Jump to content

Need help


Big J
 Share

Recommended Posts

Not sure if this is the right place for this or not, but here goes since I was trolled here.

I can not run malewarebytes, for whatever reason, you click on the icon and nothing. What ever virus or infection my computer has does not allow me to download updates to spyware removal software, antivirus software and it dosent even allow me to view related websites. Also searchengine links redirect to bogus sites.

So until I figure out what to do to my system to get malwarebytes to run I am pretty much stuck. Here is a hijackthis log from this morning. If there is anyone who can help, I would appreciate it.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:32:00 AM, on 1/23/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Dell\OpenManage\Client\Iap.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\PROGRA~1\AVG\AVG8\avgam.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\lotus\notes\ntmulti.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\Windows Media Player\WMPNetwk.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqtra08.exe

c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqnrs08.exe

C:\MONU-CAD_Win'95\MONU-CAD Pro\MCPro7-T.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe

C:\WINDOWS\system32\ntvdm.exe

C:\Program Files\lotus\notes\NLNOTES.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\AVG\AVG8\aAvgApi.exe

C:\Program Files\lotus\notes\ntaskldr.EXE

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\Messenger\msmsgs.exe

F:\Data\HiJackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqtra08.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.3.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by116fd.bay116.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab

O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj02.custhelp.com/8102-b424h/rnl/java/RntX.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DixieGranite.com

O17 - HKLM\Software\..\Telephony: DomainName = DixieGranite.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DixieGranite.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = DixieGranite.com

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\Program Files\lotus\notes\ntmulti.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 9072 bytes

Link to post
Share on other sites

  • Root Admin

Please visit this webpage for instructions for downloading ComboFix to your
DESKTOP
:
how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!:

You must save and run
ComboFix.exe
on your DESKTOP and not from any other folder.

Also,
DO NOT
click the mouse or launch any other applications while this is running or it may stall the program

Additional links to download the tool:

Note:

The
Windows Recovery Console
will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click
    Yes
    to allow ComboFix to continue scanning for malware.

  • When the tool is finished, it will produce a report for you.

  • Please post the
    C:\ComboFix.txt
    along with a
    new HijackThis log
    so we may continue cleaning the system.

Link to post
Share on other sites

I have dowmloaded the following programs to my flash drive from a second computer and loaded them into the infected computer, but neither of the programs will execute, something is blocking the programs from running.

I have:

Malwarebytes

Combofix

Spybot Search & Destroy

None of these 3 will run when clicked, the hour glass pops up for a couple seconds then goes away, also none of my anitvirus/spyware software will update.

I need help figureing out what to remove from the system to allow these processes to run.

Thanks

Link to post
Share on other sites

I ran another hijackthis log this morning in case something is different from the original as I have tried some suggestions over the weekend. Here is the file.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:16:11 AM, on 1/26/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Dell\OpenManage\Client\Iap.exe

C:\PROGRA~1\AVG\AVG8\avgam.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\lotus\notes\ntmulti.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\Windows Media Player\WMPNetwk.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqtra08.exe

c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqnrs08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\MONU-CAD_Win'95\MONU-CAD Pro\MCPro7-T.exe

C:\WINDOWS\system32\ntvdm.exe

C:\Program Files\lotus\notes\NLNOTES.EXE

C:\Program Files\lotus\notes\ntaskldr.EXE

C:\WINDOWS\system32\msiexec.exe

F:\Data\HiJackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqtra08.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.3.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by116fd.bay116.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab

O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj02.custhelp.com/8102-b424h/rnl/java/RntX.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DixieGranite.com

O17 - HKLM\Software\..\Telephony: DomainName = DixieGranite.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DixieGranite.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = DixieGranite.com

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe

O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\Program Files\lotus\notes\ntmulti.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 8553 bytes

Link to post
Share on other sites

I also ran DDS per a suggestion and here is the DDS.txt - per the instructions I have zipped and attached the attach.txt file

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

DDS (Ver_09-01-19.01) - NTFSx86

Run by jason at 8:25:36.94 on Mon 01/26/2009

Internet Explorer: 7.0.5730.11

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.389 [GMT -5:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Dell\OpenManage\Client\Iap.exe

C:\PROGRA~1\AVG\AVG8\avgam.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\lotus\notes\ntmulti.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\Windows Media Player\WMPNetwk.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqtra08.exe

c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqnrs08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\MONU-CAD_Win'95\MONU-CAD Pro\MCPro7-T.exe

