Page 2 of 2 FirstFirst 12
Results 11 to 19 of 19

Thread: I Have a SERIOUS virus please help

  1. #11
    Emeritus
    Join Date
    Aug 2007
    Posts
    1,875

    Default

    Quote Originally Posted by Anton_eric View Post
    i did but ill do it again
    Ok.

    Go ahead and rum them again and post a fresh HiJackThis Log after you've run them. If signs of Avira still show up, we'll remove them another way.
    Malware Removal University Master
    Member of ASAP & UNITE

  2. #12
    Member
    Join Date
    Jul 2009
    Posts
    74

    Default

    i dont think it worked but here is the log


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:49:29 AM, on 7/31/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\User\Desktop\JOEDURR.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\RunOnce: [delus] C:\DOCUME~1\User\LOCALS~1\Temp\delus.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Unknown owner - C:\Program Files\Avira\AntiVir Desktop\sched.exe (file missing)
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 6448 bytes

  3. #13
    Emeritus
    Join Date
    Aug 2007
    Posts
    1,875

    Default

    It looks like it didn't work.

    This should take care of the rest of Avira leftovers:


    Delete CFScript.txt from your Desktop, you will be creating and running a new one.


    Step # 1: Run CFScript

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      KILLALL::
      
      Driver::
      
      AntiVirSchedulerService
      
      Folder::
      
      c:\documents and settings\All Users\Application Data\Avira
      c:\program files\Avira
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.







      Note: This CFScript is for use on antoneric's computer only! Do not use it on your computer.

    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    In your next post/reply, I need to see the following:

    1. The ComboFix Log that appears after Step 1 has been completed.
    2. A fresh HiJackThis Log taken after Step 1 has been completed.
    Last edited by katana; 2009-08-01 at 20:42.
    Malware Removal University Master
    Member of ASAP & UNITE

  4. #14
    Member
    Join Date
    Jul 2009
    Posts
    74

    Default

    ComboFix 09-07-31.01 - User 07/31/2009 13:00.3.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2585 [GMT -6:00]
    Running from: c:\documents and settings\User\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Avira
    c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\addr_file.html
    c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\CONFIG\AVWIN.INI
    c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\EVENTDB\avevtdb.dbe
    c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\IDX\master.idx
    c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\JOBS\produpd.avj
    c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\JOBS\scanjob.avj
    c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\JOBS\startupd.avj
    c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\JOBS\updjob.avj
    c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\PROFILES\folder.avp
    c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\PROFILES\rootkit.avp
    c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\REPORTS\47129293.avl
    c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\REPORTS\53304609.avl
    c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\REPORTS\b11e1b8b.avl

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_ANTIVIRSCHEDULERSERVICE
    -------\Service_AntiVirSchedulerService


    ((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-31 )))))))))))))))))))))))))))))))
    .

    2009-07-30 14:16 . 2009-07-01 15:46 2052376 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
    2009-07-30 14:16 . 2009-07-01 15:46 906520 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgemc.exe
    2009-07-30 14:16 . 2009-07-01 15:46 353048 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
    2009-07-30 14:16 . 2009-07-01 15:46 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
    2009-07-30 14:16 . 2009-07-01 15:46 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
    2009-07-30 02:02 . 2009-07-30 16:04 -------- d-----w- c:\documents and settings\User\Application Data\BitTorrent
    2009-07-30 02:02 . 2009-07-30 02:02 -------- d-----w- c:\program files\BitTorrent
    2009-07-30 01:35 . 2009-07-30 01:35 -------- d-----w- c:\program files\SystemRequirementsLab
    2009-07-29 16:37 . 2009-07-29 16:37 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
    2009-07-29 16:37 . 2009-07-29 16:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-07-29 06:09 . 2009-07-29 16:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-07-29 01:12 . 2009-07-29 01:40 -------- d-----w- c:\program files\trend micro
    2009-07-28 23:51 . 2008-06-12 10:09 33088 ----a-w- c:\documents and settings\User\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
    2009-07-28 23:41 . 2009-07-28 23:41 -------- d--h--w- c:\windows\PIF
    2009-07-27 01:12 . 2009-03-30 16:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2009-07-27 01:12 . 2009-03-24 22:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2009-07-27 01:12 . 2009-02-13 18:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2009-07-27 01:12 . 2009-02-13 18:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2009-07-21 05:26 . 2009-07-21 05:26 -------- d-----w- c:\documents and settings\User\Application Data\Red Kawa
    2009-07-21 05:20 . 2009-07-21 05:20 -------- d-----w- c:\program files\Red Kawa
    2009-07-07 20:41 . 2009-07-07 20:53 35190 ----a-w- c:\windows\scunin.dat
    2009-07-07 20:41 . 2009-07-07 20:53 967 ----a-w- c:\windows\ScUnin.pif
    2009-07-07 20:41 . 2009-07-07 20:53 94208 ----a-w- c:\windows\ScUnin.exe
    2009-07-07 20:36 . 2009-07-21 15:18 -------- d-----w- c:\program files\Starcraft
    2009-07-06 22:10 . 2009-07-06 22:10 152576 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
    2009-07-06 14:58 . 2009-07-06 14:58 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
    2009-07-05 15:52 . 2009-07-05 15:52 -------- d-----w- c:\documents and settings\User\Application Data\The Creative Assembly

