Command & Virtu...

C

CaveatEmpty

New member
Greetings all ~ it's been quite some while since last having to request assistance .. my, how things have changed!

Several passes of AVG and S&D have reduced the number of those annoying "Recommended..Reboot?" startup-scan popups from 57 to only 3 (still takes an hour to scan&boot), so I'd expect we're down to the nitty-gritty...
Still on the YUCK-list: Command Service, a touch of Fraud.AntiMalewares, and the real bugger - Virtumonde (which during the first few scans would throw an "out of memory" error, and crash the whole works)...

So, having grabbed fresh copies of HJT, Malwarebytes, ComboFix, RSIT, & the Recovery thingy -- (in breathless anticipation -- Ha!) & am poised to dump TeaTimer .. let's rock-n-roll !!

= = = = = = = = = = = = = = = = = = = = = = = = = = =
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:43:10 PM, on 11/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Utils\AVG\avgamsvr.exe
C:\Utils\AVG\avgupsvc.exe
C:\Utils\AVG\avgemc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Utils\AVG\avgcc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Utils\Spybot-S&D\TeaTimer.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\WINDOWS\System32\svchost.exe
C:\Utils\HiJackThis\CaveatEmpty-hjt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.hp.com/servlet/WebR...1100HC&application=305&modelID=PU026AV&LF=red
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\pmnkljg.dll
O2 - BHO: (no name) - {3FD7931A-58A2-050E-DF32-5DC0035787B9} - C:\WINDOWS\system32\ibets.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Utils\Spybot-S&D\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\Utils\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Utils\Spybot-S&D\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Utils\Spybot-S&D\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\Utils\AVG\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\Utils\AVG\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\Utils\AVG\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\Utils\AVG\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Utils\Spybot-S&D\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Utils\Spybot-S&D\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase5059.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131028158734
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159656446812

O20 - Winlogon Notify: pmnkljg - C:\WINDOWS\SYSTEM32\pmnkljg.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Utils\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Utils\AVG\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Utils\AVG\avgemc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 5343 bytes
= = = = = = = = = = = = = = = = = = = = = = = = = = =
 
Hi

Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
  • Run Spybot-S&D in Advanced Mode
  • If it is not already set to do this, go to the Mode menu
    select
    Advanced Mode
  • On the left hand side, click on Tools
  • Then click on the Resident icon in the list
  • Uncheck
    Resident TeaTimer
     and OK any prompts.
  • Restart your computer

Download ResetTeaTimer.bat to the Desktop
http://downloads.subratam.org/ResetTeaTimer.bat
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer (and preventing TeaTimer to restore them upon reactivation).


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
 
Hi Blade81 -- & thanks;

* I 'discovered' that Recovery Console was pre-existing on the sick machine, but re-installed anyway (on the assumption that there might be a 'new' version).
Didn't see the "successfully installed" message -- ComboFix went directly to 'disinfection' mode -- Mentioned only because the instructions appeared to say 'turn off (AVG) at that point'... There didn't appear to have any ill effect though.

Question: that PC was shipped with Norton/Symantic .. long expired (in favor of AVG); efforts to uninstall seem to have left some remnants behind. I'd welcome suggestions for total erradication.

Now -- back to business & the logs: (next post)
 
