kitfox
-
Posts
8 -
Joined
-
Last visited
Content Type
Events
Profiles
Forums
Everything posted by kitfox
-
I found this at work last week. Thought I had it whipped. Came back with a vengeance on a teacher's computer. It rapidly more or less disabled all the tools at my disposal. I manually isolated three entries from HijackThis- will try to check the logs tomorrow to see if I really got rid of it and if I can find some helpful info. Hopefully someone better than I am will jump in here with something more authoritative. That EVNJEYV.exe looks suspicious to me- but I am really only a rookie at this. Seems similar to what I removed (which seemed to allow my tools to work again) Anyone else care to comment? Kitfox
-
HJT:Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 4:25:16 PM, on 6/25/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16850) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\brsvc01a.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\brss01a.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\WINDOWS\system32\svchost.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wuauclt.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lego.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {1D082E71-DF20-4AAF-863B-596428C49874} (TPIR Control) - http://www.worldwinner.com/games/v50/tpir/tpir.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187060500000 O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v57/wof/wof.cab O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab O16 - DPF: {C56BF45D-4722-4EFD-AA14-9DB1E92661E3} - http://coke.mycokerewards.com/cabs/CocaCola_1_0_0_9.cab O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://coke.mycokerewards.com/cabs/Entriq_...0_15_Silent.cab O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exe O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbc/TrueInstallSBC.exe O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE -- End of file - 7505 bytes ESET: C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eZulaHotText.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined _________________________________________________________ See anything else, Negster? Amazing how well some of this malware can hide, by design of course. Takes a lot of dedication- or passion as you describe it to be willing to spend so much effort tracking this garbage down. And to just gain the knowledge you have to know what to do next. I describe myself as mostly a "semi-serious dabbler" in all of this. You've showed me a number of excellent tools, though I must confess that half or more I lack enough knowledge to get too much benefit from. But it still remains a step forward. I have been online as a user since just before the 56k modem- and people like you- conscientious, determined, and selfless- are too few & far between- but we'd be sunk without your kind. Thanks again! I'll likely get a plate of gourmet cookies out of this for my efforts, and I'd gladly share with you if I knew how to send them to you. Your knowledge is what brought the success. Oh, btw- the "08- extra context menu item..." seems to have morphed a little. I killed it anyway- good, bad, or indifferent. So this MBAM report which initially kept steering me to a non-existent location was symptomatic of an entirely different infection than the Vundo family, or was this a variant? Or should I say infections-(plural)? Seems like a bunch more stuff than I naively expected, at least. (few of us watch how many things our malware software actually do- most scarcely pay attention to even the list of infections removed I imagine) I'd be most interested in hearing the results of what you boil down out of all this if you'd care to post a summary at least. Also, it appears that what was the hot freeware tools a few years ago keeps getting eclipsed by newer & better tools. Do you have any recommendations for any anti-virus & other anti-malware tools which just stand out above all others in addition to MBAM? We use Trend at work which I can bring home I understand- but no one tool is complete. This keeping a computer healthy is not getting any easier these days, is it? And times like this require the rolling up of sleeves and a bunch of manual work. Or reformatting as many do. The scope of this problem is dizzying. A form of terrorism one might argue when one calculates the cost of global damage done. Again, thank you! Kitfox
-
