kitfox
-
Posts
8 -
Joined
-
Last visited
Content Type
Events
Profiles
Forums
Posts posted by kitfox
-
-
HJT:Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:25:16 PM, on 6/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lego.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D082E71-DF20-4AAF-863B-596428C49874} (TPIR Control) - http://www.worldwinner.com/games/v50/tpir/tpir.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187060500000
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v57/wof/wof.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O16 - DPF: {C56BF45D-4722-4EFD-AA14-9DB1E92661E3} - http://coke.mycokerewards.com/cabs/CocaCola_1_0_0_9.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://coke.mycokerewards.com/cabs/Entriq_...0_15_Silent.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exe
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbc/TrueInstallSBC.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
--
End of file - 7505 bytes
ESET:
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eZulaHotText.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
_________________________________________________________
See anything else, Negster? Amazing how well some of this malware can hide, by design of course. Takes a lot of dedication- or passion as you describe it to be willing to spend so much effort tracking this garbage down. And to just gain the knowledge you have to know what to do next. I describe myself as mostly a "semi-serious dabbler" in all of this. You've showed me a number of excellent tools, though I must confess that half or more I lack enough knowledge to get too much benefit from. But it still remains a step forward. I have been online as a user since just before the 56k modem- and people like you- conscientious, determined, and selfless- are too few & far between- but we'd be sunk without your kind. Thanks again! I'll likely get a plate of gourmet cookies out of this for my efforts, and I'd gladly share with you if I knew how to send them to you. Your knowledge is what brought the success.
Oh, btw- the "08- extra context menu item..." seems to have morphed a little. I killed it anyway- good, bad, or indifferent.
So this MBAM report which initially kept steering me to a non-existent location was symptomatic of an entirely different infection than the Vundo family, or was this a variant? Or should I say infections-(plural)? Seems like a bunch more stuff than I naively expected, at least. (few of us watch how many things our malware software actually do- most scarcely pay attention to even the list of infections removed I imagine) I'd be most interested in hearing the results of what you boil down out of all this if you'd care to post a summary at least. Also, it appears that what was the hot freeware tools a few years ago keeps getting eclipsed by newer & better tools. Do you have any recommendations for any anti-virus & other anti-malware tools which just stand out above all others in addition to MBAM? We use Trend at work which I can bring home I understand- but no one tool is complete. This keeping a computer healthy is not getting any easier these days, is it? And times like this require the rolling up of sleeves and a bunch of manual work. Or reformatting as many do. The scope of this problem is dizzying. A form of terrorism one might argue when one calculates the cost of global damage done.
Again, thank you!
Kitfox
-
Negster, Tell ya what, this is looking a whole lot better than I've seen before. I actually think I'm about ready to give it back with confidence that it will be healthy until.... Lets hope they don't do this again! But it is really a matter of time I suppose. I'd have just reformatted if it wasn't for all your help.
Malwarebytes' Anti-Malware 1.38
Database version: 2327
Windows 5.1.2600 Service Pack 3
6/23/2009 11:01:15 PM
mbam-log-2009-06-23 (23-01-14).txt
Scan type: Quick Scan
Objects scanned: 97708
Time elapsed: 10 minute(s), 8 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:48:22 PM, on 6/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lego.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Search - ?p=ZUxdm486YYUS
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {1D082E71-DF20-4AAF-863B-596428C49874} (TPIR Control) - http://www.worldwinner.com/games/v50/tpir/tpir.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187060500000
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v57/wof/wof.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O16 - DPF: {C56BF45D-4722-4EFD-AA14-9DB1E92661E3} - http://coke.mycokerewards.com/cabs/CocaCola_1_0_0_9.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://coke.mycokerewards.com/cabs/Entriq_...0_15_Silent.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exe
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbc/TrueInstallSBC.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
--
End of file - 7938 bytes
Looking better, isn't it!?
KF
-
Negster22,
You will see that I tried Avenger then aborted when it reported having some heartburn with being asked to go into CLASSES. But I decided to roll the dice & continue anyway- figured it would only leave a registry line to have to deal with hopefully.
