Win32/Patched [Solved]

Need a geek? Geeks to Go offers free, quality tech support -- in terms anyone can understand. Volunteers are waiting to help, friendly, technology experts who have knowledge to share, and enjoy helping others. Feel free to browse the site as a guest. However, you must log in to reply to existing topics, or to start a new topic. Other benefits of joining include richer forum features, and removal of all advertising. Learn more in our Welcome Guide Infected? Malware and Spyware Cleaning Guide. What are you waiting for? Click here to join for free today!

> Geeks to Go! » Security » Virus, Spyware and Trojan Removal

Win32/Patched [Solved], AVG cannot remove

Options

davidhenry View Member Profile	Jul 3 2009, 07:08 PM Post #1
New Member Posts: 9 OS: xp	I keep getting pop ups from AVG virus found. C:windows/system32ws2_32.dll win32/Patched. Object is white listed should not be removed. What do I do now?

JSntgRvr View Member Profile	Jul 3 2009, 11:03 PM Post #2
Global Moderator Posts: 6,771 From: Puerto Rico OS: Windows XP, VISTA Home Premium	Hi, davidhenry Welcome. Please read and follow all these instructions very carefully. Please download Malwarebytes' Anti-Malware from Here. Double Click mbam-setup.exe to install the application. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note) The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy&Paste the entire report in your next reply. Extra Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly. ===================================================================== Please download ComboFix from Here or Here to your Desktop. Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop Please, never rename Combofix unless instructed. Close any open browsers. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. ----------------------------------------------------------- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Click on this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.* ----------------------------------------------------------- Close any open browsers. WARNING: Combofix will disconnect your machine from the Internet as soon as it starts Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished. If there is no internet connection after running Combofix, then restart your computer to restore back your connection. ----------------------------------------------------------- Double click on combofix.exe & follow the prompts. If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply. Install the Recovery Console upon request. When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review. Note: Do not mouseclick combofix's window while it's running. That may cause it to stall Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

davidhenry View Member Profile	Jul 4 2009, 07:00 AM Post #3
New Member Posts: 9 OS: xp	Malwarebytes' Anti-Malware 1.38 Database version: 2371 Windows 5.1.2600 Service Pack 3 7/4/2009 8:22:03 AM mbam-log-2009-07-04 (08-22-03).txt Scan type: Quick Scan Objects scanned: 128128 Time elapsed: 18 minute(s), 41 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 1 Registry Data Items Infected: 4 Folders Infected: 1 Files Infected: 15 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\twext.exe -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: C:\WINDOWS\system32\twain_32 (Backdoor.Bot) -> Delete on reboot. Files Infected: c:\WINDOWS\system32\21.tmp (Trojan.Agent) -> Quarantined and deleted successfully. c:\documents and settings\david acabbo.pc294771894831\local settings\Temp\e.exe (Trojan.Downloader) -> Quarantined and deleted successfully. c:\WINDOWS\system32\twain_32\local.ds (Backdoor.Bot) -> Delete on reboot. c:\WINDOWS\system32\twain_32\user.ds (Backdoor.Bot) -> Delete on reboot. c:\documents and settings\David Acabbo\Desktop\A360.lnk (Rogue.AntiVirus360) -> Quarantined and deleted successfully. c:\documents and settings\David Acabbo\Application Data\Microsoft\Internet Explorer\Quick Launch\A360.lnk (Rogue.AntiVirus360) -> Quarantined and deleted successfully. c:\documents and settings\david acabbo\local settings\Temp\60325cahp25ca0.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\twext.exe (Backdoor.Bot) -> Delete on reboot. c:\documents and settings\David Acabbo\Application Data\config.cfg (Malware.Trace) -> Quarantined and deleted successfully. c:\documents and settings\David Acabbo\Application Data\~tmp.html (Malware.Trace) -> Quarantined and deleted successfully. C:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> Quarantined and deleted successfully. C:\Program Files\Common Files\System\Uninstall\Uninstall A360.lnk (Rogue.av360) -> Quarantined and deleted successfully. c:\WINDOWS\smdat32a.sys (Rootkit.Agent) -> Quarantined and deleted successfully. c:\WINDOWS\smdat32m.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