ComboFix 08-11-30.01 - Compaq_Owner 2008-12-07 11:50:48.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.23 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\salesmonitor
c:\documents and settings\All Users\Application Data\WinAntiSpyware 2007
c:\documents and settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr
c:\documents and settings\All Users\Application Data\WinAntiSpyware 2007\Data\ProductCode
c:\documents and settings\Compaq_Owner\Application Data\FNTS~1
c:\documents and settings\Compaq_Owner\My Documents\RACLE~1
c:\program files\Common Files\ecurit~1
c:\program files\Common Files\ecurit~1\w?wexec.exe
c:\program files\Common Files\stem~1
c:\program files\ssembl~1
c:\temp\tmp1.tmp
c:\windows\BMdb141a10.txt
c:\windows\BMdb141a10.xml
c:\windows\cookies.ini
c:\windows\IA
c:\windows\IA\KE.vbs
c:\windows\icroso~1.net
c:\windows\icroso~1.net\?icrosoft.NET\
c:\windows\IE4 Error Log.txt
c:\windows\system32\afryxaqp.ini
c:\windows\system32\alhmpo.dll
c:\windows\system32\b02FdUe
c:\windows\system32\bcbeg.bak1
c:\windows\system32\bcbeg.bak2
c:\windows\system32\bcbeg.ini
c:\windows\system32\bcbeg.ini2
c:\windows\system32\bcbeg.tmp
c:\windows\system32\curity~1
c:\windows\system32\cusgyiee.ini
c:\windows\system32\dnmmwebo.dll
c:\windows\system32\dpvjwibq.ini
c:\windows\system32\ercujobs.ini
c:\windows\system32\ewkrmofr.ini
c:\windows\system32\f10WtR
c:\windows\system32\ftvoybhj.ini
c:\windows\system32\ghnvcgdk.ini
c:\windows\system32\gjkkj.ini
c:\windows\system32\gjkkj.ini2
c:\windows\system32\gnjubirc.ini
c:\windows\system32\hnhtqpis.ini
c:\windows\system32\hoafcgxt.ini
c:\windows\system32\ibets.dll
c:\windows\system32\iotprkvk.ini
c:\windows\system32\iuocrswy.dll
c:\windows\system32\jkkjg.dll
c:\windows\system32\lowrexnp.ini
c:\windows\system32\lqcrfynh.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\mcykhlte.ini
c:\windows\system32\mlcohqpv.ini
c:\windows\system32\mwlrwcaa.ini
c:\windows\system32\ogwebcay.ini
c:\windows\system32\pmnkljg.dll
c:\windows\system32\rtgseffi.ini
c:\windows\system32\scurit~1
c:\windows\system32\win
c:\windows\system32\winnb58.dll
c:\windows\system32\wrpnappl.ini
c:\windows\system32\wtsisvit.exe
c:\windows\system32\wyeiodst.ini
c:\windows\system32\X1
c:\windows\system32\X1\kmhp83122.exe
c:\windows\system32\X11
c:\windows\system32\X3
c:\windows\system32\X7
c:\windows\system32\X9
c:\windows\system32\ywsrcoui.ini
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_DOMAINSERVICE
-------\Legacy_FOPN
-------\Legacy_NETWORK_MONITOR
-------\Service_cmdService


((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-07 12:03 . 2004-10-21 06:49 24,613 --a------ c:\temp\IadHide5.dll
2008-12-07 12:02 . 2008-12-07 12:02 53,248 --a------ c:\temp\catchme.dll
2008-12-07 11:10 . 2008-12-07 12:02 <DIR> d-------- c:\temp\Adrm
2008-11-30 23:07 . 2008-11-30 23:10 <DIR> d-------- c:\documents and settings\Compaq_Owner\SecurityScans
2008-11-30 23:06 . 2008-11-30 23:06 <DIR> d-------- c:\windows\Microsoft Baseline Security Analyzer 2
2008-11-30 21:44 . 2008-11-30 21:44 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\Auslogics
2008-11-30 17:29 . 2008-11-30 21:53 <DIR> d-------- C:\rsit
2008-11-30 17:29 . 2008-11-30 17:29 <DIR> d-------- c:\program files\trend micro
2008-11-30 17:03 . 2008-11-30 17:03 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-11-30 16:51 . 2008-11-30 16:50 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-30 16:51 . 2008-11-30 16:50 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-30 15:50 . 2008-12-07 11:15 <DIR> dr-h----- C:\$VAULT$.AVG
2008-11-30 15:05 . 2008-12-07 11:08 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\AVG7
2008-11-30 15:04 . 2008-11-30 15:04 <DIR> d-------- c:\documents and settings\LocalService\Application Data\AVG7
2008-11-30 15:03 . 2008-11-30 15:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Grisoft
2008-11-30 15:03 . 2008-12-07 11:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg7

