Jump to content

Trojan Problem - Please Help


Recommended Posts

Hi there I have followed your instructions and I now have the log files to show you. I have tried to clean my system as best I could, but I think there still may be some junk left over. Let me know if you need any other information than what I have provided in the log files. Thanks!

1. MBAM scan - it found nothing so I have no log files to show you for this.

2. Panda ActiveScan -

;*******************************************************************************

********************************************************************************

*

*******************

ANALYSIS: 2008-12-30 12:13:42

PROTECTIONS: 1

MALWARE: 21

SUSPECTS: 0

;*******************************************************************************

********************************************************************************

*

*******************

PROTECTIONS

Description Version Active Updated

;===============================================================================

================================================================================

=

===================

AVG Anti-Virus Free 8.0 Yes Yes

;===============================================================================

================================================================================

=

===================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

================================================================================

=

===================

00039204 adware/cws Adware No 0 Yes No c:\documents and settings\anne\favorites\health

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Anne\Cookies\anne@atdmt[1].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Anne\Cookies\anne@tribalfusion[1].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Anne\Cookies\anne@com[1].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No G:\FRomC\Anne Stanton\Application Data\Mozilla\Firefox\Profiles\gvjy2xf9.default\cookies.txt[.com.com/]

00167749 Cookie/Toplist TrackingCookie No 0 Yes No G:\FRomC\Anne Stanton\Application Data\Mozilla\Firefox\Profiles\gvjy2xf9.default\cookies.txt[.toplist.cz/]

00168061 Cookie/Apmebf TrackingCookie No 0 Yes No G:\FRomC\Anne Stanton\Application Data\Mozilla\Firefox\Profiles\gvjy2xf9.default\cookies.txt[.apmebf.com/]

00168061 Cookie/Apmebf TrackingCookie No 0 Yes No G:\FRomC\Anne Stanton\Application Data\Mozilla\Firefox\Profiles\gvjy2xf9.default\cookies.txt[.apmebf.com/]

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Anne\Cookies\anne@serving-sys[2].txt

00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Anne\Cookies\anne@bs.serving-sys[1].txt

00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No G:\FRomC\Anne Stanton\Application Data\Mozilla\Firefox\Profiles\gvjy2xf9.default\cookies.txt[www.burstbeacon.com/]

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Anne\Cookies\anne@advertising[2].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No G:\FRomC\Anne Stanton\Application Data\Mozilla\Firefox\Profiles\gvjy2xf9.default\cookies.txt[.ads.pointroll.com/]

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No G:\FRomC\Anne Stanton\Application Data\Mozilla\Firefox\Profiles\gvjy2xf9.default\cookies.txt[.ads.pointroll.com/]

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No G:\FRomC\Anne Stanton\Application Data\Mozilla\Firefox\Profiles\gvjy2xf9.default\cookies.txt[.ads.pointroll.com/]

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No G:\FRomC\Anne Stanton\Application Data\Mozilla\Firefox\Profiles\gvjy2xf9.default\cookies.txt[.ads.pointroll.com/]

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No G:\FRomC\Anne Stanton\Application Data\Mozilla\Firefox\Profiles\gvjy2xf9.default\cookies.txt[.ads.pointroll.com/]

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No G:\FRomC\Anne Stanton\Application Data\Mozilla\Firefox\Profiles\gvjy2xf9.default\cookies.txt[.ads.pointroll.com/]

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No G:\FRomC\Anne Stanton\Application Data\Mozilla\Firefox\Profiles\gvjy2xf9.default\cookies.txt[.ads.pointroll.com/]

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Anne\Cookies\anne@questionmarket[1].txt

00172447 Cookie/Inet-Traffic TrackingCookie No 0 Yes No G:\FRomC\Anne Stanton\Application Data\Mozilla\Firefox\Profiles\gvjy2xf9.default\cookies.txt[.inet-traffic.com/]

00172447 Cookie/Inet-Traffic TrackingCookie No 0 Yes No G:\FRomC\Anne Stanton\Application Data\Mozilla\Firefox\Profiles\gvjy2xf9.default\cookies.txt[.inet-traffic.com/]

00187950 Cookie/bravenetA TrackingCookie No 0 Yes No G:\FRomC\Anne Stanton\Application Data\Mozilla\Firefox\Profiles\gvjy2xf9.default\cookies.txt[.bravenet.com/]