Negster, Tell ya what, this is looking a whole lot better than I've seen before. I actually think I'm about ready to give it back with confidence that it will be healthy until.... Lets hope they don't do this again! But it is really a matter of time I suppose. I'd have just reformatted if it wasn't for all your help. Malwarebytes' Anti-Malware 1.38 Database version: 2327 Windows 5.1.2600 Service Pack 3 6/23/2009 11:01:15 PM mbam-log-2009-06-23 (23-01-14).txt Scan type: Quick Scan Objects scanned: 97708 Time elapsed: 10 minute(s), 8 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:48:22 PM, on 6/23/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16850) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\brss01a.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\WINDOWS\system32\svchost.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\NOTEPAD.EXE C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lego.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O8 - Extra context menu item: &Search - ?p=ZUxdm486YYUS O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop O16 - DPF: {1D082E71-DF20-4AAF-863B-596428C49874} (TPIR Control) - http://www.worldwinner.com/games/v50/tpir/tpir.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187060500000 O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v57/wof/wof.cab O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab O16 - DPF: {C56BF45D-4722-4EFD-AA14-9DB1E92661E3} - http://coke.mycokerewards.com/cabs/CocaCola_1_0_0_9.cab O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://coke.mycokerewards.com/cabs/Entriq_...0_15_Silent.cab O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exe O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbc/TrueInstallSBC.exe O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE -- End of file - 7938 bytes Looking better, isn't it!? KF
-
Negster22, You will see that I tried Avenger then aborted when it reported having some heartburn with being asked to go into CLASSES. But I decided to roll the dice & continue anyway- figured it would only leave a registry line to have to deal with hopefully. SVCQUERY - - - - - - - - - - - BEFORE - - - - - - - - - - - netsvcs REG_MULTI_SZ 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0jypqqxnv\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0wscsvc\0xmlprov\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN\0napagent\0hkmsvc\0\0 - - - - - - - - - - - AFTER - - - - - - - - - - - netsvcs REG_MULTI_SZ 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0wscsvc\0xmlprov\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN\0napagent\0hkmsvc\0\0 Avenger ////////////////////////////////////////// Avenger Pre-Processor log ////////////////////////////////////////// Platform: Windows XP (build 2600, Service Pack 3) Tue Jun 23 19:02:42 2009 19:02:30: Error: Invalid registry syntax in command: "HKEY_CLASSES_ROOT\CLSID\{a769d1bf-d939-40bd-91f9-95e9d2142f7b}" Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program. Skipping line. (Registry key deletion mode) 19:02:42: Error: Execution aborted by user! ////////////////////////////////////////// ////////////////////////////////////////// Avenger Pre-Processor log ////////////////////////////////////////// Platform: Windows XP (build 2600, Service Pack 3) Tue Jun 23 19:35:26 2009 19:35:01: Error: Invalid registry syntax in command: "HKEY_CLASSES_ROOT\CLSID\{a769d1bf-d939-40bd-91f9-95e9d2142f7b}" Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program. Skipping line. (Registry key deletion mode) ////////////////////////////////////////// Logfile of The Avenger Version 2.0, © by Swandog46 http://swandog46.geekstogo.com Platform: Windows XP ******************* Script file opened successfully. Script file read successfully. Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: Rootkit scan active. No rootkits found! Driver "crilpagi" deleted successfully. Driver "jypqqxnv" deleted successfully. Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\LEGACY_crilpagi" not found! Deletion of driver "LEGACY_crilpagi" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: file "c:\windows\system32\lcfougs.dll" not found! Deletion of file "c:\windows\system32\lcfougs.dll" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist File "c:\windows\system32\drivers\crilpagi.sys" deleted successfully. Error: file "c:\windows\system32\denseat.dll" not found! Deletion of file "c:\windows\system32\denseat.dll" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Folder "C:\Documents and Settings\Charleen\Application Data\wulbffyj" deleted successfully. Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a769d1bf-d939-40bd-91f9-95e9d2142f7b}" deleted successfully. Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\npllcjgy" deleted successfully. Completed script processing. ******************* Finished! Terminate. DDS DDS (Ver_09-05-14.01) - NTFSx86 Run by Charleen at 19:51:01.82 on Tue 06/23/2009 Internet Explorer: 7.0.5730.13 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.478.88 [GMT -7:00] AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} ============== Running Processes =============== C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup svchost.exe C:\WINDOWS\system32\brsvc01a.exe C:\WINDOWS\system32\brss01a.