JSntgRvr View Member Profile	Jul 4 2009, 01:23 PM Post #4
Global Moderator Posts: 6,771 From: Puerto Rico OS: Windows XP, VISTA Home Premium	Please post the C:\Combofix.txt.

davidhenry View Member Profile	Jul 5 2009, 05:28 AM Post #5
New Member Posts: 9 OS: xp	ComboFix 09-07-04.05 - David Acabbo 07/05/2009 7:03.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.282 [GMT -4:00] Running from: c:\documents and settings\David Acabbo.PC294771894831\Desktop\ComboFix.exe AV: AVG Anti-Virus Free On-access scanning disabled (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} FW: Norton Internet Worm Protection disabled {990F9400-4CEE-43EA-A83A-D013ADD8EA6E} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\LocalService\Application Data\twain_32 c:\documents and settings\LocalService\Application Data\twain_32\user.ds C:\omnh.exe c:\windows\Installer\1059c5d2.msi c:\windows\Installer\111671b.msi c:\windows\Installer\11169c0.msi c:\windows\Installer\11169c6.msi c:\windows\Installer\1116a75.msi c:\windows\Installer\260155f.msi c:\windows\Installer\26c6e.msi c:\windows\Installer\294aff.msi c:\windows\Installer\3122b1f.msp c:\windows\Installer\32c3a.msi c:\windows\Installer\3569f.msi c:\windows\Installer\3858229.msi c:\windows\Installer\38d9cedc.msi c:\windows\Installer\38d9d0c0.msi c:\windows\Installer\38d9d143.msi c:\windows\Installer\39d7541.msi c:\windows\Installer\3a71c6.msi c:\windows\Installer\452691.msi c:\windows\Installer\4712f1e.msi c:\windows\Installer\4b6e95da.msi c:\windows\Installer\5188a31.msi c:\windows\Installer\5188a36.msi c:\windows\Installer\52e0c19.msi c:\windows\Installer\54b071d.msp c:\windows\Installer\56730.msi c:\windows\Installer\6339e80.msi c:\windows\Installer\8a6f1.msi c:\windows\Installer\8c239.msi c:\windows\Installer\90772ef.msi c:\windows\Installer\93eac.msi c:\windows\Installer\a73f04bd.msi c:\windows\Installer\d95de9.msp c:\windows\Installer\f9b955.msi c:\windows\lcass.exe c:\windows\stat c:\windows\system32\_000021_.tmp.dll c:\windows\system32\_000022_.tmp.dll c:\windows\system32\_000023_.tmp.dll c:\windows\system32\_000024_.tmp.dll D:\Autorun.inf c:\windows\system32\ws2_32.dll . . . is infected!! . ((((((((((((((((((((((((( Files Created from 2009-06-05 to 2009-07-05 ))))))))))))))))))))))))))))))) . 2009-07-04 11:50 . 2009-07-04 11:50 -------- d-----w- c:\documents and settings\David Acabbo.PC294771894831\Application Data\Malwarebytes 2009-07-04 11:50 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-07-04 11:50 . 2009-07-04 11:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-07-04 11:50 . 2009-07-04 11:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-07-04 11:50 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-07-04 00:17 . 2009-07-04 00:17 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache 2009-07-04 00:09 . 2009-07-04 00:10 -------- dc-h--w- c:\windows\ie8 2009-07-03 23:43 . 2009-07-03 23:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Nikon 2009-06-27 02:50 . 2009-06-14 20:07 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll 2009-06-27 02:49 . 2009-06-27 02:47 832144 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\AVGToolbarInstall.exe 2009-06-27 02:49 . 2009-06-27 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar 2009-06-27 02:49 . 2009-06-27 02:49 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR 2009-06-17 20:53 . 2009-06-17 20:53 -------- d-----w- c:\program files\Midas Interactive 2009-06-17 19:54 . 2009-06-17 19:54 1915520 ----a-w- c:\documents and settings\David Acabbo.PC294771894831\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe 2009-06-10 01:11 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll 2009-06-10 01:11 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll 2009-06-10 01:11 . 2009-04-30 21:22 1985024 ------w- c:\windows\system32\dllcache\iertutil.dll 2009-06-10 01:10 . 2009-04-30 21:22 11064832 ------w- c:\windows\system32\dllcache\ieframe.dll 2009-06-10 00:54 . 2009-06-10 00:54 -------- d-----w- c:\documents and settings\David Acabbo.PC294771894831\Application Data\aAvgApi 2009-06-07 17:04 . 2009-06-07 17:04 -------- d-sh--w- c:\documents and settings\David Acabbo.PC294771894831\IECompatCache 2009-06-06 23:33 . 2009-06-06 23:33 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache 2009-06-06 14:27 . 2009-06-06 14:27 -------- d-sh--w- c:\documents and settings\David Acabbo.PC294771894831\PrivacIE 2009-06-06 14:24 . 2009-06-06 14:24 -------- d-sh--w- c:\documents and settings\David Acabbo.PC294771894831\IETldCache 2009-06-06 14:16 . 2009-06-11 21:55 -------- d-----w- c:\windows\ie8updates 2009-06-06 14:15 . 2009-06-02 10:12 102912 ------w- c:\windows\system32\dllcache\iecompat.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-07-05 11:00 . 2009-02-14 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8 2009-07-04 00:33 . 2009-01-11 23:34 -------- d-----w- c:\program files\AVG 2009-07-03 23:45 . 2009-07-03 23:40 62360 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-07-03 23:45 . 2009-07-03 23:40 136 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat 2009-07-03 23:43 . 2009-02-14 17:38 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT 2009-06-27 02:47 . 2009-02-14 03:06 11952 ----a-w- c:\windows\system32\avgrsstx.dll 2009-06-27 02:47 . 