SVCQUERY
- - - - - - - - - - - BEFORE - - - - - - - - - - -
netsvcs REG_MULTI_SZ 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0jypqqxnv\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0wscsvc\0xmlprov\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN\0napagent\0hkmsvc\0\0
- - - - - - - - - - - AFTER - - - - - - - - - - -
netsvcs REG_MULTI_SZ 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0wscsvc\0xmlprov\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN\0napagent\0hkmsvc\0\0
Avenger
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Platform: Windows XP (build 2600, Service Pack 3)
Tue Jun 23 19:02:42 2009
19:02:30: Error: Invalid registry syntax in command:
"HKEY_CLASSES_ROOT\CLSID\{a769d1bf-d939-40bd-91f9-95e9d2142f7b}"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key deletion mode)
19:02:42: Error: Execution aborted by user!
//////////////////////////////////////////
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Platform: Windows XP (build 2600, Service Pack 3)
Tue Jun 23 19:35:26 2009
19:35:01: Error: Invalid registry syntax in command:
"HKEY_CLASSES_ROOT\CLSID\{a769d1bf-d939-40bd-91f9-95e9d2142f7b}"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key deletion mode)
//////////////////////////////////////////
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Driver "crilpagi" deleted successfully.
Driver "jypqqxnv" deleted successfully.
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\LEGACY_crilpagi" not found!
Deletion of driver "LEGACY_crilpagi" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\lcfougs.dll" not found!
Deletion of file "c:\windows\system32\lcfougs.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
File "c:\windows\system32\drivers\crilpagi.sys" deleted successfully.
Error: file "c:\windows\system32\denseat.dll" not found!
Deletion of file "c:\windows\system32\denseat.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Folder "C:\Documents and Settings\Charleen\Application Data\wulbffyj" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a769d1bf-d939-40bd-91f9-95e9d2142f7b}" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\npllcjgy" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
DDS
DDS (Ver_09-05-14.01) - NTFSx86
Run by Charleen at 19:51:01.82 on Tue 06/23/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.478.88 [GMT -7:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Charleen\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://lego.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\common\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar5.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar5.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\common\companion\installs\cpn\yt.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
IE: &Search - ?p=ZUxdm486YYUS
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1D082E71-DF20-4AAF-863B-596428C49874} - hxxp://www.worldwinner.com/games/v50/tpir/tpir.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187060500000
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dll
DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - hxxp://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://download.yahoo.com/dl/installs/yab_af.cab
DPF: {C56BF45D-4722-4EFD-AA14-9DB1E92661E3} - hxxp://coke.mycokerewards.com/cabs/CocaCola_1_0_0_9.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - hxxp://coke.mycokerewards.com/cabs/Entriq_3_6_0_15_Silent.cab
DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - hxxp://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - hxxp://www.trueswitch.com/sbc/TrueInstallSBC.exe
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\charleen\applic~1\mozilla\firefox\profiles\878icskz.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
============= SERVICES / DRIVERS ===============
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-22 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-22 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-22 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-6-22 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-22 298776]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-12-27 231424]
S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [2006-12-25 7548]
=============== Created Last 30 ================
2009-06-22 12:38 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-22 12:38 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-06-22 12:37 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-22 12:37 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-06-22 12:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-06-20 18:57 <DIR> --d----- C:\VundoFix Backups