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-30 22:01 --------- d-----w c:\program files\Common Files\Adobe
2008-11-30 21:53 --------- d-----w c:\program files\Java
2008-11-30 21:03 --------- d-----w c:\program files\Common Files\Symantec Shared
2007-07-30 16:17 558 ----a-w c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat
2005-03-31 02:44 0 --sha-w c:\windows\SMINST\HPCD.sys
2006-05-03 10:06 163,328 --sha-r c:\windows\system32\flvDX.dll
2007-02-21 11:47 31,232 --sha-r c:\windows\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 253,952 2004-10-15 04:54:32 c:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe

----a-w 61,440 2003-02-12 03:02:48 c:\hp\KBD\bak\KBD.EXE

----a-w 180,269 2004-10-21 11:15:36 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 110,592 2003-08-19 15:01:00 c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe

----a-w 58,488 2004-08-14 03:17:38 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe

----a-w 124,096 2003-11-05 01:36:00 c:\program files\Common Files\Symantec Shared\bak\cfgwiz.exe

----a-w 98,304 2004-10-21 11:36:23 c:\program files\QuickTime\bak\qttask.exe

----a-w 233,472 2004-04-15 03:43:46 c:\windows\SMINST\bak\RECGUARD.EXE

----a-w 52,736 1998-05-07 23:04:38 c:\windows\system\bak\hpsysdrv.exe

----a-w 15,360 2004-08-04 12:00:00 c:\windows\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 12:00:00 c:\windows\system32\ctfmon.exe

----a-w 118,784 2004-08-21 05:51:14 c:\windows\system32\bak\hkcmd.exe

----a-w 155,648 2004-08-21 05:55:14 c:\windows\system32\bak\igfxtray.exe

----a-w 98,304 2003-09-13 03:13:20 c:\windows\system32\bak\ps2.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [N/A]
"PS2"="c:\windows\system32\ps2.exe" [N/A]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [N/A]
"AVG7_CC"="c:\utils\AVG\avgcc.exe" [2008-12-07 590848]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-30 136600]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-29 c:\windows\ALCWZRD.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 c:\windows\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\utils\AVG\avgw.exe" [2008-11-30 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\6750491\Program\Compaq Connections.exe [2004-10-21 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=alhmpo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"iTunesHelper"=c:\program files\iTunes\iTunesHelper.exe
"IgfxTray"=c:\windows\system32\igfxtray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Utils\\AVG\\avginet.exe"=
"c:\\Utils\\AVG\\avgamsvr.exe"=
"c:\\Utils\\AVG\\avgcc.exe"=
"c:\\Utils\\AVG\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)

.
Contents of the 'Scheduled Tasks' folder

2005-04-07 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe []

2008-11-30 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\utils\Spybot-S&D\SDUpdate.exe [2008-08-14 12:39]
.
- - - - ORPHANS REMOVED - - - -

BHO-{166494a7-c24f-4426-9264-4ebf396aeabb} - c:\windows\system32\alhmpo.dll
BHO-{3FD7931A-58A2-050E-DF32-5DC0035787B9} - c:\windows\system32\ibets.dll
BHO-{D95F7365-D6EB-403D-9DD3-F04F2436BF04} - c:\windows\system32\jkkjg.dll
Notify-WgaLogon - (no file)



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 12:02:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\utils\AVG\avgamsvr.exe
c:\utils\AVG\avgupsvc.exe
c:\utils\AVG\avgemc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-12-07 12:07:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-07 17:07:06