2009-02-14 03:06 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2009-06-27 02:47 . 2009-02-14 03:06 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2009-05-25 13:36 . 2009-05-25 13:36 299352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe 2009-05-25 13:36 . 2009-05-25 13:36 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll 2009-05-25 13:36 . 2009-05-25 13:36 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe 2009-05-25 13:36 . 2009-02-16 15:44 15688 ----a-w- c:\windows\system32\lsdelete.exe 2009-05-25 13:36 . 2009-05-25 13:36 165728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll 2009-05-25 13:36 . 2009-05-25 13:36 343888 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll 2009-05-25 13:36 . 2009-05-25 13:36 289632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll 2009-05-25 13:36 . 2009-05-25 13:36 82784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll 2009-05-25 13:35 . 2009-05-25 13:35 1629024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll 2009-05-25 13:35 . 2009-05-25 13:35 212848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll 2009-05-25 13:35 . 2009-05-25 13:35 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll 2009-05-25 13:35 . 2009-05-25 13:35 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys 2009-05-25 13:35 . 2009-02-16 14:35 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys 2009-05-25 13:35 . 2009-05-25 13:35 632680 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll 2009-05-25 13:35 . 2009-05-25 13:35 539512 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe 2009-05-25 13:35 . 2009-05-25 13:35 552808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe 2009-05-25 13:35 . 2009-05-25 13:35 2324808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe 2009-05-25 13:35 . 2009-05-25 13:35 626000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe 2009-05-25 13:34 . 2009-05-25 13:34 516440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe 2009-05-25 13:34 . 2009-05-25 13:34 953168 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe 2009-05-13 05:15 . 2004-08-04 08:00 915456 ----a-w- c:\windows\system32\wininet.dll 2009-05-07 15:32 . 2004-08-04 08:00 345600 ----a-w- c:\windows\system32\localspl.dll 2009-05-05 12:42 . 2009-02-14 03:06 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys 2009-04-17 12:26 . 2004-08-04 08:00 1847168 ----a-w- c:\windows\system32\win32k.sys 2009-04-15 14:51 . 2004-08-04 08:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll 2007-05-28 21:58 . 2007-05-28 21:58 774144 ----a-w- c:\program files\RngInterstitial.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}] 2009-06-14 20:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-08 136600] "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178] "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208] "eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-07 409600] "Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534] "RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840] "Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2005-10-28 679936] "hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-27 1948440] "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-25 516440] c:\documents and settings\David Acabbo.PC294771894831\Start Menu\Programs\Startup\ Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-12-9 111376] Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-12-9 51984] c:\documents and settings\All Users\Start Menu\Programs\Startup\ HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728] Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-06-27 02:47 11952 ----a-w- c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\LimeWire\\LimeWire.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"= R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/16/2009 10:35 AM 64160] R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/13/2009 11:06 PM 327688] R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/13/2009 11:06 PM 108552] R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2/13/2009 11:06 PM 906520] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/13/2009 11:06 PM 298776] R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 5:06 AM 231424] S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 5:34 PM 953168] [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . Contents of the 'Scheduled Tasks' folder 2009-05-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 13:35] 2009-03-09 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com/ uInternet Connection Wizard,ShellNext = https://register.hp.com/servlet/WebReg.serv...&prodOS=011 uInternet Settings,ProxyOverride = .local IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html . *********************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-07-05 07:17 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????n??\|?????? ???B?????????????hLC? ?????? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(844) c:\windows\system32\Ati2evxx.dll . Completion time: 2009-07-05 7:21 ComboFix-quarantined-files.txt 2009-07-05 11:21 Pre-Run: 42,458,738,688 bytes free Post-Run: 44,389,789,696 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect 222 --- E O F --- 2009-07-04 00:12