00199981 Cookie/Seeq TrackingCookie No 0 Yes No G:\FRomC\Anne Stanton\Application Data\Mozilla\Firefox\Profiles\gvjy2xf9.default\cookies.txt[.www48.seeq.com/]

00207712 Cookie/360i TrackingCookie No 0 Yes No G:\FRomC\Anne Stanton\Application Data\Mozilla\Firefox\Profiles\gvjy2xf9.default\cookies.txt[.ct.360i.com/]

00207712 Cookie/360i TrackingCookie No 0 Yes No G:\FRomC\Anne Stanton\Application Data\Mozilla\Firefox\Profiles\gvjy2xf9.default\cookies.txt[.ct.360i.com/]

00207712 Cookie/360i TrackingCookie No 0 Yes No G:\FRomC\Anne Stanton\Application Data\Mozilla\Firefox\Profiles\gvjy2xf9.default\cookies.txt[.ct.360i.com/]

00262020 Cookie/Atwola TrackingCookie No 0 Yes No G:\FRomC\Anne Stanton\Application Data\Mozilla\Firefox\Profiles\gvjy2xf9.default\cookies.txt[.atwola.com/]

00497423 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{6B035AB3-7E57-4502-A6AA-ECA1CB426DAE}\RP171\A0037964.dll

00497423 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{6B035AB3-7E57-4502-A6AA-ECA1CB426DAE}\RP171\A0037961.dll

00497533 W32/Lineage.KIZ.worm Virus/Worm No 1 Yes No C:\System Volume Information\_restore{6B035AB3-7E57-4502-A6AA-ECA1CB426DAE}\RP171\A0037965.dll

00497533 W32/Lineage.KIZ.worm Virus/Worm No 1 Yes No C:\System Volume Information\_restore{6B035AB3-7E57-4502-A6AA-ECA1CB426DAE}\RP171\A0037966.dll

01010780 Generic Malware Virus/Trojan No 0 Yes No C:\My Download Files\kmd.exe

04466764 Generic Trojan Virus/Trojan No 0 Yes No C:\WINDOWS\system32\vjbjvaca.dll

04466764 Generic Trojan Virus/Trojan No 0 Yes No C:\WINDOWS\system32\lbxdun.dll

;===============================================================================

================================================================================

=

===================

SUSPECTS

Sent Location Q

;===============================================================================

================================================================================

=

===================

;===============================================================================

================================================================================

=

===================

VULNERABILITIES

Id Severity Description Q

;===============================================================================

================================================================================

=

===================

182048 HIGH MS07-069 Q

182043 HIGH MS07-064 Q

176382 HIGH MS07-057 Q

170907 HIGH MS07-046 Q

170906 HIGH MS07-045 Q

170904 HIGH MS07-043 Q

164913 HIGH MS07-033 Q

160623 HIGH MS07-027 Q

150253 HIGH MS07-016 Q

129976 MEDIUM MS06-052 Q

93394 HIGH MS05-050 Q

;===============================================================================

================================================================================

=

===================

3. HijackThis log -

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:15:50 PM, on 12/30/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICKA.EXE

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICKA.EXE

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/weather/local/29501...;from=searchbox

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: (no name) - {07661B5D-76AC-424C-ACEF-7F9B8226D1B6} - C:\WINDOWS\system32\pmnkJBtU.dll (file missing)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P26 "EPSON Stylus CX7800 Series" /O6 "USB001" /M "Stylus CX7800"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [Auto EPSON Stylus CX7800 Series on YOUR-6BVPXYZTOQ] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P50 "Auto EPSON Stylus CX7800 Series on YOUR-6BVPXYZTOQ" /O26 "\\YOUR-6BVPXYZTOQ\Printer5" /M "Stylus CX7800"

O4 - HKLM\..\Run: [Auto EPSON Stylus CX7800 Series on LAPTOP] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P41 "Auto EPSON Stylus CX7800 Series on LAPTOP" /O17 "\\LAPTOP\Printer5" /M "Stylus CX7800"

O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

O4 - HKLM\..\RunOnce: [spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [EPSON Stylus Photo R280 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICKA.EXE /FU "C:\WINDOWS\TEMP\E_S1D9.tmp" /EF "HKCU"

O4 - HKCU\..\Run: [Auto EPSON Stylus Photo R280 Series on LAPTOP] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICKA.EXE /FU "C:\WINDOWS\TEMP\E_S2A6.tmp" /EF "HKCU"

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: c:\windows\system32\wotupogo.dll

O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--

End of file - 8545 bytes

Thanks again.