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\NOTEPAD.EXE C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Charleen\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://lego.com/ uSearch Page = hxxp://www.google.com uSearch Bar = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/keyword/%s uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll uURLSearchHooks: H - No File uURLSearchHooks: H - No File BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\common\companion\installs\cpn\yt.dll BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar5.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar5.dll TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\common\companion\installs\cpn\yt.dll TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe IE: &Search - ?p=ZUxdm486YYUS IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab DPF: {1D082E71-DF20-4AAF-863B-596428C49874} - hxxp://www.worldwinner.com/games/v50/tpir/tpir.cab DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187060500000 DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dll DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - hxxp://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://download.yahoo.com/dl/installs/yab_af.cab DPF: {C56BF45D-4722-4EFD-AA14-9DB1E92661E3} - hxxp://coke.mycokerewards.com/cabs/CocaCola_1_0_0_9.cab DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - hxxp://coke.mycokerewards.com/cabs/Entriq_3_6_0_15_Silent.cab DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - hxxp://photos.yahoo.com/ocx/us/yexplorer1_9us.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/installer.exe DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - hxxp://www.trueswitch.com/sbc/TrueInstallSBC.exe Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll Notify: AtiExtEvent - Ati2evxx.dll Notify: avgrsstarter - avgrsstx.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\charleen\applic~1\mozilla\firefox\profiles\878icskz.default\ FF - prefs.js: browser.search.selectedEngine - Yahoo! Search FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll ============= SERVICES / DRIVERS =============== R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-22 327688] R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-22 27784] R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-22 108552] R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-6-22 906520] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-22 298776] R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-12-27 231424] S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [2006-12-25 7548] =============== Created Last 30 ================ 2009-06-22 12:38 11,952 a------- c:\windows\system32\avgrsstx.dll 2009-06-22 12:38 108,552 a------- c:\windows\system32\drivers\avgtdix.sys 2009-06-22 12:37 327,688 a------- c:\windows\system32\drivers\avgldx86.sys 2009-06-22 12:37 <DIR> --d----- c:\windows\system32\drivers\Avg 2009-06-22 12:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar 2009-06-20 18:57 <DIR> --d----- C:\VundoFix Backups 2009-06-14 18:22 25,992 a------- c:\windows\system32\pgdfgsvc.exe 2009-06-14 18:07 <DIR> --d----- c:\program files\RegCleaner 2009-06-14 18:06 <DIR> --d----- c:\docume~1\charleen\applic~1\Malwarebytes 2009-06-14 18:06 19,096 a------- c:\windows\system32\drivers\mbam.sys 2009-06-14 18:06 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys 2009-06-14 18:06 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware 2009-06-14 18:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes 2009-06-12 21:12 <DIR> --d----- c:\program files\Lexmark 2009-06-12 21:00 229 a------- c:\windows\lexstat.ini 2009-06-12 20:58 40,960 a------- c:\windows\system32\lxblvs.dll 2009-06-12 20:58 73,728 a------- c:\windows\system32\lxblpwr.dll 2009-06-12 20:58 286,720 a------- c:\windows\system32\lxblcomm.dll 2009-06-12 20:58 201,216 a------- c:\windows\system32\LEXP2P32.DLL 2009-06-12 20:58 174,592 a------- c:\windows\system32\LEXPPS.EXE 2009-06-12 20:58 303,104 a------- c:\windows\system32\LEXBCES.EXE 2009-06-12 20:58 196,096 a------- c:\windows\system32\LEX2KUSB.DLL 2009-06-12 20:58 147,456 a------- c:\windows\system32\LEXBCE.DLL 2009-06-12 20:58 192,512 a------- c:\windows\system32\lexlmpm.dll 2009-06-12 20:58 <DIR> --d----- c:\program files\Lexmark Z700-P700 Series 2009-06-06 23:38 <DIR> --d----- c:\docume~1\charleen\applic~1\OpenOffice.org 2009-06-06 23:28 <DIR> --d----- c:\program files\JRE 2009-06-06 23:27 <DIR> --d----- c:\program files\OpenOffice.org 3 2009-06-01 20:27 <DIR> --d----- c:\docume~1\charleen\applic~1\Ashampoo 2009-06-01 20:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ashampoo 2009-06-01 20:26 <DIR> --d----- c:\program files\Ashampoo 2009-06-01 19:53 <DIR> --d----- C:\to copy 2009-05-29 