2009-06-14 18:22 25,992 a------- c:\windows\system32\pgdfgsvc.exe
2009-06-14 18:07 <DIR> --d----- c:\program files\RegCleaner
2009-06-14 18:06 <DIR> --d----- c:\docume~1\charleen\applic~1\Malwarebytes
2009-06-14 18:06 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-14 18:06 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-14 18:06 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-14 18:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-12 21:12 <DIR> --d----- c:\program files\Lexmark
2009-06-12 21:00 229 a------- c:\windows\lexstat.ini
2009-06-12 20:58 40,960 a------- c:\windows\system32\lxblvs.dll
2009-06-12 20:58 73,728 a------- c:\windows\system32\lxblpwr.dll
2009-06-12 20:58 286,720 a------- c:\windows\system32\lxblcomm.dll
2009-06-12 20:58 201,216 a------- c:\windows\system32\LEXP2P32.DLL
2009-06-12 20:58 174,592 a------- c:\windows\system32\LEXPPS.EXE
2009-06-12 20:58 303,104 a------- c:\windows\system32\LEXBCES.EXE
2009-06-12 20:58 196,096 a------- c:\windows\system32\LEX2KUSB.DLL
2009-06-12 20:58 147,456 a------- c:\windows\system32\LEXBCE.DLL
2009-06-12 20:58 192,512 a------- c:\windows\system32\lexlmpm.dll
2009-06-12 20:58 <DIR> --d----- c:\program files\Lexmark Z700-P700 Series
2009-06-06 23:38 <DIR> --d----- c:\docume~1\charleen\applic~1\OpenOffice.org
2009-06-06 23:28 <DIR> --d----- c:\program files\JRE
2009-06-06 23:27 <DIR> --d----- c:\program files\OpenOffice.org 3
2009-06-01 20:27 <DIR> --d----- c:\docume~1\charleen\applic~1\Ashampoo
2009-06-01 20:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ashampoo
2009-06-01 20:26 <DIR> --d----- c:\program files\Ashampoo
2009-06-01 19:53 <DIR> --d----- C:\to copy
2009-05-29 18:37 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-05-28 21:57 <DIR> --d----- c:\program files\Lavasoft
==================== Find3M ====================
2009-06-13 10:39 5,356 a------- c:\docume~1\charleen\applic~1\wklnhst.dat
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 08:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-05-05 17:42 34 a------- c:\documents and settings\charleen\jagex_runescape_preferences.dat
2009-04-28 21:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-28 21:56 827,392 -------- c:\windows\system32\dllcache\wininet.dll
2009-04-28 21:56 233,472 -------- c:\windows\system32\dllcache\webcheck.dll
2009-04-28 21:56 1,159,680 -------- c:\windows\system32\dllcache\urlmon.dll
2009-04-28 21:56 671,232 -------- c:\windows\system32\dllcache\mstime.dll
2009-04-28 21:56 105,984 -------- c:\windows\system32\dllcache\url.dll
2009-04-28 21:56 102,912 -------- c:\windows\system32\dllcache\occache.dll
2009-04-28 21:56 44,544 -------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-28 21:56 3,596,288 -------- c:\windows\system32\dllcache\mshtml.dll
2009-04-28 21:56 477,696 -------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-28 21:56 193,024 -------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 02:05 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 02:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-24 22:27 636,088 -------- c:\windows\system32\dllcache\iexplore.exe
2009-04-24 22:26 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-04-17 05:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 05:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 07:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 07:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2008-11-14 18:28 66,360 a------- c:\documents and settings\charleen\g2ax_customer_downloadhelper_win32_x86.exe
2008-03-13 20:31 61,224 a------- c:\documents and settings\charleen\GoToAssistDownloadHelper.exe
2007-10-15 14:47 774,144 a------- c:\program files\RngInterstitial.dll
2008-11-03 13:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110320081104\index.dat
============= FINISH: 19:52:17.42 ===============
Thanks again for your continued patience and expertise!
kf
-
Wow, Negster22, I couldn't have muddled myself even 25% there without your help. Thanks! Will try this soon as I can.
I still cannot understand how this lcfougs.dll thing keeps being reported as present in the system32 folder when it simply doesn't show up there any longer. (Straining on the one little part I think I understand when there are a lot more pertinent things I ignore because I do not understand) Guess it is just the registry key pointing to it... Little did I expect to see so many other things tied together with this. Best part of this process is expanding my knowledge a bit. I appreciate your help.
Thanks again!