Pre-Run: 53,674,037,248 bytes free
Post-Run: 53,585,235,968 bytes free
211

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:08 PM, on 12/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Utils\AVG\avgamsvr.exe
C:\Utils\AVG\avgupsvc.exe
C:\Utils\AVG\avgemc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Utils\AVG\avgcc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\WINDOWS\explorer.exe
C:\Utils\HiJackThis\CaveatEmpty-hjt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.hp.com/servlet/WebR...1100HC&application=305&modelID=PU026AV&LF=red
O2 - BHO: (no name) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Utils\Spybot-S&D\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\Utils\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\Utils\AVG\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\Utils\AVG\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Utils\Spybot-S&D\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Utils\Spybot-S&D\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase5059.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131028158734
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159656446812
O20 - AppInit_DLLs: alhmpo.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Utils\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Utils\AVG\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Utils\AVG\avgemc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4762 bytes
 
Hi

Start hjt, do a system scan, check (if found):
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - (no file)
O2 - BHO: (no name) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)
O20 - AppInit_DLLs: alhmpo.dll

Close browsers and fix checked.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report & a fresh hjt log.
 
Interum update:
following the last log post, S&D played *lots* nicer ~ complained about a single (1) tracking cookie, from a known site; no worries there.

Per your above, the about:blank were dumped, which immediately put MSN back in control of the IE startup screen ~ damn annoying; Is there any prohibition to knocking those R1 Defaults to the dumpster?

FYI: Kaspersky- the scan opened in a fixed-size window, with no scroll-bars; the 'Settings' button is obscured (if not for the screenshot, I wouldn't have known to look for it). I trust the check-boxes are defaults.
KAS ran for about 10mins & 4500 files, then threw an 'error on page' & locked up: I rebooted & repeated the instructions .. currently @ 34mins & 2% -- FWIW - this is a 1TB+ machine, so it's gonna be a l-o-n-g night :red:

/.
 
Is there any prohibition to knocking those R1 Defaults to the dumpster?
Click to expand...
Hi

You may restore those about:blank entries back if you want:
Click "View the list of backups". Backups can also be accessed thorugh the "config" menu from inside the program interface. Checkmark the entries needed to be restored (those two entries). Click "Restore" and then click "Yes" in the confirmation dialogue to restore the item.

I'll wait for Kaspersky report & a fresh hjt log :)
 
:oops: Not much love from Kaspersky ... stalled again overnite at 3%; it had 'found' 7 names & 8 files (or the other way 'round), but wouldn't show the log.

I did get it to finish in 'Critical' mode (2 items) -- but I'm not convinced:

----------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, December 8, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, December 08, 2008 02:49:44
Records in database: 1443282
----------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics:
Files scanned: 32981
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 01:28:09

File name / Threat name / Threats count
C:\Program Files\Online Services\AOL90US\comps\toolbar\toolbr.EXE Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
C:\Program Files\Windows Media Player\prolyhd.html
Infected: Trojan-Clicker.HTML.IFrame.dn 1

The selected area was scanned.
----------------------------------------------------------------------

I dumped the whole "Online Services" directory -- bunch of 'signup' trash.
the WMP item had what looked to be a web-bug call -- also now gone.

I 'adjusted' those R0/R1 entries, then took another run with S&D -- came up clean.
Here's a RSIT log -- seems to be a bit more comprehensive:
----------------------------------------------------------------------
Logfile of random's system information tool 1.04 (written by random/random)
Run by Compaq_Owner at 2008-12-08 13:14:10
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 51 GB (74%) free of 69 GB
Total RAM: 191 MB (47% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:14:47 PM, on 12/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Utils\AVG\avgcc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Utils\AVG\avgamsvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Utils\AVG\avgupsvc.exe
C:\Utils\AVG\avgemc.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Compaq_Owner\Desktop\RSIT.exe
C:\Program Files\trend micro\Compaq_Owner.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.hp.com/servlet/WebR...1100HC&application=305&modelID=PU026AV&LF=red
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Utils\Spybot-S&D\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\Utils\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\Utils\AVG\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\Utils\AVG\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Utils\Spybot-S&D\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Utils\Spybot-S&D\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase5059.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131028158734
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159656446812
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Utils\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Utils\AVG\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Utils\AVG\avgemc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4173 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Spybot - Search & Destroy Updater - Scheduled Task.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\Utils\Spybot-S&D\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java(tm) Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-11-30 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-11-30 34816]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE []
"PS2"=C:\WINDOWS\system32\ps2.exe []
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe []
"AlcWzrd"=C:\WINDOWS\ALCWZRD.EXE [2004-07-29 2551808]
"AGRSMMSG"=C:\WINDOWS\AGRSMMSG.exe [2004-06-29 88363]
"AVG7_CC"=C:\Utils\AVG\avgcc.exe [2008-12-07 590848]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-11-30 136600]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Compaq Connections.lnk - C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2004-08-04 239616]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDrives"=0
"NoDriveAutoRun"=67108863