C:\WINDOWS\system32\ntvdm.exe

C:\Program Files\lotus\notes\NLNOTES.EXE

C:\Program Files\lotus\notes\ntaskldr.EXE

C:\Documents and Settings\jason.DIXIEGRANITE\Desktop\dds.scr

C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/

uSearch Bar =

uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twex.exe,

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

BHO: NoExplorer - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"

mRun: [share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe

mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"

mRun: [eFax 4.3] "c:\program files\efax messenger 4.3\J2GDllCmd.exe" /R

mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe

mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqtra08.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?LinkID=39204

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab

DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab

DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by116fd.bay116.hotmail.msn.com/resources/MsnPUpld.cab

DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - hxxp://mediaplayer.walmart.com/installer/install.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E7D2588A-7FB5-47DC-8830-832605661009} - hxxp://livenj02.custhelp.com/8102-b424h/rnl/java/RntX.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jason~1.dix\applic~1\mozilla\firefox\profiles\vkhtc7r6.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-1-20 12552]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-20 325128]

R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-20 27656]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-20 107272]

R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]

R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-20 903960]

R4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-20 298264]

R4 EdgeStat;EdgeStat;c:\windows\system32\drivers\edgestat.sys [2006-5-3 6912]

R4 Parclass;Parclass;c:\windows\system32\drivers\parclass.sys [2006-5-3 19952]

S4 MDaemon;MDaemon;c:\mdaemon\app\mdaemon.exe --> c:\mdaemon\app\MDAEMON.EXE [?]

S4 WebAdmin;WebAdmin;c:\mdaemon\webadmin\webadmin.exe --> c:\mdaemon\webadmin\WebAdmin.exe [?]

=============== Created Last 30 ================

2009-01-23 15:08 <DIR> --d----- c:\windows\pss

2009-01-23 15:06 <DIR> --d----- c:\documents and settings\jason.dixiegranite\Tracing

2009-01-23 13:20 82,768 a------- c:\windows\system32\lmdimon8.dll

2009-01-23 13:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Applications

2009-01-23 13:08 44,544 a------- c:\windows\system32\msxml4a.dll

2009-01-23 13:07 <DIR> --d----- C:\MDaemon

2009-01-22 11:48 <DIR> --d----- c:\windows\system32\appmgmt

2009-01-20 10:20 <DIR> --d-h--- C:\$AVG8.VAULT$

2009-01-20 10:04 107,272 a------- c:\windows\system32\drivers\avgtdix.sys

2009-01-20 10:04 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys

2009-01-20 10:04 10,520 a------- c:\windows\system32\avgrsstx.dll

2009-01-20 10:04 325,128 a------- c:\windows\system32\drivers\avgldx86.sys

2009-01-20 10:04 <DIR> --d----- c:\windows\system32\drivers\Avg

2009-01-20 10:04 <DIR> --d----- c:\docume~1\jason~1.dix\applic~1\AVGTOOLBAR

2009-01-20 10:04 <DIR> --d----- c:\program files\AVG

2009-01-20 10:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8

2008-12-29 11:21 410,984 a------- c:\windows\system32\deploytk.dll

==================== Find3M ====================

2008-12-13 01:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll

2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys

2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys

2008-10-29 06:42 262,144 a------- C:\ntuser.dat

2008-10-21 12:51 60,744 a------- c:\documents and settings\jason.dixiegranite\g2mdlhlpx.exe

2008-09-03 12:19 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090320080904\index.dat

============= FINISH: 8:27:20.08 ===============

Attach.zip

Attach.zip

Link to post
Share on other sites

I figured out what to do to get certain blocked programs to run. I was able to load and run trojan remover first, when it was done and the items it found were removed I was then able to run malwarebytes.

Here is the log file from the malwarebytes scan.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Malwarebytes' Anti-Malware 1.33

Database version: 1695

Windows 5.1.2600 Service Pack 3

1/26/2009 10:29:04 AM

mbam-log-2009-01-26 (10-29-04).txt

Scan type: Quick Scan

Objects scanned: 86841

Time elapsed: 16 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 2

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\Temp\TDSSb5d.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

This has been a nightmare, but the last hour has been more productive than the last 4 days.