18:37 <DIR> --d-h--- C:\$AVG8.VAULT$ 2009-05-28 21:57 <DIR> --d----- c:\program files\Lavasoft ==================== Find3M ==================== 2009-06-13 10:39 5,356 a------- c:\docume~1\charleen\applic~1\wklnhst.dat 2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll 2009-05-07 08:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll 2009-05-05 17:42 34 a------- c:\documents and settings\charleen\jagex_runescape_preferences.dat 2009-04-28 21:56 827,392 a------- c:\windows\system32\wininet.dll 2009-04-28 21:56 827,392 -------- c:\windows\system32\dllcache\wininet.dll 2009-04-28 21:56 233,472 -------- c:\windows\system32\dllcache\webcheck.dll 2009-04-28 21:56 1,159,680 -------- c:\windows\system32\dllcache\urlmon.dll 2009-04-28 21:56 671,232 -------- c:\windows\system32\dllcache\mstime.dll 2009-04-28 21:56 105,984 -------- c:\windows\system32\dllcache\url.dll 2009-04-28 21:56 102,912 -------- c:\windows\system32\dllcache\occache.dll 2009-04-28 21:56 44,544 -------- c:\windows\system32\dllcache\pngfilt.dll 2009-04-28 21:56 3,596,288 -------- c:\windows\system32\dllcache\mshtml.dll 2009-04-28 21:56 477,696 -------- c:\windows\system32\dllcache\mshtmled.dll 2009-04-28 21:56 193,024 -------- c:\windows\system32\dllcache\msrating.dll 2009-04-28 02:05 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe 2009-04-28 02:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe 2009-04-24 22:27 636,088 -------- c:\windows\system32\dllcache\iexplore.exe 2009-04-24 22:26 161,792 -------- c:\windows\system32\dllcache\ieakui.dll 2009-04-17 05:26 1,847,168 a------- c:\windows\system32\win32k.sys 2009-04-17 05:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys 2009-04-15 07:51 585,216 a------- c:\windows\system32\rpcrt4.dll 2009-04-15 07:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll 2008-11-14 18:28 66,360 a------- c:\documents and settings\charleen\g2ax_customer_downloadhelper_win32_x86.exe 2008-03-13 20:31 61,224 a------- c:\documents and settings\charleen\GoToAssistDownloadHelper.exe 2007-10-15 14:47 774,144 a------- c:\program files\RngInterstitial.dll 2008-11-03 13:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110320081104\index.dat ============= FINISH: 19:52:17.42 =============== Thanks again for your continued patience and expertise! kf
-
Wow, Negster22, I couldn't have muddled myself even 25% there without your help. Thanks! Will try this soon as I can. I still cannot understand how this lcfougs.dll thing keeps being reported as present in the system32 folder when it simply doesn't show up there any longer. (Straining on the one little part I think I understand when there are a lot more pertinent things I ignore because I do not understand) Guess it is just the registry key pointing to it... Little did I expect to see so many other things tied together with this. Best part of this process is expanding my knowledge a bit. I appreciate your help. Thanks again! Kitfox
-
ARK: GMER 1.0.15.14972 - http://www.gmer.net Rootkit scan 2009-06-23 00:14:45 Windows 5.1.2600 Service Pack 3 ---- Kernel code sections - GMER 1.0.15 ---- PAGE ntkrnlpa.exe!ObReferenceObjectByHandle + 4BF 805B1001 7 Bytes JMP 85D80170 ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!AnimateWindow] [63601740] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [uSER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [uSER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [uSER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [uSER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [uSER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company) AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) ---- EOF - GMER 1.0.15 ---- DDS: DDS (Ver_09-05-14.01) - NTFSx86 Run by Charleen at 0:57:10.04 on Tue 06/23/2009 Internet Explorer: 7.0.5730.13 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.478.103 [GMT -7:00] AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} ============== Running Processes =============== C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup svchost.exe C:\WINDOWS\system32\brsvc01a.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\brss01a.exe C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\WINDOWS\system32\wuauclt.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe C:\Documents and Settings\Charleen\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://lego.com/ uSearch Page = hxxp://www.google.com uSearch Bar = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/keyword/%s uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll uURLSearchHooks: H - No File uURLSearchHooks: H - No File BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\common\companion\installs\cpn\yt.dll BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll BHO: : {a769d1bf-d939-40bd-91f9-95e9d2142f7b} - c:\windows\system32\lcfougs.