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"NoDrives"=
"NoDriveAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe"="C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe:*:Disabled:BackWeb for Presario"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Disabled:iTunes"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Utils\AVG\avginet.exe"="C:\Utils\AVG\avginet.exe:*:Enabled:avginet.exe"
"C:\Utils\AVG\avgamsvr.exe"="C:\Utils\AVG\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\Utils\AVG\avgcc.exe"="C:\Utils\AVG\avgcc.exe:*:Enabled:avgcc.exe"
"C:\Utils\AVG\avgemc.exe"="C:\Utils\AVG\avgemc.exe:*:Enabled:avgemc.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%ProgramFiles%\iTunes\iTunes.exe"="%ProgramFiles%\iTunes\iTunes.exe:*:enabled:iTunes"

======List of files/folders created in the last 1 months======

2008-12-08 11:41:29 ----SHD---- C:\RECYCLER
2008-12-08 08:24:45 ----A---- C:\ComboFix.txt
2008-12-07 11:49:04 ----A---- C:\WINDOWS\zip.exe
2008-12-07 11:49:04 ----A---- C:\WINDOWS\VFIND.exe
2008-12-07 11:49:04 ----A---- C:\WINDOWS\SWXCACLS.exe
2008-12-07 11:49:04 ----A---- C:\WINDOWS\SWSC.exe
2008-12-07 11:49:04 ----A---- C:\WINDOWS\SWREG.exe
2008-12-07 11:49:04 ----A---- C:\WINDOWS\sed.exe
2008-12-07 11:49:04 ----A---- C:\WINDOWS\NIRCMD.exe
2008-12-07 11:49:04 ----A---- C:\WINDOWS\grep.exe
2008-12-07 11:49:04 ----A---- C:\WINDOWS\fdsv.exe
2008-12-07 11:48:50 ----D---- C:\WINDOWS\ERDNT
2008-12-07 11:48:50 ----D---- C:\Qoobox
2008-12-07 11:08:32 ----A---- C:\WINDOWS\system32\d304edf2-.txt
2008-11-30 23:16:22 ----HDC---- C:\WINDOWS\$NtUninstallKB927891$
2008-11-30 23:06:54 ----D---- C:\WINDOWS\Microsoft Baseline Security Analyzer 2
2008-11-30 21:44:26 ----D---- C:\Documents and Settings\Compaq_Owner\Application Data\Auslogics
2008-11-30 17:29:26 ----D---- C:\Program Files\trend micro
2008-11-30 17:29:21 ----D---- C:\rsit
2008-11-30 17:03:46 ----D---- C:\Program Files\Common Files\Adobe AIR
2008-11-30 17:01:14 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2008-11-30 16:51:12 ----A---- C:\WINDOWS\system32\javaws.exe
2008-11-30 16:51:12 ----A---- C:\WINDOWS\system32\deploytk.dll
2008-11-30 16:51:11 ----A---- C:\WINDOWS\system32\javaw.exe
2008-11-30 16:51:10 ----A---- C:\WINDOWS\system32\java.exe
2008-11-30 15:50:49 ----RHD---- C:\$VAULT$.AVG
2008-11-30 15:05:21 ----D---- C:\Documents and Settings\Compaq_Owner\Application Data\AVG7
2008-11-30 15:03:46 ----D---- C:\Program Files\Grisoft
2008-11-30 15:03:46 ----D---- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-11-30 15:03:46 ----D---- C:\Documents and Settings\All Users\Application Data\avg7