Kitfox
-
ARK:
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-23 00:14:45
Windows 5.1.2600 Service Pack 3
---- Kernel code sections - GMER 1.0.15 ----
PAGE ntkrnlpa.exe!ObReferenceObjectByHandle + 4BF 805B1001 7 Bytes JMP 85D80170
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!AnimateWindow] [63601740] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [uSER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [uSER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [uSER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [uSER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [uSER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
---- EOF - GMER 1.0.15 ----
DDS:
DDS (Ver_09-05-14.01) - NTFSx86
Run by Charleen at 0:57:10.04 on Tue 06/23/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.478.103 [GMT -7:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Documents and Settings\Charleen\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://lego.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\common\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: : {a769d1bf-d939-40bd-91f9-95e9d2142f7b} - c:\windows\system32\lcfougs.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar5.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar5.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\common\companion\installs\cpn\yt.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
IE: &Search - ?p=ZUxdm486YYUS
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1D082E71-DF20-4AAF-863B-596428C49874} - hxxp://www.worldwinner.com/games/v50/tpir/tpir.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187060500000
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dll
DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - hxxp://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://download.yahoo.com/dl/installs/yab_af.cab
DPF: {C56BF45D-4722-4EFD-AA14-9DB1E92661E3} - hxxp://coke.mycokerewards.com/cabs/CocaCola_1_0_0_9.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - hxxp://coke.mycokerewards.com/cabs/Entriq_3_6_0_15_Silent.cab
DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - hxxp://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - hxxp://www.trueswitch.com/sbc/TrueInstallSBC.exe
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: npllcjgy - lcfougs.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli denseat.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\charleen\applic~1\mozilla\firefox\profiles\878icskz.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
============= SERVICES / DRIVERS ===============
R0 crilpagi;crilpagi;c:\windows\system32\drivers\crilpagi.sys [2004-8-4 23424]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-22 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-22 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-22 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-6-22 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-22 298776]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-12-27 231424]
S2 jypqqxnv;TCP/IP Protocol Monitor;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [2006-12-25 7548]
=============== Created Last 30 ================
2009-06-22 12:38 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-22 12:38 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-06-22 12:37 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-22 12:37 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-06-22 12:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-06-20 18:57 <DIR> --d----- C:\VundoFix Backups
2009-06-14 18:22 25,992 a------- c:\windows\system32\pgdfgsvc.exe
2009-06-14 18:07 <DIR> --d----- c:\program files\RegCleaner
2009-06-14 18:06 <DIR> --d----- c:\docume~1\charleen\applic~1\Malwarebytes
2009-06-14 18:06 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-14 18:06 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-14 18:06 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-14 18:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-12 21:12 <DIR> --d----- c:\program files\Lexmark
2009-06-12 21:00 229 a------- c:\windows\lexstat.ini
2009-06-12 20:58 40,960 a------- c:\windows\system32\lxblvs.dll
2009-06-12 20:58 73,728 a------- c:\windows\system32\lxblpwr.dll
2009-06-12 20:58 286,720 a------- c:\windows\system32\lxblcomm.dll
2009-06-12 20:58 201,216 a------- c:\windows\system32\LEXP2P32.DLL
2009-06-12 20:58 174,592 a------- c:\windows\system32\LEXPPS.EXE
2009-06-12 20:58 303,104 a------- c:\windows\system32\LEXBCES.EXE
2009-06-12 20:58 196,096 a------- c:\windows\system32\LEX2KUSB.DLL
2009-06-12 20:58 147,456 a------- c:\windows\system32\LEXBCE.DLL
2009-06-12 20:58 192,512 a------- c:\windows\system32\lexlmpm.dll
2009-06-12 20:58 <DIR> --d----- c:\program files\Lexmark Z700-P700 Series
2009-06-06 23:38 <DIR> --d----- c:\docume~1\charleen\applic~1\OpenOffice.org
2009-06-06 23:28 <DIR> --d----- c:\program files\JRE
2009-06-06 23:27 <DIR> --d----- c:\program files\OpenOffice.org 3
2009-06-01 21:52 <DIR> --d----- c:\docume~1\charleen\applic~1\wulbffyj
2009-06-01 20:27 <DIR> --d----- c:\docume~1\charleen\applic~1\Ashampoo
2009-06-01 20:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ashampoo
2009-06-01 20:26 <DIR> --d----- c:\program files\Ashampoo
2009-06-01 19:53 <DIR> --d----- C:\to copy
2009-05-29 18:37 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-05-28 21:57 <DIR> --d----- c:\program files\Lavasoft
==================== Find3M ====================
2009-06-13 10:39 5,356 a------- c:\docume~1\charleen\applic~1\wklnhst.dat
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 08:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-05-05 17:42 34 a------- c:\documents and settings\charleen\jagex_runescape_preferences.dat
2009-04-28 21:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-28 21:56 827,392 -------- c:\windows\system32\dllcache\wininet.dll
2009-04-28 21:56 233,472 -------- c:\windows\system32\dllcache\webcheck.dll
2009-04-28 21:56 1,159,680 -------- c:\windows\system32\dllcache\urlmon.dll
2009-04-28 21:56 671,232 -------- c:\windows\system32\dllcache\mstime.dll
2009-04-28 21:56 105,984 -------- c:\windows\system32\dllcache\url.dll
2009-04-28 21:56 102,912 -------- c:\windows\system32\dllcache\occache.dll
2009-04-28 21:56 44,544 -------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-28 21:56 3,596,288 -------- c:\windows\system32\dllcache\mshtml.dll
2009-04-28 21:56 477,696 -------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-28 21:56 193,024 -------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 02:05 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 02:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-24 22:27 636,088 -------- c:\windows\system32\dllcache\iexplore.exe
2009-04-24 22:26 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-04-17 05:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 05:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 07:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 07:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2008-11-14 18:28 66,360 a------- c:\documents and settings\charleen\g2ax_customer_downloadhelper_win32_x86.exe
2008-03-13 20:31 61,224 a------- c:\documents and settings\charleen\GoToAssistDownloadHelper.exe
2007-10-15 14:47 774,144 a------- c:\program files\RngInterstitial.dll
2008-11-03 13:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110320081104\index.dat
============= FINISH: 0:58:23.62 ===============
Attach
DDS (Ver_09-05-14.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 12/25/2005 11:34:03 PM
System Uptime: 6/23/2009 12:52:58 AM (0 hours ago)
Motherboard: Quanta | | 3096
Processor: Mobile AMD Sempron Processor 3000+ | U23 | 1794/200mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 56 GiB total, 35.048 GiB free.