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar5.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar5.dll TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\common\companion\installs\cpn\yt.dll TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe IE: &Search - ?p=ZUxdm486YYUS IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab DPF: {1D082E71-DF20-4AAF-863B-596428C49874} - hxxp://www.worldwinner.com/games/v50/tpir/tpir.cab DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187060500000 DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dll DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - hxxp://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://download.yahoo.com/dl/installs/yab_af.cab DPF: {C56BF45D-4722-4EFD-AA14-9DB1E92661E3} - hxxp://coke.mycokerewards.com/cabs/CocaCola_1_0_0_9.cab DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - hxxp://coke.mycokerewards.com/cabs/Entriq_3_6_0_15_Silent.cab DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - hxxp://photos.yahoo.com/ocx/us/yexplorer1_9us.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/installer.exe DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - hxxp://www.trueswitch.com/sbc/TrueInstallSBC.exe Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll Notify: AtiExtEvent - Ati2evxx.dll Notify: avgrsstarter - avgrsstx.dll Notify: npllcjgy - lcfougs.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll LSA: Notification Packages = scecli denseat.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\charleen\applic~1\mozilla\firefox\profiles\878icskz.default\ FF - prefs.js: browser.search.selectedEngine - Yahoo! Search FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll ============= SERVICES / DRIVERS =============== R0 crilpagi;crilpagi;c:\windows\system32\drivers\crilpagi.sys [2004-8-4 23424] R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-22 327688] R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-22 27784] R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-22 108552] R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-6-22 906520] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-22 298776] R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-12-27 231424] S2 jypqqxnv;TCP/IP Protocol Monitor;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336] S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [2006-12-25 7548] =============== Created Last 30 ================ 2009-06-22 12:38 11,952 a------- c:\windows\system32\avgrsstx.dll 2009-06-22 12:38 108,552 a------- c:\windows\system32\drivers\avgtdix.sys 2009-06-22 12:37 327,688 a------- c:\windows\system32\drivers\avgldx86.sys 2009-06-22 12:37 <DIR> --d----- c:\windows\system32\drivers\Avg 2009-06-22 12:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar 2009-06-20 18:57 <DIR> --d----- C:\VundoFix Backups 2009-06-14 18:22 25,992 a------- c:\windows\system32\pgdfgsvc.exe 2009-06-14 18:07 <DIR> --d----- c:\program files\RegCleaner 2009-06-14 18:06 <DIR> --d----- c:\docume~1\charleen\applic~1\Malwarebytes 2009-06-14 18:06 19,096 a------- c:\windows\system32\drivers\mbam.sys 2009-06-14 18:06 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys 2009-06-14 18:06 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware 2009-06-14 18:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes 2009-06-12 21:12 <DIR> --d----- c:\program files\Lexmark 2009-06-12 21:00 229 a------- c:\windows\lexstat.ini 2009-06-12 20:58 40,960 a------- c:\windows\system32\lxblvs.dll 2009-06-12 20:58 73,728 a------- c:\windows\system32\lxblpwr.dll 2009-06-12 20:58 286,720 a------- c:\windows\system32\lxblcomm.dll 2009-06-12 20:58 201,216 a------- c:\windows\system32\LEXP2P32.DLL 2009-06-12 20:58 174,592 a------- c:\windows\system32\LEXPPS.EXE 2009-06-12 20:58 303,104 a------- c:\windows\system32\LEXBCES.EXE 2009-06-12 20:58 196,096 a------- c:\windows\system32\LEX2KUSB.DLL 2009-06-12 20:58 147,456 a------- c:\windows\system32\LEXBCE.DLL 2009-06-12 20:58 192,512 a------- c:\windows\system32\lexlmpm.dll 2009-06-12 20:58 <DIR> --d----- c:\program files\Lexmark Z700-P700 Series 2009-06-06 23:38 <DIR> --d----- c:\docume~1\charleen\applic~1\OpenOffice.org 2009-06-06 23:28 <DIR> --d----- c:\program files\JRE 2009-06-06 23:27 <DIR> --d----- c:\program files\OpenOffice.org 3 2009-06-01 21:52 <DIR> --d----- c:\docume~1\charleen\applic~1\wulbffyj 2009-06-01 20:27 <DIR> --d----- c:\docume~1\charleen\applic~1\Ashampoo 2009-06-01 20:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ashampoo 2009-06-01 20:26 <DIR> --d----- c:\program files\Ashampoo 2009-06-01 19:53 <DIR> --d----- C:\to copy 2009-05-29 18:37 <DIR> --d-h--- C:\$AVG8.VAULT$ 2009-05-28 21:57 <DIR> --d----- c:\program files\Lavasoft ==================== Find3M ==================== 2009-06-13 10:39 5,356 