Link to post
Share on other sites

Hi there aws

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

===============================

Go to Start > Run and copy/paste the following into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply along with the combofix log.

Link to post
Share on other sites
Hi there aws

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

===============================

Go to Start > Run and copy/paste the following into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply along with the combofix log.

Ok. Here they are:

Combofix log -

ComboFix 09-01-01.02 - Anne 2009-01-03 10:16:40.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1983.1511 [GMT -5:00]

Running from: c:\documents and settings\Anne\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Anne\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\Anne\LOCALS~1\Temp\tmp1.tmp

c:\docume~1\Anne\LOCALS~1\Temp\tmp2.tmp

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\windows\system32\ewukefig.ini

c:\windows\system32\lbxdun.dll

c:\windows\system32\vjbjvaca.dll

----- BITS: Possible infected sites -----

hxxp://childhe.com

.

((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))

.

2008-12-29 20:31 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys

2008-12-29 20:30 . 2008-12-29 20:30 <DIR> d-------- c:\program files\Panda Security

2008-12-29 15:31 . 2008-12-29 15:31 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-12-29 15:31 . 2008-12-29 15:31 <DIR> d-------- c:\documents and settings\Anne\Application Data\Malwarebytes

2008-12-29 15:31 . 2008-12-29 15:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-12-29 15:31 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-29 15:31 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-29 14:49 . 2008-12-29 14:49 95 --a------ c:\windows\wininit.ini

2008-12-29 12:37 . 2008-12-31 12:47 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2008-12-29 12:37 . 2008-12-29 12:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-12-28 17:12 . 2008-12-28 17:14 <DIR> d-------- c:\documents and settings\Administrator

2008-12-28 16:03 . 2008-12-28 16:03 <DIR> d-------- c:\program files\CCleaner

2008-12-28 15:50 . 2008-12-28 15:50 <DIR> d-------- c:\program files\Trend Micro

2008-12-25 13:00 . 2008-12-25 13:00 <DIR> d-------- c:\documents and settings\Anne\Application Data\CyberLink

2008-12-20 15:09 . 2008-12-20 15:09 <DIR> d-------- c:\windows\Sun

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-24 23:57 --------- d--h--w c:\program files\InstallShield Installation Information

2008-11-06 23:26 --------- d-----w c:\documents and settings\Anne\Application Data\ArcSoft

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"EPSON Stylus Photo R280 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICKA.EXE" [2007-04-13 182272]

"Auto EPSON Stylus Photo R280 Series on LAPTOP"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICKA.EXE" [2007-04-13 182272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-31 86016]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]

"EPSON Stylus CX7800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE" [2005-04-06 98304]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]

"Auto EPSON Stylus CX7800 Series on YOUR-6BVPXYZTOQ"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE" [2005-04-06 98304]

"Auto EPSON Stylus CX7800 Series on LAPTOP"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE" [2005-04-06 98304]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-11-20 178688]

"nwiz"="nwiz.exe" [2006-10-31 c:\windows\system32\nwiz.exe]

"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 c:\windows\RTHDCPL.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"= c:\windows\system32\wotupogo.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk

backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk

backup=c:\windows\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk

backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Anne^Start Menu^Programs^Startup^Product Registration.lnk]

path=c:\documents and settings\Anne\Start Menu\Programs\Startup\Product Registration.lnk

backup=c:\windows\pss\Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]

--a------ 2006-10-22 22:24 620152 c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]

--a------ 2007-03-20 15:40 1884160 c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]

--a------ 2006-12-05 21:55 54832 c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

--------- 2006-11-23 14:10 56928 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2007-09-25 00:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]

--a------ 2007-04-11 14:32 56080 c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgscanx.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgwdsvc.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\EPSON\\EPW!3 SSRP\\E_S40RP7.EXE"=

"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server

"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server

"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server

"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-29 28544]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-06-24 97928]

R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-31 875288]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-31 231704]

R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-06-24 76040]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4d69af9-5fe2-11dd-9908-001d7d297731}]

\Shell\AutoRun\command - I:\setupSNK.exe

.

Contents of the 'Scheduled Tasks' folder

2009-01-03 c:\windows\Tasks\trglgmiq.job

- c:\windows\system32\rundll32.exe [2004-08-04 07:00]

.

