Tools\regtools.vbs Infected: not-a-virus:RiskTool.VBS.DisReg.a 1
    C:\Documents and Settings\Steve\Desktop\To Sort Later\Anti-Spyware\backups\backup-20080113-173930-245-source.html Infected: Trojan-Clicker.HTML.IFrame.dn 1
    C:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{4CB4FC00-E9AC-4FF0-AED9-D91ADB30B9EC}\Microsoft\Outlook Express\BattleBotv8.2 - Deleted Items.dbx Infected: Email-Worm.Win32.NetSky.b 1
    C:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{4CB4FC00-E9AC-4FF0-AED9-D91ADB30B9EC}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.NetSky.b 1
    C:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{4CB4FC00-E9AC-4FF0-AED9-D91ADB30B9EC}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.NetSky.q 1
    C:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{4CB4FC00-E9AC-4FF0-AED9-D91ADB30B9EC}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx Infected: Email-Worm.Win32.NetSky.q 1
    C:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{4CB4FC00-E9AC-4FF0-AED9-D91ADB30B9EC}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx Infected: Email-Worm.Win32.Bagle.ai 2
    C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthdhberunpppqjtkrdqimylcfyhtpkcbfa.sys.vir Infected: Trojan.Win32.Tdss.aalf 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthoexqsdnrniyyxyfkkjygtwtjlfjkdsxc.dll.vir Infected: Trojan.Win32.Tdss.aalc 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthqbtipejuamkumlrsdnvkffqtmddqhudu.dll.vir Infected: Trojan.Win32.Tdss.aalg 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthvhptehqbgkpdtfpphqkwyrvrdrccrukd.dll.vir Infected: Trojan.Win32.Tdss.aald 1
    C:\System Volume Information\_restore{2D1BCA4F-B413-410A-8075-A3EFB933AE76}\RP205\A0064885.dll Infected: Trojan.Win32.Tdss.aalc 1
    C:\System Volume Information\_restore{2D1BCA4F-B413-410A-8075-A3EFB933AE76}\RP205\A0064886.dll Infected: Trojan.Win32.Tdss.aalg 1
    C:\System Volume Information\_restore{2D1BCA4F-B413-410A-8075-A3EFB933AE76}\RP205\A0064887.dll Infected: Trojan.Win32.Tdss.aald 1
    C:\System Volume Information\_restore{81DEB3A1-32F6-47DA-814F-CC9817B6BB5D}\RP266\A0210613.sys Infected: Trojan.Win32.Tdss.aalf 1
    C:\System Volume Information\_restore{81DEB3A1-32F6-47DA-814F-CC9817B6BB5D}\RP266\A0210614.dll Infected: Trojan.Win32.Tdss.aalc 1
    C:\System Volume Information\_restore{81DEB3A1-32F6-47DA-814F-CC9817B6BB5D}\RP266\A0210615.dll Infected: Trojan.Win32.Tdss.aalg 1
    C:\System Volume Information\_restore{81DEB3A1-32F6-47DA-814F-CC9817B6BB5D}\RP266\A0210616.dll Infected: Trojan.Win32.Tdss.aald 1
    C:\WINDOWS\system32\pofegohu(junk).dllllll Infected: Packed.Win32.Krap.q 1
    E:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-11267197.zip Infected: Exploit.Java.Gimsh.b 1
    E:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-400827c9.zip Infected: Exploit.Java.Gimsh.b 1
    E:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{4CB4FC00-E9AC-4FF0-AED9-D91ADB30B9EC}\Microsoft\Outlook Express\BattleBotv8.2 - Deleted Items.dbx Infected: Email-Worm.Win32.NetSky.b 1
    E:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{4CB4FC00-E9AC-4FF0-AED9-D91ADB30B9EC}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.NetSky.b 1
    E:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{4CB4FC00-E9AC-4FF0-AED9-D91ADB30B9EC}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.NetSky.q 1
    E:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{4CB4FC00-E9AC-4FF0-AED9-D91ADB30B9EC}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx Infected: Email-Worm.Win32.NetSky.q 1
    E:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{4CB4FC00-E9AC-4FF0-AED9-D91ADB30B9EC}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx Infected: Email-Worm.Win32.Bagle.ai 2
    H:\regtools.vbs Infected: not-a-virus:RiskTool.VBS.DisReg.a 1

    The selected area was scanned.

    ================================================

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:26:51 PM, on 5/24/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Google\Gmail Notifier\gnotify.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\games\steam\steam.exe
    C:\Program Files\Executor\executor.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\UAService7.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    G:\AWC (Auto Wallpaper Changer)\AWC.exe
    C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Stardock\Impulse\Impulse.exe
    C:\Program Files\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wrinsiders.com/Teens/?RP=SignIn
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [Steam] "d:\games\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [Executor] "C:\Program Files\Executor\executor.exe" -s
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: AWC.lnk = G:\AWC (Auto Wallpaper Changer)\AWC.exe
    O4 - Startup: ImpulseNow.lnk = C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
    O4 - Startup: Mozilla Sunbird.lnk = C:\Program Files\Mozilla Sunbird\sunbird.exe
    O4 - Startup: Shortcut to Ut3 Map TO DOs.lnk = ?
    O4 - Startup: Sins of a Solar Empire Launcher.lnk = D:\Games\Sins of a Solar Empire\Stardock Games\Sins of a Solar Empire\SINS_Launcher.exe
    O4 - Startup: Ventrilo Server.lnk = C:\Program Files\Ventrilo\Ventrilo Server\ventrilo_srv.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe

    --
    End of file - 5078 bytes

    ==========================================

  2. #2
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    OK, the Kaspersky findings are just leftovers.

    Delete everything inside this folder:
    C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache

    Delete this file if found:
    C:\WINDOWS\system32\pofegohu(junk).dllllll

    Then you should clean up your Outlook Express email folders as you have some infected emails there.

    You don't seem to have a third-party firewall installed. You must install a firewall.
    It is possible that you're using the Windows XP firewall. That is of course better than nothing, but I recommend that you install a more advanced firewall that gives more protection. The Windows firewall doesn't, for example, protect your computer from inbound threats. This means that any malware on your computer is free to "phone home" for more instructions. Remember to use only one firewall at a time. I'll give you a few alternatives if you want to install a third-party firewall:

    These are good (free) firewalls:

    Older versions of Java have vulnerabilities that malware can use to infect your system. Please follow these steps to remove the older Java components and update.
    First remove the older versions:
    • Click Start
    • Go to Control Panel
    • Go to Add/Remove Programs
    • Find and click Remove for each version of Java that is present
    • Download JavaRa and unzip it to your desktop.
    • Double-click on JavaRa.exe to start the program.
    • From the drop-down menu, choose English and click on Select.
    • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
    • A logfile will pop up. Please save it to a convenient location.

    Now let's download and install the newest version:
    • Download Java SE Runtime Environment (JRE) 6 Update 12 from here: http://java.sun.com/javase/downloads/index.jsp
    • As Platform select your operating system, agree to the License Agreement and click Continue.
    • Now click on the link under Windows Offline Installation and download the installer to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Then from your desktop double-click on the download to install the newest version.
    • Reboot your computer.


    If there are no problems, we'll remove all the tools we used.

    Please download OTCleanIt and save it to desktop.
    • Double-click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes; if not, delete it yourself.


    Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

    Now let's uninstall ComboFix:

    * Click START then RUN
    * Now type Combofix /u in the runbox and click OK

    You may uninstall MBAM via Control Panel

    Clear your system restore
    This will clear the system restore folders from possible malware that was left behind during the cleaning process.

    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
    • Use ATF Cleaner
      Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
    • Use Spybot S&D
      Download and install Spybot S&D. Update it and scan your computer regularly with it.
    • Install SpywareBlaster
      SpywareBlaster will prevent spyware from being installed.
    • Install MVPS Hosts file
      This prevents your computer from connecting to harmful sites.
    • Use Firefox browser
      Firefox is a faster, safer and better browser than Internet Explorer.
    • Keep your system up-to-date
      Visit Windows Update regularly.
    • Keep your antivirus and firewall up-to-date
      Scan your computer regularly with your antivirus.
    • Read this article by TonyKlein
      So how did I get infected in the first place?
    • Stand Up and Be Counted !
      The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


    Stay clean and be safe
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006
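The reply above sorts the Kaspersky hits into "leftovers" (quarantined copies, restore points, the Java cache, old mail) and the one file that still needs deleting. The script below, an added example that is not part of the original thread and not a Kaspersky or forum tool, does that sorting mechanically over the report format posted in this thread. The path rules and the action text per category are this example's own assumptions about where a detection can only be an inert copy; the report lines are a constructed, shortened subset of the posted log.

```python
"""Triage a Kaspersky Online Scanner 7 report: separate dormant copies from live files.

Added example; not part of the original thread and not a Kaspersky feature. The
path rules are assumptions: ComboFix's Qoobox quarantine, System Restore points,
the Java deployment cache, Outlook Express .dbx stores and a cleaning tool's
backup folder hold copies that cannot run on their own; anything else is "live".
"""
import re

# Constructed sample: a shortened subset of the report posted in the thread.
SAMPLE_REPORT = r"""
Scan statistics:
Files scanned: 565085
Infected objects: 34

File name / Threat name / Threats count
C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-4a03e20f Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Steve\Desktop\AV Tools\regtools.vbs Infected: not-a-virus:RiskTool.VBS.DisReg.a 1
C:\Documents and Settings\Steve\Desktop\To Sort Later\Anti-Spyware\backups\backup-20080113-173930-245-source.html Infected: Trojan-Clicker.HTML.IFrame.dn 1
C:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{4CB4FC00-E9AC-4FF0-AED9-D91ADB30B9EC}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.NetSky.b 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthoexqsdnrniyyxyfkkjygtwtjlfjkdsxc.dll.vir Infected: Trojan.Win32.Tdss.aalc 1
C:\System Volume Information\_restore{81DEB3A1-32F6-47DA-814F-CC9817B6BB5D}\RP266\A0210613.sys Infected: Trojan.Win32.Tdss.aalf 1
C:\WINDOWS\system32\pofegohu(junk).dllllll Infected: Packed.Win32.Krap.q 1
"""

# One finding per line: "<path> Infected: <threat name> <count>". Header lines do not match.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Ordered (label, predicate over lower-cased path and threat name); first match wins,
# anything that matches no rule is "live". The rules are this example's assumptions.
RULES = [
    ("quarantine",    lambda p, t: "\\qoobox\\quarantine\\" in p or p.endswith(".vir")),
    ("restore_point", lambda p, t: "\\system volume information\\_restore{" in p),
    ("java_cache",    lambda p, t: "\\sun\\java\\deployment\\cache\\" in p),
    ("mail_store",    lambda p, t: p.endswith(".dbx")),
    ("tool_backup",   lambda p, t: "\\backups\\backup-" in p),
    ("riskware",      lambda p, t: t.lower().startswith("not-a-virus:")),
]

# What to do per category; wording follows the advice given in the thread.
ACTIONS = {
    "quarantine":    "inert copy in ComboFix quarantine; removed when ComboFix is uninstalled (Combofix /u)",
    "restore_point": "inert copy in a restore point; removed when System Restore is cleared",
    "java_cache":    "cached exploit applet; delete everything inside the Deployment\\cache folder",
    "mail_store":    "infected message in a mail store; clean up the affected Outlook Express folders",
    "tool_backup":   "backup made by a cleaning tool; delete the backup folder",
    "riskware":      "legitimate tool flagged by policy; keep or remove as you see fit",
    "live":          "file outside any quarantine; delete it and re-scan",
}


def parse_report(text):
    """Yield (path, threat, count) for each finding line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("path"), m.group("threat"), int(m.group("count"))


def classify(path, threat):
    """Return the first RULES label whose predicate matches, else 'live'."""
    p = path.lower()
    for label, pred in RULES:
        if pred(p, threat):
            return label
    return "live"


def triage(text):
    """Group findings by label; every label in ACTIONS is present, possibly empty."""
    groups = {label: [] for label in ACTIONS}
    for path, threat, count in parse_report(text):
        groups[classify(path, threat)].append((path, threat, count))
    return groups


if __name__ == "__main__":
    for label, hits in triage(SAMPLE_REPORT).items():
        print(f"{label:14s} {len(hits):2d}  {ACTIONS[label]}")
        for path, threat, _ in hits:
            print(f"    {threat:40s} {path}")
```

Run against the sample, only the `pofegohu(junk).dllllll` file lands in "live", which is exactly the one file the reply singles out for deletion; the Tdss hits all sit in quarantine or restore points. Rule order matters: the Qoobox and restore-point checks come before the riskware check so that a `not-a-virus:` tool sitting inside a quarantine folder is still counted as quarantined.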

  3. #3
    Junior Member
    Join Date
    May 2009
    Posts
    13

    Thumbs up Thanks!

    All is working well! Thanks, Mr_Jak3. Your help saved a reformat (never any fun). This is the first time I've had to come to this site for help. I really appreciate it.
    Steve

  4. #4
    Junior Member
    Join Date
    May 2009
    Posts
    13

    Default Oops! Spoke too soon!

    I spoke too soon. Today I was using Firefox and went to Google. About 1 in three links took me to the wrong site. Each time it was different. I ran Spybot and it reported Virtumonde.sci and Virtumonde.sdn. It cleaned these up, but there must still be something hiding. What's next?
    Steve

  5. #5
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Hiya

    Okay let's see what we have there. Please post a fresh HijackThis log...
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  6. #6
    Junior Member
    Join Date
    May 2009
    Posts
    13

    Default New HijackThis log

    Here's the log after a fresh boot.

    -----------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:18:05 PM, on 6/3/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Google\Gmail Notifier\gnotify.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\games\steam\steam.exe
    C:\Program Files\Executor\executor.exe
    C:\Program Files\Spybot\TeaTimer.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    G:\AWC (Auto Wallpaper Changer)\AWC.exe
    C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\UAService7.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wrinsiders.com/Teens/?RP=SignIn
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
    O2 - BHO: (no name) - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - (no file)
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [Steam] "d:\games\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [Executor] "C:\Program Files\Executor\executor.exe" -s
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: AWC.lnk = G:\AWC (Auto Wallpaper Changer)\AWC.exe
    O4 - Startup: ImpulseNow.lnk = C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
    O4 - Startup: Mozilla Sunbird.lnk = C:\Program Files\Mozilla Sunbird\sunbird.exe
    O4 - Startup: Shortcut to Ut3 Map TO DOs.lnk = ?
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Spybot - Search & Destroy.lnk = C:\Program Files\Spybot\SpybotSD.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O20 - Winlogon Notify: tuvuuss - C:\WINDOWS\
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe

    --
    End of file - 5544 bytes

  7. #7
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    OK, this is going to look like a replay, but something came back....

    We will begin with ComboFix (again).

    Please download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper


    If you need help, see this link:
    http://www.bleepingcomputer.com/comb...o-use-combofix
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006
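What "came back" is visible by diffing the two HijackThis logs in this thread: the second log gains, besides the Spybot entries the user installed, an `O2` BHO with `(no file)` and an `O20 - Winlogon Notify: tuvuuss - C:\WINDOWS\` entry whose path is a bare directory rather than a DLL. The script below is an added example, not part of the original thread and not a HijackThis feature: it diffs two logs and applies a few heuristics of its own (Winlogon Notify without a DLL path, orphaned BHO, service with missing file, IE start page outside microsoft.com). The severities and the microsoft.com allow rule are this example's assumptions, and the two sample logs are constructed subsets of the thread's logs with the process lists and most O4 lines left out.

```python
"""Diff two HijackThis logs and flag the entries that warrant a second look.

Added example; not part of the original thread and not a HijackThis feature.
The checks are this example's own heuristics, written to match what the second
log in the thread shows. Severity labels are assumptions, not a HijackThis scale.
"""
import re

# Constructed sample: subset of the first log posted in the thread.
FIRST_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wrinsiders.com/Teens/?RP=SignIn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Constructed sample: the second log, i.e. the first plus the entries that appeared later.
SECOND_LOG = FIRST_LOG + r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O20 - Winlogon Notify: tuvuuss - C:\WINDOWS\
"""

# Every HijackThis entry starts with a section code such as R0, O2, O20, O23.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<rest>.*)$")
# Assumption: IE URLs under *.microsoft.com are the shipped defaults and need no review.
MS_URL_RE = re.compile(r"^https?://[^/]*\.microsoft\.com/")


def parse_entries(text):
    """Return (kind, rest) pairs for every entry line; headers and process lists are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group("kind"), m.group("rest")))
    return out


def new_entries(old_text, new_text):
    """Entries present in the newer log but absent from the older one, in log order."""
    seen = set(parse_entries(old_text))
    return [e for e in parse_entries(new_text) if e not in seen]


def find_issues(entries):
    """Return (severity, kind, message) for each entry a heuristic flags."""
    issues = []
    for kind, rest in entries:
        if kind == "O20" and rest.startswith("Winlogon Notify: "):
            # A Notify package must name a DLL; a bare directory means the DLL is hidden or gone.
            name, _, path = rest[len("Winlogon Notify: "):].partition(" - ")
            if not path.lower().endswith(".dll"):
                issues.append(("HIGH", kind, f"Winlogon Notify '{name}' has no DLL path ({path!r})"))
        elif kind == "O2" and rest.endswith("(no file)"):
            issues.append(("LOW", kind, "orphaned BHO CLSID: " + rest))
        elif kind == "O23" and rest.endswith("(file missing)"):
            issues.append(("LOW", kind, "service points at a missing file: " + rest))
        elif kind in ("R0", "R1") and " = " in rest:
            url = rest.split(" = ", 1)[1]
            if not MS_URL_RE.match(url):
                issues.append(("INFO", kind, "non-default IE URL: " + url))
    return issues


if __name__ == "__main__":
    added = new_entries(FIRST_LOG, SECOND_LOG)
    print("entries new in the second log:")
    for kind, rest in added:
        print(f"  {kind} - {rest}")
    print("flagged among them:")
    for sev, kind, msg in find_issues(added):
        print(f"  [{sev}] {kind}: {msg}")
```

On the samples the diff yields five new entries; two are the user's own Spybot installation and one (`KernelFaultCheck`) is the Windows crash-reporting entry, so only the orphaned BHO and the `tuvuuss` Notify entry are flagged. Running the heuristics over the first log alone flags only the custom start page and the already-present `Ati HotKey Poller` service with its missing file, which is consistent with the helper having passed that log as clean. Diffing against a known-clean baseline is the general technique: it separates "came back" from "was always there".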

  8. #8
    Junior Member
    Join Date
    May 2009
    Posts
    13

    Default

    Here are my logs.
    Steve

    ---------------------------


    ComboFix 09-06-07.02 - Steve 06/07/2009 16:38.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1503 [GMT -5:00]
    Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((( Files Created from 2009-05-07 to 2009-06-07 )))))))))))))))))))))))))))))))
    .

    2009-06-07 01:51 . 1999-03-23 05:00 401484 ----a-w- c:\windows\system32\msvcrtd.dll
    2009-06-03 23:03 . 2009-06-03 23:03 -------- d-----w- c:\program files\GameTap Web Player
    2009-06-03 23:03 . 2009-06-03 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\GameTap Web Player
    2009-06-03 23:03 . 2009-05-06 00:05 462848 ----a-w- c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\default.y55\extensions\GameTap@gametap.com\plugins\npGameTapWebUpdater.dll
    2009-06-01 17:53 . 2009-06-01 17:53 390664 ----a-w- c:\documents and settings\Steve\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
    2009-05-24 15:36 . 2009-05-24 15:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
    2009-05-20 05:32 . 2009-05-20 05:32 -------- d-----w- c:\program files\Trend Micro
    2009-05-20 04:30 . 2009-05-20 04:31 -------- d-----w- c:\program files\RegBackup ERUNT
    2009-05-19 02:47 . 2009-05-19 02:47 -------- d-----w- c:\documents and settings\Steve\Application Data\Malwarebytes
    2009-05-19 02:47 . 2009-04-06 20:32 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-05-19 02:47 . 2009-04-06 20:32 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-05-19 02:47 . 2009-05-19 02:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-05-19 02:47 . 2009-05-19 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-05-19 02:46 . 2009-05-19 02:46 -------- d-----w- c:\documents and settings\Steve\Application Data\Safer Networking
    2009-05-19 02:24 . 2009-05-19 02:45 -------- d-----w- c:\program files\Safer Networking
    2009-05-19 00:42 . 2009-05-19 00:42 -------- d-----w- c:\program files\ProcessExplorer
    2009-05-17 21:35 . 2009-05-17 21:35 -------- d--h--w- c:\windows\system32\GroupPolicy
    2009-05-17 21:35 . 2009-05-17 21:35 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-05-16 21:48 . 2009-05-16 21:57 -------- d-----w- c:\windows\SxsCaPendDel
    2009-05-15 22:01 . 2008-04-14 05:42 26112 ----a-w- c:\windows\system32\USERINIT.EXE
    2009-05-13 22:17 . 2009-05-13 22:17 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Mozilla
    2009-05-13 21:53 . 2009-05-14 00:55 -------- d-----w- c:\documents and settings\Steve\Application Data\ptidle
    2009-05-13 20:41 . 2009-05-13 21:00 -------- d-----w- c:\documents and settings\All Users\Application Data\SimCity Societies
    2009-05-12 02:57 . 2009-05-12 02:57 -------- d-----w- c:\windows\system32\KB905474
    2009-05-12 02:57 . 2009-03-11 03:26 1403264 ----a-w- c:\windows\system32\KB905474\wganotifypackageinner.exe
    2009-05-12 02:57 . 2009-03-11 03:18 453512 ----a-w- c:\windows\system32\KB905474\wgasetup.exe
    2009-05-11 00:06 . 2009-05-11 00:28 98304 ----a-w- c:\documents and settings\Steve\Application Data\Soldat\BattlEye\BEClient.dll
    2009-05-11 00:06 . 2009-05-11 00:06 -------- d-----w- c:\documents and settings\Steve\Application Data\Soldat
    2009-05-11 00:06 . 2009-03-29 00:52 94208 ----a-w- c:\documents and settings\Steve\Application Data\Soldat\BattlEye\BEServer.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-06-07 21:23 . 2009-03-29 22:46 -------- d-----w- c:\program files\Mozilla Sunbird
    2009-06-07 01:52 . 2005-01-30 21:40 246 ----a-w- c:\windows\PowerReg.dat
    2009-06-07 01:50 . 2004-07-25 12:26 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-06-05 16:42 . 2007-06-17 22:30 98304 ----a-w- c:\windows\System32CmdLineExt.dll
    2009-06-04 23:06 . 2007-03-13 20:38 64 ----a-w- c:\windows\popcinfot.dat
    2009-06-03 22:24 . 2004-09-22 14:40 84592 ----a-w- c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-28 13:48 . 2009-02-01 02:50 -------- d-----w- c:\program files\Spybot
    2009-05-27 23:37 . 2008-08-07 00:46 -------- d-----w- c:\documents and settings\Steve\Application Data\OpenOffice.org2
    2009-05-27 23:36 . 2008-08-16 13:46 1 ----a-w- c:\documents and settings\Steve\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
    2009-05-27 23:35 . 2008-01-25 01:18 -------- d-----w- c:\program files\MSECACHE
    2009-05-20 01:46 . 2009-03-08 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
    2009-05-13 13:31 . 2008-12-13 16:32 -------- d-----w- c:\program files\Stardock Games
    2009-05-10 19:58 . 2009-04-30 21:25 -------- d-----w- c:\documents and settings\Steve\Application Data\Mumble
    2009-05-04 23:10 . 2009-05-04 23:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Ironclad Games
    2009-05-03 18:08 . 2009-03-08 22:46 11952 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-05-03 18:08 . 2009-03-08 22:46 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-05-03 18:08 . 2009-03-08 22:46 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-05-03 18:08 . 2009-03-08 22:46 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2009-04-27 03:19 . 2008-02-12 19:09 -------- d-----w- c:\documents and settings\Steve\Application Data\WTablet
    2009-04-25 20:20 . 2009-02-17 18:36 -------- d-----w- c:\documents and settings\Steve\Application Data\Winamp
    2009-04-22 05:20 . 2009-04-22 05:20 14311680 ----a-w- c:\windows\system32\xlive.dll
    2009-04-22 05:20 . 2009-04-22 05:20 13642496 ----a-w- c:\windows\system32\xlivefnt.dll
    2009-04-19 16:07 . 2007-09-15 21:17 189072 ----a-w- c:\windows\system32\PnkBstrB.exe
    2009-04-14 23:29 . 2009-04-14 23:29 3638 ----a-r- c:\documents and settings\Steve\Application Data\Microsoft\Installer\{12BC79CA-8138-40C5-870C-C7F821C0C143}\NewShortcut11_12BC79CA813840C5870CC7F821C0C143.exe
    2009-04-14 23:29 . 2009-04-14 23:29 3638 ----a-r- c:\documents and settings\Steve\Application Data\Microsoft\Installer\{12BC79CA-8138-40C5-870C-C7F821C0C143}\NewShortcut1_12BC79CA813840C5870CC7F821C0C143.exe
    2009-04-14 23:29 . 2009-04-14 23:29 10134 ----a-r- c:\documents and settings\Steve\Application Data\Microsoft\Installer\{12BC79CA-8138-40C5-870C-C7F821C0C143}\ARPPRODUCTICON.exe
    2009-03-30 22:54 . 2009-03-17 22:30 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
    2009-03-25 23:10 . 2007-09-15 21:17 138920 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
    2009-03-25 23:10 . 2007-09-15 21:17 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
    2009-03-21 21:31 . 2004-07-29 01:10 80058 ----a-w- c:\windows\War3Unin.dat
    2009-03-10 17:09 . 2004-07-26 22:15 1725 ----a-w- c:\windows\eReg.dat
    2008-03-23 19:04 . 2008-03-23 19:04 0 ----a-w- c:\program files\temp01
    2005-04-16 16:11 . 2005-04-16 16:11 0 ----a-w- c:\program files\error.dat
    2003-12-18 17:33 . 2004-11-01 00:44 20102 ----a-w- c:\program files\Readme.txt
    2003-09-03 13:46 . 2004-11-01 00:44 10960 ----a-w- c:\program files\EULA.txt
    2003-07-29 06:15 . 2009-02-06 03:54 307200 ----a-w- c:\program files\internet explorer\plugins\djvu0407.dll
    2003-07-29 06:15 . 2009-02-06 03:54 303104 ----a-w- c:\program files\internet explorer\plugins\djvu0409.dll
    2003-07-29 06:15 . 2009-02-06 03:54 311296 ----a-w- c:\program files\internet explorer\plugins\djvu040c.dll
    2003-07-29 06:15 . 2009-02-06 03:54 299008 ----a-w- c:\program files\internet explorer\plugins\djvu0411.dll
    2003-07-29 06:15 . 2009-02-06 03:54 299008 ----a-w- c:\program files\internet explorer\plugins\djvu0412.dll
    2003-07-29 06:15 . 2009-02-06 03:54 290816 ----a-w- c:\program files\internet explorer\plugins\djvu0804.dll
    2003-07-29 06:15 . 2009-02-06 03:54 122880 ----a-w- c:\program files\internet explorer\plugins\DjVuCntl.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-05-22_00.25.26 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2007-08-10 22:19 . 2007-11-30 11:18 17272 c:\windows\system32\spmsg.dll
    - 2007-08-10 22:19 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
    + 2009-05-27 23:36 . 2009-05-27 23:36 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
    + 2009-06-03 22:25 . 2009-06-03 22:25 56320 c:\windows\assembly\NativeImages_v2.0.50727_32\Stardock.Central.Se#\5385eb9f34ad209ba7ea87cac00e1a64\Stardock.Central.Security.ni.dll
    + 2009-06-03 22:25 . 2009-06-03 22:25 81920 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Uninstall\bcb8554f6f9d1fac5114830ff6c1d4bc\Sd.Uninstall.ni.dll
    + 2004-07-24 18:01 . 2009-05-28 11:56 296456 c:\windows\system32\FNTCACHE.DAT
    + 2009-06-03 22:25 . 2009-06-03 22:25 284672 c:\windows\assembly\NativeImages_v2.0.50727_32\VistaBridgeLibrary\1a7da1bd1409cb8aae83d12985e91785\VistaBridgeLibrary.ni.dll
    + 2009-06-03 22:25 . 2009-06-03 22:25 485888 c:\windows\assembly\NativeImages_v2.0.50727_32\VDialog\b9f93ab4e871202f08bacb2eea45619f\VDialog.ni.dll
    + 2009-06-03 22:25 . 2009-06-03 22:25 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd\b763c29a1b5ab7f3a4db1563af682177\Sd.ni.dll
    + 2009-06-03 22:25 . 2009-06-03 22:25 422912 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Web\c71283976332f42816bf8eef4862aa2a\Sd.Web.ni.dll
    + 2009-06-03 22:25 . 2009-06-03 22:25 155648 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.UI\3e7f2d58806d187d104688c6646cf0f4\Sd.UI.ni.dll
    + 2009-06-03 22:25 . 2009-06-03 22:25 804352 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Irc\91e6d500574d1ef15828dcdbc154e44e\Sd.Irc.ni.dll
    + 2009-06-03 22:25 . 2009-06-03 22:25 296960 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.InstallManager\3b63000c351829ab07838317ca9a3643\Sd.InstallManager.ni.dll
    + 2009-06-03 22:25 . 2009-06-03 22:25 564224 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Common.XmlSerial#\ae0f4540e4c7dbed2820722ac3eed7da\Sd.Common.XmlSerializers.ni.dll
    + 2009-06-03 22:25 . 2009-06-03 22:25 788480 c:\windows\assembly\NativeImages_v2.0.50727_32\sd.central.cvp.serv#\b6e8a38d3cfc48123b5715b7cd18b6e1\sd.central.cvp.server.ni.dll
    + 2009-06-03 22:25 . 2009-06-03 22:25 128512 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Central.Archive\8101eb83b90821af4b7c6eab2024a41f\Sd.Central.Archive.ni.dll
    + 2009-06-03 22:25 . 2009-06-03 22:25 345600 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Central.Archive.#\aca17957fd7012185f82679a35a18b0f\Sd.Central.Archive.XmlSerializers.ni.dll
    + 2009-06-03 22:25 . 2009-06-03 22:25 326144 c:\windows\assembly\NativeImages_v2.0.50727_32\MyDock.Util\523977d5edec6266fcc0c7588e361cd5\MyDock.Util.ni.dll
    + 2009-06-03 22:25 . 2009-06-03 22:25 100864 c:\windows\assembly\NativeImages_v2.0.50727_32\Interop.IWshRuntime#\b57a1fe2527d40aae9b62b10f57be9b8\Interop.IWshRuntimeLibrary.ni.dll
    + 2009-06-03 22:25 . 2009-06-03 22:25 726016 c:\windows\assembly\NativeImages_v2.0.50727_32\ICSharpCode.SharpZi#\5c1a3278ff6412107322a65dee39790d\ICSharpCode.SharpZipLib.ni.dll
    + 2009-06-03 22:25 . 2009-06-03 22:25 1308160 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Common\d0463aaf422bc51e171f0cad7a6775e1\Sd.Common.ni.dll
    + 2009-06-03 22:25 . 2009-06-03 22:25 6175232 c:\windows\assembly\NativeImages_v2.0.50727_32\Impulse\162b482fdd3a7302192bf6d202561efd\Impulse.ni.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="d:\games\steam\steam.exe" [2009-05-22 1217784]
    "Executor"="c:\program files\Executor\executor.exe" [2008-05-19 1052672]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
    "amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-03 1947928]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-04 185896]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
    "MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

    c:\documents and settings\Steve\Start Menu\Programs\Startup\
    AWC.lnk - g:\awc (auto wallpaper changer)\AWC.exe [2009-4-1 1261568]
    ImpulseNow.lnk - c:\program files\Stardock\Impulse\Now\ImpulseNow.exe [2009-5-4 356352]
    Mozilla Sunbird.lnk - c:\program files\Mozilla Sunbird\sunbird.exe [2009-3-29 6354540]
    Shortcut to Ut3 Map TO DOs.lnk - c:\documents and settings\Steve\Desktop\TO DO.txt [2008-8-13 6087]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-12-14 528384]
    Spybot - Search & Destroy.lnk - c:\program files\Spybot\SpybotSD.exe [2009-1-31 5365592]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-05-03 18:08 11952 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvuuss]
    [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=ctwdm32.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^ImpulseNow.lnk]
    path=c:\documents and settings\Steve\Start Menu\Programs\Startup\ImpulseNow.lnk
    backup=c:\windows\pss\ImpulseNow.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^Ventrilo Server.lnk]
    path=c:\documents and settings\Steve\Start Menu\Programs\Startup\Ventrilo Server.lnk
    backup=c:\windows\pss\Ventrilo Server.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "DGPN"=2 (0x2)
    "TabletServiceWacom"=2 (0x2)
    "PnkBstrB"=2 (0x2)
    "PnkBstrA"=2 (0x2)
    "JavaQuickStarterService"=2 (0x2)
    "idsvc"=3 (0x3)
    "IDriverT"=3 (0x3)
    "Brother XP spl Service"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "d:\\Games\\Steam\\SteamApps\\battlebotv82\\counter-strike source\\hl2.exe"=
    "c:\\WINDOWS\\system32\\dplaysvr.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo Server\\ventrilo_srv.exe"=
    "d:\\Games\\WarHammer 40,000 Dawn of War\\Dark Crusade\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
    "d:\\Games\\Earth 2160\\Earth2160_NO_SSE.exe"=
    "d:\\Games\\Earth 2160\\Earth2160_SSE.exe"=
    "d:\\Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
    "d:\\Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "d:\\Games\\World in Conflict\\wic.exe"=
    "d:\\Games\\World in Conflict\\wic_online.exe"=
    "d:\\Games\\World in Conflict\\wic_ds.exe"=
    "d:\\Games\\Quake Wars - Enemy Territory\\etqwded.exe"=
    "d:\\Games\\Quake Wars - Enemy Territory\\etqw.exe"=
    "d:\\Games\\Unreal Tournament 3\\Binaries\\UT3.exe"=
    "c:\\Games\\Sid Meier's Railroads!\\RailRoads.exe"=
    "d:\\Games\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "g:\\Games\\Mass Effect\\Binaries\\MassEffect.exe"=
    "g:\\Games\\Mass Effect\\MassEffectLauncher.exe"=
    "g:\\Games\\Universe At War Earth Assault\\UAWEA.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\brothers in arms earned in blood\\System\\EiB.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\stalker shadow of chernobyl\\bin\\XR_3DA.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\prince of persia the warrior within\\PrinceOfPersia.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\roboblitz\\Binaries\\RoboLaunch.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\eets\\Eets.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\ghost recon advanced warfighter\\graw.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\ghost recon\\GhostRecon.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\ghost recon advanced warfighter 2\\graw2.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\multiwinia\\multiwinia.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\wallace and gromit demo\\WallaceGromitDemo.exe"=
    "g:\\Games\\Spellforce 2 - Shadow Wars\\spellforce2.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\company of heroes\\RelicCOH.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\left 4 dead\\srcds.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\titan quest immortal throne\\Tqit.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\titan quest immortal throne\\help.htm"=
    "d:\\Games\\Steam\\SteamApps\\common\\titan quest\\help.htm"=
    "d:\\Games\\Sins of a Solar Empire\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\plants vs zombies\\PlantsVsZombies.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/8/2009 5:46 PM 325896]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/8/2009 5:46 PM 108552]
    R1 cdawdm;CDAWDM;c:\windows\system32\drivers\cdawdm.sys [11/22/2002 5:58 PM 48111]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [3/8/2009 5:45 PM 908568]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/8/2009 5:45 PM 298776]
    R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [12/14/2006 4:50 PM 2368]
    S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [2/10/2008 1:49 PM 23040]
    S3 Vsp;Vsp;\??\c:\windows\System32\drivers\Vsp.sys --> c:\windows\System32\drivers\Vsp.sys [?]
    S4 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2/12/2008 2:08 PM 1373480]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    .
    Contents of the 'Scheduled Tasks' folder

    2005-08-07 c:\windows\Tasks\cleanup-test.job
    - d:\data\cleanup.bat [2004-09-07 02:12]

    2009-05-04 c:\windows\Tasks\cleanup.job
    - d:\data\cleanup.bat [2004-09-07 02:12]

    2009-05-12 c:\windows\Tasks\DataOnly.job
    - c:\windows\system32\ntbackup.exe [2004-08-04 00:12]

    2009-06-07 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 03:18]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.wrinsiders.com/Teens/?RP=SignIn
    FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\default.y55\
    FF - prefs.js: browser.startup.homepage - file:///d:/Data/HomePage/index.html
    FF - component: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\default.y55\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
    FF - plugin: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\default.y55\extensions\GameTap@gametap.com\plugins\npGameTapWebUpdater.dll
    FF - plugin: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\default.y55\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
    FF - plugin: c:\program files\GameTap Web Player\bin\release\npGameTapWebPlayer.dll
    FF - plugin: d:\program files\VideoLAN\VLC\npvlc.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-06-07 16:39
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-725345543-764733703-1801674531-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "????????????????????????"=hex:63,a2,df,ea,77,f0,95,25,eb,6c,dc,66,29,e5,12,1d,
    2c,29,70,2c,5c,5c,25,f7,2c,2c,5c,d1,25,c3,2e,2e,00,00,00,00,00,00,00,00,00,\
    "???n"=hex:67,c5,3f,af,2f,06,f4,bd,6a,bc,3c,06,c9,a8,f3,94,cf,fc,28,65,23,1f,
    51,a4,66,c3,ff,fd,10,6b,09,b0,09,00,c0,46,db,0a,6f,85,96,63,1a,e5,64,d4,d7,\
    "?????"=hex:9b,9d,a9,7e,82,9e,bf,2c,e9,55,17,f0,77,5c,30,60
    "???n"=hex:ca,7f,b1,85,35,af,19,95,9b,a8,37,7a,99,ab,d7,56,38,b0,d3,96,72,26,
    af,0f,16,9e,d6,36,d2,33,4f,56,ef,d6,90,a9,11,dc,dd,ab,e0,b9,e6,2f,ab,b3,26,\
    "??"=hex:1b,ee,fb,ee,5e,a8,db,76,e9,8e,a8,56,0f,22,bd,59,a7,f5,31,8b,68,3d,0d,
    66,8f,a9,af,3a,cd,97,dd,26,b6,8f,e0,00,53,f0,17,e0,33,21,7c,c4,ec,bb,45,d6,\
    "??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d

    [HKEY_USERS\S-1-5-21-725345543-764733703-1801674531-1003\Software\SecuROM\License information*]
    "datasecu"=hex:60,0d,47,33,43,d6,05,78,97,20,41,75,fe,20,a2,c4,e6,c4,14,cd,72,
    bc,80,4a,7f,c2,b8,b7,b8,67,45,6b,87,24,7d,2b,e6,ac,26,26,0f,b6,9f,85,ba,26,\
    "rkeysecu"=hex:65,d6,a2,52,b5,22,4b,f2,49,55,2b,25,75,bf,64,56
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(780)
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(2304)
    c:\program files\Logitech\SetPoint\GameHook.dll
    c:\program files\Logitech\SetPoint\lgscroll.dll
    c:\windows\system32\MSVCP71.dll
    c:\windows\system32\msi.dll
    .
    Completion time: 2009-06-07 16:41
    ComboFix-quarantined-files.txt 2009-06-07 21:41
    ComboFix2.txt 2009-05-22 23:57
    ComboFix3.txt 2009-05-22 00:28

    Pre-Run: 12,837,810,176 bytes free
    Post-Run: 12,909,498,368 bytes free

    Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
    294 --- E O F --- 2009-05-23 02:53

    -------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:48:50 PM, on 6/7/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Google\Gmail Notifier\gnotify.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Executor\executor.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\UAService7.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wrinsiders.com/Teens/?RP=SignIn
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [Steam] "d:\games\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [Executor] "C:\Program Files\Executor\executor.exe" -s
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: AWC.lnk = G:\AWC (Auto Wallpaper Changer)\AWC.exe
    O4 - Startup: ImpulseNow.lnk = C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
    O4 - Startup: Mozilla Sunbird.lnk = C:\Program Files\Mozilla Sunbird\sunbird.exe
    O4 - Startup: Shortcut to Ut3 Map TO DOs.lnk = ?
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Spybot - Search & Destroy.lnk = C:\Program Files\Spybot\SpybotSD.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O20 - Winlogon Notify: tuvuuss - C:\WINDOWS\
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe

    --
    End of file - 4928 bytes

    -------------------------

  9. #9
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Okay...

    Backup Your Registry with ERUNT:
    • Download erunt.zip to your Desktop from here:
      http://aumha.org/downloads/erunt.zip
    • Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
    • Inside the new folder, double-click ERUNT.exe to start the program
    • OK all the prompts to back up your registry to the default location.
    Note: to restore your registry, go to the backup folder and start ERDNT.exe


    Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end (don't forget to copy and paste the word REGEDIT4):

    REGEDIT4

    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvuuss]

    Make sure there are NO blank lines before REGEDIT4
    Make sure there IS one blank line at the end of the file.

    Save the document to your desktop as Fix.reg and filetype: All Files
    Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.

    Then uninstall all previous versions of Malwarebytes' Anti-Malware (MBAM).

    Restart the pc.

    • Please download Malwarebytes' Anti-Malware and save it to a convenient location.
    • Double click on mbam-setup.exe to install it.
    • Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
    • Select the Scanner tab. Click on Perform full scan, then click on Scan.
    • Leave the default options as they are and click on Start Scan.
    • When done, you will be prompted. Click OK, then click on Show Results.
    • Check (tick) all items and click on Remove Selected.
    • After it has removed the items, Notepad will open. Please post this log in your next reply along with a fresh HijackThis log. You can also find the log in the Logs tab. The bottom most log is the latest.
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006
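The fix above targets a Winlogon Notify entry (tuvuuss) whose HijackThis O20 line shows a bare directory instead of a DLL, and removes it with a REGEDIT4 file that must start with the header on line one and end with a single blank line. The script below is an added example, not code from this thread or from HijackThis, ComboFix or Malwarebytes: it parses O20 lines in the format shown in the logs above, flags entries with no DLL target, drafts the deletion file in the post's format, validates the two formatting rules, and checks a follow-up log to confirm the entry is gone. The sample log lines are copied from the thread's two HijackThis logs; the `exists` probe and the `\S+` subkey-name assumption are mine, and the script only writes text, it never merges anything into the registry.

```python
"""Audit HijackThis O20 (Winlogon Notify) lines and draft a REGEDIT4 removal file.

Added example (not from the thread or any tool it names). Assumes the O20 line
format seen in HijackThis 2.0.2 logs and that Notify subkey names contain no
spaces. A human still reviews the flagged names before any .reg file is merged.
"""
import re

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
NOTIFY_KEY = ("HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt"
              "\\currentversion\\winlogon\\notify")

# Constructed sample input: lines taken from the 2009-06-07 (before) and
# 2009-06-10 (after) HijackThis logs in this thread. Non-O20 lines are
# included to show they are ignored.
LOG_BEFORE = "\n".join([
    "O4 - HKLM\\..\\Run: [AVG8_TRAY] C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe",
    "O20 - Winlogon Notify: avgrsstarter - C:\\WINDOWS\\SYSTEM32\\avgrsstx.dll",
    "O20 - Winlogon Notify: tuvuuss - C:\\WINDOWS\\",
    "O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe",
])
LOG_AFTER = "\n".join([
    "O20 - Winlogon Notify: avgrsstarter - C:\\WINDOWS\\SYSTEM32\\avgrsstx.dll",
])


def parse_o20(log_text):
    """Return {subkey name: DLL path} for every O20 line in a HijackThis log."""
    entries = {}
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            entries[m.group("name")] = m.group("path").strip()
    return entries


def is_suspicious(path, exists=None):
    """A Winlogon Notify package must be a DLL on disk. Flag a target with no
    file name (bare directory, as with tuvuuss), a non-.dll target, or, when a
    filesystem probe is supplied (assumed callable), a file that does not exist."""
    if not path or path.endswith("\\"):
        return True
    filename = path.rsplit("\\", 1)[-1].lower()
    if not filename.endswith(".dll"):
        return True
    if exists is not None and not exists(path):
        return True
    return False


def flag_entries(log_text, exists=None):
    """Sorted list of Notify subkey names whose target fails is_suspicious()."""
    return sorted(name for name, path in parse_o20(log_text).items()
                  if is_suspicious(path, exists))


def build_removal_reg(names):
    """Draft the REGEDIT4 file the post describes: header on line one, one
    [-key] line per subkey to delete, exactly one blank line at the end."""
    lines = ["REGEDIT4", ""]
    for name in names:
        lines.append("[-%s\\%s]" % (NOTIFY_KEY, name))
        lines.append("")
    return "\n".join(lines) + "\n"


def validate_reg(text):
    """Check a key-deletion .reg file against the two rules stressed in the
    post: nothing before REGEDIT4, and one blank line at the end.
    Returns a list of problems; an empty list means the file is well-formed."""
    problems = []
    lines = text.split("\n")
    if lines[0] != "REGEDIT4":
        problems.append("first line must be REGEDIT4 with nothing before it")
    if not text.endswith("\n\n"):
        problems.append("file must end with exactly one blank line")
    for ln in lines[1:]:
        if ln and not (ln.startswith("[") and ln.endswith("]")):
            problems.append("unexpected line: %r" % ln)
    return problems


def still_present(log_after, names):
    """Post-fix check on the fresh HijackThis log: names that survived the fix."""
    after = parse_o20(log_after)
    return [n for n in names if n in after]


if __name__ == "__main__":
    flagged = flag_entries(LOG_BEFORE)
    reg = build_removal_reg(flagged)
    print("flagged Notify entries:", flagged)
    print(reg)
    print("validation problems:", validate_reg(reg))
    print("still present after fix:", still_present(LOG_AFTER, flagged))
```

On a live machine you would pass `exists=os.path.isfile` so that a DLL that has already been deleted (but whose Notify subkey lingers) is flagged too; the structural check alone is what catches the tuvuuss line, which points at a directory.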

  10. #10
    Junior Member
    Join Date
    May 2009
    Posts
    13

    Default

    Malwarebytes' Anti-Malware 1.37
    Database version: 2259
    Windows 5.1.2600 Service Pack 3

    6/10/2009 6:44:19 PM
    mbam-log-2009-06-10 (18-44-19).txt

    Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|)
    Objects scanned: 752702
    Time elapsed: 2 hour(s), 23 minute(s), 31 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 1
    Files Infected: 12

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prnet (Trojan.Downloader) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    c:\documents and settings\Steve\Application Data\ptidle (Trojan.Downloader) -> Quarantined and deleted successfully.

    Files Infected:
    c:\Qoobox\quarantine\C\WINDOWS\system32\afnoinkdsfe.dll.vir (Trojan.Ertfor) -> Quarantined and deleted successfully.
    c:\Qoobox\quarantine\C\WINDOWS\system32\ovfsthoexqsdnrniyyxyfkkjygtwtjlfjkdsxc.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
    c:\Qoobox\quarantine\C\WINDOWS\system32\ovfsthqbtipejuamkumlrsdnvkffqtmddqhudu.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
    c:\Qoobox\quarantine\C\WINDOWS\system32\ovfsthvhptehqbgkpdtfpphqkwyrvrdrccrukd.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
    c:\Qoobox\quarantine\C\WINDOWS\system32\drivers\ovfsthdhberunpppqjtkrdqimylcfyhtpkcbfa.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{2d1bca4f-b413-410a-8075-a3efb933ae76}\RP205\A0064886.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{2d1bca4f-b413-410a-8075-a3efb933ae76}\RP205\A0064887.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{81deb3a1-32f6-47da-814f-cc9817b6bb5d}\RP266\A0210613.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{81deb3a1-32f6-47da-814f-cc9817b6bb5d}\RP266\A0210614.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{81deb3a1-32f6-47da-814f-cc9817b6bb5d}\RP266\A0210615.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{81deb3a1-32f6-47da-814f-cc9817b6bb5d}\RP266\A0210616.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{81deb3a1-32f6-47da-814f-cc9817b6bb5d}\RP266\A0210789.dll (Trojan.Ertfor) -> Quarantined and deleted successfully.

    -----------------------------------------------


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:52:34 PM, on 6/10/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Google\Gmail Notifier\gnotify.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Executor\executor.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    G:\AWC (Auto Wallpaper Changer)\AWC.exe
    C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\nvsvc32.exe
    D:\games\steam\steam.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\UAService7.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wrinsiders.com/Teens/?RP=SignIn
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [Steam] "d:\games\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [Executor] "C:\Program Files\Executor\executor.exe" -s
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: AWC.lnk = G:\AWC (Auto Wallpaper Changer)\AWC.exe
    O4 - Startup: ImpulseNow.lnk = C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
    O4 - Startup: Mozilla Sunbird.lnk = C:\Program Files\Mozilla Sunbird\sunbird.exe
    O4 - Startup: Shortcut to Ut3 Map TO DOs.lnk = ?
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Spybot - Search & Destroy.lnk = C:\Program Files\Spybot\SpybotSD.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe

    --
    End of file - 4964 bytes
    ---------------------------------