a------- c:\docume~1\charleen\applic~1\wklnhst.dat 2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll 2009-05-07 08:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll 2009-05-05 17:42 34 a------- c:\documents and settings\charleen\jagex_runescape_preferences.dat 2009-04-28 21:56 827,392 a------- c:\windows\system32\wininet.dll 2009-04-28 21:56 827,392 -------- c:\windows\system32\dllcache\wininet.dll 2009-04-28 21:56 233,472 -------- c:\windows\system32\dllcache\webcheck.dll 2009-04-28 21:56 1,159,680 -------- c:\windows\system32\dllcache\urlmon.dll 2009-04-28 21:56 671,232 -------- c:\windows\system32\dllcache\mstime.dll 2009-04-28 21:56 105,984 -------- c:\windows\system32\dllcache\url.dll 2009-04-28 21:56 102,912 -------- c:\windows\system32\dllcache\occache.dll 2009-04-28 21:56 44,544 -------- c:\windows\system32\dllcache\pngfilt.dll 2009-04-28 21:56 3,596,288 -------- c:\windows\system32\dllcache\mshtml.dll 2009-04-28 21:56 477,696 -------- c:\windows\system32\dllcache\mshtmled.dll 2009-04-28 21:56 193,024 -------- c:\windows\system32\dllcache\msrating.dll 2009-04-28 02:05 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe 2009-04-28 02:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe 2009-04-24 22:27 636,088 -------- c:\windows\system32\dllcache\iexplore.exe 2009-04-24 22:26 161,792 -------- c:\windows\system32\dllcache\ieakui.dll 2009-04-17 05:26 1,847,168 a------- c:\windows\system32\win32k.sys 2009-04-17 05:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys 2009-04-15 07:51 585,216 a------- c:\windows\system32\rpcrt4.dll 2009-04-15 07:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll 2008-11-14 18:28 66,360 a------- c:\documents and settings\charleen\g2ax_customer_downloadhelper_win32_x86.exe 2008-03-13 20:31 61,224 a------- c:\documents and settings\charleen\GoToAssistDownloadHelper.exe 2007-10-15 14:47 774,144 a------- c:\program files\RngInterstitial.dll 2008-11-03 13:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110320081104\index.dat ============= FINISH: 0:58:23.62 =============== Attach DDS (Ver_09-05-14.01) Microsoft Windows XP Home Edition Boot Device: \Device\HarddiskVolume1 Install Date: 12/25/2005 11:34:03 PM System Uptime: 6/23/2009 12:52:58 AM (0 hours ago) Motherboard: Quanta | | 3096 Processor: Mobile AMD Sempron Processor 3000+ | U23 | 1794/200mhz ==== Disk Partitions ========================= C: is FIXED (NTFS) - 56 GiB total, 35.048 GiB free. D: is CDROM () ==== Disabled Device Manager Items ============= ==== System Restore Points =================== RP19: 6/14/2009 5:59:35 PM - Removed Windows Defender RP20: 6/17/2009 6:13:11 PM - System Checkpoint RP21: 6/19/2009 10:58:35 PM - System Checkpoint RP22: 6/20/2009 11:07:14 PM - System Checkpoint RP23: 6/22/2009 12:03:37 PM - Removed AVG Free 8.5 RP24: 6/22/2009 12:05:19 PM - Installed AVG Free 8.5 RP25: 6/22/2009 12:36:56 PM - Installed AVG Free 8.5 ==== Installed Programs ====================== Adobe Flash Player 10 ActiveX Adobe Flash Player 10 Plugin Adobe Reader 7.0 Adobe Shockwave Player Amazon MP3 Downloader 1.0.3 Ashampoo Burning Studio 6 FREE AT&T Yahoo! Applications Athlon 64 Processor Driver ATI - Software Uninstall Utility ATI Control Panel ATI Display Driver AVG Free 8.5 Broadcom 802.11 Wireless LAN Adapter Conexant AC-Link Audio Critical Update for Windows Media Player 11 (KB959772) Data Fax SoftModem with SmartCP GGE909 PC Recoil Pad Google Toolbar for Internet Explorer Hotfix for Windows Media Format 11 SDK (KB929399) Hotfix for Windows Media Format SDK (KB902344) Hotfix for Windows Media Player 11 (KB939683) Hotfix for Windows XP (KB952287) HP Help and Support HP User Guides 0002 HP Wireless Assistant 1.01 A2 HpSdpAppCoreApp InterVideo WinDVD iTunes J2SE Runtime Environment 5.0 Update 11 Java 6 Update 13 Java 6 Update 7 LEGO Alpha Team Lexmark Photo Center Lexmark Z700-P700 Series LS_HSI Malwarebytes' Anti-Malware Media Library Management Wizard Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Hotfix (KB928366) Microsoft .NET Framework 2.0 Service Pack 1 Microsoft .NET Framework 3.0 Service Pack 1 Microsoft Base Smart Card Cryptographic Service Provider Package Microsoft Compression Client Pack 1.0 for Windows XP Microsoft Internationalized Domain Names Mitigation APIs Microsoft Money 2005 Microsoft National Language Support Downlevel APIs Microsoft User-Mode Driver Framework Feature Pack 1.0 Microsoft Visual C++ 2005 Redistributable Microsoft Works Movie Maker Background Music Files Movie Maker Sound Effects Movie Maker Title Images Mozilla Firefox (3.0.11) MSXML 4.0 SP2 (KB927978) MSXML 4.0 SP2 (KB936181) MSXML 4.0 SP2 (KB954430) MSXML 6.0 Parser (KB933579) muvee autoProducer 4.0 - SE OpenOffice.org 3.1 Personal License Update Wizard for Windows Media Player Plus! MP3 Audio Converter LE Quick Launch Buttons 5.10 B2 QuickTime RealArcade