Link to post
Share on other sites

Well now I have been able to run combofix here is the combofix log

ComboFix 09-01-21.04 - jason 2009-01-26 10:57:00.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.643 [GMT -5:00]

Running from: c:\documents and settings\jason.DIXIEGRANITE\Desktop\ComboFix.exe

AV: AVG Anti-Virus *On-access scanning disabled* (Updated)

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

F:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_TDSSSERV.SYS

((((((((((((((((((((((((( Files Created from 2008-12-26 to 2009-01-26 )))))))))))))))))))))))))))))))

.

2009-01-26 10:11 . 2009-01-26 10:11 <DIR> d-------- c:\documents and settings\jason.DIXIEGRANITE\Application Data\Malwarebytes

2009-01-26 10:03 . 2009-01-26 10:03 332,288 --a------ c:\windows\system32\twex.exe.vir

2009-01-26 10:02 . 2009-01-26 10:10 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP

2009-01-26 10:01 . 2009-01-26 10:02 <DIR> d-------- c:\program files\Trojan Remover

2009-01-26 10:01 . 2009-01-26 10:01 <DIR> d-------- c:\documents and settings\jason.DIXIEGRANITE\Application Data\Simply Super Software

2009-01-26 10:01 . 2009-01-26 10:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Simply Super Software

2009-01-26 10:01 . 2006-05-25 14:52 162,304 --a------ c:\windows\system32\ztvunrar36.dll

2009-01-26 10:01 . 2003-02-02 19:06 153,088 --a------ c:\windows\system32\UNRAR3.dll

2009-01-26 10:01 . 2005-08-26 00:50 77,312 --a------ c:\windows\system32\ztvunace26.dll

2009-01-26 10:01 . 2002-03-06 00:00 75,264 --a------ c:\windows\system32\unacev2.dll

2009-01-26 10:01 . 2006-06-19 12:01 69,632 --a------ c:\windows\system32\ztvcabinet.dll

2009-01-26 09:52 . 2009-01-26 10:11 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-26 09:52 . 2009-01-26 09:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-26 09:52 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-26 09:52 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-23 16:16 . 2009-01-23 16:16 0 --a------ c:\windows\nsreg.dat

2009-01-23 15:06 . 2009-01-23 16:01 <DIR> d-------- c:\documents and settings\jason.DIXIEGRANITE\Tracing

2009-01-23 13:20 . 2009-01-23 13:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Applications

2009-01-23 13:20 . 2008-12-22 14:43 82,768 --a------ c:\windows\system32\lmdimon8.dll

2009-01-23 13:10 . 2009-01-23 13:10 <DIR> d-------- c:\documents and settings\LocalService\.spamassassin

2009-01-23 13:08 . 2009-01-06 11:01 44,544 --a------ c:\windows\system32\msxml4a.dll

2009-01-23 13:07 . 2009-01-23 15:32 <DIR> d-------- C:\MDaemon

2009-01-20 10:20 . 2009-01-26 07:32 <DIR> d--h----- C:\$AVG8.VAULT$

2009-01-20 10:04 . 2009-01-26 10:11 <DIR> d-------- c:\windows\system32\drivers\Avg

2009-01-20 10:04 . 2009-01-20 10:04 <DIR> d-------- c:\program files\AVG

2009-01-20 10:04 . 2009-01-20 11:21 <DIR> d-------- c:\documents and settings\jason.DIXIEGRANITE\Application Data\AVGTOOLBAR

2009-01-20 10:04 . 2009-01-20 10:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8

2009-01-20 10:04 . 2009-01-20 10:04 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys

2009-01-20 10:04 . 2009-01-20 10:04 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys

2009-01-20 10:04 . 2009-01-20 10:04 12,552 --a------ c:\windows\system32\drivers\avgrkx86.sys

2009-01-20 10:04 . 2009-01-20 10:04 10,520 --a------ c:\windows\system32\avgrsstx.dll

2009-01-13 13:34 . 2009-01-26 10:09 <DIR> d--hs---- c:\windows\system32\twain32

2008-12-29 11:21 . 2008-12-29 11:21 410,984 --a------ c:\windows\system32\deploytk.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-23 21:27 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-01-23 21:27 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-22 16:48 --------- d-----w c:\program files\Dell

2009-01-22 16:45 --------- d-----w c:\program files\Yahoo!

2009-01-22 16:45 --------- d-----w c:\documents and settings\jason.DIXIEGRANITE\Application Data\Yahoo!