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-07-31 18:50 . 2008-09-27 17:07 34 ----a-w- c:\documents and settings\User\jagex_runescape_preferences.dat
    2009-07-30 22:02 . 2008-09-29 00:41 -------- d-----w- c:\documents and settings\User\Application Data\LimeWire
    2009-07-30 14:15 . 2008-09-27 17:15 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-07-30 01:35 . 2009-06-24 15:09 -------- d-----w- c:\documents and settings\User\Application Data\SystemRequirementsLab
    2009-07-29 06:13 . 2008-09-27 16:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-07-27 20:26 . 2009-03-26 00:21 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
    2009-07-27 13:47 . 2008-10-13 01:30 -------- d-----w- c:\program files\CCleaner
    2009-07-20 23:12 . 2008-09-26 16:31 -------- d-----w- c:\program files\InstallShield Installation Information
    2009-07-06 22:11 . 2008-09-27 17:05 -------- d-----w- c:\program files\Java
    2009-07-01 15:46 . 2008-09-27 17:15 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-06-29 16:12 . 2008-04-14 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
    2009-06-29 16:12 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-06-29 16:12 . 2008-04-14 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
    2009-06-24 15:09 . 2009-06-24 15:09 207872 ----a-w- c:\documents and settings\User\Application Data\SystemRequirementsLab\SRLProxy_srl_4.dll
    2009-06-24 15:09 . 2009-06-24 15:09 207872 ----a-w- c:\documents and settings\User\Application Data\SystemRequirementsLab\SRLProxy_srl_3.dll
    2009-06-24 15:09 . 2009-06-24 15:09 207872 ----a-w- c:\documents and settings\User\Application Data\SystemRequirementsLab\SRLProxy_srl_2.dll
    2009-06-24 15:09 . 2009-06-24 15:09 207872 ----a-w- c:\documents and settings\User\Application Data\SystemRequirementsLab\SRLProxy_srl_1.dll
    2009-06-21 21:21 . 2009-03-17 04:14 -------- d-----w- c:\program files\DivX
    2009-06-16 14:36 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
    2009-06-16 14:36 . 2008-04-14 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-06-16 00:39 . 2009-06-16 00:31 -------- d-----w- c:\documents and settings\User\Application Data\DAEMON Tools Pro
    2009-06-16 00:35 . 2009-06-16 00:35 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
    2009-06-16 00:31 . 2008-11-10 16:55 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
    2009-06-03 19:09 . 2008-04-14 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
    2009-06-02 02:12 . 2009-06-02 01:05 -------- d-----w- c:\documents and settings\User\Application Data\Move Networks
    2009-06-02 01:05 . 2009-06-02 01:05 127903 ----a-w- c:\documents and settings\User\Application Data\Move Networks\uninstall.exe
    2009-06-02 01:05 . 2009-05-27 23:29 4183416 ----a-w- c:\documents and settings\User\Application Data\Move Networks\plugins\npqmp071502000008.dll
    2009-05-27 23:29 . 2009-05-27 23:29 97144 ----a-w- c:\documents and settings\User\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
    2009-05-11 14:52 . 2008-09-27 17:15 11952 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-05-11 14:52 . 2008-09-27 17:15 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2009-05-07 15:32 . 2008-04-14 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
    2009-07-15 20:30 . 2008-09-27 17:37 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
    2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 213936]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
    "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-09-17 1657376]
    "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-09-11 16844800]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-05-11 14:52 11952 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Starcraft\\StarCraft.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP"= 3724:TCP:Blizzard Downloader
    "6112:TCP"= 6112:TCP:Blizzard Downloader

    R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [1/22/2009 7:06 PM 9344]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/27/2008 11:15 AM 335752]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/27/2008 11:15 AM 108552]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/27/2008 11:15 AM 907032]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/27/2008 11:15 AM 298776]
    R2 BsUDF;B.H.A UDF Filesystem;c:\windows\system32\drivers\BsUDF.sys [1/22/2009 7:06 PM 394496]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-07-26 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\3u4ipr5s.default\
    FF - plugin: c:\documents and settings\User\Application Data\Move Networks\plugins\npqmp071502000008.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-07-31 13:04
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(144)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\progra~1\AVG\AVG8\avgnsx.exe
    c:\program files\AVG\AVG8\avgcsrvx.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Windows Live\Messenger\usnsvc.exe
    .
    **************************************************************************
    .
    Completion time: 2009-07-31 13:07 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-07-31 19:07

    Pre-Run: 22,087,692,288 bytes free
    Post-Run: 22,131,175,424 bytes free

    239 --- E O F --- 2009-07-29 09:00


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:10:38 PM, on 7/31/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\AVG\AVG8\avgui.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\User\Desktop\JOEDURR.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 6261 bytes

  5. #15
    Emeritus
    Join Date
    Aug 2007
    Posts
    1,875

    Default

    Step # 1 Update Java

    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

    Please follow these steps to remove older version Java components and update.

