Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Pop ups Saying That My Computer Is Infected With A Virus Called Worm.W

Started by !NeedOfSomeSeriousHelp! , Apr 30 2008 07:43 PM

This topic is locked

#1
!NeedOfSomeSeriousHelp!

Posted 30 April 2008 - 07:43 PM

Member

Member
13 posts

I've read and followed the forum about AVG, Panda, HijackThis,etc
My computer is bringing up pop ups at random times saying that my computer is infected with Worm.Win32.NetBooster and that I need to download the recomended antispyware , the internet will also pop up randomly with ads for antispyware, antivirus, and other programs. Also there's three icons on my desktop that appeared out of the blue and all three are directing to : http://viruswebprote...om/shandler.php? I downloaded a few different types of programs to help me with the problem, such as: Spybot SD, RegistryBooster 2, SpyZooka (not at same time....deleted from computer) None seem to work though...

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\WINDOWS\wanmpsvc.exe
C:\Documents and Settings\All

Users\Application

Data\nkzchatu\pejslwpy.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Lexmark 5400

Series\ezprint.exe
C:\Program

Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common

Files\AOL\1161093392\ee\AOLSoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet

Explorer\iexplore.exe
C:\Program Files\Trend

Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet

Explorer\Main,Start Page =

http://softwarerefer...om/jump.php?wmi

d=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Page_URL =

http://go.microsoft....wlink/?LinkId=6

9157
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Search_URL =

http://go.microsoft....wlink/?LinkId=5

4896
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Search Page =

http://go.microsoft....wlink/?LinkId=5

4896
R0 - HKLM\Software\Microsoft\Internet

Explorer\Main,Start Page =

http://go.microsoft....wlink/?LinkId=6

9157
R0 - HKLM\Software\Microsoft\Internet

Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet

Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,First Home Page =

http://go.microsoft....wlink/?LinkId=5

4843
O2 - BHO: Lexmark Toolbar -

{1017A80C-6F09-4548-A84D-EDD6AC9525F0} -

C:\Program Files\Lexmark

Toolbar\toolband.dll
O2 - BHO: SSVHelper Class -

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -

C:\Program

Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: DVA Gate -

{DB9D1BB8-3615-48A6-BF50-5CB45AB28230} -

C:\WINDOWS\gndarmblaor.dll
O3 - Toolbar: Lexmark Toolbar -

{1017A80C-6F09-4548-A84D-EDD6AC9525F0} -

C:\Program Files\Lexmark

Toolbar\toolband.dll
O3 - Toolbar: wxdbpfvo -

{E1B2B64B-E123-4A7A-98D7-C51065DF3249} -

C:\WINDOWS\wxdbpfvo.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task]

"C:\Program Files\QuickTime\qttask.exe"

-atboottime
O4 - HKLM\..\Run: [AVG7_CC]

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

/STARTUP
O4 - HKLM\..\Run: [lxctmon.exe]

"C:\Program Files\Lexmark 5400

Series\lxctmon.exe"
O4 - HKLM\..\Run: [Lexmark 5400 Series

Fax Server] "C:\Program Files\Lexmark

5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program

Files\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCTCATS] rundll32

C:\WINDOWS\System32\spool\DRIVERS\W32X86

\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [KernelFaultCheck]

%systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender]

"C:\Program Files\Windows

Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched]

"C:\Program

Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program

Files\Real\RealPlayer\RealPlay.exe

SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Pure Networks Port

Magic]

"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.e

xe" -Run
O4 - HKLM\..\Run: [NeroFilterCheck]

C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray]

C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds]

C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HostManager]

C:\Program Files\Common

Files\AOL\1161093392\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program

Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware

Protection]

"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP

Scheduler.exe"
O4 - HKLM\..\Run: [EarthLink Installer]

" /C
O4 - HKCU\..\Run: [ctfmon.exe]

C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program

Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Desktop

Search] "C:\Program Files\Google\Google

Desktop Search\GoogleDesktop.exe"

/startup
O4 - HKCU\..\Run: [Antivirus] C:\Program

Files\Antivirus 2008\Antvrs.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer]

C:\Program Files\Spybot - Search &

Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Uniblue

RegistryBooster 2] C:\Program

Files\Uniblue\RegistryBooster

2\RegistryBooster.exe /S
O4 - HKLM\..\Policies\Explorer\Run:

[4vqpbZjPq9] C:\Documents and

Settings\All Users\Application

Data\nkzchatu\pejslwpy.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run]

C:\PROGRA~1\Grisoft\AVG7\avgw.exe

/RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run]

C:\PROGRA~1\Grisoft\AVG7\avgw.exe

/RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run]

C:\PROGRA~1\Grisoft\AVG7\avgw.exe

/RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run]

C:\PROGRA~1\Grisoft\AVG7\avgw.exe

/RUNONCE (User 'Default user')
O4 - Startup: IMVU.lnk = C:\Program

Files\IMVU\IMVUClient.exe
O9 - Extra button: (no name) -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program

Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java

Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program

Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) -

{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

(no file)
O9 - Extra button: Run IMVU -

{d9288080-1baa-4bc4-9cf8-a92d743db949} -

C:\Documents and Settings\Owner\Start

Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) -

{e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem:

@xpsp3res.dll,-20001 -

{e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows

Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O16 - DPF:

{17492023-C23A-453E-A040-C7C580BBF700}

(Windows Genuine Advantage Validation

Tool) -

http://go.microsoft....wlink/?LinkID=3

9204
O16 - DPF:

{6414512B-B978-451D-A0D8-FCFDF33E833C}

(WUWebControl Class) -

http://update.micros...om/windowsupdat

e/v6/V5Controls/en/x86/client/wuweb_site

.cab?1160496661531
O16 - DPF:

{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}

(MUWebControl Class) -

http://update.micros...om/microsoftupd

ate/v6/V5Controls/en/x86/client/muweb_si

te.cab?1164838269500
O21 - SSODL: qadovnel -

{42958F14-F20A-46AE-B5A0-AD620A24763A} -

C:\WINDOWS\qadovnel.dll
O21 - SSODL: bdkpfxqw -

{43025D42-C4EC-475E-B96F-19F16C218AEC} -

C:\WINDOWS\bdkpfxqw.dll
O23 - Service: AOL Connectivity Service

(AOL ACS) - AOL LLC -

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server

(Avg7Alrt) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service

(Avg7UpdSvc) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner

(AVGEMS) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: lxct_device - -

C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: WAN Miniport (ATW)

Service (WANMiniportService) - America

Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: Privacy

Protection -

file:///C:\WINDOWS\privacy_danger\index.

htm

--
End of file

---Please and Thank you

#2
Octagonal

Posted 01 May 2008 - 06:39 AM

Member 2k

Member
2,528 posts

Hi !NeedOfSomeSeriousHelp!,

Welcome to Geeks to Go.

That log is really difficult to read and you didn't quite get the begining of the results (it contains some important information). I will ask you to open HijackThis again and do another scan.

Copy the results from the begining (where is says Logfile of Trend Micro HijackThis v2.0.2). Oh, and please turn off wordwrap in Notepad before you post, it will make it a little easier on my eyes.

Thanks.

#3
!NeedOfSomeSeriousHelp!

Posted 01 May 2008 - 03:55 PM

Member

Topic Starter
Member
13 posts

Oh sorry...a bit new at this..also, my computer has this program on it and i don't know where it came from, its called Antivirus 2008(not Norton) and it keeps sending me pop ups about the results of a scan but the results they have on the scan is not the same as the other scans from diffrent programs that I downloaded before....(sorry that I'm making you do more work)

Edited by !NeedOfSomeSeriousHelp!, 01 May 2008 - 06:03 PM.

#4
!NeedOfSomeSeriousHelp!

Posted 01 May 2008 - 03:58 PM

Member

Topic Starter
Member
13 posts

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:58:19 PM, on 5/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\WINDOWS\wanmpsvc.exe
C:\Documents and Settings\All Users\Application Data\nkzchatu\pejslwpy.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\AOL\1161093392\ee\AOLSoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Antivirus 2008\Antvrs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: DVA Gate - {DB9D1BB8-3615-48A6-BF50-5CB45AB28230} - C:\WINDOWS\gndarmblaor.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: wxdbpfvo - {E1B2B64B-E123-4A7A-98D7-C51065DF3249} - C:\WINDOWS\wxdbpfvo.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [lxctmon.exe] "C:\Program Files\Lexmark 5400 Series\lxctmon.exe"
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Program Files\Lexmark 5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1161093392\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\Antivirus 2008\Antvrs.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKLM\..\Policies\Explorer\Run: [4vqpbZjPq9] C:\Documents and Settings\All Users\Application Data\nkzchatu\pejslwpy.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1160496661531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1164838269500
O21 - SSODL: qadovnel - {42958F14-F20A-46AE-B5A0-AD620A24763A} - C:\WINDOWS\qadovnel.dll
O21 - SSODL: bdkpfxqw - {43025D42-C4EC-475E-B96F-19F16C218AEC} - C:\WINDOWS\bdkpfxqw.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--

#5
Octagonal

Posted 02 May 2008 - 02:10 AM

Member 2k

Member
2,528 posts

Hi !NeedOfSomeSeriousHelp!,

This will take a couple of sweeps to completey clean the computer, as I need to see the results of the logs before proceding so that I know which course of action to take.

Please close/disable all anti-virus and anti-malware programs so they do not interfere with the running of SDFix and make sure you are disconnected from the Internet after downloading the program but before extracting the files.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix and remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

#6
!NeedOfSomeSeriousHelp!

