Trojan.Hiloti & crew are back


Hi,

Malwarebytes is detecting Trojan.Hiloti, Trojan.Dropper and Backdoor Agent every other day after successful removal.

Please see attached HijackThis Log.

Lately, I have been seeing a Java message update while browsing and a remote file (b4g4.cz.cc) trying to update something on my computer.

  • Staff

Hi and welcome to Malwarebytes.

In the future please post all logs directly into your reply instead of attaching them.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post DDS.txt directly into your reply.

Hi & Many thanks

MBAM Log:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5405

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

27/12/2010 23:11:46

mbam-log-2010-12-27 (23-11-46).txt

Scan type: Quick scan

Objects scanned: 166898

Time elapsed: 31 minute(s), 13 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

--------------------------------------------------

DDS.txt:

DDS (Ver_10-12-12.02) - NTFSx86

Run by Comet at 9:53:05.45 on 28/12/2010

Internet Explorer: 8.0.6001.18702

============== Running Processes ===============

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\Tall Emu\Online Armor\OAcat.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Tall Emu\Online Armor\oasrv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Tall Emu\Online Armor\oaui.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\HPQ\SHARED\HPQWMI.exe

C:\Program Files\Tall Emu\Online Armor\OAhlp.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe

C:\Documents and Settings\Comet\Desktop\dds.scr

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k bthsvcs

C:\WINDOWS\system32\svchost.exe -k imgsvc

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/ig?hl=en

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html

uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/

uInternet Settings,ProxyOverride = 127.0.0.1;*.local

uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: BHOManager Class: {474264bc-9571-47c1-85b9-780f756dc9ce} - c:\windows\system32\BHOManager.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll

BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll

TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [soundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe

mRun: [AGRSMMSG] AGRSMMSG.exe

mRun: [Apoint] c:\program files\apoint2k\Apoint.exe

mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe

mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe

mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe

mRun: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\oaui.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\progra~1\yahoo!\messen~1\ypager.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

Trusted Zone: premierinn.com\bookings

Trusted Zone: yahoo.com

Trusted Zone: yahoo.com\login

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://site.ebrary.com/pub/mcgraw-hill/support/plugins/ebraryRdr.cab

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab

DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183664200281

DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab

DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} - hxxp://mylaptop:8080/qcbin/Spider90.ocx

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

Notify: igfxcui - igfxsrvc.dll

SEH: ShHook Class: {a5949e07-8536-4625-a3d0-2dd83f559990} - c:\windows\system32\ShellHook.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll

============= SERVICES / DRIVERS ===============

R? FLASHREADER;%FLASHREADER.SvcDesc%

R? gupdate;Google Update Service (gupdate)

R? TDService;TDService

R? WinDefend;Windows Defender

S? avg9wd;AVG Free WatchDog

S? AvgLdx86;AVG AVI Loader Driver x86

S? AvgMfx86;AVG On-access Scanner Minifilter Driver x86

S? AvgTdiX;AVG Free Network Redirector

S? MySQL51;MySQL51

S? OAcat;Online Armor Helper Service

S? OADevice;OADriver

S? OAmon;OAmon

S? OAnet;OAnet

S? paldrv;paldrv

S? SvcOnlineArmor;Online Armor

=============== Created Last 30 ================

2010-12-25 07:37:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\RegCure

2010-12-25 06:29:01 200704 ----a-w- c:\windows\system32\vbalExpBar6.ocx

2010-12-25 06:29:00 44544 ----a-w- c:\windows\system32\GIF89.DLL

2010-12-25 06:28:54 15360 ----a-w- c:\windows\system32\inetfr.DLL

2010-12-25 06:28:54 141312 ----a-w- c:\windows\system32\MSCMCFR.DLL

2010-12-25 06:28:54 119568 ----a-w- c:\windows\system32\VB6FR.DLL

2010-12-25 06:28:53 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL

2010-12-25 06:28:53 -------- d-----w- c:\program files\Free Easy Burner

2010-12-25 06:28:53 -------- d-----w- c:\docume~1\comet\applic~1\FreeBurner

2010-12-15 11:40:42 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys

2010-12-15 11:37:51 45568 ------w- c:\windows\system32\dllcache\wab.exe

2010-12-04 15:33:12 -------- d-----w- c:\program files\List Generator

2010-12-04 10:50:55 -------- d-----w- c:\docume~1\comet\applic~1\code128java

2010-12-04 10:28:11 -------- d-----w- c:\docume~1\comet\locals~1\applic~1\CSomar_Tech