2009-01-22 13:44 --------- d-----w c:\program files\Google

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-12-09 21:17 --------- d-----w c:\documents and settings\jason.DIXIEGRANITE\Application Data\ICAClient

2008-12-09 21:14 --------- d-----w c:\documents and settings\jason.DIXIEGRANITE\Application Data\Download Manager

2008-12-09 21:13 --------- d-----w c:\program files\Citrix

2008-10-29 11:42 262,144 ----a-w C:\ntuser.dat

2008-10-21 17:51 60,744 ----a-w c:\documents and settings\jason.DIXIEGRANITE\g2mdlhlpx.exe

2008-09-03 17:19 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090320080904\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-03-21 5537792]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]

"eFax 4.3"="c:\program files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 116224]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-20 1601304]

"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2008-12-10 1230728]

"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-01-20 10:04 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\msncall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-01-20 12552]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-20 325128]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-20 107272]

R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-20 903960]

R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-20 298264]

R4 EdgeStat;EdgeStat;c:\windows\system32\drivers\edgestat.sys [2006-05-03 6912]

R4 Parclass;Parclass;c:\windows\system32\drivers\parclass.sys [2006-05-03 19952]

S4 MDaemon;MDaemon;c:\mdaemon\APP\MDAEMON.EXE --> c:\mdaemon\APP\MDAEMON.EXE [?]

S4 WebAdmin;WebAdmin;c:\mdaemon\WebAdmin\WebAdmin.exe --> c:\mdaemon\WebAdmin\WebAdmin.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e62948c-98f2-11db-8bfd-0013721128f9}]

\Shell\AutoRun\command - U:\setupSNK.exe

.

Contents of the 'Scheduled Tasks' folder

2009-01-26 c:\windows\Tasks\EasyShare Registration Task.job

- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.5.30.2.sxt _RegistrationOffer@16 []

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab

FF - ProfilePath - c:\documents and settings\jason.DIXIEGRANITE\Application Data\Mozilla\Firefox\Profiles\vkhtc7r6.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-26 11:03:36

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{238B46B1-DB3F-FF9F-817885D113BABB65}\{C7A1A506-D491-606A-8FAD8C1E4DD81C50}\{5DBD0FCF-797E-7771-3B3D82FCE9F240F9}*]

"SE4K5INHHR1EDZYY15BVZC6TKG1"=hex:01,00,01,00,00,00,00,00,7e,c3,c3,8e,86,b4,21,

5e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B2D6F484-260A-7B5D-9DECE03114A71318}\{16279713-416B-AABF-512733F99CDDA7F7}\{FB965560-4DCA-8EF0-2DC335C1EACB0D08}*]

"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,88,fb,7f,

dc,8d,1b,29,61,29,bf,d5,81,32,4d,3b,59,44,65,eb,99,96,aa,c0,fb,7f,39,dc,40,\

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Lavasoft\Ad-Aware\aawservice.exe

c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

c:\program files\Dell\OpenManage\Client\Iap.exe

c:\program files\lotus\notes\ntmulti.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\progra~1\AVG\AVG8\avgam.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

.

**************************************************************************

.

Completion time: 2009-01-26 11:05:22 - machine was rebooted

ComboFix-quarantined-files.txt 2009-01-26 16:05:20

Pre-Run: 223,953,960,960 bytes free

Post-Run: 228,957,605,888 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

173 --- E O F --- 2009-01-14 14:05:28

Link to post
Share on other sites

And here is the latest hijackthis log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:07, on 2009-01-26

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Dell\OpenManage\Client\Iap.exe

C:\Program Files\lotus\notes\ntmulti.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\PROGRA~1\AVG\AVG8\avgam.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\WINDOWS\explorer.exe

F:\Data\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.3.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by116fd.bay116.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab

O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj02.custhelp.com/8102-b424h/rnl/java/RntX.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DixieGranite.com

O17 - HKLM\Software\..\Telephony: DomainName = DixieGranite.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DixieGranite.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = DixieGranite.com

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe

O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\Program Files\lotus\notes\ntmulti.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 7316 bytes

Link to post
Share on other sites

  • Root Admin

Did you set the DNS server to this on purpose ? DixieGranite.com

Please run another round of UDPATES and scan.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

    [*]When the update is complete, select the Scanner tab

    [*]Select Perform quick scan, then click Scan.

    [*]When the scan is complete, click OK, then Show Results to view the results.

    [*]Be sure that everything is checked, and click Remove Selected.

    [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot run HJT Do a system scan and save a logfile

The post back NEW MBAM and HJT logs in that order please.

Link to post
Share on other sites

  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.