======List of files/folders modified in the last 1 months======

2008-12-08 13:14:23 ----D---- C:\temp
2008-12-08 13:13:58 ----D---- C:\WINDOWS\Prefetch
2008-12-08 13:02:19 ----D---- C:\Program Files\Windows Media Player
2008-12-08 12:57:57 ----AD---- C:\Program Files
2008-12-08 12:01:29 ----D---- C:\WINDOWS\temp
2008-12-08 11:59:35 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-08 11:53:12 ----AD---- C:\Program Files\Common Files
2008-12-08 11:51:58 ----SHD---- C:\WINDOWS\Installer
2008-12-08 08:29:22 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-08 08:24:54 ----D---- C:\WINDOWS\system32
2008-12-08 08:24:52 ----D---- C:\WINDOWS
2008-12-08 08:22:25 ----A---- C:\WINDOWS\system.ini
2008-12-08 08:21:09 ----D---- C:\WINDOWS\system32\drivers
2008-12-08 08:21:08 ----D---- C:\WINDOWS\AppPatch
2008-12-07 15:19:23 ----A---- C:\WINDOWS\winzip32.ini
2008-12-07 15:19:23 ----A---- C:\WINDOWS\win.ini
2008-12-07 12:47:20 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-12-07 12:15:51 ----HD---- C:\WINDOWS\inf
2008-12-07 12:15:51 ----D---- C:\WINDOWS\Help
2008-12-07 11:59:09 ----D---- C:\WINDOWS\system32\config
2008-11-30 23:15:56 ----HD---- C:\WINDOWS\$hf_mig$
2008-11-30 23:04:26 ----D---- C:\WindowsUpdates
2008-11-30 21:50:33 ----D---- C:\Utils
2008-11-30 21:41:31 ----D---- C:\Program_Installs
2008-11-30 17:17:04 ----SD---- C:\WINDOWS\Tasks
2008-11-30 17:11:56 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-11-30 17:04:24 ----D---- C:\Program Files\Adobe
2008-11-30 17:03:40 ----D---- C:\Documents and Settings\Compaq_Owner\Application Data\Adobe
2008-11-30 17:01:27 ----D---- C:\Program Files\Common Files\Adobe
2008-11-30 17:01:19 ----D---- C:\WINDOWS\WinSxS
2008-11-30 16:53:21 ----D---- C:\Program Files\Java
2008-11-30 15:01:32 ----D---- C:\WINDOWS\system
2008-11-30 12:48:09 ----A---- C:\WINDOWS\wininit.ini
2008-11-30 10:51:29 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\system32\DRIVERS\amdk7.sys [2004-08-04 37376]
R1 Avg7Core;AVG7 Kernel; C:\WINDOWS\System32\Drivers\avg7core.sys [2008-11-30 821856]
R1 Avg7RsW;AVG7 Wrap Driver; C:\WINDOWS\System32\Drivers\avg7rsw.sys [2008-11-30 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP; C:\WINDOWS\System32\Drivers\avg7rsxp.sys [2008-11-30 27776]
R1 AvgClean;AVG7 Clean Driver; C:\WINDOWS\System32\Drivers\avgclean.sys [2008-11-30 10760]
R1 SiSkp;SiSkp; C:\WINDOWS\system32\DRIVERS\srvkp.sys [2004-09-24 12928]
R2 AvgTdi;AVG Network Redirector; C:\WINDOWS\System32\Drivers\avgtdi.sys [2008-11-30 4960]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2004-06-29 1268204]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-10-01 2279424]
R3 FETND5BV;VIA Rhine-Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2005-12-27 42496]
R3 GEARAspiWDM;GEAR CDRom Filter; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2004-04-06 13872]
R3 Ps2;PS2; C:\WINDOWS\system32\DRIVERS\PS2.sys [2002-07-30 23808]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R3 viagfx;viagfx; C:\WINDOWS\system32\DRIVERS\vtmini.sys [2005-03-08 172544]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 FETNDISB;VIA Rhine Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\fetnd5b.sys [2003-11-12 41984]
S3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2004-04-27 135168]
S3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2004-08-21 737874]
S3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2004-07-29 2216128]
S3 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 rtl8139;Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver; C:\WINDOWS\system32\DRIVERS\R8139n51.SYS [2002-10-04 46976]
S3 SiS315;SiS315; C:\WINDOWS\system32\DRIVERS\sisgrp.sys [2004-09-30 229888]
S3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2004-08-11 18944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2004-08-04 5504]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Avg7Alrt;AVG7 Alert Manager Server; C:\Utils\AVG\avgamsvr.exe [2008-11-30 418816]
R2 Avg7UpdSvc;AVG7 Update Service; C:\Utils\AVG\avgupsvc.exe [2008-11-30 49664]
R2 AVGEMS;AVG E-mail Scanner; C:\Utils\AVG\avgemc.exe [2008-11-30 406528]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-11-30 152984]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2003-02-21 32768]
S3 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2004-08-04 267776]
S3 iPodService;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2004-06-04 401408]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]

