kitfox Posted June 20, 2009 ID:91555 Share Posted June 20, 2009 I keep getting results as listed in the attachment- although I find it interesting that each subsequent scan tends to take significantly longer- have seen times between 7 minutes and 16 minutes. This one was in between.This is a friend's laptop which most certainly infested with the Vundo.h among many other malware. I used a variety of tools to remove most, though this lcfougs.dll was most resistant. I finally renamed it in dos mode then deleted. It stayed away for awhile, though apparently returned within a week. But MBAM keeps referring to a file which I cannot find. This lcfougs.dll is nowhere to be found EXCEPT in this scan results.... It is invisible even when hidden files are set to be shown. The scan upon reboot does nothing. I have to wonder if it is even really there? Could this be triggered by a remaining registry key which hasn't been properly removed yet? Thought it had a clean bill of health finally. Next step will likely be to reformat. But I really like to pursue the nuts & bolts of how & where- it usually comes in handy somewhere or another.Thanks all,kitfoxmbam_log_2009_06_19__18_04_57_.txtmbam_log_2009_06_19__18_04_57_.txt Link to post Share on other sites More sharing options...
negster22 Posted June 20, 2009 ID:91592 Share Posted June 20, 2009 Hi Kitfox,I am posting your MBAM log. Please copy/paste all logs into your replies unless requested to attach them, so everyone can follow.Malwarebytes' Anti-Malware 1.38Database version: 2309Windows 5.1.2600 Service Pack 36/19/2009 6:05:02 PMmbam-log-2009-06-19 (18-04-57).txtScan type: Quick ScanObjects scanned: 98904Time elapsed: 13 minute(s), 8 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 3Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a769d1bf-d939-40bd-91f9-95e9d2142f7b} (Trojan.Vundo.H) -> No action taken. [39747969558679698035414884092010013986796885748079]HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\npllcjgy (Trojan.Vundo.H) -> No action taken. [39747969558679698035414884092010013986796885748079]HKEY_CLASSES_ROOT\CLSID\{a769d1bf-d939-40bd-91f9-95e9d2142f7b} (Trojan.Vundo.H) -> No action taken. [39747969558679698035414884092010013986796885748079]Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:c:\windows\system32\lcfougs.dll (Trojan.Vundo.H) -> No action taken. [39747969558679698035414884092010013986796885748079]________________________________________We'll run some more programs to see what's keeping those entries intact.Please download ATF Cleaner by AtribuneClose Internet Explorer and any other open browsersDouble-click ATF-Cleaner.exe to run the program. Under Main choose: Select AllClick the Empty Selected button.If you use Firefox browser Click Firefox at the top and choose: Select All Click the Empty Selected button.NOTE: If you would like to keep your saved passwords, please click No at the prompt.If you use Opera browser Click Opera at the top and choose: Select All Click the Empty Selected button.NOTE: If you would like to keep your saved passwords, please click No at the prompt.Click Exit on the Main menu to close the program.Reboot Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.Disable the active protection component of your antivirus and antimalware programs by following the directions that apply here:http://www.bleepingcomputer.com/forums/topic114351.htmlNext, please perform a rootkit scan:Double-click the randomly name EXE located in the C:\ARK folder that you just downloaded to run the program. When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.When the scan is finished (a few seconds, click the Rootkit/Malware tab,and then select the Scan button. Leave your system completely idle while this longer scan is in progress. When the scan is done, save the scan log to the Windows clipboard Open Notepad or a similar text editor Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl VExit the ProgramSave the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.Re-enable your antivirus and any antimalware programs you disabled before performing the scan.Please download DDS and save it to your desktop from here or hereDisable any script blocking programs you may have installed (such as Norton script blocking), and then double-click dss.scr to run the tool.When done, DDS will open two (2) logs:DDS.txtAttach.txt[*]Save both reports to your desktop[*]Please copy and paste both logs into your next reply,===============================================================Please post ARK.txt and the DDS scan reports. Link to post Share on other sites More sharing options...
kitfox Posted June 21, 2009 Author ID:91943 Share Posted June 21, 2009 Ok, here is a summary of what I find so far (forgive that I am not posting the log files yet as I failed to get AVG entirely turned off- will rescan tomorrow hopefully):MBAM bags a file & 3 registry keys within a second or so of beginning what looks like the start of the actual file scanning process. File was found to be a genuine infection previously and was then manually deleted by me. This file is no longer on this laptop, but MBAM still reports it as though it were. I took the owner's word for it that it returned- someone else was allowed to dork with this and disabled most of what I installed and then installed mbam. Not a bad move actually, but it breaks the chain of evidence, so to speak. So I am not convinced this was ever more than a false alarm of sorts- though I am not entirely certain. Something still seems not quite right given the MBAM report, but it is not necessarily what appears on the surface. I do know that several tools including a Norton and ATF dedicated Vundofix tools say there is nothing there. Nothing still left on this machine which formerly detected this vundo.h detects it now. Only MBAM says it remains- and then in a location where it does not any longer exist.I flushed everything per ATF. ARK rootkit/malware scan discovered one most interesting item I wish I could have cut & pasted- but ARK froze in the process of saving. But there is the one entry I could not speak for the origin of (was otherwise very short & boring with all processes listed obviously from an expected source) I wrote on paper and now type out this one sole item which showed in red:module (no name) (xxx hidden xxx) address 00400000-02400000 (33554432 bytes) (What the heck is this all about?)I thought I would just turn off everything in msconfig then reboot rather than turn each application off individually, but had inadvertently left part of AVG running when I first ran DDS. I will rescan again with it off- but I did see one interesting thing under the psuedo whatever portion of the report- Notify: npllcjgy - lcfougs.dll ( There is mention of that phantom buggy file name again!) What does the npllcjgy refer to? What I really am curious about is the ARK item I typed in as well as why the "notify" line above. Looks like I will be back at it once company leaves tomorrow. No telling for sure, but I somehow don't expect much out of the ordinary will surface beyond the couple things I list above. I am really running out of time for this, though I suspect the answer should come relatively quickly enough. I should have probably just reformatted, but want to spare the owner the grief of starting over, and the real killer is my obsession with needing to know what is happening here. Anything can be "fixed", though it isn't always expedient. Guess I am a bit OC if not AR. I do appreciate what everyone is doing here!Thanks all who look to help! I'll post again with the log files tomorrow evening, hopefully.kitfox Link to post Share on other sites More sharing options...
negster22 Posted June 22, 2009 ID:92092 Share Posted June 22, 2009 The Registry key that loads this file:c:\windows\system32\lcfougs.dllIs HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\npllcjgyI have to see the ARK.txt results within the context of the dds logs so please post those as soon as you can.This is a DLL or SYS file that the ARK identifed as being hidden though it was unable to pinpoint the name of the module:module (no name) (xxx hidden xxx) address 00400000-02400000 (33554432 bytes) Link to post Share on other sites More sharing options...
kitfox Posted June 23, 2009 Author ID:92456 Share Posted June 23, 2009 ARK:GMER 1.0.15.14972 - http://www.gmer.netRootkit scan 2009-06-23 00:14:45Windows 5.1.2600 Service Pack 3---- Kernel code sections - GMER 1.0.15 ----PAGE ntkrnlpa.exe!ObReferenceObjectByHandle + 4BF 805B1001 7 Bytes JMP 85D80170 ---- User IAT/EAT - GMER 1.0.15 ----IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!AnimateWindow] [63601740] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [uSER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [uSER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [uSER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [uSER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [uSER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)---- Devices - GMER 1.0.15 ----AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)---- EOF - GMER 1.0.15 ----DDS:DDS (Ver_09-05-14.01) - NTFSx86 Run by Charleen at 0:57:10.04 on Tue 06/23/2009Internet Explorer: 7.0.5730.13Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.478.103 [GMT -7:00]AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}============== Running Processes ===============C:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost -k DcomLaunchsvchost.exeC:\WINDOWS\System32\svchost.exe -k netsvcsC:\WINDOWS\system32\svchost.exe -k WudfServiceGroupsvchost.exeC:\WINDOWS\system32\brsvc01a.exeC:\WINDOWS\system32\LEXBCES.EXEC:\WINDOWS\system32\brss01a.exeC:\WINDOWS\system32\LEXPPS.EXEC:\WINDOWS\system32\spoolsv.exesvchost.exeC:\PROGRA~1\AVG\AVG8\avgwdsvc.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\WINDOWS\system32\svchost.exe -k imgsvcC:\PROGRA~1\AVG\AVG8\avgemc.exeC:\PROGRA~1\AVG\AVG8\avgrsx.exeC:\PROGRA~1\AVG\AVG8\avgnsx.exeC:\Program Files\AVG\AVG8\avgcsrvx.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\Program Files\AVG\AVG8\avgcsrvx.exeC:\WINDOWS\system32\wuauclt.exeC:\PROGRA~1\AVG\AVG8\avgtray.exeC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\WINDOWS\system32\ctfmon.exeC:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exeC:\Documents and Settings\Charleen\Desktop\dds.scr============== Pseudo HJT Report ===============uStart Page = hxxp://lego.com/uSearch Page = hxxp://www.google.comuSearch Bar = hxxp://www.google.com/ieuSearchURL,(Default) = hxxp://www.google.com/keyword/%suURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dlluURLSearchHooks: H - No FileuURLSearchHooks: H - No FileBHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\common\companion\installs\cpn\yt.dllBHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dllBHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dllBHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dllBHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dllBHO: : {a769d1bf-d939-40bd-91f9-95e9d2142f7b} - c:\windows\system32\lcfougs.dllBHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar5.dllBHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dllBHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllBHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dllTB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar5.dllTB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\common\companion\installs\cpn\yt.dllTB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dllTB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No FileTB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No FileEB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No FileuRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quietuRun: [ctfmon.exe] c:\windows\system32\ctfmon.exemRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exemRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exeIE: &Search - ?p=ZUxdm486YYUSIE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exeIE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exeIE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dllDPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cabDPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cabDPF: {1D082E71-DF20-4AAF-863B-596428C49874} - hxxp://www.worldwinner.com/games/v50/tpir/tpir.cabDPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cabDPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dllDPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187060500000DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cabDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cabDPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cabDPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dllDPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cabDPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocxDPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - hxxp://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cabDPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://download.yahoo.com/dl/installs/yab_af.cabDPF: {C56BF45D-4722-4EFD-AA14-9DB1E92661E3} - hxxp://coke.mycokerewards.com/cabs/CocaCola_1_0_0_9.cabDPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cabDPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - hxxp://coke.mycokerewards.com/cabs/Entriq_3_6_0_15_Silent.cabDPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - hxxp://photos.yahoo.com/ocx/us/yexplorer1_9us.cabDPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cabDPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/installer.exeDPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - hxxp://www.trueswitch.com/sbc/TrueInstallSBC.exeHandler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dllNotify: AtiExtEvent - Ati2evxx.dllNotify: avgrsstarter - avgrsstx.dllNotify: npllcjgy - lcfougs.dllSSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dllLSA: Notification Packages = scecli denseat.dll================= FIREFOX ===================FF - ProfilePath - c:\docume~1\charleen\applic~1\mozilla\firefox\profiles\878icskz.default\FF - prefs.js: browser.search.selectedEngine - Yahoo! SearchFF - component: c:\program files\avg\avg8\firefox\components\avgssff.dllFF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dllFF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dllFF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dllFF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dllFF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll============= SERVICES / DRIVERS ===============R0 crilpagi;crilpagi;c:\windows\system32\drivers\crilpagi.sys [2004-8-4 23424]R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-22 327688]R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-22 27784]R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-22 108552]R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-6-22 906520]R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-22 298776]R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-12-27 231424]S2 jypqqxnv;TCP/IP Protocol Monitor;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [2006-12-25 7548]=============== Created Last 30 ================2009-06-22 12:38 11,952 a------- c:\windows\system32\avgrsstx.dll2009-06-22 12:38 108,552 a------- c:\windows\system32\drivers\avgtdix.sys2009-06-22 12:37 327,688 a------- c:\windows\system32\drivers\avgldx86.sys2009-06-22 12:37 <DIR> --d----- c:\windows\system32\drivers\Avg2009-06-22 12:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar2009-06-20 18:57 <DIR> --d----- C:\VundoFix Backups2009-06-14 18:22 25,992 a------- c:\windows\system32\pgdfgsvc.exe2009-06-14 18:07 <DIR> --d----- c:\program files\RegCleaner2009-06-14 18:06 <DIR> --d----- c:\docume~1\charleen\applic~1\Malwarebytes2009-06-14 18:06 19,096 a------- c:\windows\system32\drivers\mbam.sys2009-06-14 18:06 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys2009-06-14 18:06 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware2009-06-14 18:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes2009-06-12 21:12 <DIR> --d----- c:\program files\Lexmark2009-06-12 21:00 229 a------- c:\windows\lexstat.ini2009-06-12 20:58 40,960 a------- c:\windows\system32\lxblvs.dll2009-06-12 20:58 73,728 a------- c:\windows\system32\lxblpwr.dll2009-06-12 20:58 286,720 a------- c:\windows\system32\lxblcomm.dll2009-06-12 20:58 201,216 a------- c:\windows\system32\LEXP2P32.DLL2009-06-12 20:58 174,592 a------- c:\windows\system32\LEXPPS.EXE2009-06-12 20:58 303,104 a------- c:\windows\system32\LEXBCES.EXE2009-06-12 20:58 196,096 a------- c:\windows\system32\LEX2KUSB.DLL2009-06-12 20:58 147,456 a------- c:\windows\system32\LEXBCE.DLL2009-06-12 20:58 192,512 a------- c:\windows\system32\lexlmpm.dll2009-06-12 20:58 <DIR> --d----- c:\program files\Lexmark Z700-P700 Series2009-06-06 23:38 <DIR> --d----- c:\docume~1\charleen\applic~1\OpenOffice.org2009-06-06 23:28 <DIR> --d----- c:\program files\JRE2009-06-06 23:27 <DIR> --d----- c:\program files\OpenOffice.org 32009-06-01 21:52 <DIR> --d----- c:\docume~1\charleen\applic~1\wulbffyj2009-06-01 20:27 <DIR> --d----- c:\docume~1\charleen\applic~1\Ashampoo2009-06-01 20:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ashampoo2009-06-01 20:26 <DIR> --d----- c:\program files\Ashampoo2009-06-01 19:53 <DIR> --d----- C:\to copy2009-05-29 18:37 <DIR> --d-h--- C:\$AVG8.VAULT$2009-05-28 21:57 <DIR> --d----- c:\program files\Lavasoft==================== Find3M ====================2009-06-13 10:39 5,356 a------- c:\docume~1\charleen\applic~1\wklnhst.dat2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll2009-05-07 08:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll2009-05-05 17:42 34 a------- c:\documents and settings\charleen\jagex_runescape_preferences.dat2009-04-28 21:56 827,392 a------- c:\windows\system32\wininet.dll2009-04-28 21:56 827,392 -------- c:\windows\system32\dllcache\wininet.dll2009-04-28 21:56 233,472 -------- c:\windows\system32\dllcache\webcheck.dll2009-04-28 21:56 1,159,680 -------- c:\windows\system32\dllcache\urlmon.dll2009-04-28 21:56 671,232 -------- c:\windows\system32\dllcache\mstime.dll2009-04-28 21:56 105,984 -------- c:\windows\system32\dllcache\url.dll2009-04-28 21:56 102,912 -------- c:\windows\system32\dllcache\occache.dll2009-04-28 21:56 44,544 -------- c:\windows\system32\dllcache\pngfilt.dll2009-04-28 21:56 3,596,288 -------- c:\windows\system32\dllcache\mshtml.dll2009-04-28 21:56 477,696 -------- c:\windows\system32\dllcache\mshtmled.dll2009-04-28 21:56 193,024 -------- c:\windows\system32\dllcache\msrating.dll2009-04-28 02:05 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe2009-04-28 02:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe2009-04-24 22:27 636,088 -------- c:\windows\system32\dllcache\iexplore.exe2009-04-24 22:26 161,792 -------- c:\windows\system32\dllcache\ieakui.dll2009-04-17 05:26 1,847,168 a------- c:\windows\system32\win32k.sys2009-04-17 05:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys2009-04-15 07:51 585,216 a------- c:\windows\system32\rpcrt4.dll2009-04-15 07:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll2008-11-14 18:28 66,360 a------- c:\documents and settings\charleen\g2ax_customer_downloadhelper_win32_x86.exe2008-03-13 20:31 61,224 a------- c:\documents and settings\charleen\GoToAssistDownloadHelper.exe2007-10-15 14:47 774,144 a------- c:\program files\RngInterstitial.dll2008-11-03 13:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110320081104\index.dat============= FINISH: 0:58:23.62 ===============AttachDDS (Ver_09-05-14.01)Microsoft Windows XP Home EditionBoot Device: \Device\HarddiskVolume1Install Date: 12/25/2005 11:34:03 PMSystem Uptime: 6/23/2009 12:52:58 AM (0 hours ago)Motherboard: Quanta | | 3096Processor: Mobile AMD Sempron Processor 3000+ | U23 | 1794/200mhz==== Disk Partitions =========================C: is FIXED (NTFS) - 56 GiB total, 35.048 GiB free.D: is CDROM ()==== Disabled Device Manager Items ================= System Restore Points ===================RP19: 6/14/2009 5:59:35 PM - Removed Windows DefenderRP20: 6/17/2009 6:13:11 PM - System CheckpointRP21: 6/19/2009 10:58:35 PM - System CheckpointRP22: 6/20/2009 11:07:14 PM - System CheckpointRP23: 6/22/2009 12:03:37 PM - Removed AVG Free 8.5RP24: 6/22/2009 12:05:19 PM - Installed AVG Free 8.5RP25: 6/22/2009 12:36:56 PM - Installed AVG Free 8.5==== Installed Programs ======================Adobe Flash Player 10 ActiveXAdobe Flash Player 10 PluginAdobe Reader 7.0Adobe Shockwave PlayerAmazon MP3 Downloader 1.0.3Ashampoo Burning Studio 6 FREEAT&T Yahoo! ApplicationsAthlon 64 Processor DriverATI - Software Uninstall UtilityATI Control PanelATI Display DriverAVG Free 8.5Broadcom 802.11 Wireless LAN AdapterConexant AC-Link AudioCritical Update for Windows Media Player 11 (KB959772)Data Fax SoftModem with SmartCPGGE909 PC Recoil PadGoogle Toolbar for Internet ExplorerHotfix for Windows Media Format 11 SDK (KB929399)Hotfix for Windows Media Format SDK (KB902344)Hotfix for Windows Media Player 11 (KB939683)Hotfix for Windows XP (KB952287)HP Help and SupportHP User Guides 0002HP Wireless Assistant 1.01 A2HpSdpAppCoreAppInterVideo WinDVDiTunesJ2SE Runtime Environment 5.0 Update 11Java 6 Update 13Java 6 Update 7LEGO Alpha TeamLexmark Photo CenterLexmark Z700-P700 SeriesLS_HSIMalwarebytes' Anti-MalwareMedia Library Management WizardMicrosoft .NET Framework 1.1Microsoft .NET Framework 1.1 Hotfix (KB928366)Microsoft .NET Framework 2.0 Service Pack 1Microsoft .NET Framework 3.0 Service Pack 1Microsoft Base Smart Card Cryptographic Service Provider PackageMicrosoft Compression Client Pack 1.0 for Windows XPMicrosoft Internationalized Domain Names Mitigation APIsMicrosoft Money 2005Microsoft National Language Support Downlevel APIsMicrosoft User-Mode Driver Framework Feature Pack 1.0Microsoft Visual C++ 2005 RedistributableMicrosoft WorksMovie Maker Background Music FilesMovie Maker Sound EffectsMovie Maker Title ImagesMozilla Firefox (3.0.11)MSXML 4.0 SP2 (KB927978)MSXML 4.0 SP2 (KB936181)MSXML 4.0 SP2 (KB954430)MSXML 6.0 Parser (KB933579)muvee autoProducer 4.0 - SEOpenOffice.org 3.1Personal License Update Wizard for Windows Media PlayerPlus! MP3 Audio Converter LEQuick Launch Buttons 5.10 B2QuickTimeRealArcadeREALTEK Gigabit and Fast Ethernet NIC DriverSBC Yahoo! DSL Home Networking InstallerSecurity Update for CAPICOM (KB931906)Security Update for Step By Step Interactive Training (KB898458)Security Update for Step By Step Interactive Training (KB923723)Security Update for Windows Internet Explorer 7 (KB931768)Security Update for Windows Internet Explorer 7 (KB938127-v2)Security Update for Windows Internet Explorer 7 (KB938127)Security Update for Windows Internet Explorer 7 (KB944533)Security Update for Windows Internet Explorer 7 (KB950759)Security Update for Windows Internet Explorer 7 (KB958215)Security Update for Windows Internet Explorer 7 (KB960714)Security Update for Windows Internet Explorer 7 (KB961260)Security Update for Windows Internet Explorer 7 (KB963027)Security Update for Windows Internet Explorer 7 (KB969897)Security Update for Windows Media Player (KB911564)Security Update for Windows Media Player (KB952069)Security Update for Windows Media Player 10 (KB911565)Security Update for Windows Media Player 10 (KB917734)Security Update for Windows Media Player 11 (KB936782)Security Update for Windows Media Player 11 (KB954154)Security Update for Windows Media Player 6.4 (KB925398)Security Update for Windows XP (KB923561)Security Update for Windows XP (KB923689)Security Update for Windows XP (KB938464-v2)Security Update for Windows XP (KB938464)Security Update for Windows XP (KB941569)Security Update for Windows XP (KB946648)Security Update for Windows XP (KB950760)Security Update for Windows XP (KB950762)Security Update for Windows XP (KB950974)Security Update for Windows XP (KB951066)Security Update for Windows XP (KB951376-v2)Security Update for Windows XP (KB951376)Security Update for Windows XP (KB951698)Security Update for Windows XP (KB951748)Security Update for Windows XP (KB952004)Security Update for Windows XP (KB952954)Security Update for Windows XP (KB953839)Security Update for Windows XP (KB954211)Security Update for Windows XP (KB954459)Security Update for Windows XP (KB954600)Security Update for Windows XP (KB955069)Security Update for Windows XP (KB956391)Security Update for Windows XP (KB956572)Security Update for Windows XP (KB956802)Security Update for Windows XP (KB956803)Security Update for Windows XP (KB956841)Security Update for Windows XP (KB957095)Security Update for Windows XP (KB957097)Security Update for Windows XP (KB958644)Security Update for Windows XP (KB958687)Security Update for Windows XP (KB958690)Security Update for Windows XP (KB959426)Security Update for Windows XP (KB960225)Security Update for Windows XP (KB960715)Security Update for Windows XP (KB960803)Security Update for Windows XP (KB961373)Security Update for Windows XP (KB961501)Security Update for Windows XP (KB968537)Security Update for Windows XP (KB969898)Security Update for Windows XP (KB970238)Sonic & Knuckles Collection DocumentationSonic & Knuckles Killer !Sonic Audio ModuleSonic Copy ModuleSonic Data ModuleSonic Express LabelerSONIC HEROESSonic MyDVD PlusSonic RSonic RidersSonic Update ManagerSynaptics Pointing Device DriverTexas Instruments PCIxx21/x515 drivers.TIxx21Update for Windows XP (KB951072-v2)Update for Windows XP (KB951978)Update for Windows XP (KB955839)Update for Windows XP (KB967715)Virtools 3D Life PlayerVisual C++ 2008 x86 Runtime - (v9.0.30729)Visual C++ 2008 x86 Runtime - v9.0.30729.01WebFldrs XPWindows Defender SignaturesWindows Genuine Advantage Notifications (KB905474)Windows Genuine Advantage Validation Tool (KB892130)Windows Imaging ComponentWindows Internet Explorer 7Windows Media Bonus Pack for Windows XPWindows Media Format 11 runtimeWindows Media Format SDK Hotfix - KB891122Windows Media Player 11Windows Media Player Playlist Import to Excel WizardWindows Media Player Skin ImporterWindows Media Player Tray ControlWindows Presentation FoundationWindows XP Service Pack 3XML Paper Specification Shared Components Pack 1.0Yahoo! Toolbar==== Event Viewer Messages From Past Week ========6/20/2009 11:21:03 PM, error: Service Control Manager [7016] - The BrSplService service has reported an invalid current state 0.6/19/2009 4:45:47 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}6/19/2009 4:44:23 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 AvgLdx86 AvgMfx86 AvgTdiX eabfiltr Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip6/19/2009 4:44:23 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.6/19/2009 4:44:23 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.6/19/2009 4:44:23 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.6/19/2009 4:44:00 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}6/19/2009 4:43:50 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}6/19/2009 3:20:09 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AliIde IntelIde ViaIde6/19/2009 3:20:08 PM, error: Service Control Manager [7023] - The TCP/IP Protocol Monitor service terminated with the following error: The specified module could not be found.6/19/2009 3:19:41 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.6/19/2009 1:22:32 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.6/19/2009 1:22:32 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.==== End Of File ===========================Hope this is satisfactory. Been too crazy around here to focus on this very well, and staying up too late to get quiet is too easy to mess things up.As always, really appreciate the coaching through this!kitfox Link to post Share on other sites More sharing options...
negster22 Posted June 23, 2009 ID:92618 Share Posted June 23, 2009 Hi kitfox,Please download this tool to remove a malicious netsvcs registry entry remaining:http://download.bleepingcomputer.com/sUBs/SvcQuery.exeWhen prompted:"Please enter the 'Service Name' as instructed by the helper "Copy/paste or type:jypqqxnvHit EnterExit the programOpen a Notepad window by Clicking start --> run --> type notepad and then hit EnterOn the Notepad menu, make sure "word wrap" is UNchecked under format.Paste the following bolded text into the Notepad window :REGEDIT4[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00Save the file to your desktop by setting the "Save as Type" to "all files", and save it as fix.regDouble-click the fix.reg aqua blocks icon on your desktop (disable any script blocking programs and allow allow the script to run).Answer Yes to the prompt about adding the information to the Registry.You should get a success message once the reg fix has completed.If you don't receive that message or receive an error message - don't proceed and report back please.Download The Avenger by Swandog46:http://swandog46.geekstogo.com/avenger2/download.phpUnzip/extract it to a folder on your desktop.Double click on avenger.exe to launch Avenger.Click OK.Make sure that the box next to "Scan for rootkits" is checked and that the box next to Automatically "Disable any rootkits found" is not checked.Copy and Paste the text in the Code Box into the Avenger's "Input Script here" Box:Drivers to delete:crilpagijypqqxnvLEGACY_crilpagi Registry keys to delete:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a769d1bf-d939-40bd-91f9-95e9d2142f7b} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\npllcjgy HKEY_CLASSES_ROOT\CLSID\{a769d1bf-d939-40bd-91f9-95e9d2142f7b} Files to delete:c:\windows\system32\lcfougs.dllc:\windows\system32\drivers\crilpagi.sysc:\windows\system32\denseat.dll Folders to delete:C:\Documents and Settings\Charleen\Application Data\wulbffyjClick the Execute button.You will be prompted with "Are you sure you want to execute the current script?"Click "Yes"You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.Click "Yes".Your PC will reboot.After your PC has completed the necessary reboot, a log should automatically open.If it the log does not automatically open, then it can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt)Please post back the Netsvcs tool log, the Avenger log, and a new DDS.txt Link to post Share on other sites More sharing options...
kitfox Posted June 23, 2009 Author ID:92625 Share Posted June 23, 2009 Wow, Negster22, I couldn't have muddled myself even 25% there without your help. Thanks! Will try this soon as I can.I still cannot understand how this lcfougs.dll thing keeps being reported as present in the system32 folder when it simply doesn't show up there any longer. (Straining on the one little part I think I understand when there are a lot more pertinent things I ignore because I do not understand) Guess it is just the registry key pointing to it... Little did I expect to see so many other things tied together with this. Best part of this process is expanding my knowledge a bit. I appreciate your help.Thanks again!Kitfox Link to post Share on other sites More sharing options...
kitfox Posted June 24, 2009 Author ID:92716 Share Posted June 24, 2009 Negster22,You will see that I tried Avenger then aborted when it reported having some heartburn with being asked to go into CLASSES. But I decided to roll the dice & continue anyway- figured it would only leave a registry line to have to deal with hopefully. SVCQUERY- - - - - - - - - - - BEFORE - - - - - - - - - - - netsvcs REG_MULTI_SZ 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0jypqqxnv\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0wscsvc\0xmlprov\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN\0napagent\0hkmsvc\0\0- - - - - - - - - - - AFTER - - - - - - - - - - - netsvcs REG_MULTI_SZ 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0wscsvc\0xmlprov\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN\0napagent\0hkmsvc\0\0Avenger////////////////////////////////////////// Avenger Pre-Processor log//////////////////////////////////////////Platform: Windows XP (build 2600, Service Pack 3)Tue Jun 23 19:02:42 200919:02:30: Error: Invalid registry syntax in command:"HKEY_CLASSES_ROOT\CLSID\{a769d1bf-d939-40bd-91f9-95e9d2142f7b}"Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.Skipping line. (Registry key deletion mode) 19:02:42: Error: Execution aborted by user!//////////////////////////////////////////////////////////////////////////////////// Avenger Pre-Processor log//////////////////////////////////////////Platform: Windows XP (build 2600, Service Pack 3)Tue Jun 23 19:35:26 200919:35:01: Error: Invalid registry syntax in command:"HKEY_CLASSES_ROOT\CLSID\{a769d1bf-d939-40bd-91f9-95e9d2142f7b}"Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.Skipping line. (Registry key deletion mode) //////////////////////////////////////////Logfile of The Avenger Version 2.0, © by Swandog46http://swandog46.geekstogo.comPlatform: Windows XP*******************Script file opened successfully.Script file read successfully.Backups directory opened successfully at C:\Avenger*******************Beginning to process script file:Rootkit scan active.No rootkits found!Driver "crilpagi" deleted successfully.Driver "jypqqxnv" deleted successfully.Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\LEGACY_crilpagi" not found!Deletion of driver "LEGACY_crilpagi" failed!Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not existError: file "c:\windows\system32\lcfougs.dll" not found!Deletion of file "c:\windows\system32\lcfougs.dll" failed!Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not existFile "c:\windows\system32\drivers\crilpagi.sys" deleted successfully.Error: file "c:\windows\system32\denseat.dll" not found!Deletion of file "c:\windows\system32\denseat.dll" failed!Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not existFolder "C:\Documents and Settings\Charleen\Application Data\wulbffyj" deleted successfully.Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a769d1bf-d939-40bd-91f9-95e9d2142f7b}" deleted successfully.Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\npllcjgy" deleted successfully.Completed script processing.*******************Finished! Terminate.DDSDDS (Ver_09-05-14.01) - NTFSx86 Run by Charleen at 19:51:01.82 on Tue 06/23/2009Internet Explorer: 7.0.5730.13Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.478.88 [GMT -7:00]AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}============== Running Processes ===============C:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost -k DcomLaunchsvchost.exeC:\WINDOWS\System32\svchost.exe -k netsvcsC:\WINDOWS\system32\svchost.exe -k WudfServiceGroupsvchost.exeC:\WINDOWS\system32\brsvc01a.exeC:\WINDOWS\system32\brss01a.exeC:\WINDOWS\system32\LEXBCES.EXEC:\WINDOWS\system32\LEXPPS.EXEC:\WINDOWS\system32\spoolsv.exesvchost.exeC:\PROGRA~1\AVG\AVG8\avgwdsvc.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\WINDOWS\system32\svchost.exe -k imgsvcC:\PROGRA~1\AVG\AVG8\avgemc.exeC:\PROGRA~1\AVG\AVG8\avgrsx.exeC:\PROGRA~1\AVG\AVG8\avgnsx.exeC:\Program Files\AVG\AVG8\avgcsrvx.exeC:\WINDOWS\system32\Ati2evxx.exeC:\Program Files\AVG\AVG8\avgcsrvx.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\NOTEPAD.EXEC:\PROGRA~1\AVG\AVG8\avgtray.exeC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\WINDOWS\system32\ctfmon.exeC:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Documents and Settings\Charleen\Desktop\dds.scr============== Pseudo HJT Report ===============uStart Page = hxxp://lego.com/uSearch Page = hxxp://www.google.comuSearch Bar = hxxp://www.google.com/ieuSearchURL,(Default) = hxxp://www.google.com/keyword/%suURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dlluURLSearchHooks: H - No FileuURLSearchHooks: H - No FileBHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\common\companion\installs\cpn\yt.dllBHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dllBHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dllBHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dllBHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dllBHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar5.dllBHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dllBHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllBHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dllTB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar5.dllTB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\common\companion\installs\cpn\yt.dllTB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dllTB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No FileTB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No FileEB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No FileuRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quietuRun: [ctfmon.exe] c:\windows\system32\ctfmon.exemRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exemRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exeIE: &Search - ?p=ZUxdm486YYUSIE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exeIE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exeIE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dllDPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cabDPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cabDPF: {1D082E71-DF20-4AAF-863B-596428C49874} - hxxp://www.worldwinner.com/games/v50/tpir/tpir.cabDPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cabDPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dllDPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187060500000DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cabDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cabDPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cabDPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dllDPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cabDPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocxDPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - hxxp://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cabDPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://download.yahoo.com/dl/installs/yab_af.cabDPF: {C56BF45D-4722-4EFD-AA14-9DB1E92661E3} - hxxp://coke.mycokerewards.com/cabs/CocaCola_1_0_0_9.cabDPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cabDPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - hxxp://coke.mycokerewards.com/cabs/Entriq_3_6_0_15_Silent.cabDPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - hxxp://photos.yahoo.com/ocx/us/yexplorer1_9us.cabDPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cabDPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/installer.exeDPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - hxxp://www.trueswitch.com/sbc/TrueInstallSBC.exeHandler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dllNotify: AtiExtEvent - Ati2evxx.dllNotify: avgrsstarter - avgrsstx.dllSSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll================= FIREFOX ===================FF - ProfilePath - c:\docume~1\charleen\applic~1\mozilla\firefox\profiles\878icskz.default\FF - prefs.js: browser.search.selectedEngine - Yahoo! SearchFF - component: c:\program files\avg\avg8\firefox\components\avgssff.dllFF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dllFF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dllFF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dllFF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dllFF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll============= SERVICES / DRIVERS ===============R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-22 327688]R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-22 27784]R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-22 108552]R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-6-22 906520]R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-22 298776]R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-12-27 231424]S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [2006-12-25 7548]=============== Created Last 30 ================2009-06-22 12:38 11,952 a------- c:\windows\system32\avgrsstx.dll2009-06-22 12:38 108,552 a------- c:\windows\system32\drivers\avgtdix.sys2009-06-22 12:37 327,688 a------- c:\windows\system32\drivers\avgldx86.sys2009-06-22 12:37 <DIR> --d----- c:\windows\system32\drivers\Avg2009-06-22 12:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar2009-06-20 18:57 <DIR> --d----- C:\VundoFix Backups2009-06-14 18:22 25,992 a------- c:\windows\system32\pgdfgsvc.exe2009-06-14 18:07 <DIR> --d----- c:\program files\RegCleaner2009-06-14 18:06 <DIR> --d----- c:\docume~1\charleen\applic~1\Malwarebytes2009-06-14 18:06 19,096 a------- c:\windows\system32\drivers\mbam.sys2009-06-14 18:06 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys2009-06-14 18:06 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware2009-06-14 18:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes2009-06-12 21:12 <DIR> --d----- c:\program files\Lexmark2009-06-12 21:00 229 a------- c:\windows\lexstat.ini2009-06-12 20:58 40,960 a------- c:\windows\system32\lxblvs.dll2009-06-12 20:58 73,728 a------- c:\windows\system32\lxblpwr.dll2009-06-12 20:58 286,720 a------- c:\windows\system32\lxblcomm.dll2009-06-12 20:58 201,216 a------- c:\windows\system32\LEXP2P32.DLL2009-06-12 20:58 174,592 a------- c:\windows\system32\LEXPPS.EXE2009-06-12 20:58 303,104 a------- c:\windows\system32\LEXBCES.EXE2009-06-12 20:58 196,096 a------- c:\windows\system32\LEX2KUSB.DLL2009-06-12 20:58 147,456 a------- c:\windows\system32\LEXBCE.DLL2009-06-12 20:58 192,512 a------- c:\windows\system32\lexlmpm.dll2009-06-12 20:58 <DIR> --d----- c:\program files\Lexmark Z700-P700 Series2009-06-06 23:38 <DIR> --d----- c:\docume~1\charleen\applic~1\OpenOffice.org2009-06-06 23:28 <DIR> --d----- c:\program files\JRE2009-06-06 23:27 <DIR> --d----- c:\program files\OpenOffice.org 32009-06-01 20:27 <DIR> --d----- c:\docume~1\charleen\applic~1\Ashampoo2009-06-01 20:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ashampoo2009-06-01 20:26 <DIR> --d----- c:\program files\Ashampoo2009-06-01 19:53 <DIR> --d----- C:\to copy2009-05-29 18:37 <DIR> --d-h--- C:\$AVG8.VAULT$2009-05-28 21:57 <DIR> --d----- c:\program files\Lavasoft==================== Find3M ====================2009-06-13 10:39 5,356 a------- c:\docume~1\charleen\applic~1\wklnhst.dat2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll2009-05-07 08:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll2009-05-05 17:42 34 a------- c:\documents and settings\charleen\jagex_runescape_preferences.dat2009-04-28 21:56 827,392 a------- c:\windows\system32\wininet.dll2009-04-28 21:56 827,392 -------- c:\windows\system32\dllcache\wininet.dll2009-04-28 21:56 233,472 -------- c:\windows\system32\dllcache\webcheck.dll2009-04-28 21:56 1,159,680 -------- c:\windows\system32\dllcache\urlmon.dll2009-04-28 21:56 671,232 -------- c:\windows\system32\dllcache\mstime.dll2009-04-28 21:56 105,984 -------- c:\windows\system32\dllcache\url.dll2009-04-28 21:56 102,912 -------- c:\windows\system32\dllcache\occache.dll2009-04-28 21:56 44,544 -------- c:\windows\system32\dllcache\pngfilt.dll2009-04-28 21:56 3,596,288 -------- c:\windows\system32\dllcache\mshtml.dll2009-04-28 21:56 477,696 -------- c:\windows\system32\dllcache\mshtmled.dll2009-04-28 21:56 193,024 -------- c:\windows\system32\dllcache\msrating.dll2009-04-28 02:05 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe2009-04-28 02:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe2009-04-24 22:27 636,088 -------- c:\windows\system32\dllcache\iexplore.exe2009-04-24 22:26 161,792 -------- c:\windows\system32\dllcache\ieakui.dll2009-04-17 05:26 1,847,168 a------- c:\windows\system32\win32k.sys2009-04-17 05:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys2009-04-15 07:51 585,216 a------- c:\windows\system32\rpcrt4.dll2009-04-15 07:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll2008-11-14 18:28 66,360 a------- c:\documents and settings\charleen\g2ax_customer_downloadhelper_win32_x86.exe2008-03-13 20:31 61,224 a------- c:\documents and settings\charleen\GoToAssistDownloadHelper.exe2007-10-15 14:47 774,144 a------- c:\program files\RngInterstitial.dll2008-11-03 13:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110320081104\index.dat============= FINISH: 19:52:17.42 ===============Thanks again for your continued patience and expertise!kf Link to post Share on other sites More sharing options...
negster22 Posted June 24, 2009 ID:92718 Share Posted June 24, 2009 Good job! We got rid of the malicious driver that was keeping the infection intact.Please follow the directions for posting a HJT log here:http://www.malwarebytes.org/forums/index.php?showtopic=9573Relaunch Malwarebytes' Anti-Malware (MBAM)Click the Update tab and Check for Updates- then wait for MBAM to updateClick the Scanner tab, and select Perform Quick scan, then click Scan.When the scan is complete, click OK -> Show Results to view the scan results.Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.When the scan is done, a log will open in Notepad with the scan results. Please post the results in your next reply.Please post back a HJT log and your MBAM log. Link to post Share on other sites More sharing options...
kitfox Posted June 24, 2009 Author ID:92746 Share Posted June 24, 2009 Negster, Tell ya what, this is looking a whole lot better than I've seen before. I actually think I'm about ready to give it back with confidence that it will be healthy until.... Lets hope they don't do this again! But it is really a matter of time I suppose. I'd have just reformatted if it wasn't for all your help.Malwarebytes' Anti-Malware 1.38Database version: 2327Windows 5.1.2600 Service Pack 36/23/2009 11:01:15 PMmbam-log-2009-06-23 (23-01-14).txtScan type: Quick ScanObjects scanned: 97708Time elapsed: 10 minute(s), 8 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)Logfile of Trend Micro HijackThis v2.0.2Scan saved at 8:48:22 PM, on 6/23/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16850)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\brss01a.exeC:\WINDOWS\system32\LEXBCES.EXEC:\WINDOWS\system32\LEXPPS.EXEC:\WINDOWS\system32\spoolsv.exeC:\PROGRA~1\AVG\AVG8\avgwdsvc.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\WINDOWS\system32\svchost.exeC:\PROGRA~1\AVG\AVG8\avgemc.exeC:\PROGRA~1\AVG\AVG8\avgrsx.exeC:\PROGRA~1\AVG\AVG8\avgnsx.exeC:\Program Files\AVG\AVG8\avgcsrvx.exeC:\WINDOWS\system32\Ati2evxx.exeC:\Program Files\AVG\AVG8\avgcsrvx.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\NOTEPAD.EXEC:\PROGRA~1\AVG\AVG8\avgtray.exeC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\WINDOWS\system32\ctfmon.exeC:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exeC:\WINDOWS\system32\notepad.exeC:\WINDOWS\system32\notepad.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lego.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dllR3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dllO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dllO2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dllO2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dllO3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dllO4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exeO4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeO4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quietO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO8 - Extra context menu item: &Search - ?p=ZUxdm486YYUSO9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptopO16 - DPF: {1D082E71-DF20-4AAF-863B-596428C49874} (TPIR Control) - http://www.worldwinner.com/games/v50/tpir/tpir.cabO16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dllO16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187060500000O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cabO16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v57/wof/wof.cabO16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocxO16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cabO16 - DPF: {C56BF45D-4722-4EFD-AA14-9DB1E92661E3} - http://coke.mycokerewards.com/cabs/CocaCola_1_0_0_9.cabO16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://coke.mycokerewards.com/cabs/Entriq_...0_15_Silent.cabO16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cabO16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exeO16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbc/TrueInstallSBC.exeO18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dllO20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dllO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exeO23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exeO23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exeO23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXEO23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exeO23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE--End of file - 7938 bytesLooking better, isn't it!? KF Link to post Share on other sites More sharing options...
negster22 Posted June 24, 2009 ID:92830 Share Posted June 24, 2009 Looking better, isn't it!?Absolutely!! I'll be back after work with some final steps. I lost my internet access (cable) but now it's back, so check back a little later. Link to post Share on other sites More sharing options...
negster22 Posted June 25, 2009 ID:92944 Share Posted June 25, 2009 Hi kitfox,We're almost wrapped up now...Can you please upload the malicious files that Avenger removed to my collection channel - to do that:Go to the upload page herehttp://www.bleepingcomputer.com/submit-mal....php?channel=75Browse to this fileC:\avenger\backup.zipSelect the file, then click OpenClick "Send File".Scan with HijackThis by clicking the "Do a System scan only" button and place a checkmark next to the following items. Close ALL other windows and browsers except HijackThis. Click "Fix Checked".R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)O8 - Extra context menu item: &Search - ?p=ZUxdm486YYUSO14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptopReboot and post a new HJT log in your next reply.Please perform a scan with the ESET online virus scanner. You can expect some detections in Avenger's quarantine and system volume information. They will not represent active malware so don't worry:http://www.eset.com/onlinescan/index.phpESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs. Please disable your antivirus's Guard and any antispyware or HIPS programs you are running.Use Internet Explorer to navigate to the scanner website because you must approve install an ActiveX add-on to complete the scan.Check the "Yes, I accept the terms of use" box.Click "Start"Check the boxes the following two boxes:enable "Remove found threats"Scan unwanted applications[*]Click the Scan button to begin scanning.[*]When the scan is done the log is automatically saved. To retrieve itClose the ESET scan Window.Now open a run line by clicking Start >> Run...Copy/paste "C:\Program Files\EsetOnlineScanner\log.txt" ino the Open box:The Scan results will now display in Notepad[*]Please copy and paste the ESET scan report that can be found in this locationC:\Program Files\EsetOnlineScanner\log.txt into your next replyNote to Vista users and anyone with restrictive IE security settings: Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then uncheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE7 Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.Please post back the ESET scan report and a new HJT log. Link to post Share on other sites More sharing options...
kitfox Posted June 26, 2009 Author ID:93267 Share Posted June 26, 2009 HJT:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 4:25:16 PM, on 6/25/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16850)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\brsvc01a.exeC:\WINDOWS\system32\LEXBCES.EXEC:\WINDOWS\system32\brss01a.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\LEXPPS.EXEC:\PROGRA~1\AVG\AVG8\avgwdsvc.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\WINDOWS\system32\svchost.exeC:\PROGRA~1\AVG\AVG8\avgemc.exeC:\PROGRA~1\AVG\AVG8\avgrsx.exeC:\PROGRA~1\AVG\AVG8\avgnsx.exeC:\Program Files\AVG\AVG8\avgcsrvx.exeC:\Program Files\AVG\AVG8\avgcsrvx.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\wuauclt.exeC:\PROGRA~1\AVG\AVG8\avgtray.exeC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\WINDOWS\system32\ctfmon.exeC:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lego.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dllO2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dllO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dllO2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dllO2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dllO3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dllO4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exeO4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeO4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quietO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {1D082E71-DF20-4AAF-863B-596428C49874} (TPIR Control) - http://www.worldwinner.com/games/v50/tpir/tpir.cabO16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dllO16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187060500000O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cabO16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v57/wof/wof.cabO16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocxO16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cabO16 - DPF: {C56BF45D-4722-4EFD-AA14-9DB1E92661E3} - http://coke.mycokerewards.com/cabs/CocaCola_1_0_0_9.cabO16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://coke.mycokerewards.com/cabs/Entriq_...0_15_Silent.cabO16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cabO16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exeO16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbc/TrueInstallSBC.exeO18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dllO20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dllO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exeO23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exeO23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exeO23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXEO23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exeO23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE--End of file - 7505 bytesESET: C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eZulaHotText.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined_________________________________________________________See anything else, Negster? Amazing how well some of this malware can hide, by design of course. Takes a lot of dedication- or passion as you describe it to be willing to spend so much effort tracking this garbage down. And to just gain the knowledge you have to know what to do next. I describe myself as mostly a "semi-serious dabbler" in all of this. You've showed me a number of excellent tools, though I must confess that half or more I lack enough knowledge to get too much benefit from. But it still remains a step forward. I have been online as a user since just before the 56k modem- and people like you- conscientious, determined, and selfless- are too few & far between- but we'd be sunk without your kind. Thanks again! I'll likely get a plate of gourmet cookies out of this for my efforts, and I'd gladly share with you if I knew how to send them to you. Your knowledge is what brought the success.Oh, btw- the "08- extra context menu item..." seems to have morphed a little. I killed it anyway- good, bad, or indifferent.So this MBAM report which initially kept steering me to a non-existent location was symptomatic of an entirely different infection than the Vundo family, or was this a variant? Or should I say infections-(plural)? Seems like a bunch more stuff than I naively expected, at least. (few of us watch how many things our malware software actually do- most scarcely pay attention to even the list of infections removed I imagine) I'd be most interested in hearing the results of what you boil down out of all this if you'd care to post a summary at least. Also, it appears that what was the hot freeware tools a few years ago keeps getting eclipsed by newer & better tools. Do you have any recommendations for any anti-virus & other anti-malware tools which just stand out above all others in addition to MBAM? We use Trend at work which I can bring home I understand- but no one tool is complete. This keeping a computer healthy is not getting any easier these days, is it? And times like this require the rolling up of sleeves and a bunch of manual work. Or reformatting as many do. The scope of this problem is dizzying. A form of terrorism one might argue when one calculates the cost of global damage done.Again, thank you!Kitfox Link to post Share on other sites More sharing options...
negster22 Posted June 27, 2009 ID:93560 Share Posted June 27, 2009 Good job, kitfox! Your computer is clean now. Next, we'll get rid of your infected system restore data.Flush your system restore points so you have a suitable backup should you need to restore your system files: Turn off System Restore: On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. Check Turn off System Restore. Click Apply, and then click OK. Reboot Turn System Restore back on: On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. UN-Check *Turn off System Restore*. Click Apply, and then click OK.=================================Here are some additional measures you should take to keep your system in good working order and ensure your continued security.1. Scan your system for outdated versions of commonly used software applications that may also cause your PC be vulnerable, using the Secunia Online Software Inspector (OSI)Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs. Note: If your firewall prompts you about access, allow it.2. I'd like you to rehide your system files and folders again by reversing the steps in my first reply.3. Keep MBAM as an on demand scanner because I highly recommend it, and the quick scan will find most all active malware in minutes.4. You can reduce your startups by downloading Malwarebyte's StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then, check the options you would like based on the descriptions provided, then select continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer. Finally, please follow the suggestions offered by Tony Klein in How did I get infected in the first place. so you can maintain a safe and secure computing environment. You asked about what I use on my computer or recommend. I like to run a lean system securitywise to keep its performance relatively high:Antivirus - ESET Nod32Antispyware/Antimalware - MBAMWinPatrol - System Monitor ( light on resources)SpywareBlasterI also like Avira Antivir antivirus which has the advantage of being free for home users.MIcrosoft just released the Beta version of Microsoft Security Essentials (formerly code name Morro) which is an antimalware freeware with a small footprint so I plan on testing that fairly soon.I also am very fond of using the Microsoft (formerly Sysinternals) Toolset (freeware) such as Process Explorer, Autoruns, TCPView, Sigcheck, and more recently I've been investigating Process Monitor which is similar to a combination of Process Explorer, Filemon, and Regmon. As you so very well put it, malware is becoming increasing more crafty - finding new obscure launch points, and going stealth. Many infections have morphing components, watch dog type processes and multiple load points.MBAM detected your infection using heuristics, and it did it quite well. Since Vundo typically loads infected DLLs via BHO and Notify keys, MBAM essentially identified your infection as having Vundo like behavior (Vundo.H where H stands for heuristic). What it didn't identify was the rootkit driver that held the infection in place. It does a good job of detecting most variants of this type rootkit driver, which most antivirus are routinely fooled by and have difficulty identifying. Link to post Share on other sites More sharing options...
Recommended Posts