
Thread: Virtumonde Infection

  #11 - pskelley (In Memoriam; Join Date: Oct 2005; Location: Clearwater, Florida; Posts: 20,247)

    You do realize this computer was a mess!!
    Please follow these directions:

    Open notepad and copy/paste the text in the codebox below into it:

    Code:
    File::
    c:\winnt\system32\epojobej.ini
    c:\winnt\system32\utiwabon.ini
    c:\winnt\system32\jebojope.dll
    c:\winnt\system32\kerodaru.exe
    Save this as CFScript



    Referring to the picture above, drag CFScript into ComboFix.exe.

    This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  #12 - Junior Member (Join Date: Apr 2009; Posts: 20)

    ComboFix 09-04-23.02 - Frank Leutheuser 04/22/2009 19:04.3 - NTFSx86
    Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.2047.1674 [GMT -5:00]
    Running from: c:\documents and settings\Frank Leutheuser\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Frank Leutheuser\Desktop\CFScript.txt

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    c:\winnt\system32\epojobej.ini
    c:\winnt\system32\jebojope.dll
    c:\winnt\system32\kerodaru.exe
    c:\winnt\system32\utiwabon.ini
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\winnt\system32\kerodaru.exe
    c:\winnt\system32\utiwabon.ini

    .
    ((((((((((((((((((((((((( Files Created from 2009-03-23 to 2009-04-23 )))))))))))))))))))))))))))))))
    .

    2009-04-23 00:04 . 2009-04-23 00:04 16384 ----atw c:\winnt\system32\Perflib_Perfdata_360.dat
    2009-04-22 00:43 . 2009-04-22 12:09 -------- d-----w c:\program files\Mozilla Sunbird
    2009-04-22 00:27 . 2009-04-22 00:27 -------- d-----w c:\program files\Secunia
    2009-04-22 00:17 . 2009-04-22 00:17 -------- d-----w c:\documents and settings\Frank Leutheuser\Application Data\Foxit
    2009-04-22 00:17 . 2009-04-22 00:17 -------- d-----w c:\program files\Foxit Software
    2009-04-20 22:23 . 2009-04-20 22:23 -------- d-----w c:\program files\ERUNT
    2009-04-15 01:44 . 2009-04-20 03:24 -------- d-----w c:\program files\Incomplete
    2009-04-14 00:08 . 2009-04-06 20:32 15504 ----a-w c:\winnt\system32\drivers\mbam.sys
    2009-04-14 00:08 . 2009-04-06 20:32 38496 ----a-w c:\winnt\system32\drivers\mbamswissarmy.sys
    2009-04-03 07:17 . 2009-04-03 07:17 -------- d-----w c:\documents and settings\Frank Leutheuser\Application Data\Sibelius Software
    2009-04-02 07:19 . 2009-04-02 07:19 604 ---ha-w c:\winnt\T4
    2009-04-02 07:19 . 2009-04-02 07:19 604 ---ha-w c:\winnt\system32\T3
    2009-04-02 07:19 . 2009-04-02 07:19 -------- d-----w c:\documents and settings\All Users\Application Data\Sibelius Software
    2009-04-02 07:13 . 2004-02-26 00:19 69632 ----a-w c:\winnt\system32\NI_DFD_1_2_9.dll
    2009-04-02 07:13 . 2009-04-02 07:20 -------- d-----w c:\program files\Native Instruments
    2009-04-02 07:11 . 2009-04-02 07:14 -------- d-----w c:\program files\Sibelius Software
    2009-04-02 04:42 . 2009-04-02 04:42 -------- d-----w C:\PSFONTS
    2009-04-02 04:42 . 2009-04-05 17:14 -------- d-----w c:\program files\Finale SongWriter 2007
    2009-04-01 06:36 . 2009-04-22 22:09 -------- d--h--w C:\$AVG8.VAULT$
    2009-04-01 06:36 . 2008-10-16 20:06 208744 ----a-w c:\winnt\system32\muweb.dll
    2009-04-01 06:23 . 2009-04-01 06:23 10520 ----a-w c:\winnt\system32\avgrsstx.dll
    2009-04-01 06:23 . 2009-04-01 06:23 108552 ----a-w c:\winnt\system32\drivers\avgtdix.sys
    2009-04-01 06:22 . 2009-04-01 06:22 325640 ----a-w c:\winnt\system32\drivers\avgldx86.sys
    2009-04-01 06:22 . 2009-04-22 22:12 -------- d-----w c:\winnt\system32\drivers\Avg
    2009-03-31 04:23 . 2009-04-05 17:15 -------- d-----w c:\program files\Hero Editor
    2009-03-30 23:33 . 2009-04-14 00:33 -------- d-----w c:\program files\Diablo II
    2009-03-30 23:10 . 2009-04-14 01:06 -------- d-----w c:\program files\Diablo
    2009-03-30 16:22 . 2009-03-30 16:22 -------- d-----w c:\program files\7-Zip
    2009-03-24 11:03 . 2009-03-24 11:03 7808 ----a-w c:\winnt\system32\drivers\psi_mf.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-22 22:23 . 2009-02-02 06:08 -------- d---a-w c:\documents and settings\All Users\Application Data\avg8
    2009-04-22 22:08 . 2008-10-01 12:36 -------- d-----w c:\program files\Mozilla Thunderbird
    2009-04-22 00:21 . 2004-09-15 00:11 -------- d---a-w c:\documents and settings\All Users\Application Data\Viewpoint
    2009-04-22 00:21 . 2004-09-15 00:11 -------- d-----w c:\program files\Viewpoint
    2009-04-22 00:20 . 2004-09-20 01:55 -------- d-----w c:\program files\Java
    2009-04-21 22:47 . 2007-04-02 22:49 -------- d-----w c:\program files\StepMania
    2009-04-20 23:09 . 2007-08-06 12:23 -------- d-----w c:\program files\Guild Wars
    2009-04-14 00:39 . 2008-01-02 18:49 -------- d-----w c:\program files\DivX
    2009-04-14 00:34 . 2004-08-11 17:46 -------- d--h--w c:\program files\InstallShield Installation Information
    2009-04-14 00:34 . 2009-02-25 00:14 -------- d-----w c:\program files\StepMania CVS
    2009-04-14 00:08 . 2009-02-02 23:19 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-04-05 17:13 . 2008-11-28 17:53 -------- d-----w c:\documents and settings\Frank Leutheuser\Application Data\BitZipper
    2009-04-02 23:19 . 2004-08-28 22:10 21840 ----atw c:\winnt\system32\SIntfNT.dll
    2009-04-02 23:19 . 2004-08-28 22:10 17212 ----atw c:\winnt\system32\SIntf32.dll
    2009-04-02 23:19 . 2004-08-28 22:10 12067 ----atw c:\winnt\system32\SIntf16.dll
    2009-04-02 07:21 . 2004-11-28 02:13 102064 ----a-w c:\documents and settings\Frank Leutheuser\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-04-02 07:19 . 2009-04-02 07:19 604 ---ha-w c:\program files\STLL Notifier
    2009-03-31 04:23 . 2006-11-05 15:07 249856 ------w c:\winnt\Setup1.exe
    2009-03-31 04:23 . 2006-11-05 15:02 73216 ----a-w c:\winnt\ST6UNST.EXE
    2009-03-30 19:32 . 2008-09-23 11:26 -------- d-----w c:\program files\SystemRequirementsLab
    2009-03-30 19:32 . 2008-09-23 11:26 -------- d-----w c:\documents and settings\Frank Leutheuser\Application Data\SystemRequirementsLab
    2009-03-24 03:08 . 2008-07-01 20:27 34 ----a-w c:\documents and settings\Frank Leutheuser\jagex_runescape_preferences.dat
    2009-03-23 05:17 . 2009-03-19 04:04 -------- d-----w c:\documents and settings\Frank Leutheuser\Application Data\Orbit
    2009-03-19 03:37 . 2007-08-04 22:46 -------- d-----w c:\program files\iTunes
    2009-03-14 03:41 . 2009-03-14 03:41 -------- d-----w c:\program files\Hasbro Interactive
    2009-03-14 03:22 . 2008-12-21 18:27 -------- d-----w c:\program files\Common Files\Blizzard Entertainment
    2009-02-25 05:50 . 2009-02-25 05:50 -------- d-----w c:\documents and settings\Frank Leutheuser\Application Data\NCH Software
    2009-02-25 05:49 . 2009-02-25 05:49 -------- d---a-w c:\documents and settings\All Users\Application Data\NCH Software
    2009-02-25 05:49 . 2009-02-25 05:49 -------- d-----w c:\program files\NCH Software
    2009-02-08 16:16 . 2003-06-20 12:00 1644784 ----a-w c:\winnt\system32\WIN32K.SYS
    2009-01-12 20:46 . 2009-01-12 20:46 56912 ----a-w c:\documents and settings\Frank Leutheuser\g2mdlhlpx.exe
    2004-04-08 13:50 . 2004-04-08 13:50 271 ---h--w c:\program files\desktop.ini
    2004-04-08 13:50 . 2004-04-08 13:50 21952 ---h--w c:\program files\folder.htt
    2003-08-20 11:06 . 2003-08-20 11:06 2512896 ----a-w c:\program files\PTEditor17.msi
    2003-08-20 11:05 . 2003-08-20 11:05 41 ----a-w c:\program files\Setup.Ini
    2002-08-27 18:04 . 2007-12-25 19:01 58871 ----a-w c:\program files\viewsonicinstruct_2k.pdf
    2001-09-25 20:05 . 2001-09-25 20:05 1707856 ----a-w c:\program files\InstMsiA.Exe
    2001-09-11 23:04 . 2001-09-11 23:04 1821008 ----a-w c:\program files\InstMsiW.Exe
    2008-11-21 21:2008-11-21 21:45 45:38 . c:\program files\mozilla firefox\plugins\msvcm80.dll
    2008-11-21 21:2008-11-21 21:45 45:40 . c:\program files\mozilla firefox\plugins\msvcp80.dll
    2008-11-21 21:2008-11-21 21:45 45:40 . c:\program files\mozilla firefox\plugins\msvcr80.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-04-22_00.05.53 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2007-05-29 15:31 . 2009-04-22 00:15 84661 c:\winnt\system32\Macromed\Flash\uninstall_plugin.exe
    + 2009-02-03 02:15 . 2009-02-03 02:15 240544 c:\winnt\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
    + 2009-02-03 02:15 . 2009-02-03 02:15 3771296 c:\winnt\system32\Macromed\Flash\NPSWF32.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Location Finder"="c:\program files\Microsoft Location Finder\LocationFinder.exe" [2005-07-22 101080]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-16 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ezShieldProtector for Px"="c:\winnt\system32\ezSP_Px.exe" [2002-08-20 40960]
    "NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [2003-11-17 3022848]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-04 180269]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-07-28 271672]
    "UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
    "HPDJ Taskbar Utility"="c:\winnt\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-05-07 188416]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-01 1932568]
    "Synchronization Manager"="mobsync.exe" - c:\winnt\system32\mobsync.exe [2003-06-20 111376]

    c:\documents and settings\Frank Leutheuser\Start Menu\Programs\Startup\
    Greetings Workshop Reminders.lnk - c:\program files\Greetings Workshop\GWREMIND.EXE [1996-6-25 40448]
    Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2009-3-24 748840]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-04-01 06:23 10520 ----a-w c:\winnt\system32\avgrsstx.dll

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
    "aux"= mmdrv.dll
    "wave1"= serwvdrv.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\winnt\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=c:\winnt\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BounceBack Launcher.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BounceBack Launcher.lnk
    backup=c:\winnt\pss\BounceBack Launcher.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CAMEDIA Master.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\CAMEDIA Master.lnk
    backup=c:\winnt\pss\CAMEDIA Master.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Forget Me Not.lnk
    backup=c:\winnt\pss\Forget Me Not.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\winnt\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "AOLService"=2 (0x2)
    "AOL ACS"=2 (0x2)

    R3 GPWADrv;Service for L6 GuitarPort Driver (WDM);c:\winnt\system32\Drivers\GPWADrv.sys [2004-10-25 331776]
    R3 PSI;PSI;c:\winnt\system32\DRIVERS\psi_mf.sys [2009-03-24 7808]
    R3 viafilter;VIA USB Filter;c:\winnt\System32\Drivers\viausb.sys [2003-06-18 9038]
    R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winnt\System32\Drivers\avgldx86.sys [2009-04-01 325640]
    S1 AvgTdiX;AVG Free8 Network Redirector;c:\winnt\System32\Drivers\avgtdix.sys [2009-04-01 108552]
    S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-01 298264]
    S2 portD;CMS PortIO Service;c:\winnt\system32\DRIVERS\portd2k.sys [2004-02-23 14976]
    S3 L6DP;L6DP;c:\winnt\system32\Drivers\l6dp.sys [2005-12-10 27392]
    S3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\DRIVERS\usbhub20.sys [2003-06-19 49776]

    .
    Contents of the 'Scheduled Tasks' folder

    2009-04-19 c:\winnt\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 20:57]
    .
    .
    ------- Supplementary Scan -------
    .
    mSearch Bar =
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    LSP: %SystemRoot%\system32\msafd.dll
    FF - ProfilePath - c:\documents and settings\Frank Leutheuser\Application Data\Mozilla\Firefox\Profiles\r9mw7ztk.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-22 19:07
    Windows 5.0.2195 Service Pack 4 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\winnt\system32\Perflib_Perfdata_300.dat 16384 bytes


    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(208)
    c:\winnt\system32\wzcdlg.dll
    c:\winnt\system32\WZCSAPI.DLL
    .
    Completion time: 2009-04-23 19:10
    ComboFix-quarantined-files.txt 2009-04-23 00:08
    ComboFix2.txt 2009-04-22 22:33
    ComboFix3.txt 2009-04-22 00:12

    Pre-Run: 38,767,722,496 bytes free
    Post-Run: 38,760,116,224 bytes free

    194 --- E O F --- 2009-04-01 09:03
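
A worked check for the exchange above, added here as an example; it is not part of either post and is not ComboFix's own code. The script parses a trimmed copy of the ComboFix log from post #12 (a constructed sample whose lines are copied from the page), compares the FILE:: list handed to ComboFix with the "Other Deletions" section to show which of the four requested files were actually removed, and flags system32 filenames that fit the naming pattern of the four files in the CFScript (eight lowercase letters strictly alternating consonant and vowel). That pattern is a heuristic assumed from those four names, not a documented rule.

```python
import re

# Constructed sample: a trimmed copy of the ComboFix log posted in this thread,
# keeping only the sections the checks below read.
SAMPLE_LOG = """\
ComboFix 09-04-23.02 - Frank Leutheuser 04/22/2009 19:04.3 - NTFSx86
Command switches used :: c:\\documents and settings\\Frank Leutheuser\\Desktop\\CFScript.txt

FILE ::
c:\\winnt\\system32\\epojobej.ini
c:\\winnt\\system32\\jebojope.dll
c:\\winnt\\system32\\kerodaru.exe
c:\\winnt\\system32\\utiwabon.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\\winnt\\system32\\kerodaru.exe
c:\\winnt\\system32\\utiwabon.ini

.
((((((((((((((((((((((((( Files Created from 2009-03-23 to 2009-04-23 )))))))))))))))))))))))))))))))
.

2009-04-23 00:04 . 2009-04-23 00:04 16384 ----atw c:\\winnt\\system32\\Perflib_Perfdata_360.dat
2009-04-22 00:27 . 2009-04-22 00:27 -------- d-----w c:\\program files\\Secunia
2009-04-14 00:08 . 2009-04-06 20:32 15504 ----a-w c:\\winnt\\system32\\drivers\\mbam.sys
2009-04-01 06:23 . 2009-04-01 06:23 10520 ----a-w c:\\winnt\\system32\\avgrsstx.dll
.

((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
"""

SECTION_HEADER = re.compile(r"^\({3,}\s*(.*?)\s*\){3,}$")
FILE_HEADER = re.compile(r"^FILE\s*::$")
# "first-seen . last-modified size attrs path"; directories carry "--------" as size
CREATED_LINE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d (\S+) (\S+) (.+)$"
)
# Heuristic assumed from the four names in this thread (epojobej, jebojope,
# kerodaru, utiwabon): eight lowercase letters alternating consonant/vowel.
GENERATED_NAME = re.compile(
    r"^(?:(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}|(?:[aeiou][bcdfghjklmnpqrstvwxyz]){4})"
    r"\.(?:dll|exe|ini)$"
)


def parse_sections(text):
    """Split a ComboFix log into {section title: [content lines]}."""
    sections, current = {}, "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix uses lone dots as spacers
            continue
        m = SECTION_HEADER.match(line)
        if m:
            current = m.group(1)
        elif FILE_HEADER.match(line):
            current = "FILE"                 # the echoed CFScript FILE:: list
        else:
            sections.setdefault(current, []).append(line)
    return sections


def find_section(sections, prefix):
    """Return the lines of the first section whose title starts with prefix."""
    for title, lines in sections.items():
        if title.lower().startswith(prefix.lower()):
            return lines
    return []


def verify_deletions(sections):
    """Compare the CFScript FILE:: list with what ComboFix reports as deleted."""
    requested = sections.get("FILE", [])
    deleted = {p.lower() for p in find_section(sections, "Other Deletions")}
    done = [p for p in requested if p.lower() in deleted]
    missing = [p for p in requested if p.lower() not in deleted]
    return done, missing


def created_files(sections):
    """(path, size) tuples from 'Files Created'; directories get size None."""
    out = []
    for line in find_section(sections, "Files Created"):
        m = CREATED_LINE.match(line)
        if m:
            size, _attrs, path = m.groups()
            out.append((path, None if size.startswith("-") else int(size)))
    return out


def suspicious_paths(sections):
    """system32 files (requested or newly created) whose names fit the heuristic."""
    candidates = list(sections.get("FILE", [])) + [p for p, _ in created_files(sections)]
    flagged = {
        p for p in candidates
        if "\\system32\\" in p.lower()
        and GENERATED_NAME.match(p.rsplit("\\", 1)[-1].lower())
    }
    return sorted(flagged)


if __name__ == "__main__":
    secs = parse_sections(SAMPLE_LOG)
    done, missing = verify_deletions(secs)
    print("deleted:", done)
    print("not found at run time (check by hand):", missing)
    print("names worth a second look:", suspicious_paths(secs))
```

Run as written, it reports that only kerodaru.exe and utiwabon.ini appear under Other Deletions, so epojobej.ini and jebojope.dll were not at that path when ComboFix ran and deserve a manual check rather than the assumption that they were cleaned. The name heuristic is for review only: it matches the four Vundo-style names and not avgrsstx.dll in the same directory, but any such pattern will produce false positives on other machines, which is why the script lists candidates instead of deleting anything.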

  #13 - pskelley (In Memoriam; Join Date: Oct 2005; Location: Clearwater, Florida; Posts: 20,247)

    Post a new HJT log and tell me how the computer is running. Any malware issues?

    Thanks

  #14 - Junior Member (Join Date: Apr 2009; Posts: 20)

    The computer is running well; none as far as I know!
    I also downloaded Spybot Search & Destroy to prevent future problems. Everything seems to be running well!

    Thank you so much for all of your help!

    HJT Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:01:26 AM, on 4/23/2009
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\hidserv.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\ezSP_Px.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\WINNT\system32\wuauclt.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Thunderbird\thunderbird.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINNT\system32\ezSP_Px.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
    O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINNT\SYSTEM32\avgrsstx.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

    --
    End of file - 5479 bytes
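
An added example (mine, not HijackThis code and not the poster's): a small parser over lines copied from the HJT log in post #14 (a constructed sample) that pulls out the two things a reviewer would still want to act on in a log otherwise called clean. First, an O23 service whose binary HijackThis reports as "(file missing)", here the leftover McAfee MCVSRte registration. Second, O4 Run values whose command is a bare executable name rather than a full path; Windows resolves such a value through a search-path lookup at logon, so a file of the same name planted earlier in the search order would run instead (the ComboFix log above shows "mobsync.exe" being resolved to c:\winnt\system32\mobsync.exe).

```python
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_HJT = """\
O4 - HKLM\\..\\Run: [ezShieldProtector for Px] C:\\WINNT\\system32\\ezSP_Px.exe
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\\..\\Run: [TkBellExe] "C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe" -osboot
O4 - HKCU\\..\\Run: [swg] C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe
O20 - Winlogon Notify: avgrsstarter - C:\\WINNT\\SYSTEM32\\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\\PROGRA~1\\AVG\\AVG8\\avgwdsvc.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\\PROGRA~1\\mcafee.com\\vso\\mcvsrte.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINNT\\system32\\nvsvc32.exe
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")                       # "O4 - ...", "O23 - ..."
RUN_ENTRY = re.compile(r"^(HK\w+)\\\.\.\\Run: \[(.*?)\] (.*)$")   # hive, value name, command
# display name, optional (key name), owner, binary path
SERVICE_ENTRY = re.compile(r"^Service: (.*?)(?: \((.*?)\))? - (.*?) - (.*)$")
FULL_PATH = re.compile(r"^[A-Za-z]:\\")
MISSING = "(file missing)"


def parse_hjt(text):
    """Return (code, body) for every HijackThis entry line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def orphaned_services(entries):
    """O23 services whose binary HijackThis could not find on disk."""
    out = []
    for code, body in entries:
        if code != "O23":
            continue
        m = SERVICE_ENTRY.match(body)
        if m and m.group(4).endswith(MISSING):
            name, key, owner, path = m.groups()
            out.append({
                "name": name,
                "key": key or name,          # the service key name, used to remove it
                "owner": owner,
                "path": path[: -len(MISSING)].strip(),
            })
    return out


def unqualified_run_entries(entries):
    """O4 Run values whose command does not begin with a drive-qualified path."""
    out = []
    for code, body in entries:
        if code != "O4":
            continue
        m = RUN_ENTRY.match(body)
        if not m:
            continue                          # Startup-folder O4 lines have no Run: part
        hive, name, command = m.groups()
        tokens = command.split()
        first = tokens[0].strip('"') if tokens else ""
        if not FULL_PATH.match(first):
            out.append((hive, name, command))
    return out


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_HJT)
    for svc in orphaned_services(entries):
        print("orphaned service:", svc["key"], "->", svc["path"])
    for hive, name, command in unqualified_run_entries(entries):
        print("search-path Run value:", hive, name, "->", command)
```

The orphaned-service result gives the service key name (MCVSRte) to remove once the missing binary is confirmed gone; a service registration pointing at a non-existent file does nothing by itself, but it is a ready-made autostart slot for anything that later recreates that file. The NvCplDaemon rundll32 value is the stock NVIDIA entry and is flagged only because it, too, relies on the search path; the point of the list is that each such entry has to be vouched for by hand.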

  #15 - pskelley (In Memoriam; Join Date: Oct 2005; Location: Clearwater, Florida; Posts: 20,247)

    Thanks for the feedback. The HJT log looks clean of malware; let's proceed like this.

    Spybot S&D information to help:
    http://www.safer-networking.org/en/faq/index.html
    http://www.safer-networking.org/en/tutorial/index.html

    AVG information:
    FAQ: http://www.avg.com/faq
    AVG Free Forum: http://freeforum.avg.com/

    Remove combofix from the computer like this:

    Click START then RUN
    Now type or copy Combofix /u into the run box and click OK.
    Note the space between the X and the U; it needs to be there.



    Update MBAM and scan to be sure we missed none of the junk; there is no need to post a clean scan result.
    (MBAM is yours to keep if you wish, keep it updated and run it once a month or so)

    Update AVG 8 and scan the system, to be sure it is running right and scanning clean.

    If all is well at this point, let me know and I will close the topic.

    (not all of the information will apply to Win2000)

    Here is some great information from experts in this field that will help you stay clean and safe online.
    http://users.telenet.be/bluepatchy/m...revention.html
    http://forums.spybot.info/showthread.php?t=279
    http://russelltexas.com/malware/allclear.htm
    http://forum.malwareremoval.com/viewtopic.php?t=14
    http://www.bleepingcomputer.com/forums/topict2520.html
    http://cybercoyote.org/security/not-admin.shtml

    http://www.malwarecomplaints.info/

    Thanks...pskelley
    Safer Networking Forums
    http://www.spybot.info/en/donate/index.html
    If you are reading this information...thank a teacher,
    If you are reading it in English...thank a soldier.

    http://users.telenet.be/bluepatchy/m...oes/Links.html
    http://www.microsoft.com/windows/ie/...rotection.mspx
    Improve the safety of your browsing and e-mail activities
    http://www.microsoft.com/protect/com.../browsing.mspx

  #16 - Junior Member (Join Date: Apr 2009; Posts: 20)

    Alright, scans looked good! The only thing found was some tracking cookies on Firefox in AVG.

    Thank you so much for all of your help! Very, very appreciated!

  #17 - pskelley (In Memoriam; Join Date: Oct 2005; Location: Clearwater, Florida; Posts: 20,247)

    Thanks for taking the time to let me know. Safe surfing.

    http://www.mistywindow.com/security/...ie-control.htm