-----------------EOF-----------------
----------------------------------------------------------------------

I'll give Kaspersky another shot ... :sad:

/.
 
Hi

To make Kaspersky scan (possible) quicker please make sure antivirus program is disabled and hard drive is recently defragged. If it still jams despite of these two things taken into account please try ESET Online scanner by following instructions below.

* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a new HijackThis log & a description of any remaining problems
 
ESET -- oh yeah :) - that's much better! Churned thru the whole machine in just over an hour... though the 'findings' are kinda sad; S&D signatures & quarantines?
First I'd seen that AOL-AIM installer trigger anything, too... wierd.

------------------------------------------------
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3673 (20081208)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=0c412256d4bdc447abb7244f5b8a4418
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-12-09 02:22:31
# local_time=2008-12-08 09:22:31 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=469554
# found=15
# scan_time=4281
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ClickspringOuterinfo14.zip Win32/Bagle.gen.zip worm 35A3698C1CEDF5142937BAD6783AE545
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ClickspringOuterinfo6.zip Win32/Bagle.gen.zip worm 7607278515478B111053AB18C7437D61
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc10.zip Win32/Bagle.gen.zip worm C12388D83113683E2061863F13829436
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc11.zip Win32/Bagle.gen.zip worm 3040AF4FC2B25236878794196A225603
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc12.zip Win32/Bagle.gen.zip worm 217FC85A2740AEAEBA536F3945988660
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc13.zip Win32/Bagle.gen.zip worm D7CE1EFF6B5358B482168778D959F143
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc9.zip Win32/Bagle.gen.zip worm A57B22D9A7D245907B0FE3712FFFE276
C:\Documents and Settings\Compaq_Owner\My Documents\!!_Melissa\__Utils\AIM-5_5_install.exe Win32/Adware.WBug.A application 2FF2EC707305F71D8C923773A1A8A3E0
C:\Documents and Settings\Compaq_Owner\My Documents\!!_Melissa\__Utils\AIM-5_5_install.exe »WISE »WxBug.EXE Win32/Adware.WBug.A application 00000000000000000000000000000000
C:\Documents and Settings\Compaq_Owner\My Documents\!!_Melissa\__Utils\AIM-5_5_install.exe »WISE »WxBug.EXE »WISE »MiniBugTransporter.dll Win32/Adware.WBug.A application 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\Program Files\Common Files\ECURIT~1\w?wexec.exe.vir probably a variant of Win32/Adware.PurityScan application 30AAB2155B1D9092CC523B7EFB8FD64A
C:\Qoobox\Quarantine\C\WINDOWS\IA\KE.vbs.vir Win32/Adware.ISearch application 387EDBB90A5275D1B464EB31F3162C40
C:\Qoobox\Quarantine\C\WINDOWS\system32\ibets.dll.vir probably a variant of Win32/Adware.PurityScan application 48A63902BD5FC1A356CC850362B3A71F
C:\Qoobox\Quarantine\C\WINDOWS\system32\WinNB58.dll.vir a variant of Win32/Adware.Mirar application 7B934FEDF0FC53DE51105D4D6B0EC0A9
C:\Qoobox\Quarantine\C\WINDOWS\system32\X1\kmhp83122.exe.vir probably a variant of Win32/TrojanDownloader.Agent trojan 6D7E8217372DD8CF343FC00D90A245D0
------------------------------------------------
and another HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:53:01 PM, on 12/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Utils\AVG\avgamsvr.exe
C:\Utils\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Utils\AVG\avgupsvc.exe
C:\Utils\AVG\avgemc.exe
C:\Utils\Java\jre6\bin\jqs.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Utils\HiJackThis\CaveatEmpty-hjt.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.hp.com/servlet/WebR...1100HC&application=305&modelID=PU026AV&LF=red
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Utils\Spybot-S&D\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Utils\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Utils\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Utils\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\Utils\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Utils\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\Utils\AVG\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\Utils\AVG\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Utils\Spybot-S&D\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Utils\Spybot-S&D\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase5059.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131028158734
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159656446812
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Utils\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Utils\AVG\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Utils\AVG\avgemc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Utils\Java\jre6\bin\jqs.exe