- - - - ORPHANS REMOVED - - - -

BHO-{07661B5D-76AC-424C-ACEF-7F9B8226D1B6} - c:\windows\system32\pmnkJBtU.dll

MSConfigStartUp-LELA - c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.weather.com/weather/local/29501?lswe=29501&lwsa=WeatherLocalUndeclared&from=searchbox

uInternet Settings,ProxyOverride = *.local

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Anne\Application Data\Mozilla\Firefox\Profiles\vawte78a.default\

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-03 10:19:24

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(840)

c:\windows\System32\BCMLogon.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\nvsvc32.exe

c:\program files\CyberLink\Shared Files\RichVideo.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\windows\system32\wscntfy.exe

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

.

**************************************************************************

.

Completion time: 2009-01-03 10:22:56 - machine was rebooted [Anne]

ComboFix-quarantined-files.txt 2009-01-03 15:22:53

Pre-Run: 257,120,755,712 bytes free

Post-Run: 256,923,344,896 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

188 --- E O F --- 2008-08-16 14:22:46

Add-Remove Programs -

Add or Remove Adobe Creative Suite 3 Design Standard

Add or Remove Adobe Creative Suite 3 Web Standard

Adobe Acrobat 8 Professional

Adobe Anchor Service CS3

Adobe Asset Services CS3

Adobe Bridge CS3

Adobe Bridge Start Meeting

Adobe BridgeTalk Plugin CS3

Adobe Camera Raw 4.0

Adobe CMaps

Adobe Color - Photoshop Specific

Adobe Color Common Settings

Adobe Color EU Extra Settings

Adobe Color JA Extra Settings

Adobe Color NA Recommended Settings

Adobe Contribute CS3

Adobe Creative Suite 3 Design Standard

Adobe Creative Suite 3 Web Standard

Adobe Default Language CS3

Adobe Device Central CS3

Adobe Dreamweaver CS3

Adobe ExtendScript Toolkit 2

Adobe Extension Manager CS3

Adobe Fireworks CS3

Adobe Flash CS3

Adobe Flash Player 9 ActiveX

Adobe Flash Player 9 Plugin

Adobe Flash Video Encoder

Adobe Fonts All

Adobe Help Viewer CS3

Adobe Illustrator CS3

Adobe InDesign CS3

Adobe InDesign CS3 Icon Handler

Adobe Linguistics CS3

Adobe MotionPicture Color Files

Adobe PDF Library Files

Adobe Photoshop CS3

Adobe Setup

Adobe SING CS3

Adobe Stock Photos CS3

Adobe Type Support

Adobe Update Manager CS3

Adobe Version Cue CS3 Client

Adobe Version Cue CS3 Server

Adobe WAS CS3

Adobe WinSoft Linguistics Plugin

Adobe XMP Panels CS3

AHV content for Acrobat and Flash

ArcSoft PhotoImpression 5

ArcSoft PhotoImpression 6

ArcSoft Print Creations

ArcSoft Print Creations - Photo Calendar

AVG Free 8.0

CCleaner (remove only)

CDDRV_Installer

EPSON Print CD

EPSON Printer Software

EPSON R280 User's Guide

EPSON Scan

High Definition Audio Driver Package - KB888111

HijackThis 2.0.2

Hotfix for Windows XP (KB914440)

Hotfix for Windows XP (KB915865)

Hotfix for Windows XP (KB935448)

Hotfix for Windows XP (KB952287)

Java 6 Update 3

KhalInstallWrapper

Logitech Registration

Logitech SetPoint

Macromedia FreeHand 10

Malwarebytes' Anti-Malware

Microsoft .NET Framework 2.0

Microsoft .NET Framework 3.0

Microsoft IntelliPoint 5.0

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Kernel-Mode Driver Framework Feature Pack 1.5

Microsoft National Language Support Downlevel APIs

Microsoft Office Professional Edition 2003

Microsoft Visual C++ 2005 Redistributable

Mozilla Firefox (3.0.5)

MSXML 6.0 Parser (KB933579)

NVIDIA Drivers

Panda ActiveScan 2.0

Pattern Maker for cross stitch - v4 (Pro+ME)

PCI SoftV92 Modem

PDF Settings

PowerDVD

QuarkXPress 5.01

QuarkXPress 6.5

Realtek High Definition Audio Driver

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows Media Player 9 (KB936782)