REALTEK Gigabit and Fast Ethernet NIC Driver SBC Yahoo! DSL Home Networking Installer Security Update for CAPICOM (KB931906) Security Update for Step By Step Interactive Training (KB898458) Security Update for Step By Step Interactive Training (KB923723) Security Update for Windows Internet Explorer 7 (KB931768) Security Update for Windows Internet Explorer 7 (KB938127-v2) Security Update for Windows Internet Explorer 7 (KB938127) Security Update for Windows Internet Explorer 7 (KB944533) Security Update for Windows Internet Explorer 7 (KB950759) Security Update for Windows Internet Explorer 7 (KB958215) Security Update for Windows Internet Explorer 7 (KB960714) Security Update for Windows Internet Explorer 7 (KB961260) Security Update for Windows Internet Explorer 7 (KB963027) Security Update for Windows Internet Explorer 7 (KB969897) Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player (KB952069) Security Update for Windows Media Player 10 (KB911565) Security Update for Windows Media Player 10 (KB917734) Security Update for Windows Media Player 11 (KB936782) Security Update for Windows Media Player 11 (KB954154) Security Update for Windows Media Player 6.4 (KB925398) Security Update for Windows XP (KB923561) Security Update for Windows XP (KB923689) Security Update for Windows XP (KB938464-v2) Security Update for Windows XP (KB938464) Security Update for Windows XP (KB941569) Security Update for Windows XP (KB946648) Security Update for Windows XP (KB950760) Security Update for Windows XP (KB950762) Security Update for Windows XP (KB950974) Security Update for Windows XP (KB951066) Security Update for Windows XP (KB951376-v2) Security Update for Windows XP (KB951376) Security Update for Windows XP (KB951698) Security Update for Windows XP (KB951748) Security Update for Windows XP (KB952004) Security Update for Windows XP (KB952954) Security Update for Windows XP (KB953839) Security Update for Windows XP (KB954211) Security Update for Windows XP (KB954459) Security Update for Windows XP (KB954600) Security Update for Windows XP (KB955069) Security Update for Windows XP (KB956391) Security Update for Windows XP (KB956572) Security Update for Windows XP (KB956802) Security Update for Windows XP (KB956803) Security Update for Windows XP (KB956841) Security Update for Windows XP (KB957095) Security Update for Windows XP (KB957097) Security Update for Windows XP (KB958644) Security Update for Windows XP (KB958687) Security Update for Windows XP (KB958690) Security Update for Windows XP (KB959426) Security Update for Windows XP (KB960225) Security Update for Windows XP (KB960715) Security Update for Windows XP (KB960803) Security Update for Windows XP (KB961373) Security Update for Windows XP (KB961501) Security Update for Windows XP (KB968537) Security Update for Windows XP (KB969898) Security Update for Windows XP (KB970238) Sonic & Knuckles Collection Documentation Sonic & Knuckles Killer ! Sonic Audio Module Sonic Copy Module Sonic Data Module Sonic Express Labeler SONIC HEROES Sonic MyDVD Plus Sonic R Sonic Riders Sonic Update Manager Synaptics Pointing Device Driver Texas Instruments PCIxx21/x515 drivers. TIxx21 Update for Windows XP (KB951072-v2) Update for Windows XP (KB951978) Update for Windows XP (KB955839) Update for Windows XP (KB967715) Virtools 3D Life Player Visual C++ 2008 x86 Runtime - (v9.0.30729) Visual C++ 2008 x86 Runtime - v9.0.30729.01 WebFldrs XP Windows Defender Signatures Windows Genuine Advantage Notifications (KB905474) Windows Genuine Advantage Validation Tool (KB892130) Windows Imaging Component Windows Internet Explorer 7 Windows Media Bonus Pack for Windows XP Windows Media Format 11 runtime Windows Media Format SDK Hotfix - KB891122 Windows Media Player 11 Windows Media Player Playlist Import to Excel Wizard Windows Media Player Skin Importer Windows Media Player Tray Control Windows Presentation Foundation Windows XP Service Pack 3 XML Paper Specification Shared Components Pack 1.0 Yahoo! Toolbar ==== Event Viewer Messages From Past Week ======== 6/20/2009 11:21:03 PM, error: Service Control Manager [7016] - The BrSplService service has reported an invalid current state 0. 6/19/2009 4:45:47 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811} 6/19/2009 4:44:23 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 AvgLdx86 AvgMfx86 AvgTdiX eabfiltr Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip 6/19/2009 4:44:23 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning. 6/19/2009 4:44:23 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning. 6/19/2009 4:44:23 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning. 6/19/2009 4:44:00 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E} 6/19/2009 4:43:50 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF} 6/19/2009 3:20:09 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AliIde IntelIde ViaIde 6/19/2009 3:20:08 PM, error: Service Control Manager [7023] - The TCP/IP Protocol Monitor service terminated with the following error: The specified module could not be found. 6/19/2009 3:19:41 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume. 6/19/2009 1:22:32 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect. 6/19/2009 1:22:32 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion. ==== End Of File =========================== Hope this is satisfactory. Been too crazy around here to focus on this very well, and staying up too late to get quiet is too easy to mess things up. As always, really appreciate the coaching through this! kitfox