2010-12-04 10:27:24 -------- d-----w- c:\program files\Barcode Maker 2.6

2010-12-04 10:14:10 -------- d-----w- c:\program files\Barcode Generator

2010-12-04 10:11:42 -------- d-----w- c:\program files\Setup

2010-12-04 00:01:37 -------- d-----w- c:\program files\IDAutomation.com Word and Excel Add-in

==================== Find3M ====================

2010-12-04 10:13:37 249856 ------w- c:\windows\Setup1.exe

2010-12-04 10:13:36 73216 ----a-w- c:\windows\ST6UNST.EXE

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec

2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

2010-01-30 11:07:04 29456637 ----a-w- c:\program files\SweetHome3D-2.2-windows.exe

2010-01-28 13:10:25 693800 ----a-w- c:\program files\WindowsXP-Windows2000-Script56-KB917344-x86-enu.exe

2010-01-21 10:46:38 27386256 ----a-w- c:\program files\AdbeRdr930_en_US.exe

2010-01-20 19:22:50 3546726 ----a-w- c:\program files\npp.5.6.4.Installer.exe

2007-07-07 15:07:05 265376 ----a-w- c:\program files\chaosshredder.exe

2007-07-05 21:28:59 21640064 ----a-w- c:\program files\Nokia_PC_Suite_6_84_10_3_eng_web.exe

============= FINISH: 9:57:17.21 ===============

Hi,

Online Armor just detected an unknown program that wants to run on my computer:

035508565358097444.exe

At the same time I got an IE message:

"Do you want to allow this website to open a program on your computer?"

from: b4g4.cz.cc

---------------------------------

MBAM log after the above incident (Trojan.Hiloti again):

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5405

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

28/12/2010 11:32:47

mbam-log-2010-12-28 (11-32-47).txt

Scan type: Quick scan

Objects scanned: 167530

Time elapsed: 18 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\Comet\local settings\temp\0.35508565358097444.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.

Hi,

Could not uninstall AVG but managed to get it sorted.

Combofix Log:

ComboFix 10-12-28.03 - Comet 29/12/2010 23:36:22.6.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1014.453 [GMT 0:00]

Running from: c:\documents and settings\Comet\Desktop\ComboFix.exe

FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Comet\Local Settings\Application Data\{3E1E4A70-E00D-45D5-A3EE-9F67764F6FF1}

c:\documents and settings\Comet\Local Settings\Application Data\{3E1E4A70-E00D-45D5-A3EE-9F67764F6FF1}\chrome.manifest

c:\documents and settings\Comet\Local Settings\Application Data\{3E1E4A70-E00D-45D5-A3EE-9F67764F6FF1}\chrome\content\_cfg.js

c:\documents and settings\Comet\Local Settings\Application Data\{3E1E4A70-E00D-45D5-A3EE-9F67764F6FF1}\chrome\content\overlay.xul

c:\documents and settings\Comet\Local Settings\Application Data\{3E1E4A70-E00D-45D5-A3EE-9F67764F6FF1}\install.rdf

c:\documents and settings\Comet\System

c:\documents and settings\Comet\System\win_qs8.jqx

c:\windows\system32\Oeminfo.ini

E:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-29 )))))))))))))))))))))))))))))))

.

2010-12-29 23:03 . 2010-12-29 23:21 -------- d-----w- c:\documents and settings\Administrator

2010-12-29 22:42 . 2010-12-29 22:42 -------- d-----w- C:\AVGTemp

2010-12-25 07:37 . 2010-12-29 23:29 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure

2010-12-25 06:29 . 2006-11-18 11:38 200704 ----a-w- c:\windows\system32\vbalExpBar6.ocx

2010-12-25 06:29 . 1998-07-13 17:53 44544 ----a-w- c:\windows\system32\GIF89.DLL

2010-12-25 06:28 . 2000-10-01 18:00 119568 ----a-w- c:\windows\system32\VB6FR.DLL

2010-12-25 06:28 . 1998-07-12 22:00 15360 ----a-w- c:\windows\system32\inetfr.DLL

2010-12-25 06:28 . 1998-07-12 22:00 141312 ----a-w- c:\windows\system32\MSCMCFR.DLL

2010-12-25 06:28 . 2010-12-25 12:28 -------- d-----w- c:\program files\Free Easy Burner

2010-12-25 06:28 . 2010-12-25 06:30 -------- d-----w- c:\documents and settings\Comet\Application Data\FreeBurner

2010-12-25 06:28 . 1998-07-12 18:00 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL

2010-12-15 11:40 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys

2010-12-15 11:37 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe

2010-12-04 15:33 . 2010-12-04 15:33 -------- d-----w- c:\program files\List Generator

2010-12-04 10:50 . 2010-12-04 10:50 -------- d-----w- c:\documents and settings\Comet\Application Data\code128java

2010-12-04 10:28 . 2010-12-04 10:28 -------- d-----w- c:\documents and settings\Comet\Local Settings\Application Data\CSomar_Tech

2010-12-04 10:27 . 2010-12-04 10:27 -------- d-----w- c:\program files\Barcode Maker 2.6

2010-12-04 10:14 . 2010-12-04 10:43 -------- d-----w- c:\program files\Barcode Generator

2010-12-04 10:11 . 2010-12-04 10:11 -------- d-----w- c:\program files\Setup

2010-12-04 00:01 . 2010-12-04 22:37 -------- d-----w- c:\program files\IDAutomation.com Word and Excel Add-in

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-20 18:09 . 2010-02-28 14:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-20 18:08 . 2010-02-28 14:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-04 10:13 . 2007-03-26 20:32 249856 ------w- c:\windows\Setup1.exe

2010-12-04 10:13 . 2007-03-26 20:32 73216 ----a-w- c:\windows\ST6UNST.EXE

2010-11-18 18:12 . 2004-08-04 08:00 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-06 00:26 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:26 . 2004-08-04 08:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-11-06 00:26 . 2004-08-04 08:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-11-03 12:25 . 2004-08-04 08:00 385024 ----a-w- c:\windows\system32\html.iec

2010-11-02 15:17 . 2004-08-04 08:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys

2010-10-28 13:13 . 2004-08-04 08:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-10-26 13:25 . 2004-08-04 08:00 1853312 ----a-w- c:\windows\system32\win32k.sys

2010-01-30 11:07 . 2010-01-30 11:06 29456637 ----a-w- c:\program files\SweetHome3D-2.2-windows.exe

2010-01-28 13:10 . 2010-01-28 13:10 693800 ----a-w- c:\program files\WindowsXP-Windows2000-Script56-KB917344-x86-enu.exe

2010-01-21 10:46 . 2010-01-21 10:46 27386256 ----a-w- c:\program files\AdbeRdr930_en_US.exe

2010-01-20 19:22 . 2010-01-20 19:22 3546726 ----a-w- c:\program files\npp.5.6.4.Installer.exe

2007-07-07 15:07 . 2007-07-07 15:07 265376 ----a-w- c:\program files\chaosshredder.exe

2007-07-05 21:28 . 2007-07-05 21:28 21640064 ----a-w- c:\program files\Nokia_PC_Suite_6_84_10_3_eng_web.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-28 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-08 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-08 126976]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]

"AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 88209]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2005-02-08 159744]

"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 794624]

"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]

"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 57344]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2009-12-05 6622920]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"AvgUninstallURL"="start http:" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Service Manager.lnk - c:\program files\kunle ex\msdeBinn\MSSQL\Binn\sqlmaint.exe [2002-12-17 156224]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{A5949E07-8536-4625-A3D0-2DD83F559990}"= "c:\windows\system32\ShellHook.dll" [2006-02-21 45056]

"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-12-05 923336]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Audible Download Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Audible Download Manager.lnk

backup=c:\windows\pss\Audible Download Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk

backup=c:\windows\pss\BT Broadband Desktop Help.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SnagIt 8.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SnagIt 8.lnk

backup=c:\windows\pss\SnagIt 8.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]

2005-03-29 13:45 233534 ----a-w- c:\program files\HPQ\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]

2004-12-03 12:24 290816 ----a-w- c:\program files\HPQ\Quick Launch Buttons\eabservr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]

2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-04-28 14:06 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2006-01-12 16:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-03-17 20:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"iPodService"=3 (0x3)

"NBService"=3 (0x3)

"SQLSERVERAGENT"=3 (0x3)

"MSSQLServerADHelper"=3 (0x3)

"MSSQLSERVER"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [10/03/2010 19:18 223312]

R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [10/03/2010 19:18 24656]

R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [10/03/2010 19:18 29776]

R2 MySQL51;MySQL51;"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld" --defaults-file="c:\program files\MySQL\MySQL Server 5.1\my.ini" MySQL51 --> c:\program files\MySQL\MySQL Server 5.1\bin\mysqld [?]

R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [10/03/2010 19:18 1282248]

R2 paldrv;paldrv;c:\windows\system32\pal_drv.sys [25/09/2007 19:56 10951]

R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [10/03/2010 19:18 3291336]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [19/10/2010 16:52 136176]

S2 TDService;TDService;c:\progra~1\COMMON~1\MERCUR~1\TDAPIS~1\TDService.exe --> c:\progra~1\COMMON~1\MERCUR~1\TDAPIS~1\TDService.exe [?]

S3 FLASHREADER;%FLASHREADER.SvcDesc%;c:\windows\system32\drivers\CAUSB.SYS [04/12/2006 11:37 68164]

.

Contents of the 'Scheduled Tasks' folder

2010-12-28 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]

2010-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-19 16:52]

2010-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-19 16:52]

2010-12-29 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/ig?hl=en

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html

uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/

uInternet Settings,ProxyOverride = 127.0.0.1;*.local

uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

Trusted Zone: premierinn.com\bookings

Trusted Zone: yahoo.com

Trusted Zone: yahoo.com\login

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} - hxxp://mylaptop:8080/qcbin/Spider90.ocx

.

.

------- File Associations -------

.

.txt=

.

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

MSConfigStartUp-Motive SmartBridge - c:\progra~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

AddRemove-AviSynth - c:\program files\AviSynth 2.5\Uninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-12-29 23:51

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL51]

"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL51"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2010-12-29 23:59:18

ComboFix-quarantined-files.txt 2010-12-29 23:59

ComboFix2.txt 2010-03-13 22:28

Pre-Run: 20,598,431,744 bytes free

Post-Run: 22,289,321,984 bytes free

- - End Of File - - 559DB11C305D4CD7A440044518641463


DDS log:

DDS (Ver_10-12-12.02) - NTFSx86

Run by Comet at 1:22:07.07 on 30/12/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1014.414 [GMT 0:00]

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: Online Armor Firewall *Enabled*

============== Running Processes ===============

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Tall Emu\Online Armor\OAcat.exe

C:\Program Files\Tall Emu\Online Armor\oasrv.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG10\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\igfxtray.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Tall Emu\Online Armor\oaui.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\AVG\AVG10\avgtray.exe

C:\Program Files\Tall Emu\Online Armor\OAhlp.exe

C:\Program Files\HPQ\SHARED\HPQWMI.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\PROGRA~1\AVG\AVG10\avgrsx.exe

C:\Program Files\AVG\AVG10\avgcsrvx.exe

C:\Documents and Settings\Comet\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/ig?hl=en

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html

uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/

uInternet Settings,ProxyOverride = 127.0.0.1;*.local

uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll

BHO: BHOManager Class: {474264bc-9571-47c1-85b9-780f756dc9ce} - c:\windows\system32\BHOManager.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll

BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll

TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [soundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe

mRun: [AGRSMMSG] AGRSMMSG.exe

mRun: [Apoint] c:\program files\apoint2k\Apoint.exe

mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe

mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe

mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe

mRun: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\oaui.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe

mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallati...uot;ver=9.0.872

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\kunle ex\msdebinn\mssql\binn\sqlmaint.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\progra~1\yahoo!\messen~1\ypager.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

Trusted Zone: premierinn.com\bookings

Trusted Zone: yahoo.com

Trusted Zone: yahoo.com\login

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://site.ebrary.com/pub/mcgraw-hill/support/plugins/ebraryRdr.cab

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab

DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183664200281

DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab

DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} - hxxp://mylaptop:8080/qcbin/Spider90.ocx

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll

Notify: igfxcui - igfxsrvc.dll

SEH: ShHook Class: {a5949e07-8536-4625-a3d0-2dd83f559990} - c:\windows\system32\ShellHook.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2010-3-10 223312]

R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2010-3-10 24656]

R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2010-3-10 29776]

R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]

R2 MySQL51;MySQL51;"c:\program files\mysql\mysql server 5.1\bin\mysqld" --defaults-file="c:\program files\mysql\mysql server 5.1\my.ini" mysql51 --> c:\program files\mysql\mysql server 5.1\bin\mysqld [?]

R2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2010-3-10 1282248]

R2 paldrv;paldrv;c:\windows\system32\pal_drv.sys [2007-9-25 10951]

R2 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2010-3-10 3291336]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]

S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-23 6128208]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-19 136176]

S2 TDService;TDService;c:\progra~1\common~1\mercur~1\tdapis~1\tdservice.exe --> c:\progra~1\common~1\mercur~1\tdapis~1\TDService.exe [?]

S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-12-30 517448]

S3 FLASHREADER;%FLASHREADER.SvcDesc%;c:\windows\system32\drivers\CAUSB.SYS [2006-12-4 68164]

=============== File Associations ===============

.txt=

=============== Created Last 30 ================

2010-12-30 00:57:21 -------- d-----w- c:\docume~1\comet\applic~1\AVG10

2010-12-30 00:55:47 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files

2010-12-30 00:52:38 -------- d-----w- c:\windows\system32\drivers\AVG

2010-12-30 00:52:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10

2010-12-30 00:32:15 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData

2010-12-29 23:31:16 98816 ----a-w- c:\windows\sed.exe

2010-12-29 23:31:16 89088 ----a-w- c:\windows\MBR.exe

2010-12-29 23:31:16 256512 ----a-w- c:\windows\PEV.exe

2010-12-29 23:31:16 161792 ----a-w- c:\windows\SWREG.exe

2010-12-29 22:42:08 -------- d-----w- C:\AVGTemp

2010-12-25 07:37:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\RegCure

2010-12-25 06:29:01 200704 ----a-w- c:\windows\system32\vbalExpBar6.ocx

2010-12-25 06:29:00 44544 ----a-w- c:\windows\system32\GIF89.DLL

2010-12-25 06:28:54 15360 ----a-w- c:\windows\system32\inetfr.DLL

2010-12-25 06:28:54 141312 ----a-w- c:\windows\system32\MSCMCFR.DLL

2010-12-25 06:28:54 119568 ----a-w- c:\windows\system32\VB6FR.DLL

2010-12-25 06:28:53 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL

2010-12-25 06:28:53 -------- d-----w- c:\program files\Free Easy Burner

2010-12-25 06:28:53 -------- d-----w- c:\docume~1\comet\applic~1\FreeBurner

2010-12-15 11:40:42 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys

2010-12-15 11:37:51 45568 ------w- c:\windows\system32\dllcache\wab.exe

2010-12-08 04:12:38 251728 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-12-04 15:33:12 -------- d-----w- c:\program files\List Generator