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) 6u14.
    • Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    • Remove the following old versions of Java:

    • Java(TM) 6 Update 2

      Java(TM) 6 Update 7

      Java(TM) 6 Update 13


    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java versions.
    • Reboot your computer once all Java components are removed.
    • From your desktop double-click on the download to install the newest version.



    Step # 2 Run CCleaner

    CCleaner will remove everything from the temp/temporary folders but please note that it will not make back ups!

    • Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
    • Then select the items you wish to clean up.
    • In the Windows Tab:
    • Clean all entries in the Internet Explorer section except Cookies
    • Clean all the entries in the Windows Explorer section
    • Clean all entries in the System section
    • Clean all entries in the Advanced section
    • Clean any others that you choose
    • In the Applications Tab:
    • Clean all except cookies in the Firefox/Mozilla section if you use it
    • Clean all in the Opera section if you use it
    • Clean Sun Java in the Internet Section
    • Clean any others that you choose
    • Click the Run Cleaner button.
    • A pop up box will appear advising this process will permanently delete files from your system.
    • Click OK and it will scan and clean your system.
    • Click exit when done.
    • If it asks you to reboot at the end, click NO



    Step # 3 Download and Run Malwarebytes' Anti-Malware

    Please download Malwarebytes' Anti-Malware from Here.

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish,so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.


    Extra Note:

    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


    In your next post/reply, I need to see the following:

    1. MalwareBytes' Log
    2. A fresh HiJackThis Log
    Malware Removal University Master
    Member of ASAP & UNITE

  6. #16
    Member
    Join Date
    Jul 2009
    Posts
    74

    Default

    okay i did as you said

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:24:50 PM, on 8/1/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\User\My Documents\Downloads\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.6.0_07) -
    O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} (Java Plug-in 1.6.0_13) -
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 6541 bytes



    Malwarebytes' Anti-Malware 1.39
    Database version: 2539
    Windows 5.1.2600 Service Pack 3

    8/1/2009 10:44:19 AM
    mbam-log-2009-08-01 (10-44-19).txt

    Scan type: Quick Scan
    Objects scanned: 84272
    Time elapsed: 3 minute(s), 18 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

  7. #17
    Emeritus
    Join Date
    Aug 2007
    Posts
    1,875

    Default

    Step # 1 Update Adobe Acrobat Reader

    There is a newer version of Adobe Acrobat Reader available. (See Note below)

    • First, go to Add/Remove Programs and uninstall all previous versions.
    • Please go to this link Adobe Acrobat Reader Download Link
    • On the right Untick Adobe Phototshop Album Starter Edition if you do not wish to include this in the installation.
    • Click the Continue button
    • Click Run, and click Run again
    • Next click the Install Now button and follow the on screen prompts


    Note: Adobe 9.1.3 is a large program and if you prefer a smaller program you can get Foxit 3.0 instead from http://www.foxitsoftware.com/pdf/rd_intro.php

    If you decide to install Foxit 3.0 instead of Adobe, do the following during Foxit's Setup/Installation process:

    Uncheck the following boxes:

    I accept the License Terms and want to install Foxit Toolbar

    Make Ask.com my default search

    Create desktop, quick launch and start menu icon to eBay



    Step # 2: Remove Hijackthis Entries

    • Run HijackThis
    • Click on the Scan button
    • Put a check beside all of the items listed below (if present):


      O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -

      O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.6.0_07) -

      O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} (Java Plug-in 1.6.0_13) -


    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.




    Step # 3: Run Kaspersky Online Scan

    Please go to Kaspersky website and perform an online antivirus scan.

    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    9. Please post this log in your next reply.



    In your next post/reply, I need to see the following:

    1. Kaspersky Log
    2. A fresh HiJackThis Log
    3. How is your computer doing, any problems?
    Malware Removal University Master
    Member of ASAP & UNITE

  8. #18
    Emeritus
    Join Date
    Aug 2007
    Posts
    1,875

    Default

    Anton_eric? How are things coming along?
    Malware Removal University Master
    Member of ASAP & UNITE

  9. #19
    Emeritus
    Join Date
    Aug 2007
    Posts
    1,875

    Default

    This topic has been archived due to inactivity.

    If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a new HijackThis log with a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

    Applies only to the original poster, anyone else with similar problems please start a new topic.
    Last edited by tashi; 2009-08-11 at 21:32. Reason: Thank you km2357 :)
    Malware Removal University Master
    Member of ASAP & UNITE

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •