Jump to content

Recommended Posts

hello,

i am quite new to this so i apologise if i'm just wasting folks time.

anyway a trojan virus called win32trojandss has been detected on my pc, i have tried running MBAM but it does not run so i uninstalled followed the advice in a previous post as regards to it not running but still it did not work i also tried renaming it as winlogon but this too failed so i'm just gonna post my HJT log an hope that someone can help.

cheers

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:35:09, on 19/07/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16850)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Internet Explorer\Iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\sm56hlpr.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\PROGRA~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe

C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\O2\bin\sprtcmd.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\QuickTime\QTTask.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\Program Files\O2\bin\sprtsvc.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\eHome\ehmsas.exe

D:\Documents and Settings\mr_goines\Desktop\winlogon.exe

D:\DOCUME~1\MR_GOI~1\LOCALS~1\Temp\is-MJUC5.tmp\winlogon.tmp

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\APPS\IE\offline\uk.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = file://C:\APPS\IE\offline\uk.htm

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\win32room.exe,

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [sMSERIAL] sm56hlpr.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [Vade Retro Outlook Express] "C:\PROGRA~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe"

O4 - HKLM\..\Run: [ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [O2] "C:\Program Files\O2\bin\sprtcmd.exe" /P O2

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin

O4 - HKLM\..\Run: [internat] C:\WINDOWS\internat.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

O4 - HKCU\..\Run: [Cognac] D:\DOCUME~1\MR_GOI~1\LOCALS~1\Temp\b.exe

O4 - HKCU\..\Run: [AntiMalware_ProNET] C:\Program Files\AntiMalware_Pro\AntiMalware_Pro.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: SupportSoft Sprocket Service (O2) (sprtsvc_O2) - SupportSoft, Inc. - C:\Program Files\O2\bin\sprtsvc.exe

O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--

End of file - 8706 bytes

Link to post
Share on other sites

Hello goinsey and welcome to MalwareBytes forums.

This system has the fake (rogue) AntiMalware Pro as one of the definite infections. Please follow my guidance and do not make any changes/additions to your system; nor run anything without checking here with me first.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

These steps are for this member only. If you are a casual observer, do NOT try this on your system!

If at any point, if you have a question or problem, STOP & make a post to the forum.

Also, do not run or start any other programs while these utilities and tools are in use!

Please do NOT run any other tools on your own or do any fixes other than what is listed here.

=

Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

=

Right click on the Ad-Watch icon in the system tray.

At the bottom of the screen there will be two checkable items called "Active" and "Automatic".

Active: This will turn Ad-Watch On\Off without closing it.

Automatic: Suspicious activity will be blocked automatically.

Uncheck both of those boxes.

=

1. Go Here and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

=

Next, Take out the trash (temporary files & temporary internet files)

Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.

Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

ATF-Cleaner should be run per the above in every user-login account {User Profile}

=

Close all browsers and all other programs that you have started.

Start HijackThis. Look for these lines and place a checkmark against each of the following, if still present

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKCU\..\Run: [Cognac] D:\DOCUME~1\MR_GOI~1\LOCALS~1\Temp\b.exe

O4 - HKCU\..\Run: [AntiMalware_ProNET] C:\Program Files\AntiMalware_Pro\AntiMalware_Pro.exe

Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer (& or any other window) is closed when you click Fix Checked!

=

Next, Download and SAVE this file -- to your Desktop -- (Do NOT run the file straight away from download) from any one of these sources:

Link 1

Link 2

Link 3

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines:

KILLALL::
Driver::AntiMalware_ProNETCognac
File::C:\Program Files\AntiMalware_Pro\AntiMalware_Pro.exeD:\Documents and Settings\mr_goines\Desktop\winlogon.exeD:\Documents and Settings\mr_goines\Temp\is-MJUC5.tmp\winlogon.tmpD:\Documents and Settings\mr_goines\LOCAL Settings\Temp\b.exe
Folder::C:\Program Files\AntiMalware_ProC:\recyclerD:\recyclere:\recyclerf:\recyclerg:\recyclerh:\recycler

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown:

CFScript.gif

  • :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Do not run ComboFix more than once :!:

=

Once Complete, reboot! :!:

Next, download & save Malwarebytes Anti-Malware from

http://www.download.com/Malwarebytes-Anti-..._4-10804572.htm or

http://www.besttechie.net/tools/mbam-setup.exe or

http://malwarebytes.gt500.org/mbam.jsp

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.

click OK to either and let MBAM proceed with the disinfection process.

If asked to restart the computer, please do so immediately.

Run Hijackthis

Then close all windows/applications/browsers and run hijackthis, saving the log.

After following the above, post back with

  • 1. Contents of C:\Combofix.txt;
    2. New Hijackthis log;
    3. the MBAM scan log
    4. Tell me, How is your system now ?

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You'll likely have to do more than 1 reply.

Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

There will be more to do later.

Link to post
Share on other sites

thank you for the assist,

here are the logs

combofix

ComboFix 09-07-19.04 - mr_goines 20/07/2009 10:39.2.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.502 [GMT 1:00]

Running from: d:\documents and settings\mr_goines\Desktop\ComboFixed.exe

Command switches used :: d:\documents and settings\mr_goines\Desktop\CFscript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::

"c:\program files\AntiMalware_Pro\AntiMalware_Pro.exe"

"d:\documents and settings\mr_goines\Desktop\winlogon.exe"

"d:\documents and settings\mr_goines\LOCAL Settings\Temp\b.exe"

"d:\documents and settings\mr_goines\Temp\is-MJUC5.tmp\winlogon.tmp"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\recycler

c:\windows\Installer\4e3b58.msp

c:\windows\Installer\4e3b59.msp

c:\windows\Installer\56659.msi

c:\windows\Installer\WMEncoder.msi

c:\windows\kb913800.exe

c:\windows\system32\drivers\UACmlrqqtgepxdynsbpf.sys

c:\windows\system32\MSVolumeAMP.dll

c:\windows\system32\msxml71.dll

c:\windows\system32\UACbodulkdnhlvymujel.dll

c:\windows\system32\UACgmhsqbijnlrmgjcxj.db

c:\windows\system32\uacinit.dll

c:\windows\system32\UACkhbobuypulfnaqjow.dll

c:\windows\system32\UACndebxdjdlbojnmteg.dll

c:\windows\system32\UACnkdktltxqbxuwkkyp.dll

c:\windows\system32\UACviydumwjjqibotkeh.dll

c:\windows\system32\UACvxhmsiltqtoexrpbr.dat

d:\documents and settings\mr_goines\Desktop\winlogon.exe

D:\recycler

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-06-20 to 2009-07-20 )))))))))))))))))))))))))))))))

.

2009-07-20 09:08 . 2009-07-20 09:08 -------- d-----w- c:\program files\ERUNT

2009-07-19 14:09 . 2009-07-19 14:09 54 ----a-w- c:\windows\system32\rp_stats.dat

2009-07-19 14:09 . 2009-07-19 14:09 39 ----a-w- c:\windows\system32\rp_rules.dat

2009-07-19 14:01 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-07-19 14:01 . 2009-03-24 15:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-07-19 14:01 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-07-19 14:01 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-07-19 14:01 . 2009-07-19 14:01 -------- d-----w- d:\docume~1\ALLUSE~1\APPLIC~1\Avira

2009-07-19 14:01 . 2009-07-19 14:01 -------- d-----w- c:\program files\Avira

2009-07-19 13:43 . 2009-07-19 13:44 -------- d-----w- c:\program files\WinAce

2009-07-19 13:36 . 2009-07-13 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-19 13:31 . 2009-07-13 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-18 11:06 . 2009-07-18 11:34 -------- d-----w- d:\documents and settings\All Users\AVP 2009

2009-07-17 17:28 . 2009-07-17 17:28 -------- d-----w- d:\documents and settings\NetworkService\Local Settings\Application Data\Apple

2009-07-14 19:30 . 2009-07-14 19:30 -------- d-----w- d:\documents and settings\mr_goines\Application Data\Template

2009-07-06 07:34 . 2009-07-06 07:34 8 ----a-w- c:\windows\system32\CtSACKey.sys

2009-07-04 12:50 . 2009-07-04 12:50 -------- d-----w- d:\documents and settings\mr_goines\Local Settings\Application Data\PunkBuster

2009-07-03 14:41 . 2009-07-03 14:41 794408 ----a-w- c:\windows\system32\pbsvc.exe

2009-06-24 12:02 . 2009-06-25 15:25 -------- d-sh--w- c:\windows\system32\xors32

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-19 13:36 . 2009-05-16 10:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-07-19 12:50 . 2009-04-20 20:20 -------- d-----w- c:\program files\Java

2009-07-17 20:30 . 2009-07-17 20:30 1063497 ----a-w- c:\windows\system32\rn.tmp

2009-07-15 20:43 . 2009-07-14 19:30 482 ----a-w- d:\documents and settings\mr_goines\Application Data\wklnhst.dat

2009-07-06 20:14 . 2009-06-10 11:42 139016 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2009-07-06 20:13 . 2009-06-10 11:36 189488 ----a-w- c:\windows\system32\PnkBstrB.exe

2009-07-06 17:20 . 2009-04-20 13:31 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-07-03 14:41 . 2009-07-03 14:41 139152 ----a-w- d:\documents and settings\mr_goines\Application Data\PnkBstrK.sys

2009-07-03 14:41 . 2009-06-10 11:35 75064 ----a-w- c:\windows\system32\PnkBstrA.exe

2009-07-03 14:34 . 2009-05-04 15:10 -------- d-----w- c:\program files\EA GAMES

2009-07-03 14:19 . 2009-06-10 10:29 -------- d-----w- c:\program files\Electronic Arts

2009-07-03 13:30 . 2009-06-02 10:42 -------- d-----w- c:\program files\Creative

2009-06-26 10:21 . 2009-04-20 13:31 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-06-16 14:36 . 2004-09-10 13:57 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2004-09-10 13:57 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-12 08:53 . 2009-06-12 08:53 -------- d-----w- d:\documents and settings\mr_goines\Application Data\CyberLink

2009-06-12 08:50 . 2009-05-02 20:02 -------- d-----w- d:\documents and settings\mr_goines\Application Data\dvdcss

2009-06-10 18:35 . 2009-06-10 18:35 -------- d-----w- d:\documents and settings\mr_goines\Application Data\AdobeUM

2009-06-10 10:29 . 2009-04-20 20:20 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-06-09 11:00 . 2009-06-09 11:00 -------- d-----w- d:\documents and settings\mr_goines\Application Data\Apple Computer

2009-06-06 13:38 . 2009-06-06 13:38 -------- d--h--r- d:\documents and settings\mr_goines\Application Data\SecuROM

2009-06-06 13:38 . 2009-06-06 13:38 107888 ----a-w- c:\windows\system32\CmdLineExt.dll

2009-06-03 19:09 . 2004-09-10 13:57 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-06-02 13:51 . 2009-06-02 12:34 -------- d-----w- d:\documents and settings\mr_goines\Application Data\Creative

2009-06-02 12:34 . 2009-06-02 12:34 -------- d-----w- d:\docume~1\ALLUSE~1\APPLIC~1\Creative

2009-05-28 10:32 . 2009-05-07 10:45 15688 ----a-w- c:\windows\system32\lsdelete.exe

2009-05-27 18:42 . 2009-04-20 20:28 112640 ----a-w- d:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-05-27 18:25 . 2009-04-20 20:20 -------- d-----w- c:\program files\Common Files\Adobe

2009-05-27 18:24 . 2009-05-27 18:24 -------- d-----w- c:\program files\Adobe Media Player

2009-05-27 18:20 . 2009-05-27 18:20 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-05-27 17:54 . 2009-05-27 17:54 -------- d-----w- c:\program files\7-Zip

2009-05-23 11:22 . 2009-05-23 11:22 -------- d-----w- c:\program files\SystemRequirementsLab

2009-05-23 11:22 . 2009-05-23 11:22 -------- d-----w- d:\documents and settings\mr_goines\Application Data\SystemRequirementsLab

2009-05-18 10:32 . 2009-05-07 10:31 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys

2009-05-07 15:32 . 2004-09-10 13:57 345600 ----a-w- c:\windows\system32\localspl.dll

2009-05-04 08:39 . 2009-04-20 13:31 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-05-04 08:39 . 2009-04-20 13:31 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-04-29 04:56 . 2004-09-10 13:57 827392 ----a-w- c:\windows\system32\wininet.dll

2009-04-29 04:55 . 2004-09-10 13:57 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-04-24 08:57 . 2004-09-10 14:36 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-06-15 13:47 . 2009-04-20 13:09 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-04-11 13524992]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-20 148888]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-05-19 26112]

"Vade Retro Outlook Express"="c:\progra~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe" [2004-10-04 310272]

"Ulead AutoDetector v2"="c:\program files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-11-26 90112]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-04-11 86016]

"O2"="c:\program files\O2\bin\sprtcmd.exe" [2008-03-28 198184]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"SMSERIAL"="sm56hlpr.exe" - c:\windows\sm56hlpr.exe [2005-10-18 557056]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-04-11 1630208]

"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-07 61952]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2005-12-09 15691264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-05-04 08:39 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%ProgramFiles%\\AOL 9.0\\aol.exe"=

"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=

"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\O2\\bin\\wificfg.exe"=

"c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=

"c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=

"c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

"c:\\Program Files\\BitLord\\BitLord.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [07/05/2009 11:31 64160]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [20/04/2009 14:31 335752]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [20/04/2009 14:31 108552]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [19/07/2009 15:01 108289]

R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [06/07/2009 18:20 907032]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [20/04/2009 14:31 298776]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06 1029456]

R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [07/06/2007 16:19 202280]

R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [19/05/2006 15:38 799744]

R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [19/05/2006 15:41 7040]

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeBridge - (no file)

HKLM-Run-internat - c:\windows\internat.exe

.

------- Supplementary Scan -------

.

uStart Page = file://c:\apps\IE\offline\uk.htm

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

FF - ProfilePath - d:\docume~1\MR_GOI~1\APPLIC~1\Mozilla\Firefox\Profiles\arzkf99p.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - plugin: d:\documents and settings\mr_goines\Application Data\Mozilla\Firefox\Profiles\arzkf99p.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-20 10:45

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

internat = c:\windows\internat.exe?_ ?|????? @????|????????????$???@???????????????h???????S

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Creative Detector = "c:\program files\Creative\MediaSource\Detector\CTDetect.exe" /R????????????????T??? SB~ative Tech\MediaSour????????p???????????(?l?,???????????????I??b??????D~??B~??????B~??B~(?l?????????h???6?C~??C~??l?????????????????6?C~????4?A~p???????????????6?C~???????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)

c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

.

Completion time: 2009-07-20 10:47

ComboFix-quarantined-files.txt 2009-07-20 09:46

Pre-Run: 6,656,143,360 bytes free

Post-Run: 6,610,034,688 bytes free

209

MBAM log

Malwarebytes' Anti-Malware 1.39

Database version: 2421

Windows 5.1.2600 Service Pack 3

20/07/2009 10:59:09

mbam-log-2009-07-20 (10-59-09).txt

Scan type: Quick Scan

Objects scanned: 96088

Time elapsed: 5 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\BlueRaTech (Trojan.DNSChanger) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

D:\Documents and Settings\All Users\AVP 2009 (Malware.Trace) -> Quarantined and deleted successfully.

Files Infected:

d:\documents and settings\all users\AVP 2009\1.dat (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

HJT LOG

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:03:21, on 20/07/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16850)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\Program Files\O2\bin\sprtsvc.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\sm56hlpr.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\PROGRA~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe

C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\O2\bin\sprtcmd.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\APPS\IE\offline\uk.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = file://C:\APPS\IE\offline\uk.htm

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [sMSERIAL] sm56hlpr.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [Vade Retro Outlook Express] "C:\PROGRA~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe"

O4 - HKLM\..\Run: [ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [O2] "C:\Program Files\O2\bin\sprtcmd.exe" /P O2

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: SupportSoft Sprocket Service (O2) (sprtsvc_O2) - SupportSoft, Inc. - C:\Program Files\O2\bin\sprtsvc.exe

O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--

End of file - 8384 bytes

Link to post
Share on other sites

Your logs show 2 antivirus apps installed: AVG & Avira AntiVir. Make a selection of one to keep and de-install the other. Having 2 active AVs leads to conlicts. Make your choice. De-install one of them and then logoff and restart system fresh.

My inclination is to recommend you keep Avira AntiVir.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference! Perhaps also save the file on your pc.

Next, Please download and run the Trend Micro Sysclean Package on your computer.

NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.

  • Create a brand new folder to copy these files to.
  • As an example: C:\DCE
  • Then open each of the zipped archive files and copy their contents to C:\DCE
  • Copy the file sysclean.com to the new folder C:\DCE as well.
  • Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.
    After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.

How To Use Compressed (Zipped) Folders in Windows XP

Compress and uncompress files (zip files) in Vista

=

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference! Perhaps also save the file on your pc.

Close all browsers and all open windows & programs.

1. Please download SmitfraudFix (by S!Ri) and SAVE it to your Desktop.

excl.gifIt's very important that you be using the most recent version (v2.423 as of this post).

2. Reboot into Safe Mode (Restart your computer, then continually tap F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. More at http://service1.symantec.com/SUPPORT/tsgen...001052409420406.)

3. Once in Safe Mode:

Double click the SmitFruadfix.exe file. It will create a folder named SmitfraudFix) on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd

Have plenty of patience as a Command prompt window opens. You'll eventually see a message and a "press any key to continue".

Press the space bar or any other key on the keyboard.

4. Select option #2 - Clean by typing 2 and pressing Enter to delete infected files.

5. You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer "Yes" by typing Y and pressing Enter in order to remove the desktop background and clean registry keys associated with the infection.

6. The tool will then check if wininet.dll is infected. If prompted to replace the infected file (if found), answer "Yes" by typing Y and pressing Enter.

7. The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

8. A text file will appear onscreen with results from the cleaning process. Please copy/paste the content of that report into your next reply.

The report also may be found at the root of the system drive, usually at C:\rapport.txt

Notes:

  • process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. More on this at http://www.beyondlogic.org/consulting/proc...processutil.htm
  • Running option #2 on a non-infected computer will remove your Desktop background. No need to worry, you were infected

Reply with copy of the Sysclean log

and the C:\Rapport.txt

and tell me, How is your system now ?

Link to post
Share on other sites

Sorry for the delay here are the logs,

thank you again and everything seems fine at the moment.

2009-07-22, 11:05:21, Auto-clean mode specified.

2009-07-22, 11:05:21, Initialized Rootkit Driver version 2.2.0.1004.

2009-07-22, 11:05:21, Running scanner "D:\Documents and Settings\mr_goines\Desktop\sysclean package\TSC.BIN"...

2009-07-22, 11:05:45, Scanner "D:\Documents and Settings\mr_goines\Desktop\sysclean package\TSC.BIN" has finished running.

2009-07-22, 11:05:45, TSC Log:

Link to post
Share on other sites

The Sysclean results show nothing as far as malwares & the SmitFraudfix result is good as well.

I'd like for you to do some follow-ups and get a new HJT log for review.

Close and save any open documents or programs you have running.

Place your USB flash drives in-place so that some of these programs will be able to find them.

I'm going to have you get and run two utilities.

The first stops automatic use of the AutoRun feature of XP. The second will write to any connected devices a Read-only, System protected Autorun.inf file on all of your hard drives, and all connected removable storage devices.

Download and Install Microsoft's TweakUI:

http://www.microsoft.com/windowsxp/downloa...ppowertoys.mspx

Obtain and install TweakUI (part of the PowerToys for Windows XP package), and then start TweakUI.

Expand the My Computer branch, then the AutoPlay branch, and then select Drives.

Turn off the checkbox next to every drive letter to disable AutoPlay -- except your CD/DVD drive letters.

Download and run "Flash Drive Disinfector" by sUBs. It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.

http://download.bleepingcomputer.com/sUBs/...Disinfector.exe

There is no GUI interface or log file produced.

=

Next, Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe

  • Please double-click OTL.exe otlDesktopIcon.png to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :filesD:\Documents and Settings\All Users\AVP 2009C:\recyclerD:\recyclere:\recyclerf:\recyclerg:\recyclerh:\recycler
    :Commands[purity][emptytemp]


  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

=

This system has an old version of Java Run-time.

Uninstall jre1.6 (or any earlier) + any other (JRE Runtime Environment ) Sun Java package via Add/Remove Programs.

If you see any other Java versions there,

such as

J2SE Runtime Environment 5.0

Java SE Runtime Environment

Java 6

uninstall all of them. After uninstalling, reboot if directed to do so.

In Windows Explorer, navigate to and delete C:\Program Files\Java <=this folder, if found.

  • Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Open an IE window and go to http://java.sun.com/javase/downloads/index.jsp

> In top of the page ( 5th in the list), click on the Download button to the right of (JRE) 6 Update 14

> If Information Bar pop-ups up, right-click on it and say it's OK to display the blocked content; You do not have to install the Java Web Start ActiveX Control

> Accept the license agreement

> Click on Windows Offline Installation, Multi-language and Save the file to your desktop; do not Run it.

When the download is complete, close all browser windows and double-click on the saved file to install the update.

  • Tip: Choose Custom install to select only the part(s) you need/want.

Delete the downloaded installation file after completing the above procedure and reboot if prompted to do so.

If you were /not/ prompted to reboot, please do so now.

To test your Java Run-time, you may go to this page http://www.java.com/en/download/help/testvm.xml

When all is well, you should see Java Version: 1.6.0_14 from Sun Microsystems Inc.

=

Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

eusa_hand.gifIf one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.

=

Next, Start HijackThis. Do a Scan and Save log.

Reply with copies of contents of OTL MovedFiles log

Checkup.txt

and the new HJT log

and advise me, which antivirus program you decided to keep

and How is your system now ?

Link to post
Share on other sites

  • 2 weeks later...
  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.