--
End of file - 4281 bytes
------------------------------------------------

also -- noted a new release of JRE ... KOS7 ran a tad quicker -- just got to the crash site a bit sooner :laugh:

WHOAAAA... while writing this (on another machine)... AVG just poped up with a BHO.BOX Trojan - in:
C:\System Volume Information\_restore{###}\RP583\A0052222.dll
-- moved it to the Vault.
/.
 
Hi

Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Delete files in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery folder. Then delete C:\Documents and Settings\Compaq_Owner\My Documents\!!_Melissa\__Utils\AIM-5_5_install.exe file. We'll get quarantined ones later.

Post a fresh hjt log when above meantioned removals are ready.
 
..check. :cool:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:39:11 AM, on 12/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Utils\AVG\avgamsvr.exe
C:\Utils\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Utils\AVG\avgupsvc.exe
C:\Utils\AVG\avgemc.exe
C:\Utils\Java\jre6\bin\jqs.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Utils\AVG\avgcc.exe
C:\Utils\HiJackThis\CaveatEmpty-hjt.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.hp.com/servlet/WebR...1100HC&application=305&modelID=PU026AV&LF=red
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Utils\Spybot-S&D\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Utils\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Utils\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Utils\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\Utils\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Utils\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\Utils\AVG\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\Utils\AVG\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Utils\Spybot-S&D\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Utils\Spybot-S&D\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase5059.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131028158734
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159656446812
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Utils\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Utils\AVG\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Utils\AVG\avgemc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Utils\Java\jre6\bin\jqs.exe

--
End of file - 4305 bytes

/.
 
Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis



We need to re hide system files. To do so, please follow the steps below:
  1. Double-click My Computer.
  2. Click the Tools menu, and then click Folder Options.
  3. Click the View tab.
  4. Put a check by
    Hide file extensions for known file types.
  5. Under the
    Hidden files
    folder, select
    Show hidden files and folders.
  6. Check
    Hide protected operating system files.
  7. Click Apply, and then click OK.


Now lets uninstall ComboFix:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

  • Download SpywareBlaster
    Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes
    kill bits
    in the registry, so that certain activex controls can't install.
    If you don't know what activex controls are, see here
    You can download SpywareBlaster here here
    SpywareBlaster tutorial
  • hosts file:
    • Every version of windows has a hosts file as part of them.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. [*]Click the start button (at the lower left hand corner of your screen) [*]Click run [*]In the dialog box, type services.msc [*]hit enter, then locate dns client [*]Highlight it, then double-click it. [*]On the dropdown box, change the setting from automatic to manual. [*]Click ok
  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
    If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free or Comodo Firewall Pro (If you choose Comodo: Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and install firewall ONLY!).


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :santa:
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :santa:

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
 
You must log in or register to reply here.
Back
Top