2010-12-04 10:50:55 -------- d-----w- c:\docume~1\comet\applic~1\code128java

2010-12-04 10:28:11 -------- d-----w- c:\docume~1\comet\locals~1\applic~1\CSomar_Tech

2010-12-04 10:27:24 -------- d-----w- c:\program files\Barcode Maker 2.6

2010-12-04 10:14:10 -------- d-----w- c:\program files\Barcode Generator

2010-12-04 10:11:42 -------- d-----w- c:\program files\Setup

2010-12-04 00:01:37 -------- d-----w- c:\program files\IDAutomation.com Word and Excel Add-in

==================== Find3M ====================

2010-12-04 10:13:37 249856 ------w- c:\windows\Setup1.exe

2010-12-04 10:13:36 73216 ----a-w- c:\windows\ST6UNST.EXE

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec

2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

2010-01-30 11:07:04 29456637 ----a-w- c:\program files\SweetHome3D-2.2-windows.exe

2010-01-28 13:10:25 693800 ----a-w- c:\program files\WindowsXP-Windows2000-Script56-KB917344-x86-enu.exe

2010-01-21 10:46:38 27386256 ----a-w- c:\program files\AdbeRdr930_en_US.exe

2010-01-20 19:22:50 3546726 ----a-w- c:\program files\npp.5.6.4.Installer.exe

2007-07-07 15:07:05 265376 ----a-w- c:\program files\chaosshredder.exe

2007-07-05 21:28:59 21640064 ----a-w- c:\program files\Nokia_PC_Suite_6_84_10_3_eng_web.exe

============= FINISH: 1:28:50.07 ===============


  • Staff

Hi WarZone,

My apologies for the delay.

Next, please run a free online scan with the ESET Online Scanner.

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are both checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Hi & Many Thanks

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

esets_scanner_update returned -1 esets_gle=53251

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6419

# api_version=3.0.2

# EOSSerial=04a1e973a06ad34a890130796efec372

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2011-01-03 01:08:31

# local_time=2011-01-03 01:08:31 (+0000, GMT Standard Time)

# country="United Kingdom"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 60158513 60158513 0 0

# compatibility_mode=1032 16777173 100 95 53602 37299671 0 0

# compatibility_mode=4352 16777215 100 0 0 0 0 0

# compatibility_mode=6143 16777215 0 0 0 0 0 0

# compatibility_mode=6401 16777213 66 100 12475 5886533 0 0

# compatibility_mode=8192 67108863 100 0 10308 10308 0 0

# scanned=127964

# found=3

# cleaned=3

# scan_time=7636

C:\Program Files\TestDirector\bin\VCSBin\Utils\ExamDiff\ExamDiff.exe a variant of Win32/Packed.PECrypt32.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\Comet\Local Settings\Application Data\{3E1E4A70-E00D-45D5-A3EE-9F67764F6FF1}\chrome\content\overlay.xul.vir probably a variant of Win32/Agent.NVQFFQI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP298\A0123280.exe a variant of Win32/Packed.PECrypt32.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

-----------------------------------------------------

Results of screen317's Security Check version 0.99.8

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

AVG 2011

ESET Online Scanner v3

Online Armor 4.5

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

HijackThis 2.0.2

Java 6 Update 18

Out of date Java installed!

Adobe Flash Player 10.0.12.36

Adobe Reader 9.3.1

Out of date Adobe Reader installed!

````````````````````````````````

Process Check:

objlist.exe by Laurent

``````````End of Log````````````


  • Staff

Hi,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java


I have had very serious problems loading Windows XP, so I have not been able to get onto the Internet.

Just managed now.

Main Issues:

Machine freezes

Mouse and pointer not functioning properly

If I manage to load Windows, it could take 30 min

Typing is a horror - pointer is not stable


  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