Security Update for Windows XP (KB890046)

Security Update for Windows XP (KB893756)

Security Update for Windows XP (KB896358)

Security Update for Windows XP (KB896423)

Security Update for Windows XP (KB896428)

Security Update for Windows XP (KB899587)

Security Update for Windows XP (KB899591)

Security Update for Windows XP (KB900725)

Security Update for Windows XP (KB901017)

Security Update for Windows XP (KB901214)

Security Update for Windows XP (KB902400)

Security Update for Windows XP (KB905414)

Security Update for Windows XP (KB905749)

Security Update for Windows XP (KB908519)

Security Update for Windows XP (KB911562)

Security Update for Windows XP (KB911927)

Security Update for Windows XP (KB913580)

Security Update for Windows XP (KB914388)

Security Update for Windows XP (KB914389)

Security Update for Windows XP (KB918118)

Security Update for Windows XP (KB918439)

Security Update for Windows XP (KB920213)

Security Update for Windows XP (KB920670)

Security Update for Windows XP (KB920683)

Security Update for Windows XP (KB920685)

Security Update for Windows XP (KB922819)

Security Update for Windows XP (KB923191)

Security Update for Windows XP (KB923414)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB923980)

Security Update for Windows XP (KB924270)

Security Update for Windows XP (KB924496)

Security Update for Windows XP (KB924667)

Security Update for Windows XP (KB925902)

Security Update for Windows XP (KB926255)

Security Update for Windows XP (KB926436)

Security Update for Windows XP (KB927779)

Security Update for Windows XP (KB927802)

Security Update for Windows XP (KB928255)

Security Update for Windows XP (KB928843)

Security Update for Windows XP (KB929123)

Security Update for Windows XP (KB930178)

Security Update for Windows XP (KB931261)

Security Update for Windows XP (KB931784)

Security Update for Windows XP (KB932168)

Security Update for Windows XP (KB933729)

Security Update for Windows XP (KB935839)

Security Update for Windows XP (KB935840)

Security Update for Windows XP (KB936021)

Security Update for Windows XP (KB938127)

Security Update for Windows XP (KB941202)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB941644)

Security Update for Windows XP (KB941693)

Security Update for Windows XP (KB943055)

Security Update for Windows XP (KB943460)

Security Update for Windows XP (KB943485)

Security Update for Windows XP (KB944338)

Security Update for Windows XP (KB944653)

Security Update for Windows XP (KB945553)

Security Update for Windows XP (KB946026)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB948590)

Security Update for Windows XP (KB950749)

Security Update for Windows XP (KB950759)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Spybot - Search & Destroy

Update for Windows XP (KB894391)

Update for Windows XP (KB898461)

Update for Windows XP (KB900485)

Update for Windows XP (KB904942)

Update for Windows XP (KB908531)

Update for Windows XP (KB910437)

Update for Windows XP (KB911280)

Update for Windows XP (KB916595)

Update for Windows XP (KB920872)

Update for Windows XP (KB922582)

Update for Windows XP (KB925720)

Update for Windows XP (KB927891)

Update for Windows XP (KB930916)

Update for Windows XP (KB932823-v3)

Update for Windows XP (KB938828)

Update for Windows XP (KB942763)

Update for Windows XP (KB951072-v2)

WebEx Support Manager for Internet Explorer

WebFldrs XP

Windows Communication Foundation

Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Imaging Component

Windows Installer 3.1 (KB893803)

Windows Internet Explorer 7

Windows Presentation Foundation

Windows Workflow Foundation

Windows XP Hotfix - KB873339

Windows XP Hotfix - KB885835

Windows XP Hotfix - KB885836

Windows XP Hotfix - KB886185

Windows XP Hotfix - KB887472

Windows XP Hotfix - KB888302

Windows XP Hotfix - KB890859

Windows XP Hotfix - KB891781

XML Paper Specification Shared Components Pack 1.0

Link to post
Share on other sites

Hi there

Just a couple of items that still need attention...

Go to start menu - Select Run and in the command box type in notepad

Next - copy/paste the text in the code box below into it:

File::

c:\windows\Tasks\trglgmiq.job

c:\windows\system32\wotupogo.dll

C:\My Download Files\kmd.exe

Registry::

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=""

- Save this to your desktop as CFScript.txt

- Drag the CFScript.txt over onto Combofix.exe and release.

CFScript.gif

Combofix will then execute the script and produce a fresh log. Post this back in your next reply....