-
Ok, here is a summary of what I find so far (forgive that I am not posting the log files yet as I failed to get AVG entirely turned off- will rescan tomorrow hopefully): MBAM bags a file & 3 registry keys within a second or so of beginning what looks like the start of the actual file scanning process. File was found to be a genuine infection previously and was then manually deleted by me. This file is no longer on this laptop, but MBAM still reports it as though it were. I took the owner's word for it that it returned- someone else was allowed to dork with this and disabled most of what I installed and then installed mbam. Not a bad move actually, but it breaks the chain of evidence, so to speak. So I am not convinced this was ever more than a false alarm of sorts- though I am not entirely certain. Something still seems not quite right given the MBAM report, but it is not necessarily what appears on the surface. I do know that several tools including a Norton and ATF dedicated Vundofix tools say there is nothing there. Nothing still left on this machine which formerly detected this vundo.h detects it now. Only MBAM says it remains- and then in a location where it does not any longer exist. I flushed everything per ATF. ARK rootkit/malware scan discovered one most interesting item I wish I could have cut & pasted- but ARK froze in the process of saving. But there is the one entry I could not speak for the origin of (was otherwise very short & boring with all processes listed obviously from an expected source) I wrote on paper and now type out this one sole item which showed in red: module (no name) (xxx hidden xxx) address 00400000-02400000 (33554432 bytes) (What the heck is this all about?) I thought I would just turn off everything in msconfig then reboot rather than turn each application off individually, but had inadvertently left part of AVG running when I first ran DDS. I will rescan again with it off- but I did see one interesting thing under the psuedo whatever portion of the report- Notify: npllcjgy - lcfougs.dll ( There is mention of that phantom buggy file name again!) What does the npllcjgy refer to? What I really am curious about is the ARK item I typed in as well as why the "notify" line above. Looks like I will be back at it once company leaves tomorrow. No telling for sure, but I somehow don't expect much out of the ordinary will surface beyond the couple things I list above. I am really running out of time for this, though I suspect the answer should come relatively quickly enough. I should have probably just reformatted, but want to spare the owner the grief of starting over, and the real killer is my obsession with needing to know what is happening here. Anything can be "fixed", though it isn't always expedient. Guess I am a bit OC if not AR. I do appreciate what everyone is doing here! Thanks all who look to help! I'll post again with the log files tomorrow evening, hopefully. kitfox
-
I keep getting results as listed in the attachment- although I find it interesting that each subsequent scan tends to take significantly longer- have seen times between 7 minutes and 16 minutes. This one was in between. This is a friend's laptop which most certainly infested with the Vundo.h among many other malware. I used a variety of tools to remove most, though this lcfougs.dll was most resistant. I finally renamed it in dos mode then deleted. It stayed away for awhile, though apparently returned within a week. But MBAM keeps referring to a file which I cannot find. This lcfougs.dll is nowhere to be found EXCEPT in this scan results.... It is invisible even when hidden files are set to be shown. The scan upon reboot does nothing. I have to wonder if it is even really there? Could this be triggered by a remaining registry key which hasn't been properly removed yet? Thought it had a clean bill of health finally. Next step will likely be to reformat. But I really like to pursue the nuts & bolts of how & where- it usually comes in handy somewhere or another. Thanks all, kitfox mbam_log_2009_06_19__18_04_57_.txt mbam_log_2009_06_19__18_04_57_.txt