davidhenry View Member Profile	Jul 5 2009, 05:44 AM Post #6
New Member Posts: 9 OS: xp	Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:41:23 AM, on 7/5/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\HP\QuickPlay\QPService.exe C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe C:\Program Files\Microsoft Office\Office\FINDFAST.EXE C:\Program Files\Microsoft Office\Office\OSA.EXE C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe C:\Program Files\AVG\AVG8\avgscanx.exe C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\WINDOWS\explorer.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://register.hp.com/servlet/WebReg.serv...&prodOS=011 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = .local R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing) O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing) O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe" O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\HP Game Console\GameConsoleService.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- End of file - 9136 bytes

JSntgRvr View Member Profile	Jul 5 2009, 05:15 PM Post #7
Global Moderator Posts: 6,771 From: Puerto Rico OS: Windows XP, VISTA Home Premium	Hi, davidhenry Copy the entire contents of the Quote Box below to Notepad. Name the file as CFScript.txt Change the Save as Type to All Files and Save it on the desktop QUOTE Snapshot:: SysRst:: Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report. Download the enclosed folder. [attachment=31557:FindIt.zip]Save and extract its contents to the desktop. Once extracted, open the folder and click on the RunMe.bat file. It should take a while searching, then a report will be produced. Post its contents in your next reply.

davidhenry View Member Profile	Jul 6 2009, 07:51 AM Post #9
New Member Posts: 9 OS: xp	-c----w 82,944 2004-08-04 08:00:00 C:\Windows\$NtServicePackUninstall$\ws2_32.dll ------w 82,432 2008-04-14 00:12:10 C:\Windows\ServicePackFiles\i386\ws2_32.dll ----a-w 82,432 2008-04-14 00:12:10 C:\Windows\system32\ws2_32.dll ----a-w 82,432 2008-04-14 00:12:10 C:\Windows\system32\dllcache\ws2_32.dll Entries: 4 (4) Directories: 0 Files: 4 Bytes: 330,240 Blocks: 645

JSntgRvr View Member Profile	Jul 6 2009, 09:05 AM Post #10
Global Moderator Posts: 6,771 From: Puerto Rico OS: Windows XP, VISTA Home Premium	Hi, davidhenry Seems that Combofix took the hint and restored ws2_32.dll. Lets scan for remnants. Please do an online scan with Kaspersky WebScanner Kaspersky online scanner uses JAVA tecnology to perform the scan. If you do not have the latest JAVA version, follow the instrutions below under Upgrading Java, to download and install the latest vesion. Read through the requirements and privacy statement and click on Accept button. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run. When the downloads have finished, click on Settings. Make sure the following is checked. Spyware, Adware, Dialers, and other potentially dangerous programs Archives Mail databases Click on My Computer under Scan. Once the scan is complete, it will display the results. Click on View Scan Report. You will see a list of infected items there. Click on Save Report As.... Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Please post this log in your next reply. Upgrading Java: Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 14. Click the "Download" button to the right. Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.". Click on Continue. Click on the link to download Windows Offline Installation (jre-6u14-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.. Close any programs you may have running - especially your web browser. Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version. Reboot your computer once all Java components are removed. Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u14-windows-i586.exe and select "Run as an Administrator.")