You have some old versions of java running. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.

Then download and install Java Runtime Environment (JRE) 6 Update 11.

You can delete JavaRa.Zip, and the unzipped JavaRa.exe. It's job is finished.

Please update and generate a fresh MBAM log for me

  • Start MalwareBytes AntiMalware
  • Update Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Post back with the new combofix log and the results from the MBAM scan. Also update me on how things are running now

Link to post
Share on other sites

ComboFix:

ComboFix 09-01-01.02 - Anne 2009-01-06 17:30:50.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1983.1292 [GMT -5:00]

Running from: c:\documents and settings\Anne\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Anne\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

* Created a new restore point

FILE ::

c:\my download files\kmd.exe

c:\windows\system32\wotupogo.dll

c:\windows\Tasks\trglgmiq.job

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\my download files\kmd.exe

c:\windows\Tasks\trglgmiq.job

.

((((((((((((((((((((((((( Files Created from 2008-12-06 to 2009-01-06 )))))))))))))))))))))))))))))))

.

2008-12-29 20:31 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys

2008-12-29 20:30 . 2008-12-29 20:30 <DIR> d-------- c:\program files\Panda Security

2008-12-29 15:31 . 2008-12-29 15:31 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-12-29 15:31 . 2008-12-29 15:31 <DIR> d-------- c:\documents and settings\Anne\Application Data\Malwarebytes

2008-12-29 15:31 . 2008-12-29 15:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-12-29 15:31 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-29 15:31 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-29 14:49 . 2008-12-29 14:49 95 --a------ c:\windows\wininit.ini

2008-12-29 12:37 . 2008-12-31 12:47 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2008-12-29 12:37 . 2008-12-29 12:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-12-28 17:12 . 2008-12-28 17:14 <DIR> d-------- c:\documents and settings\Administrator

2008-12-28 16:03 . 2008-12-28 16:03 <DIR> d-------- c:\program files\CCleaner

2008-12-28 15:50 . 2008-12-28 15:50 <DIR> d-------- c:\program files\Trend Micro

2008-12-25 13:00 . 2008-12-25 13:00 <DIR> d-------- c:\documents and settings\Anne\Application Data\CyberLink

2008-12-20 15:09 . 2008-12-20 15:09 <DIR> d-------- c:\windows\Sun

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-24 23:57 --------- d--h--w c:\program files\InstallShield Installation Information

2008-11-06 23:26 --------- d-----w c:\documents and settings\Anne\Application Data\ArcSoft

2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll

2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll

2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll

2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll

2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll

2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe

2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll

2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll

.

((((((((((((((((((((((((((((( snapshot@2009-01-03_10.22.09.32 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-01-03 14:25:15 67,424 ----a-w c:\windows\system32\perfc009.dat

+ 2009-01-06 14:14:51 67,424 ----a-w c:\windows\system32\perfc009.dat

- 2009-01-03 14:25:15 430,826 ----a-w c:\windows\system32\perfh009.dat

+ 2009-01-06 14:14:51 430,826 ----a-w c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"EPSON Stylus Photo R280 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICKA.EXE" [2007-04-13 182272]

"Auto EPSON Stylus Photo R280 Series on LAPTOP"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICKA.EXE" [2007-04-13 182272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-31 86016]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]

"EPSON Stylus CX7800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE" [2005-04-06 98304]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]

"Auto EPSON Stylus CX7800 Series on YOUR-6BVPXYZTOQ"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE" [2005-04-06 98304]

"Auto EPSON Stylus CX7800 Series on LAPTOP"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE" [2005-04-06 98304]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-11-20 178688]

"nwiz"="nwiz.exe" [2006-10-31 c:\windows\system32\nwiz.exe]

"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 c:\windows\RTHDCPL.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk

backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk

backup=c:\windows\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk

backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Anne^Start Menu^Programs^Startup^Product Registration.lnk]

path=c:\documents and settings\Anne\Start Menu\Programs\Startup\Product Registration.lnk

backup=c:\windows\pss\Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]

--a------ 2006-10-22 22:24 620152 c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]

--a------ 2007-03-20 15:40 1884160 c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]

--a------ 2006-12-05 21:55 54832 c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

--------- 2006-11-23 14:10 56928 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2007-09-25 00:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]

