downloader.obfuskated

#1 Karalot875 (Member, 28 posts)

OK, this is giving me a headache. I deleted the file path AVG said it was detected on, shut down System Restore, ran Ad-Aware, and I'm hoping I got rid of it, but I highly doubt it.
I know it could take a while for someone to read my HijackThis log, but I was hoping someone could answer this in the meantime: can I do things that require me to put in my password, such as banking online, or is this one of those viruses that records what I am typing?
Thanks for your time, and here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:19:33 PM, on 27/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\KeyText\KeyText.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,[email protected]
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - Startup: KeyText.lnk = C:\Program Files\KeyText\KeyText.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.co...vest/harvest-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.co...eaks-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.co...ckdown/whackdown-ob-assets.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1E3F888F-96D7-4A1B-8514-8991264E8B7D} (iSite 3D Renderer Class) - http://www.pc.gc.ca/...in/iS3DCtrl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.n...e/Cult3D_IE_5.3.0.228.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.co...UC/MsnPUpld.cab
O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares....MusaLauncherNew.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...engerStatsClient.cab31267.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...tall/gtdownls.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...engerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.../ZIntro.cab53083.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://clubgames.pog...iner_dash/DinerDash.1.0.0.80.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.pogo.com/...aploader_v6.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: biepx.dll - {00000000-0000-0000-0000-000000027019} - C:\WINDOWS\system32\biepx.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe

#2 Jrenter2 (Member, 435 posts)

Hello Karalot875 and welcome to Geeks to Go!

My name is Joe and I will be helping you today. As you can see, the forums are rather busy. Please be patient as I am still in training and all my posts are reviewed by our Expert Instructors prior to posting. With this in mind, there may be a little delay between posts.

Regarding your question about passwords, banking, etc.: until I can look over everything, I would wait. There may be an underlying problem that isn't visible at this time. I am saying this without having looked at your log in full. If you could wait a little while or use another computer, that would be best.

Please give me a little bit to look over your log. I will post back some instructions as soon as possible.

Also, could you please provide another HJT log along with an uninstall list?

Create an Uninstall List
  • Open HijackThis, click Config, click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.
Thank you,

Jrenter2

#3 Karalot875 (Topic Starter, 28 posts)

Thank you for such a fast response! Here is the fresh log and uninstall list:

Logfile of HijackThis v1.99.1
Scan saved at 5:44:14 PM, on 27/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\KeyText\KeyText.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,[email protected]
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - Startup: KeyText.lnk = C:\Program Files\KeyText\KeyText.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.co...t-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.co...n-ob-assets.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1E3F888F-96D7-4A1B-8514-8991264E8B7D} (iSite 3D Renderer Class) - http://www.pc.gc.ca/...in/iS3DCtrl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.n...E_5.3.0.228.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.co...UC/MsnPUpld.cab
O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares....LauncherNew.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab53083.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://clubgames.pog...sh.1.0.0.80.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.pogo.com/...aploader_v6.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: biepx.dll - {00000000-0000-0000-0000-000000027019} - C:\WINDOWS\system32\biepx.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe

UNINSTALL LIST:

ABBYY FineReader 6.0 Sprint
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
Advanced Video FX Utility
Ahead Nero - Burning Rom
ATI - Software Uninstall Utility
Audio Playlist Maker 1.1
AVG Free Edition
Azureus
C-Media WDM Audio Driver
Corel Paint Shop Pro Photo XI
Creative Photo Manager
Creative WebCam Center
Creative WebCam Instant Driver (1.03.02.0425)
Creative WebCam Instant User's Guide (English)
CursorXP
Diner Dash Flo on the Go
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
EAX™ Unified (SHELL)
EGS Recipe Center
ErrorDoctor
Eye Candy 4000
Fairy Godmother Tycoon
FinePixViewer Ver.4.2
FUJIFILM USB Driver
Get Yahoo! Messenger
Hijackthis 1.99.1
HijackThis 1.99.1
Hoyle Miami Solitaire
IconPackager
Intel® Extreme Graphics Driver
Intel® PRO Network Adapters and Drivers
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 7
J2SE Runtime Environment 5.0 Update 9
Jasc Animation Shop 3
Jasc Paint Shop Pro 9
KeyText
Lexmark 4300 Series
Lexmark Fax Solutions
Lexmark Z600 Series
Macromedia Shockwave Player
Magic Match The Genie`s Journey (remove only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Office Excel Viewer 2003
Microsoft Office PowerPoint Viewer 2003
Microsoft Word 2002
Microsoft Works
Microsoft Works 2004 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
Mosiac - Tomb of Mystery
Mozilla Firefox (1.5.0.11)
MSXML 4.0 SP2 (KB927978)
Mystery Case Files Ravenhearst
Paint Shop Pro 7 ESD
Pando
Pat Sajak’s Lucky Letters
Printer's Apprentice
PSP Thumbnail Handler
QuickTime
Realtek AC'97 Audio
Registry Mechanic 6.0
Saints And Sinners Bingo
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929969)
SightSpeed (remove only)
Slingo Quest
SmartStartup
SolSuite
Spybot - Search & Destroy 1.4
The Lord of the Rings Online™: Shadows of Angmar™ v07.11.30.50
Theme Manager
Ulead GIF Animator 5
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB929338)
Update for Windows XP (KB931836)
WebCam Instant Product Registration
Winamp (remove only)
Windows Driver Package - MSN (usbccgp) USB (04/19/2006 1.1.0.2)
Windows Genuine Advantage v1.3.0254.0
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
World Class Solitaire
World of Warcraft
Yahoo! Browser Services
Yahoo! Messenger

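The log above is what a HijackThis helper reads by hand. As an added example (mine, not part of this thread and not code from HijackThis), the Python script below applies the first checks such a reviewer makes: entries whose registry value still points at a file that is gone ("(no file)"), O16 DPF entries (ActiveX controls Internet Explorer downloaded) that carry neither a name nor a source, and O21 SSODL entries (DLLs Explorer loads at logon) that are not among the stock Windows ones. The STOCK_SSODL allowlist, the "mostly zeros" CLSID heuristic in suspicious_guid and the finding tags are my assumptions; the sample lines are excerpted from the log posted above.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# A HijackThis entry looks like "<section> - <body>", e.g.
#   O21 - SSODL: biepx.dll - {CLSID} - C:\WINDOWS\system32\biepx.dll
# Header lines and the "Running processes" list do not match and are skipped.
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")
SSODL_RE = re.compile(r"^SSODL: (\S+) - \{([^}]+)\} - (.*)$")

# Assumption: names of the stock Windows XP ShellServiceObjectDelayLoad entries.
# Anything else that Explorer loads at logon should go to a file scanner.
STOCK_SSODL = {"PostBootReminder", "CDBurn", "WebCheck", "SysTray", "WPDShServiceObj"}


@dataclass
class Entry:
    section: str  # "R3", "O2", "O16", ...
    body: str     # text after "<section> - "
    raw: str      # the full line, for reporting


def parse_hjt(log: str) -> List[Entry]:
    """Extract the R/F/O entries from a HijackThis log."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2), line.strip()))
    return entries


def suspicious_guid(guid: str) -> bool:
    """Heuristic (assumption): COM CLSIDs are random 128-bit values, so a GUID
    that is mostly zeros was typed by hand rather than generated."""
    return guid.replace("-", "").count("0") >= 20


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (tag, raw_line) for each entry a reviewer should look at; clean entries are omitted."""
    findings = []
    for e in entries:
        if "(no file)" in e.body:
            # Registry still points at a file that is gone: harmless, but safe to fix.
            findings.append(("orphan", e.raw))
            continue
        if e.section == "O16":
            # DPF body ends " - <source URL or local path>"; nothing after the dash means
            # a downloaded control with no name and no origin.
            source = e.body.rpartition(" -")[2].strip()
            if not source:
                findings.append(("dpf-no-source", e.raw))
        elif e.section == "O21":
            m = SSODL_RE.match(e.body)
            if m and (m.group(1) not in STOCK_SSODL or suspicious_guid(m.group(2))):
                findings.append(("ssodl-nonstock", e.raw))
    return findings


# Sample input: lines excerpted from the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.pogo.com/...aploader_v6.cab
O21 - SSODL: biepx.dll - {00000000-0000-0000-0000-000000027019} - C:\WINDOWS\system32\biepx.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

if __name__ == "__main__":
    for tag, line in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{tag:16} {line}")
```

Run as-is it prints four findings: the two "(no file)" orphans, the nameless O16 entry, and the biepx.dll SSODL entry, which trips both the allowlist and the GUID heuristic. The script only orders what to look at; the SSODL DLL still has to be checked with a file scanner, since the log alone says nothing about what the DLL does.
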
#4 Jrenter2 (Member, 435 posts)

Hello Karalot875,

Let's start off by doing an Online Virus scan and see what else is lurking around before we get rid of this first problem.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
When you're done, just reply back with the Panda report.

Thank you,

Joe

#5 Karalot875 (Topic Starter, 28 posts)

Hello again. Here is the Panda report. Think I'm going to need some Advil for all this lol


Incident Status Location

Adware:adware/cws Not disinfected C:\Documents and Settings\Owner\Favorites\Health
Dialer:dialer.asl Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ulfqpq7o.default\cookies.txt[.112.2o7.net/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ulfqpq7o.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ulfqpq7o.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ulfqpq7o.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ulfqpq7o.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ulfqpq7o.default\cookies.txt[.com.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ulfqpq7o.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ulfqpq7o.default\cookies.txt[.go.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ulfqpq7o.default\cookies.txt[.overture.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ulfqpq7o.default\cookies.txt[.zedo.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ulfqpq7o.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ulfqpq7o.default\cookies.txt[.citi.bridgetrack.com/]
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ulfqpq7o.default\cookies.txt[.gostats.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ulfqpq7o.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ulfqpq7o.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ulfqpq7o.default\cookies.txt[.belnk.com/]
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ulfqpq7o.default\cookies.txt[.centrport.net/]
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ulfqpq7o.default\cookies.txt[.i.screensavers.com/]
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ulfqpq7o.default\cookies.txt[.landing.domainsponsor.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ulfqpq7o.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ulfqpq7o.default\cookies.txt[.microsofteup.112.2o7.net/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ulfqpq7o.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ulfqpq7o.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ulfqpq7o.default\cookies.txt[.seeq.com/]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ulfqpq7o.default\cookies.txt[.stat.onestat.com/]
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ulfqpq7o.default\cookies.txt[.tickle.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ulfqpq7o.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ulfqpq7o.default\cookies.txt[.www.advnt01.com/]
Spyware:Cookie/Buydomains Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ulfqpq7o.default\cookies.txt[.www47.buydomains.com/]
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ulfqpq7o.default\cookies.txt[.www48.seeq.com/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ulfqpq7o.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ulfqpq7o.default\cookies.txt[.z1.adserver.com/]
Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-4535331c-68b92b08.zip[BaaaaBaa.class]
Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-4535331c-68b92b08.zip[VaaaaaaaBaa.class]
Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-4535331c-68b92b08.zip[Baaaaa.class]
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
  • 0

#6
Jrenter2

Jrenter2

    Member

  • Member
  • PipPipPip
  • 435 posts
Hello Karalot875,

Overall, not too bad. You won't need as much Advil as you think. LOL. We do need to do a few things though to get you back on track. Let's start.

Step 1

Please submit the following file to one of these online file scanners:

C:\WINDOWS\system32\biepx.dll

  • Jotti File Scan
  • VirusTotal File Scan

This will produce a report after the scan is complete; please copy and paste those results in your next post.

Step 2
Please download ATF Cleaner by Atribune. We'll use this later on.

Step 3

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - <http://host.cycore.n..._5.3.0.228.cab>
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Restart your computer.

Step 4

This program is for XP and Windows 2000 only.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Step 5

Download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
  • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.

  • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.
When you have completed the above please post back here with the following:
  • Online file submission reports
  • New HJT log
  • AVG Report
  • Status of how your computer is doing now

Thank you,

Joe

Edited by Jrenter2, 30 March 2007 - 07:16 AM.

  • 0

#7
Karalot875

Karalot875

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Okie dokie, I see I have to restart the computer in a few, so I'll post the first result here now and go off to do the other stuff. I see some of these results say "trojan.keylogger" and I think whew, thank god I didn't go banking! lol. Hijack and ATF, here I come! :whistling:
Yay, I can edit today :blink:
AVG Anti-Spyware won't update for me, it stays at "Downloading updates, recieve data..." and then stays there. The program is responsive if I click somewhere else, it just won't continue any of the update process for me.
Edit 2: Got AVG updated, reports edited in :help: Seems to be working smoother now, *so far* it hasn't frozen/paused in the midst of typing anything.

Antivirus Version Update Result
AhnLab-V3 2007.3.30.0 03.30.2007 no virus found
AntiVir 7.3.1.46 03.30.2007 TR/KeylogFTP
Authentium 4.93.8 03.30.2007 no virus found
Avast 4.7.936.0 03.30.2007 Win32:Qhost-AI
AVG 7.5.0.447 03.30.2007 no virus found
BitDefender 7.2 03.30.2007 Trojan.Spy.Delf.MQ
CAT-QuickHeal 9.00 03.29.2007 no virus found
ClamAV devel-20070312 03.30.2007 no virus found
DrWeb 4.33 03.30.2007 no virus found
eSafe 7.0.15.0 03.29.2007 no virus found
eTrust-Vet 30.6.3524 03.30.2007 no virus found
Ewido 4.0 03.30.2007 Trojan.KeylogFTP
FileAdvisor 1 03.30.2007 no virus found
Fortinet 2.85.0.0 03.30.2007 no virus found
F-Prot 4.3.1.45 03.30.2007 no virus found
F-Secure 6.70.13030.0 03.30.2007 no virus found
Ikarus T3.1.1.3 03.30.2007 Email-Worm.Win32.Delf.z
Kaspersky 4.0.2.24 03.30.2007 no virus found
McAfee 4995 03.29.2007 no virus found
Microsoft 1.2306 03.30.2007 no virus found
NOD32v2 2157 03.30.2007 no virus found
Norman 5.80.02 03.30.2007 no virus found
Panda 9.0.0.4 03.30.2007 Generic Trojan
Prevx1 V2 03.30.2007 Polynomial.Code.Exploit
Sophos 4.16.0 03.30.2007 no virus found
Sunbelt 2.2.907.0 03.29.2007 no virus found
Symantec 10 03.30.2007 no virus found
TheHacker 6.1.6.083 03.30.2007 no virus found
UNA 1.83 03.16.2007 no virus found
VBA32 3.11.3 03.29.2007 no virus found
VirusBuster 4.3.7:9 03.30.2007 no virus found
Webwasher-Gateway 6.0.1 03.30.2007 Trojan.KeylogFTP

Aditional Information
File size: 22528 bytes
MD5: 9299060e2b21f612dc8d70e5c9f77381
SHA1: 6f80b066e23d189e4d3636d94abe8cfd4d40617c
Prevx info: http://fileinfo.prev...XC=5a3957970767

HJT LOG:
Logfile of HijackThis v1.99.1
Scan saved at 3:07:17 PM, on 30/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\KeyText\KeyText.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,[email protected]
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - Startup: KeyText.lnk = C:\Program Files\KeyText\KeyText.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.co...t-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.co...n-ob-assets.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1E3F888F-96D7-4A1B-8514-8991264E8B7D} (iSite 3D Renderer Class) - http://www.pc.gc.ca/...in/iS3DCtrl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.co...UC/MsnPUpld.cab
O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares....LauncherNew.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab53083.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://clubgames.pog...sh.1.0.0.80.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.pogo.com/...aploader_v6.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: biepx.dll - {00000000-0000-0000-0000-000000027019} - C:\WINDOWS\system32\biepx.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe

AVG Anti-Spyware Log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:02:31 PM 3/30/2007

+ Scan result:



C:\WINDOWS\system32\gtdownls_95.ocx -> Adware.Gdown : Cleaned with backup (quarantined).
C:\Program Files\SoftwareDoctor -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
C:\Program Files\SoftwareDoctor\ErrorDoctor -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
C:\Program Files\SoftwareDoctor\ErrorDoctor\ErrorDoctor.exe -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
C:\Program Files\SoftwareDoctor\ErrorDoctor\Registry Backups -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
C:\Program Files\SoftwareDoctor\ErrorDoctor\Registry Backups\2007-02-01_21-23-13.reg -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
C:\Program Files\SoftwareDoctor\ErrorDoctor\Registry Backups\2007-02-06_16-40-59.reg -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
C:\Program Files\SoftwareDoctor\ErrorDoctor\icon.ico -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
C:\Program Files\SoftwareDoctor\ErrorDoctor\ignore.lst -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B74DE36A-B95C-49A1-8F41-A09F3D187747} -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\SoftwareDoctor -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\SoftwareDoctor\ErrorDoctor -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\SoftwareDoctor\ErrorDoctor\1.4 -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\biepx.dll -> Trojan.KeylogFTP : Cleaned with backup (quarantined).


::Report end

Edited by Karalot875, 30 March 2007 - 12:14 PM.

  • 0

#8
OwNt

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Karalot875,

Please fix this entry with HJT:
O21 - SSODL: biepx.dll - {00000000-0000-0000-0000-000000027019} - C:\WINDOWS\system32\biepx.dll (file missing)

As you already noticed, you had a keylogger.
Any passwords, confidential, or personal info you used while infected should be changed immediately.

Are you getting any more pop-ups, how is the system running now? :whistling:
  • 0
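The entries the helpers asked to fix in this thread (the R3 hook with "(no file)", the O16 DPF entry with no name, and the O21 SSODL entry with "(file missing)") are exactly the patterns a log reader checks by hand. The following is an added example, not part of this thread or of HijackThis itself: a small Python triage script that parses HijackThis-style entry lines and flags those patterns. The sample log is constructed from entries modelled on this thread; the Cult3D download URL is a placeholder, and the flag names (orphan, ssodl, and so on) are this example's own.

```python
import re
from collections import Counter, namedtuple

# Constructed sample of HijackThis-style entries, modelled on the lines the helpers
# asked to fix in this thread. The Cult3D download URL is a placeholder, not the real one.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.example.invalid/cult3d.cab
O21 - SSODL: biepx.dll - {00000000-0000-0000-0000-000000027019} - C:\WINDOWS\system32\biepx.dll (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# One HJT entry: a section code (R0-R3, F0-F3, O1-O24) and the rest of the line.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")

Finding = namedtuple("Finding", "code reason entry")


def parse_entries(log):
    """Return (code, body) for every line that looks like an HJT entry; headers and the process list are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(log):
    """Apply the rules a log reader uses by hand; one Finding per rule hit (a line may hit several)."""
    findings = []
    for code, body in parse_entries(log):
        entry = f"{code} - {body}"
        # Registry still references a file that is gone: dead weight, and often the
        # footprint of something that was removed or is hiding.
        if "(no file)" in body or "(file missing)" in body:
            findings.append(Finding(code, "orphan", entry))
        # A browser helper object that registers no name gives the reader nothing to verify.
        if code == "O2" and body.startswith("BHO: (no name)"):
            findings.append(Finding(code, "unnamed-bho", entry))
        # Downloaded Program Files (ActiveX) entry with no download source recorded.
        if code == "O16":
            source = body.rpartition(" -")[2].strip()
            if not source:
                findings.append(Finding(code, "dpf-no-source", entry))
        # ShellServiceObjectDelayLoad: loaded by Explorer at logon, a well-known
        # persistence point (the keylogger in this thread sat here), so always review it.
        if code == "O21":
            findings.append(Finding(code, "ssodl", entry))
        # Run entry whose command is a bare filename: resolved through the search path,
        # so confirm which file on disk actually runs.
        if code == "O4":
            command = body.partition("] ")[2]
            tokens = command.split()
            first = tokens[0] if tokens else ""
            if first and not first.startswith('"') and "\\" not in first and ":" not in first:
                findings.append(Finding(code, "unqualified-path", entry))
    return findings


def summary(log):
    """Count findings per rule, e.g. {'orphan': 3, 'ssodl': 1, ...}."""
    return dict(Counter(f.reason for f in triage(log)))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.reason:16}] {f.entry}")
    print(summary(SAMPLE_LOG))
```

The rules are deliberately conservative: an orphan or an unqualified path is a prompt to look, not a verdict, while an O21 entry is flagged every time because that key is consulted at every logon regardless of whether the file is still present.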

#9
Karalot875

Karalot875

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Hello :blink:
I fixed the entry, and ever since AVG Anti-Spyware got that nasty keylogger, things have seemed perfect! I went on a different computer and changed all my passwords as soon as I had the hunch I was affected, so far so good in terms of anything being done.
I did everything to the letter except for one thing lol. I was showing a friend how easy it was to be affected and not know, so I ran AVG in normal mode, 0 errors found, then rebooted into safe mode and boom! Within 5 minutes the keylogger was found.
I thank you guys for everything you do, it's amazing what you do for free, and on your own time. I applied to GeekU a week ago, and I hope to be working alongside you guys someday :help:
Thanks again, you are truly awesome! :whistling:
  • 0

#10
OwNt

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Karalot875,

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definitely a must have. Two good free versions are Kerio and ZoneLabs.
  • More Secure Browser<= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowsers are good as well.
And also see TonyKlein's good advice
So how did I get infected in the first place?
  • 0
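The HOSTS file tip above works because the resolver consults that file before asking DNS, so a name mapped to 127.0.0.1 (or 0.0.0.0) never leaves the machine. The same mechanism is what a hosts-file hijacker abuses (one of the engines in the VirusTotal report earlier in this thread labelled the sample as Qhost, a family of that type): it points real names at an address the attacker controls. The following is an added example, not from this thread or from the MVPS project: a Python script that parses a hosts file, mimics the lookup, and separates legitimate sinkhole entries from redirect entries that deserve a second look. The sample hosts content is constructed (the ad domains are taken from the cookie list earlier in the thread, 192.0.2.10 is a documentation address, and the .example names are invented); on Windows the real file lives at %SystemRoot%\System32\drivers\etc\hosts.

```python
import ipaddress

# Constructed sample hosts file (not the poster's): the stock Windows entry, a few
# MVPS-style sinkhole lines, then two hijack-style lines of the kind a Qhost-type
# trojan writes. 192.0.2.10 is a documentation address; the .example names are invented.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# [Start of MVPS-style blocklist, constructed]
0.0.0.0    toplist.cz
127.0.0.1  z1.adserver.com  yadro.ru     # several names on one line are allowed
127.0.0.1  www.advnt01.com
# [Hijack-style entries, constructed: real services pointed at a foreign address]
192.0.2.10  bank.example
192.0.2.10  update.av-vendor.example
"""


def parse_hosts(text):
    """Return (address, hostname) pairs, ignoring blank lines and '#' comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing and full-line comments
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        for name in names:                    # one address may carry several names
            pairs.append((address, name.lower()))
    return pairs


def resolve(pairs, hostname):
    """Mimic the resolver: the first hosts entry for a name wins, before any DNS query."""
    wanted = hostname.lower()
    for address, name in pairs:
        if name == wanted:
            return address
    return None                               # not in hosts: DNS would be asked


def classify(address, hostname):
    """sinkhole = nulled to the local machine, system = stock entry, redirect = suspicious."""
    ip = ipaddress.ip_address(address)
    if hostname == "localhost":
        return "system"
    if ip.is_loopback or ip.is_unspecified:   # 127.x.x.x or 0.0.0.0: traffic goes nowhere
        return "sinkhole"
    return "redirect"                         # a real address: someone chose where this name goes


def suspicious_entries(text):
    """Entries that send a name somewhere other than the local machine: the hijack pattern."""
    return [(a, h) for a, h in parse_hosts(text) if classify(a, h) == "redirect"]


if __name__ == "__main__":
    pairs = parse_hosts(SAMPLE_HOSTS)
    for name in ("yadro.ru", "bank.example", "forum.example"):
        print(f"{name:24} -> {resolve(pairs, name)}")
    print("suspicious:", suspicious_entries(SAMPLE_HOSTS))
```

A redirect entry is not automatically malicious (administrators add them for internal servers), but in a home-user hosts file every line that maps a public name to a non-local address should be explainable; a bank or an antivirus update host pointed at an unfamiliar address is the classic hijack signature.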

#11
OwNt

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts

I thank you guys for everything you do, it's amazing what you do for free, and on your own time. I applied to GeekU a week ago, and I hope to be working alongside you guys someday :blink:
Thanks again, you are truly awesome! :whistling:

If you haven't received an email or pm response yet please let me know, I will check with the person who reviews the applications. :help:
  • 0

#12
Karalot875

Karalot875

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Thank you sooooo very much. Downloaded SpywareBlaster, and I must say.. I love it!!!!!!!!!!!! :whistling:
I didn't get a PM or email yet, but I'm waiting patiently with fingers crossed hehe.
  • 0