davidhenry View Member Profile	Jul 6 2009, 08:56 PM Post #11
New Member Posts: 9 OS: xp	Sorry for the delay. I will post tomorrow but everything looks good so far.

davidhenry View Member Profile	Jul 7 2009, 12:40 PM Post #12
New Member Posts: 9 OS: xp	-------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7.0 REPORT Tuesday, July 7, 2009 Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600) Kaspersky Online Scanner version: 7.0.26.13 Program database last update: Tuesday, July 07, 2009 16:16:57 Records in database: 2437327 -------------------------------------------------------------------------------- Scan settings: Scan using the following database: extended Scan archives: yes Scan mail databases: yes Scan area - My Computer: C:\ D:\ E:\ Scan statistics: Files scanned: 119644 Threat name: 1 Infected objects: 1 Suspicious objects: 0 Duration of the scan: 03:30:21 File name / Threat name / Threats count C:\Documents and Settings\David Acabbo.PC294771894831\My Documents\LimeWire\Saved\jeff beck (rare track).snd Infected: Trojan-Downloader.WMA.GetCodec.s 1 The selected area was scanned.

JSntgRvr View Member Profile	Jul 7 2009, 01:44 PM Post #13
Global Moderator Posts: 6,771 From: Puerto Rico OS: Windows XP, VISTA Home Premium	Hi, davidhenry Many peer-to-peer networks are under constant attack by people with a variety of motives. Examples include: poisoning attacks (e.g. providing files whose contents are different than the description) denial of service attacks (attacks that may make the network run very slowly or break completely) defection attacks (users or software that make use of the network without contributing resources to it) insertion of viruses to carried data (e.g. downloaded or carried files may be infected with viruses or other malware) malware in the peer-to-peer network software itself (e.g. distributed software may contain spyware) filtering (network operators may attempt to prevent peer-to-peer network data from being carried) identity attacks (e.g. tracking down the users of the network and harassing or legally attacking them) spamming (e.g. sending unsolicited information across the network- not necessarily as a denial of service attack) In your position, I would remove Limeware from my system. Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.) To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account. (Windows XP) 1. Turn off System Restore. On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. Check Turn off System Restore. Click Apply, and then click OK. 2. Reboot. 3. Turn ON System Restore. On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. UN-Check Turn off System Restore. Click Apply, and then click OK.. Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools. Follow these steps to uninstall Combofix Click START then RUN Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there. Create a Restore point (If the above process fails to do so): Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore. In the System Restore dialog box, click Create a restore point, and then click Next. Type a description for your restore point, such as "After Cleanup", then click Create. How is the computer doing?

davidhenry View Member Profile	Jul 10 2009, 01:56 PM Post #14
New Member Posts: 9 OS: xp	Thank you very very much. Everything looks good. A donation will follow. Thanks again.

JSntgRvr View Member Profile	Jul 13 2009, 11:46 AM Post #15
Global Moderator Posts: 6,771 From: Puerto Rico OS: Windows XP, VISTA Home Premium	Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

« Next Oldest · Virus, Spyware and Trojan Removal · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Topic Title	Replies / Views	Topic Information
Virus, Spyware and Trojan Removal Google Redirect, Win32.Heur, Win32.Patched, ?jl.churia? [Solved]	13 / 177	12th July 2009 - 10:10 AM Majinko started - last by Rorschach112
Virus, Spyware and Trojan Removal Trojan.Win32.AutoRun, IM-Worm.Win32.Sohanad.t [Solved]	11 / 191	1st November 2009 - 12:21 PM aravindps started - last by emeraldnzl
Virus, Spyware and Trojan Removal Fake Security Center Alert Win32.Conflicker.C [Solved] 123	30 / 314	3rd November 2009 - 11:31 AM bitterbuck started - last by andrewuk
Virus, Spyware and Trojan Removal Google Redirect then Not a Valid Win32 Application [Solved] 12	19 / 118	3rd November 2009 - 11:07 AM jrwp started - last by Rorschach112