--a------ 2007-04-11 14:32 56080 c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgscanx.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgwdsvc.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\EPSON\\EPW!3 SSRP\\E_S40RP7.EXE"=

"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server

"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server

"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server

"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-29 28544]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-06-24 97928]

R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-31 875288]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-31 231704]

R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-06-24 76040]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4d69af9-5fe2-11dd-9908-001d7d297731}]

\Shell\AutoRun\command - I:\setupSNK.exe

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.weather.com/weather/local/29501?lswe=29501&lwsa=WeatherLocalUndeclared&from=searchbox

uInternet Settings,ProxyOverride = *.local

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Anne\Application Data\Mozilla\Firefox\Profiles\vawte78a.default\

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-06 17:33:20

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)

c:\windows\System32\BCMLogon.dll

.

Completion time: 2009-01-06 17:34:32

ComboFix-quarantined-files.txt 2009-01-06 22:34:30

ComboFix2.txt 2009-01-03 15:22:56

Pre-Run: 256,357,109,760 bytes free

Post-Run: 256,351,227,904 bytes free

169 --- E O F --- 2008-08-16 14:22:46

Malwarebytes:

Malwarebytes' Anti-Malware 1.32

Database version: 1625

Windows 5.1.2600 Service Pack 2

1/6/2009 5:48:03 PM

mbam-log-2009-01-06 (17-48-03).txt

Scan type: Quick Scan

Objects scanned: 52541

Time elapsed: 2 minute(s), 59 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Overall, my computer seems to be working normally now. AVG caught and stopped a Trojan a couple of days ago, other than that it seems good.

Link to post
Share on other sites

Hi there

From your last log all is looking good.

You have some old versions of java running. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.

Then download and install Java Runtime Environment (JRE) 6 Update 11.

You can delete JavaRa.Zip, and the unzipped JavaRa.exe. It's job is finished.

Lets tidy up after ourselves

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

Now that you appear to be free from malware lets help you stay that way!

Update windows on a regular basis - If you do not have automatic updates enabled then

Visit Microsoft's Update Page and update your computer from there

Update your virus checker on a regular basis - It is no use having a virus checker with out of date definitions.

Keep an eye on your firewall. check what it wants to allow, do not simply allow everything, If there is any processes that you are unsure of then dont be afraid to ask for advice. For more information on firewalls read this article here

Make your Internet Explorer more secure - This can be done by following these simple instructions:

Open Internet Explorer, click on the Tools menu and then click on Options.

Click once on the Security tab

Click once on the Internet icon so it becomes highlighted.

Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialise and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Safer Browsing

Use software such as Trendprotect or Sitehound to help you stay away from unsuspecting sites that have malicious purposes.

Use Spywareblaster to help prevent the installation of unwanted BHO's (Browser Helper Objects)

Use an alternative browser

Other browsers tend to be more secure than IE as they do not make use of active x objects, active x objects can be used by spyware as an infection point on your computer. Safer non active x browsers include Opera browser and, more recently, Firefox browser.

Computer Maintenance

Malware can breed in temporary locations. Use a program such as ccleaner slim to clear out temporary files your computer on a regular basis.

Scan your computer regularly for malware

Scan on a regular basis to keep your computer clean, free software such as Spybot's Search & Destroy and Adaware 2007 Free by Lavasoft can help you keep clear. These products are scan on demand and do not have active back ground scanning. These two products can be installed together without any complications.

Other alternative software that runs under licience and monitors your computer continuously in the background for malware is Malwarebytes Anti-Malware (MBAM) - Please note that this product can also be run as free without a licience but the background protection will not be active.

I have included some security related articles that I advise you read through in your own time. These articles will give you tips and advice on preveting malware, and how to stay safe whilst browsing the internet.

-> So How Did I Get Infected In First Place - By TonyKlein

-> How to prevent Malware - By miekiemoes

-> I'm not pulling your leg, honest - By Sandi Hardmeie

**Kindly respond one more time and let me know if we may consider this thread resolved.

Link to post
Share on other sites

Hello. Yes I think we can consider this thread resolved. Thank you very much for your help. It is nice to know there are people out there who will take the trouble to help someone as opposed to the malicious people out there who put viruses on people's computers in the first place. Thanks again!

Link to post
Share on other sites

Not a problem, only too glad to lend a hand.

I will now discontinue monitoring this thread for replies. Should you require any further assistance please start a new topic in the relevant section of the forums

Good luck and happy safe surfing!

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.