
Virus Alert in tool bar [CLOSED]


This topic is locked

#1 Luxdragon (New Member, 4 posts)

Hi, I'm new to this forum and am glad there are people out there to help.

I have encountered a strange virus or malware problem that seems to be common right now. I am running Windows XP SP2. I have VIRUS ALERT in my toolbar next to the time. My internet settings have been changed (i.e. I can't go to certain sites, can't do updates, search engines don't work). The All Programs option in the start menu is missing and my C drive can't be accessed from My Computer. My comp is running really slow as well, and I get access violations, such as not being able to run regedit. I also use Firefox instead of Internet Explorer, if it makes a difference.

I have read the stickies about this, but I can't get anything to work.

Here is a HijackThis log that I got. It is from a selective start-up; normal startup won't work.
Some feedback and help will be greatly appreciated. Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:48: VIRUS ALERT!, on 8/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\wltrysvc.exe
c:\windows\system32\bcmwltry.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\SxgTkBar.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Windows\stsystra.exe
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Windows\system32\lphcjuoj0ep6t.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Windows\system32\tcpsvcs.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\Rundll32.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Windows\system32\svchost.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Windows\system32\wscntfy.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Windows\System32\alg.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\DOCUME~1\David\LOCALS~1\Temp\rsyncini.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\Windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [lphcjuoj0ep6t] C:\Windows\system32\lphcjuoj0ep6t.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 3400 Series\ezprint.exe"
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [385cef77] rundll32.exe "C:\Windows\system32\vayvhtlj.dll",b
O4 - HKLM\..\Run: [BM3b6fdceb] Rundll32.exe "C:\Windows\system32\hmiutufk.dll",s
O4 - HKLM\..\RunOnce: [tmp266765] cmd /Q /C "C:\Windows\tmp266750.bat"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebse...arch.jhtml?p=ZU
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: wvUonMDU - wvUonMDU.dll (file missing)
O21 - SSODL: xokvrpwg - {CF55BF3E-25F5-4B06-8A8C-EAFA6EE59A3A} - (no file)
O21 - SSODL: tfnslopk - {46CDCDBE-7ACA-4070-9A90-B607DE1D7E6E} - (no file)
O21 - SSODL: QUgWtXhphoOc - {385CEFD9-92F6-4573-6042-720265C47ABE} - C:\Windows\system32\gdi.dll
O22 - SharedTaskScheduler: {874443fe-aa33-4ebf-a6ac-73208787e62d} - bestreak - (no file)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\wltrysvc.exe
O24 - Desktop Component 0: Privacy Protection - (no file)
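An added example, not part of this thread and not code from Trend Micro or the HijackThis project: a small Python triage script that applies a few helper-style rules of thumb to entries in the log format posted above and shortlists the ones worth a second look. The sample lines embedded in it are constructed in the same format as the log above, and the heuristics (autostart entries whose file is already missing, a RunOnce entry running a batch file, rundll32 stubs that call a DLL through a one-character entry point, and names that look machine-generated) are the editor's own, not anything HijackThis itself implements.

```python
import re

# Constructed sample in the HijackThis format used in the log above: two
# known-good vendor entries mixed with the kinds of entries that stand out in
# the posted log (random names, rundll32 stubs, a RunOnce batch file, and
# autostart entries whose file is already gone).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [lphcjuoj0ep6t] C:\Windows\system32\lphcjuoj0ep6t.exe
O4 - HKLM\..\Run: [385cef77] rundll32.exe "C:\Windows\system32\vayvhtlj.dll",b
O4 - HKLM\..\Run: [BM3b6fdceb] Rundll32.exe "C:\Windows\system32\hmiutufk.dll",s
O4 - HKLM\..\RunOnce: [tmp266765] cmd /Q /C "C:\Windows\tmp266750.bat"
O20 - Winlogon Notify: wvUonMDU - wvUonMDU.dll (file missing)
O21 - SSODL: xokvrpwg - {CF55BF3E-25F5-4B06-8A8C-EAFA6EE59A3A} - (no file)
O22 - SharedTaskScheduler: {874443fe-aa33-4ebf-a6ac-73208787e62d} - bestreak - (no file)
"""

# "O4 - HKLM\..\Run: [Name] command line"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# "O20 - Winlogon Notify: name - ...", "O21 - SSODL: name - ...", "O22 - ...: {guid} - name - ..."
OTHER_RE = re.compile(r"^(?P<section>O\d+) - [^:]+: (?:\{[^}]+\} - )?(?P<name>\S+)")
DIGIT_MIX = re.compile(r"[a-z]\d+[a-z]|\d[a-z]+\d", re.I)   # letters and digits interleaved
# rundll32 loading a DLL and calling an export named with a single character
RUNDLL_STUB = re.compile(r'rundll32(?:\.exe)?\s+"?[^",]+\.dll"?\s*,\s*\w$', re.I)
DLL_NAME = re.compile(r"\\([A-Za-z]+)\.dll\b")               # basename of any DLL path on the line


def max_consonant_run(name):
    """Length of the longest run of non-vowel characters in name."""
    run = best = 0
    for ch in name:
        run = 0 if ch in "aeiou" else run + 1
        best = max(best, run)
    return best


def looks_random(name):
    """Crude check for generated names: long, all lowercase letters, with a long consonant run."""
    return name.isalpha() and name.islower() and len(name) >= 7 and max_consonant_run(name) >= 5


def reasons_for(line):
    """Return the list of heuristic hits for one log line (empty means nothing stood out)."""
    reasons = []
    m = O4_RE.match(line)
    if m:
        name, key, cmd = m.group("name"), m.group("key"), m.group("cmd")
        if key.lower() == "runonce" and re.search(r"\.bat\b", cmd, re.I):
            reasons.append("RunOnce entry executes a batch file")
        if RUNDLL_STUB.search(cmd):
            reasons.append("rundll32 loads a DLL through a one-character entry point")
    else:
        m = OTHER_RE.match(line)
        if not m:
            return reasons  # not an entry line (header, blank, running-process list)
        name = m.group("name")
    if "(file missing)" in line or "(no file)" in line:
        reasons.append("autostart entry points at a file that no longer exists")
    # Check the entry name and any DLL basename on the line for generated-looking names.
    candidates = [name] + DLL_NAME.findall(line)
    if any(DIGIT_MIX.search(c) for c in candidates):
        reasons.append("name interleaves letters and digits")
    if any(looks_random(c) for c in candidates):
        reasons.append("name looks machine-generated")
    return reasons


def triage(log_text):
    """Shortlist flagged entries from a HijackThis log, preserving log order."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons = reasons_for(line)
        if reasons:
            hits.append({"line": line, "reasons": reasons})
    return hits


def flagged_names(log_text):
    """Convenience view: just the names of the autostart entries that were flagged."""
    names = []
    for hit in triage(log_text):
        m = O4_RE.match(hit["line"]) or OTHER_RE.match(hit["line"])
        names.append(m.group("name"))
    return names


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["line"])
        for reason in hit["reasons"]:
            print("   ->", reason)
```

Run it as a script to print the shortlist with the reason for each hit, or pass a whole saved log to `triage()`. It is a reading aid only: a hit means a person should look at that file and entry, not that it should be deleted, and the name heuristics will occasionally catch a legitimate vendor name, which is why every hit carries its reasons rather than a verdict.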
#2 Mike (Malware Monger, Retired Staff, 2,745 posts)

Hi there,

Please go here to install the Recovery Console and for a guide on using ComboFix.
Please note: installing the Recovery Console plays a vital part in making this process of cleaning your computer safe; don't overlook this!

Now please download ComboFix from here or here. It is important that you save this file to your desktop.

Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

A quick heads-up: if you click on ComboFix's window while it's running, you may cause it to stall.

#3 Luxdragon (Topic Starter, New Member, 4 posts)

Hello.
Thank you for taking the time to help me. Here are the ComboFix log and the HijackThis log.

ComboFix 08-08-11.01 - David 2008-08-12 22:27:38.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.778 [GMT -5:00]
Running from: C:\Documents and Settings\David\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Documents and Settings\David\Application Data\Adobe\Manager.exe
C:\Documents and Settings\David\Application Data\macromedia\Flash Player\#SharedObjects\AL849KSK\interclick.com
C:\Documents and Settings\David\Application Data\macromedia\Flash Player\#SharedObjects\AL849KSK\interclick.com\ud.sol
C:\Documents and Settings\David\Application Data\macromedia\Flash Player\#SharedObjects\AL849KSK\www.broadcaster.com
C:\Documents and Settings\David\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\David\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\David\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\David\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\David\Application Data\rhcnuoj0ep6t
C:\Windows\BM3b6fdceb.txt
C:\Windows\BM3b6fdceb.xml
C:\Windows\pskt.ini
C:\Windows\system32\4.tmp
C:\Windows\system32\5.tmp
C:\Windows\system32\6.tmp
C:\Windows\system32\7.tmp
C:\Windows\system32\8.tmp
C:\Windows\system32\9.tmp
C:\Windows\system32\blphcjuoj0ep6t.scr
C:\Windows\system32\cmohjglu.dll
C:\Windows\system32\hmiutufk.dll
C:\WINDOWS\system32\IRsvFfhk.ini
C:\WINDOWS\system32\IRsvFfhk.ini2
C:\WINDOWS\system32\jlthvyav.ini
C:\Windows\system32\lphcjuoj0ep6t.exe
C:\Windows\system32\mcrh.tmp
C:\Windows\system32\mctijube.dll
C:\Windows\system32\mqhwvonp.ini
C:\Windows\system32\myokzk.dll
C:\Windows\system32\pbravlym.dll
C:\Windows\system32\phcjuoj0ep6t.bmp
C:\Windows\system32\poflgx.dll
C:\Windows\system32\pphcjuoj0ep6t.exe
C:\Windows\system32\rgblwpkq.dll
C:\Windows\system32\syisrlnu.dll
C:\Windows\system32\tdssadw.dll
C:\Windows\system32\tdssinit.dll
C:\Windows\system32\tdssl.dll
C:\Windows\system32\tdsslog.dll
C:\Windows\system32\tdssmain.dll
C:\Windows\system32\tdssservers.dat
C:\Windows\system32\unlrsiys.ini
C:\Windows\system32\uvyxerjl.dll
C:\Windows\system32\vayvhtlj.dll

----- BITS: Possible infected sites -----

http://hqvideoporn.com
.
((((((((((((((((((((((((( Files Created from 2008-07-13 to 2008-08-13 )))))))))))))))))))))))))))))))
.

2008-08-12 22:08 . 2008-08-12 22:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-08-12 22:08 . 2008-08-12 22:01 160,792 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-08-12 22:01 . 2008-08-12 22:08 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-08-11 01:41 . 2008-08-11 02:04 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-11 01:34 . 2008-08-12 21:28 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-11 01:34 . 2008-08-11 01:34 <DIR> d-------- C:\Program Files\AVG
2008-08-11 01:34 . 2008-08-11 01:34 <DIR> d-------- C:\Documents and Settings\David\Application Data\AVGTOOLBAR
2008-08-11 01:34 . 2008-08-11 01:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-11 01:34 . 2008-08-11 01:34 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-11 01:34 . 2008-08-11 01:34 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-08-10 23:11 . 2008-08-12 22:25 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-10 23:10 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-08-10 23:10 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-08-10 23:10 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-08-10 23:10 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-08-10 14:54 . 2008-08-10 14:54 2,048 --a------ C:\WINDOWS\system32\kyiqhjid.exe
2008-08-09 15:24 . 2008-08-11 07:24 <DIR> d-------- C:\Program Files\RegCure
2008-08-09 15:15 . 2006-01-30 22:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-08-09 15:15 . 2008-08-11 01:34 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-09 14:46 . 2008-08-09 14:46 2,048 --a------ C:\WINDOWS\system32\ihcaesxj.exe
2008-08-07 12:30 . 2008-08-09 10:48 <DIR> d-------- C:\Downloads
2008-08-07 12:27 . 2008-08-07 12:27 <DIR> d-------- C:\Program Files\Software Informer
2008-08-07 12:27 . 2008-08-07 12:27 <DIR> d-------- C:\Program Files\Free Download Manager
2008-08-07 12:27 . 2008-08-07 12:29 <DIR> d-------- C:\Documents and Settings\David\Application Data\Software Informer
2008-08-07 12:27 . 2008-08-11 20:13 <DIR> d-------- C:\Documents and Settings\David\Application Data\Free Download Manager
2008-08-07 12:27 . 2008-08-07 12:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FreeDownloadManager.ORG
2008-07-28 09:38 . 2008-07-28 09:38 <DIR> d-------- C:\Program Files\Atomic RAR Password Recovery
2008-07-23 10:38 . 2008-07-23 10:38 <DIR> d-------- C:\Program Files\DNA
2008-07-23 10:38 . 2008-08-11 20:13 <DIR> d-------- C:\Documents and Settings\David\Application Data\DNA
2008-07-21 16:54 . 2008-07-21 16:54 <DIR> d-------- C:\Program Files\Slot Machine 98
2008-07-21 16:54 . 2008-07-21 16:54 724,992 --a------ C:\WINDOWS\iun6002.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 03:25 --------- d-----w C:\Program Files\Spyware Doctor
2008-08-11 14:03 --------- d-----w C:\Program Files\Trend Micro
2008-08-11 07:38 --------- d-----w C:\Program Files\MP3 Player Utilities 3.5.02
2008-08-11 04:23 96,256 ----a-w C:\Windows\system32\drivers\sptd7725.sys
2008-08-10 21:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-10 21:29 --------- d-----w C:\Program Files\Norton AntiVirus
2008-08-10 21:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-10 21:00 --------- d-----w C:\Program Files\Symantec
2008-08-09 13:33 --------- d-----w C:\Documents and Settings\David\Application Data\BitTorrent
2008-07-31 02:20 0 ----a-w C:\$RJ$.DAT
2008-07-30 00:53 43,520 ----a-w C:\Windows\system32\CmdLineExt03.dll
2008-07-30 00:53 --------- d-----w C:\Program Files\Diablo II
2008-07-28 02:52 --------- d-----w C:\Program Files\Cisco CCNA Network Simulator
2008-07-23 15:38 --------- d-----w C:\Program Files\BitTorrent
2008-07-05 17:42 --------- d-----w C:\Program Files\Acon Digital Media
2008-07-05 17:00 --------- d-----w C:\Program Files\FlashGet
2008-06-25 18:36 --------- d-----w C:\Program Files\Winamp
2008-06-24 20:02 --------- d-----w C:\Program Files\Nstorm
2007-05-03 06:28 92,064 ----a-w C:\Documents and Settings\David\mqdmmdm.sys
2007-05-03 06:28 9,232 ----a-w C:\Documents and Settings\David\mqdmmdfl.sys
2007-05-03 06:28 79,328 ----a-w C:\Documents and Settings\David\mqdmserd.sys
2007-05-03 06:28 66,656 ----a-w C:\Documents and Settings\David\mqdmbus.sys
2007-05-03 06:28 6,208 ----a-w C:\Documents and Settings\David\mqdmcmnt.sys
2007-05-03 06:28 5,936 ----a-w C:\Documents and Settings\David\mqdmwhnt.sys
2007-05-03 06:28 4,048 ----a-w C:\Documents and Settings\David\mqdmcr.sys
2007-05-03 06:28 25,600 ----a-w C:\Documents and Settings\David\usbsermptxp.sys
2007-05-03 06:28 22,768 ----a-w C:\Documents and Settings\David\usbsermpt.sys
2006-12-15 05:29 25,104 ----a-w C:\Documents and Settings\David\Application Data\GDIPFONTCACHEV1.DAT
2006-01-08 06:57 56 --sh--r C:\Windows\system32\5B77058413.sys
2006-01-08 06:57 2,516 --sha-w C:\Windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

md5deep: C:\Windows\system32\svchost.exe: Permission denied

md5deep: C:\Windows\system32\winlogon.exe: error at offset 0: Permission denied

md5deep: C:\Windows\explorer.exe: Permission denied

md5deep: C:\Windows\system32\services.exe: error at offset 0: Permission denied

md5deep: C:\Windows\system32\lsass.exe: error at offset 0: Permission denied

2005-06-10 19:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\Windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
md5deep: C:\Windows\system32\spoolsv.exe: Permission denied
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXCYCATS"="C:\Windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2005-12-01 13:38 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"QUgWtXhphoOc"= {385CEFD9-92F6-4573-6042-720265C47ABE} - C:\Windows\system32\gdi.dll [2006-07-05 05:55 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"vidc.3ivx"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"vidc.xvid"= xvid.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\Windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\Windows\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
backup=C:\Windows\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=C:\Windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\Windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Wireless Manager UI]
C:\WINDOWS\system32\WLTRAY [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shareaza
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhcnuoj0ep6t
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Software Informer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2006-10-23 00:24 620152 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2008-08-11 01:34 1232152 C:\PROGRA~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2005-12-16 12:57 94208 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2008-07-23 10:38 341824 C:\Program Files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
--a------ 2006-02-07 00:10 98304 C:\Program Files\Lexmark 3400 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
--a------ 2008-05-20 17:27 2474031 C:\Program Files\Free Download Manager\fdm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 14:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-07-19 11:06 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-07-19 11:10 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-07-19 11:09 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
--a------ 2008-04-10 15:14 1107848 C:\Program Files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 11:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcymon.exe]
--a------ 2006-01-25 11:02 286720 C:\Program Files\Lexmark 3400 Series\lxcymon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 13:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2006-03-17 21:24 184320 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-12-15 04:23 75520 C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2005-06-24 07:36 729178 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
--------- 2004-08-14 05:42 36864 C:\Program Files\mobile PhoneTools\WatchDog.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2005-09-10 00:19 393216 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SxgTkBar]
--a------ 2002-07-22 17:03 53248 C:\WINDOWS\system32\Sxgtkbar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=3 (0x3)
"SAVScan"=3 (0x3)
"NSCService"=3 (0x3)
"NPFMntor"=2 (0x2)
"navapsvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Team17\\Worms Armageddon\\WA.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\Free Download Manager\\fdm.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\Windows\system32\Drivers\avgldx86.sys [2008-08-11 01:34]
R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-08-12 22:01]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-11 01:34]
R3 SOFTXG;YAMAHA XG SoftSynthesizer;C:\Windows\system32\drivers\sxgxgwdm.sys [2002-05-22 09:34]
S3 NPF;NetGroup Packet Filter Driver;C:\Windows\system32\drivers\npf.sys [2005-08-02 16:10]
S3 npkycryp;npkycryp;C:\Program Files\Gravity\RO\npkycryp.sys []
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;C:\Windows\system32\Drivers\usbbc2.sys [2003-05-07 16:54]
S3 samhid;samhid;C:\Windows\system32\drivers\samhid.sys []
S3 tap0801co;TAP-Win32 Adapter V8 (coLinux);C:\Windows\system32\DRIVERS\tap0801co.sys [2004-07-10 09:54]
S3 XLPINIT;XLPINIT;C:\Windows\system32\Drivers\xromlp.sys [2003-12-06 07:44]
S3 XLPWRITER;XLPWRITER;C:\Windows\system32\drivers\xromio.sys [2001-01-28 11:07]
S4 lxcy_device;lxcy_device;C:\Windows\system32\lxcycoms.exe [2006-02-20 14:23]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\setup.exe
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-bestreak - (no file)
Notify-wvUonMDU - wvUonMDU.dll
MSConfigStartUp-385cef77 - C:\Windows\system32\vayvhtlj.dll
MSConfigStartUp-BM3b6fdceb - C:\Windows\system32\hmiutufk.dll
MSConfigStartUp-ccApp - C:\Program Files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-lphcjuoj0ep6t - C:\Windows\system32\lphcjuoj0ep6t.exe
MSConfigStartUp-MCAgentExe - c:\PROGRA~1\mcafee.com\agent\mcagent.exe
MSConfigStartUp-MCUpdateExe - c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
MSConfigStartUp-MPFExe - C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
MSConfigStartUp-MSKAGENTEXE - C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
MSConfigStartUp-MSKDetectorExe - C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe
MSConfigStartUp-OASClnt - C:\Program Files\McAfee.com\VSO\oasclnt.exe
MSConfigStartUp-Run - C:\Documents and Settings\David\Application Data\Adobe\Manager.exe
MSConfigStartUp-VirusScan Online - C:\Program Files\McAfee.com\VSO\mcvsshld.exe
MSConfigStartUp-VSOCheckTask - C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe
MSConfigStartUp-Yahoo! Pager - C:\Program Files\Yahoo!\Messenger\ypager.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\upqcf6hy.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:47, on 2008-08-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\Windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O8 - Extra context menu item: &Search - http://edits.mywebse...arch.jhtml?p=ZU
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: wvUonMDU - wvUonMDU.dll (file missing)
O21 - SSODL: QUgWtXhphoOc - {385CEFD9-92F6-4573-6042-720265C47ABE} - C:\Windows\system32\gdi.dll
O22 - SharedTaskScheduler: {874443fe-aa33-4ebf-a6ac-73208787e62d} - bestreak - (no file)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\wltrysvc.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 7783 bytes

#4 Mike (Malware Monger, Retired Staff, 2,745 posts)
Hi there :)

Did you install, or do you use RegCure? I'm going to recommend you uninstall it - registry cleaners do nothing practical and risk corrupting your registry.

Is there a reason you ran everything in safe mode? Please do the following in Normal mode, unless instructed otherwise.

One question: what are your E:\ and F:\ drives? Take a look under My Computer; are they CD or USB drives?

  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box at the top of the page:

    • C:\Windows\system32\drivers\sptd7725.sys
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

Then,

Please open HijackThis again and choose "Do a system scan only". Please put a check next to each of the following entries (if still present):

O20 - Winlogon Notify: wvUonMDU - wvUonMDU.dll (file missing)
O21 - SSODL: QUgWtXhphoOc - {385CEFD9-92F6-4573-6042-720265C47ABE} - C:\Windows\system32\gdi.dll
O22 - SharedTaskScheduler: {874443fe-aa33-4ebf-a6ac-73208787e62d} - bestreak - (no file)
O24 - Desktop Component 0: Privacy Protection - (no file)


Now please close all open windows except HJT and press "Fix checked".

And,

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Open notepad and copy/paste the text in the quotebox below into it:

http://www.geekstogo...ar-t207911.html
Extra::
Collect::
C:\WINDOWS\system32\kyiqhjid.exe
C:\WINDOWS\system32\ihcaesxj.exe
C:\Windows\system32\gdi.dll

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhcnuoj0ep6t]


Save this as CFScript.txt


[image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.

Post back with the logs.

Edited by Mike, 13 August 2008 - 09:53 AM.


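The reply above picks the bad entries out of the logs by eye: Security Center monitoring and the firewall switched off in the registry dump, an AutoRun command hung on each virtual drive under MountPoints2, Winlogon Notify / SSODL / SharedTaskScheduler / desktop-component hooks whose file is already gone, an SSODL DLL called gdi.dll sitting next to the real gdi32.dll, eight-letter DLLs loaded from system32 at startup, and a pile of tdss-prefixed files. The script below is an added example, not part of HijackThis, ComboFix or the helper's procedure, that encodes those same checks over log lines. The sample lines are copied from the logs in this thread; the list of system DLL stems, the rule names and the severities are my own assumptions.

```python
"""Heuristic triage of ComboFix / HijackThis log lines.

Added example for this thread: not part of HijackThis, ComboFix, or the helper's
own procedure. It encodes the checks applied by hand in the reply above.
"""
import re
from typing import Dict, List, Optional

# Assumption: a short list of Windows XP system DLL stems is enough to expose the
# look-alike trick (gdi.dll masquerading next to the real gdi32.dll).
SYSTEM_DLL_STEMS = {"gdi32", "user32", "kernel32", "ntdll", "advapi32", "shell32",
                    "crypt32", "secur32", "wininet", "msvcrt"}
# digit-stripped stem -> real stem, e.g. "gdi" -> "gdi32"
LOOKALIKE_STEMS = {re.sub(r"\d", "", s): s for s in SYSTEM_DLL_STEMS}

# Entry types that load a DLL at startup or logon. The eight-letter rule is limited
# to these because system32 itself holds plenty of legitimate eight-letter DLLs.
STARTUP_PREFIXES = ("msconfigstartup-", "notify-", "o4 ", "o20 ", "o21 ")

# Constructed sample: a handful of lines taken from the logs posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\SETUP.EXE
Notify-wvUonMDU - wvUonMDU.dll
MSConfigStartUp-385cef77 - C:\Windows\system32\vayvhtlj.dll
MSConfigStartUp-ccApp - C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O20 - Winlogon Notify: wvUonMDU - wvUonMDU.dll (file missing)
O21 - SSODL: QUgWtXhphoOc - {385CEFD9-92F6-4573-6042-720265C47ABE} - C:\Windows\system32\gdi.dll
O22 - SharedTaskScheduler: {874443fe-aa33-4ebf-a6ac-73208787e62d} - bestreak - (no file)
O24 - Desktop Component 0: Privacy Protection - (no file)
C:\Windows\system32\tdssinit.dll
C:\Windows\system32\tdssservers.dat
"""


def _stem(path: str) -> str:
    name = path.split("\\")[-1]
    return re.sub(r"\.[A-Za-z0-9]+$", "", name).lower()


def _dll_target(line: str, low: str) -> Optional[str]:
    """The DLL a log line loads, or None. Bare names in Notify entries resolve via system32."""
    m = re.search(r"([A-Za-z]:\\.+?\.dll)(?=\s|$)", line, re.I)
    if not m and low.startswith(("notify-", "o20 ")):
        m = re.search(r"(\S+\.dll)", line, re.I)
    return m.group(1) if m else None


def triage(text: str) -> List[Dict[str, str]]:
    findings: List[Dict[str, str]] = []
    section = ""  # last [registry key] header seen in a ComboFix dump

    def hit(severity: str, rule: str, line: str) -> None:
        findings.append({"severity": severity, "rule": rule, "line": line})

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()
            continue
        low = line.lower()
        # 1. Security posture: Security Center alerts switched off, firewall off.
        if "security center" in section and re.search(r'"disablemonitoring"=dword:0*1\b', low):
            hit("high", "security-center-monitoring-disabled", line)
        if "firewallpolicy" in section and re.search(r'"enablefirewall"=\s*0\b', low):
            hit("high", "windows-firewall-disabled", line)
        # 2. Per-drive AutoRun command under MountPoints2: fires when the drive is opened.
        if "mountpoints2" in section and r"\shell\autorun\command" in low:
            hit("high", "mountpoints2-autorun", line)
        # 3. Logon/shell hooks (O20-O24) whose file is gone: leftovers to remove.
        if re.match(r"o2[0-4] ", low) and ("(file missing)" in low or "(no file)" in low):
            hit("medium", "orphaned-hook", line)
        # 4. Files sharing the prefix of the rootkit driver targeted later (tdssserv.sys).
        if re.search(r"\\system32\\(drivers\\)?tdss\w*\.(dll|dat|sys)$", low):
            hit("high", "tdss-rootkit-component", line)
        # 5. DLL-based checks.
        dll = _dll_target(line, low)
        if dll:
            s = _stem(dll)
            if s in LOOKALIKE_STEMS and LOOKALIKE_STEMS[s] != s:
                hit("high", "system-dll-lookalike", line)
            if low.startswith(STARTUP_PREFIXES) and re.search(r"\\system32\\[a-z]{8}\.dll$", dll, re.I):
                hit("review", "random-8-letter-dll-in-system32", line)
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:>6}] {f['rule']:<36} {f['line']}")
```

Run it as-is to see the findings for the sample, or pass the contents of a full ComboFix or HijackThis log to `triage()`. The "review" severity is deliberately weak: an eight-letter lowercase DLL name is only a hint, so that rule fires just for startup and logon hooks, and a hit still needs the kind of corroboration the helper asks for (a VirSCAN result, a missing file, a second entry pointing at the same DLL).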
#5 Luxdragon (New Member, Topic Starter, 4 posts)
Hi there.

The reason I ran everything in safe mode is that normal mode would always stop responding or freeze.

My E and F drives are virtual CD-ROM drives.

C:\Windows\system32\drivers\sptd7725.sys scan came back with an error. The upload could not be found.

Combo Fix stopped responding at the end where it says that ComboFix is preparing a log.

Here is the log and the files captured.

ComboFix 08-08-11.01 - David 2008-08-13 13:41:33.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.632 [GMT -5:00]
Running from: H:\ComboFix.exe
Command switches used :: C:\Documents and Settings\David\Desktop\CFScript.txt.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\gdi.dll
C:\WINDOWS\system32\ihcaesxj.exe
C:\WINDOWS\system32\kyiqhjid.exe
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Documents and Settings\David\Application Data\Adobe\Manager.exe
C:\Documents and Settings\David\Application Data\macromedia\Flash Player\#SharedObjects\AL849KSK\interclick.com
C:\Documents and Settings\David\Application Data\macromedia\Flash Player\#SharedObjects\AL849KSK\interclick.com\ud.sol
C:\Documents and Settings\David\Application Data\macromedia\Flash Player\#SharedObjects\AL849KSK\www.broadcaster.com
C:\Documents and Settings\David\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\David\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\David\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\David\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\David\Application Data\rhcnuoj0ep6t
C:\Windows\BM3b6fdceb.txt
C:\Windows\BM3b6fdceb.xml
C:\Windows\pskt.ini
C:\Windows\system32\4.tmp
C:\Windows\system32\5.tmp
C:\Windows\system32\6.tmp
C:\Windows\system32\7.tmp
C:\Windows\system32\8.tmp
C:\Windows\system32\9.tmp
C:\Windows\system32\blphcjuoj0ep6t.scr
C:\Windows\system32\cmohjglu.dll
C:\Windows\system32\hmiutufk.dll
C:\WINDOWS\system32\IRsvFfhk.ini
C:\WINDOWS\system32\IRsvFfhk.ini2
C:\WINDOWS\system32\jlthvyav.ini
C:\Windows\system32\lphcjuoj0ep6t.exe
C:\Windows\system32\mcrh.tmp
C:\Windows\system32\mctijube.dll
C:\Windows\system32\mqhwvonp.ini
C:\Windows\system32\myokzk.dll
C:\Windows\system32\pbravlym.dll
C:\Windows\system32\phcjuoj0ep6t.bmp
C:\Windows\system32\poflgx.dll
C:\Windows\system32\pphcjuoj0ep6t.exe
C:\Windows\system32\rgblwpkq.dll
C:\Windows\system32\syisrlnu.dll
C:\Windows\system32\tdssadw.dll
C:\Windows\system32\tdssinit.dll
C:\Windows\system32\tdssl.dll
C:\Windows\system32\tdsslog.dll
C:\Windows\system32\tdssmain.dll
C:\Windows\system32\tdssservers.dat
C:\Windows\system32\unlrsiys.ini
C:\Windows\system32\uvyxerjl.dll
C:\Windows\system32\vayvhtlj.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-13 to 2008-08-13 )))))))))))))))))))))))))))))))
.

Edited by Mike, 13 August 2008 - 01:30 PM.
Removed attachment


#6 Mike (Malware Monger, Retired Staff, 2,745 posts)
You 'had', and still have, the remains of a rootkit. Your last CF log didn't include the catchme section, and I was hoping to see it this time, but the log still seems truncated. Are you posting it all?

For that zip file, please visit this site and follow the instructions for uploading the <Submit_Date_Time>.zip http://www.bleepingc...e.php?channel=4

Please click Start, then Run; in the window that appears, type in Notepad.exe.
Highlight the entire content of the codebox below. Copy (Control + C) and Paste (Control + V) the content into the notepad window:
KillAll::
Rootkit::
C:\WINDOWS\system32\drivers\tdssserv.sys

Driver::
tdssserv
Now in Notepad, go to File and in the menu that drops down click on Save As...
Save the file as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
[image: dragging CFScript.txt onto ComboFix.exe]

After that please reboot your computer if it asks you to and post ComboFix.txt (the report the ComboFix will generate) in your next reply.

Edited by Mike, 13 August 2008 - 01:28 PM.


#7 Mike (Malware Monger, Retired Staff, 2,745 posts)
Hi there,

Another thing for you,

Open Notepad by going to START > RUN and typing notepad.exe in the box that appears. In the window that pops up, please copy and paste the following:

@echo off
rem Search the whole system drive for any file carrying one of the five core
rem process names, wherever it sits (Vfind is one of the helper tools that
rem ComboFix installs). The listing goes to Log.txt beside this batch file.
pushd %systemdrive%\
Vfind -ltf \svchost.ex* \winlogon.ex* \explorer.ex* \services.ex* \lsass.ex* >"%~dp0Log.txt"
popd
rem Show the listing, then delete this batch file.
start notepad log.txt
del %0


In Notepad, click on the "File" menu > Save As... Under "File name" type fix.bat, change "Save as type" to All Files, and save it to a place you will remember.

[image: Notepad Save As dialog]

Double-click on fix.bat. A Notepad file 'log.txt' will appear; please post the contents of that log. It will be located in the same place you saved the batch file if, for some reason, you exit out of the Notepad file.

#8 Luxdragon (New Member, Topic Starter, 4 posts)
Sorry about that. I think that I got it all this time. :)

Here is the ComboFix log and the fix.bat log.

I thought they were getting a little too big, so I am posting them as attachments. :)

Attached Files



#9 Mike (Malware Monger, Retired Staff, 2,745 posts)
Hi there,

That's more like it!
If you can, post it in the thread rather than attaching it; if the log is so long that you don't see E O F at the end, then attach it.

What antivirus did you decide to keep by the way?

Open Notepad by going to START > RUN and typing notepad.exe in the box that appears. In the window that pops up, please copy and paste the following:

@echo off
rem Stop the shell, then clear the attributes on the current explorer.exe and
rem move it aside (Nircmd and fdsv are helper tools that ComboFix installs).
Nircmd killprocess explorer.exe
attrib -h -r -s -a %systemroot%\explorer.exe
move /y %systemroot%\explorer.exe explorer.old
rem Restore a clean copy from the compressed install source, then run fdsv
rem against the restored file and capture its output for posting.
eXpand -r C:\i386\EXPLORER.EX_ %systemroot%
fdsv %systemroot%\explorer.exe >log.txt
Notepad log.txt


In Notepad, click on the "File" menu > Save As... Under "File name" type fix.bat, change "Save as type" to All Files, and save it to a place you will remember.

[image: Notepad Save As dialog]

Double click on fix.bat.

Then,

Please click Start, then Run; in the window that appears, type in Notepad.exe.
Highlight the entire content of the codebox below. Copy (Control + C) and Paste (Control + V) the content into the notepad window:
Extra::
FCopy::
C:\i386\svchost.exe | C:\WINDOWS\system32\svchost.exe
C:\i386\winlogon.exe | C:\WINDOWS\system32\winlogon.exe
C:\i386\lsass.exe | C:\WINDOWS\system32\lsass.exe
C:\i386\services.exe | C:\windows\system32\services.exe

File::
C:\WINDOWS\system32\kyiqhjid.exe
C:\WINDOWS\system32\ihcaesxj.exe
C:\Windows\System32\gdi.dll
C:\Windows\system32\vayvhtlj.dll
C:\Windows\system32\hmiutufk.dll 
C:\Windows\system32\lphcjuoj0ep6t.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"QUgWtXhphoOc"=-
[-HKEY_CLASSES_ROOT\CLSID\{385CEFD9-92F6-4573-6042-720265C47ABE}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhcnuoj0ep6t]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Software Informer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\385cef77]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM3b6fdceb]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphcjuoj0ep6t]
Now in Notepad, go to File and in the menu that drops down click on Save As...
Save the file as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
[image: dragging CFScript.txt onto ComboFix.exe]

After that please reboot your computer if it asks you to and post ComboFix.txt (the report the ComboFix will generate) in your next reply.

Edited by Mike, 14 August 2008 - 07:32 AM.


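The two Mike posts above rest on one idea: a process that shows up as svchost.exe or winlogon.exe is only trustworthy if the file behind it is the one in its home directory and that file matches the install source. The fix.bat asks Vfind for every copy of the five core names on the system drive; the CFScript then copies fresh originals from C:\i386 over the installed ones. The script below is an added example, not the helper's batch file, not Vfind and not ComboFix, that does the same two things in Python against a constructed directory tree so it runs anywhere. Assumptions, mine rather than the thread's: the default XP layout (explorer.exe in %SystemRoot%, the other four in %SystemRoot%\system32), that i386 and system32\dllcache are legitimate places for second copies, and that the reference directory holds already-expanded files rather than the .EX_ compressed form that `expand` unpacks.

```python
"""Find copies of core process names outside their home directory and verify the
installed copy against a reference. Added example for this thread; not the
helper's fix.bat, not Vfind, not ComboFix."""
import hashlib
import os
import tempfile
from typing import Dict, List

CORE = ("svchost.exe", "winlogon.exe", "explorer.exe", "services.exe", "lsass.exe")
# Assumption: default XP layout relative to the system drive. explorer.exe lives in
# %SystemRoot%, the other four in %SystemRoot%\system32.
EXPECTED_DIR = {name: os.path.join("Windows", "system32") for name in CORE}
EXPECTED_DIR["explorer.exe"] = "Windows"
# Assumption: places where XP legitimately keeps second copies (install source, file
# protection cache). Any other directory holding a core name is worth a look.
KNOWN_COPY_DIRS = ("i386", os.path.join("Windows", "system32", "dllcache"))


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _under(rel_dir: str, parent: str) -> bool:
    rel, par = os.path.normcase(rel_dir), os.path.normcase(parent)
    return rel == par or rel.startswith(par + os.sep)


def find_misplaced_core_binaries(root: str) -> List[str]:
    """Files carrying a core process name in a directory that is neither its home
    nor a known copy location: the question the Vfind line in fix.bat asks."""
    hits: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if any(_under(rel_dir, d) for d in KNOWN_COPY_DIRS):
            continue
        for fname in files:
            key = fname.lower()
            if key in EXPECTED_DIR and os.path.normcase(rel_dir) != os.path.normcase(EXPECTED_DIR[key]):
                hits.append(os.path.join(dirpath, fname))
    return sorted(hits)


def compare_with_reference(root: str, reference_dir: str) -> Dict[str, str]:
    """'ok', 'modified' or 'missing' for each core binary, by hashing the installed
    copy against an already-expanded reference copy (the role C:\\i386 plays in the
    FCopy step; assumption: the reference files are not .EX_-compressed)."""
    verdicts: Dict[str, str] = {}
    for name in CORE:
        installed = os.path.join(root, EXPECTED_DIR[name], name)
        reference = os.path.join(reference_dir, name)
        if not os.path.isfile(installed):
            verdicts[name] = "missing"
        elif sha256_of(installed) == sha256_of(reference):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "modified"
    return verdicts


def build_fixture() -> str:
    """Constructed stand-in for the system drive: placeholder bytes, not real binaries."""
    root = tempfile.mkdtemp(prefix="xp-")
    good = {n: b"MZ-good-" + n.encode() for n in CORE}
    layout = {os.path.join("Windows", "system32", n): good[n] for n in CORE if n != "explorer.exe"}
    layout.update({os.path.join("i386", n): good[n] for n in CORE})
    layout[os.path.join("Windows", "explorer.exe")] = b"MZ-patched-explorer"  # tampered shell
    layout[os.path.join("Windows", "svchost.exe")] = b"MZ-rogue-svchost"      # wrong directory
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    drive = build_fixture()
    for path in find_misplaced_core_binaries(drive):
        print("misplaced:", path)
    for name, verdict in compare_with_reference(drive, os.path.join(drive, "i386")).items():
        print(f"{name:<13} {verdict}")
```

Pointing `find_misplaced_core_binaries()` at a real drive root is the Vfind step; pointing `compare_with_reference()` at an expanded copy of the i386 folder tells you which of the five binaries the FCopy step actually needs to replace, instead of overwriting all of them blind.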
#10 Mike (Malware Monger, Retired Staff, 2,745 posts)
Do you still need help?

#11 Mike (Malware Monger, Retired Staff, 2,745 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.