D: is CDROM ()
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP19: 6/14/2009 5:59:35 PM - Removed Windows Defender
RP20: 6/17/2009 6:13:11 PM - System Checkpoint
RP21: 6/19/2009 10:58:35 PM - System Checkpoint
RP22: 6/20/2009 11:07:14 PM - System Checkpoint
RP23: 6/22/2009 12:03:37 PM - Removed AVG Free 8.5
RP24: 6/22/2009 12:05:19 PM - Installed AVG Free 8.5
RP25: 6/22/2009 12:36:56 PM - Installed AVG Free 8.5
==== Installed Programs ======================
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0
Adobe Shockwave Player
Amazon MP3 Downloader 1.0.3
Ashampoo Burning Studio 6 FREE
AT&T Yahoo! Applications
Athlon 64 Processor Driver
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AVG Free 8.5
Broadcom 802.11 Wireless LAN Adapter
Conexant AC-Link Audio
Critical Update for Windows Media Player 11 (KB959772)
Data Fax SoftModem with SmartCP
GGE909 PC Recoil Pad
Google Toolbar for Internet Explorer
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Help and Support
HP User Guides 0002
HP Wireless Assistant 1.01 A2
HpSdpAppCoreApp
InterVideo WinDVD
iTunes
J2SE Runtime Environment 5.0 Update 11
Java 6 Update 13
Java 6 Update 7
LEGO Alpha Team
Lexmark Photo Center
Lexmark Z700-P700 Series
LS_HSI
Malwarebytes' Anti-Malware
Media Library Management Wizard
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2005
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Movie Maker Background Music Files
Movie Maker Sound Effects
Movie Maker Title Images
Mozilla Firefox (3.0.11)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
muvee autoProducer 4.0 - SE
OpenOffice.org 3.1
Personal License Update Wizard for Windows Media Player
Plus! MP3 Audio Converter LE
Quick Launch Buttons 5.10 B2
QuickTime
RealArcade
REALTEK Gigabit and Fast Ethernet NIC Driver
SBC Yahoo! DSL Home Networking Installer
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Sonic & Knuckles Collection Documentation
Sonic & Knuckles Killer !
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
SONIC HEROES
Sonic MyDVD Plus
Sonic R
Sonic Riders
Sonic Update Manager
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515 drivers.
TIxx21
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Virtools 3D Life Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Defender Signatures
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Media Bonus Pack for Windows XP
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player Playlist Import to Excel Wizard
Windows Media Player Skin Importer
Windows Media Player Tray Control
Windows Presentation Foundation
Windows XP Service Pack 3
XML Paper Specification Shared Components Pack 1.0
Yahoo! Toolbar
==== Event Viewer Messages From Past Week ========
6/20/2009 11:21:03 PM, error: Service Control Manager [7016] - The BrSplService service has reported an invalid current state 0.
6/19/2009 4:45:47 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
6/19/2009 4:44:23 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 AvgLdx86 AvgMfx86 AvgTdiX eabfiltr Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
6/19/2009 4:44:23 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
6/19/2009 4:44:23 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/19/2009 4:44:23 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
6/19/2009 4:44:00 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
6/19/2009 4:43:50 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
6/19/2009 3:20:09 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AliIde IntelIde ViaIde
6/19/2009 3:20:08 PM, error: Service Control Manager [7023] - The TCP/IP Protocol Monitor service terminated with the following error: The specified module could not be found.
6/19/2009 3:19:41 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
6/19/2009 1:22:32 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
6/19/2009 1:22:32 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
==== End Of File ===========================
Hope this is satisfactory. Been too crazy around here to focus on this very well, and staying up too late to get quiet is too easy to mess things up.
As always, really appreciate the coaching through this!
kitfox
-
Ok, here is a summary of what I find so far (forgive that I am not posting the log files yet as I failed to get AVG entirely turned off- will rescan tomorrow hopefully):
MBAM bags a file & 3 registry keys within a second or so of beginning what looks like the start of the actual file scanning process. File was found to be a genuine infection previously and was then manually deleted by me. This file is no longer on this laptop, but MBAM still reports it as though it were. I took the owner's word for it that it returned- someone else was allowed to dork with this and disabled most of what I installed and then installed mbam. Not a bad move actually, but it breaks the chain of evidence, so to speak. So I am not convinced this was ever more than a false alarm of sorts- though I am not entirely certain. Something still seems not quite right given the MBAM report, but it is not necessarily what appears on the surface. I do know that several tools including a Norton and ATF dedicated Vundofix tools say there is nothing there. Nothing still left on this machine which formerly detected this vundo.h detects it now. Only MBAM says it remains- and then in a location where it does not any longer exist.
I flushed everything per ATF. ARK rootkit/malware scan discovered one most interesting item I wish I could have cut & pasted- but ARK froze in the process of saving. But there is the one entry I could not speak for the origin of (was otherwise very short & boring with all processes listed obviously from an expected source) I wrote on paper and now type out this one sole item which showed in red:
module (no name) (xxx hidden xxx) address 00400000-02400000 (33554432 bytes)
(What the heck is this all about?)
I thought I would just turn off everything in msconfig then reboot rather than turn each application off individually, but had inadvertently left part of AVG running when I first ran DDS. I will rescan again with it off- but I did see one interesting thing under the psuedo whatever portion of the report-
Notify: npllcjgy - lcfougs.dll ( There is mention of that phantom buggy file name again!) What does the npllcjgy refer to?
What I really am curious about is the ARK item I typed in as well as why the "notify" line above.
Looks like I will be back at it once company leaves tomorrow. No telling for sure, but I somehow don't expect much out of the ordinary will surface beyond the couple things I list above. I am really running out of time for this, though I suspect the answer should come relatively quickly enough. I should have probably just reformatted, but want to spare the owner the grief of starting over, and the real killer is my obsession with needing to know what is happening here. Anything can be "fixed", though it isn't always expedient. Guess I am a bit OC if not AR. I do appreciate what everyone is doing here!
Thanks all who look to help! I'll post again with the log files tomorrow evening, hopefully.
kitfox
-
I keep getting results as listed in the attachment- although I find it interesting that each subsequent scan tends to take significantly longer- have seen times between 7 minutes and 16 minutes. This one was in between.
This is a friend's laptop which most certainly infested with the Vundo.h among many other malware. I used a variety of tools to remove most, though this lcfougs.dll was most resistant. I finally renamed it in dos mode then deleted. It stayed away for awhile, though apparently returned within a week. But MBAM keeps referring to a file which I cannot find. This lcfougs.dll is nowhere to be found EXCEPT in this scan results.... It is invisible even when hidden files are set to be shown. The scan upon reboot does nothing. I have to wonder if it is even really there? Could this be triggered by a remaining registry key which hasn't been properly removed yet? Thought it had a clean bill of health finally. Next step will likely be to reformat. But I really like to pursue the nuts & bolts of how & where- it usually comes in handy somewhere or another.
Thanks all,
kitfox
What is Hijack.Help?
in Malwarebytes for Windows Support Forum
Posted
I found this at work last week. Thought I had it whipped. Came back with a vengeance on a teacher's computer. It rapidly more or less disabled all the tools at my disposal. I manually isolated three entries from HijackThis- will try to check the logs tomorrow to see if I really got rid of it and if I can find some helpful info. Hopefully someone better than I am will jump in here with something more authoritative.
That EVNJEYV.exe looks suspicious to me- but I am really only a rookie at this. Seems similar to what I removed (which seemed to allow my tools to work again) Anyone else care to comment?
Kitfox