Posted 02 May 2008 - 05:36 PM

Member

Topic Starter
Member
13 posts

Whoo! The icons are gone and also the pop ups

.....now just that Antivirus 2008 thing.....but thanks for the help so far

SDFix: Version 1.177
Run by Owner on Fri 05/02/2008 at 06:37 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting

Checking Files :

Trojan Files Found:

C:\Documents and Settings\Owner\Desktop\Error Cleaner.url - Deleted
C:\Documents and Settings\Owner\Favorites\Error Cleaner.url - Deleted
C:\Documents and Settings\Owner\Desktop\Privacy Protector.url - Deleted
C:\Documents and Settings\Owner\Favorites\Privacy Protector.url - Deleted
C:\Documents and Settings\Owner\Desktop\Spyware&Malware Protection.url - Deleted
C:\Documents and Settings\Owner\Favorites\Spyware&Malware Protection.url - Deleted
C:\WINDOWS\privacy_danger\index.htm - Deleted
C:\WINDOWS\privacy_danger\images\capt.gif - Deleted
C:\WINDOWS\privacy_danger\images\danger.jpg - Deleted
C:\WINDOWS\privacy_danger\images\down.gif - Deleted
C:\WINDOWS\privacy_danger\images\spacer.gif - Deleted
C:\WINDOWS\gndarmblaor.dll - Deleted
C:\WINDOWS\bdkpfxqw.dll - Deleted
C:\WINDOWS\qadovnel.dll - Deleted
C:\WINDOWS\rs.txt - Deleted
C:\WINDOWS\spwoqbmv.exe - Deleted
C:\WINDOWS\system32\msvchost.exe - Deleted
C:\WINDOWS\system32\winsystem.exe - Deleted

Folder C:\WINDOWS\privacy_danger - Removed

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-02 19:03:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Gateway\\HPA\\gwmenu.exe"="C:\\Program Files\\Gateway\\HPA\\gwmenu.exe:*:Enabled:HPA/SCCD/SRCD New Code"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Disabled:LimeWire swarmed installer"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\WINDOWS\\system32\\lxctcoms.exe"="C:\\WINDOWS\\system32\\lxctcoms.exe:*:Enabled:Lexmark Communications System"
"C:\\Program Files\\Lexmark 5400 Series\\LXCTaiox.exe"="C:\\Program Files\\Lexmark 5400 Series\\LXCTaiox.exe:*:Enabled:All-In-One Center"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Disabled:LimeWire"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\America Online 9.0c\\waol.exe"="C:\\Program Files\\America Online 9.0c\\waol.exe:*:Enabled:America Online 9.0c"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\America Online 9.0e\\waol.exe"="C:\\Program Files\\America Online 9.0e\\waol.exe:*:Enabled:AOL"
"D:\\AOLSETUP.EXE"="D:\\AOLSETUP.EXE:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 17 Oct 2006 8,124 A..H. --- "C:\TEMP\t4.bak"
Mon 23 Oct 2006 7,158 A..H. --- "C:\TEMP\t4.bak1"
Mon 23 Oct 2006 7,177 A..H. --- "C:\TEMP\t4.bak2"
Tue 25 Dec 2007 6,742 A..H. --- "C:\TEMP\t4.bak3"
Mon 6 Nov 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 13 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 25 Dec 2007 2,793 A..H. --- "C:\Program Files\Common Files\AOL\IPHSend\IPH.BAK"
Mon 6 Nov 2006 4,348 ...H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1key.bak"
Mon 6 Nov 2006 20 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1lic.bak"
Sun 29 Oct 2006 312 ...H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv2key.bak"
Mon 6 Nov 2006 1,536 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv2lic.bak"

Finished!

#7
!NeedOfSomeSeriousHelp!

Posted 02 May 2008 - 05:46 PM

Member

Topic Starter
Member
13 posts

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:55 PM, on 5/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Lexmark 5400 Series\lxctmon.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\AOL\1161093392\ee\AOLSoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Antivirus 2008\Antvrs.exe
C:\WINDOWS\system32\ipklurkd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [lxctmon.exe] "C:\Program Files\Lexmark 5400 Series\lxctmon.exe"
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Program Files\Lexmark 5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1161093392\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\Antivirus 2008\Antvrs.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [poejaxcd] C:\WINDOWS\system32\ipklurkd.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1160496661531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1164838269500
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

#8
Octagonal

Posted 02 May 2008 - 08:01 PM

Member 2k

Member
2,528 posts

Good job.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Please, never rename Combofix unless instructed.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  
  -----------------------------------------------------------
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

#9
!NeedOfSomeSeriousHelp!

Posted 03 May 2008 - 10:53 AM

Member

Topic Starter
Member
13 posts

ComboFix 08-05-01.3 - Owner 2008-05-03 11:46:43.1 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\FY4PNDEY\www.broadcaster.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\FY4PNDEY\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\FY4PNDEY\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\setup.exe
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\bsva-egihsg52.exe
C:\WINDOWS\system32\emesx.dll
C:\WINDOWS\system32\smp
C:\WINDOWS\system32\smp\msrc.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-03 to 2008-05-03 )))))))))))))))))))))))))))))))
.

2008-05-02 18:34 . 2008-05-02 18:34 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-02 17:07 . 2008-05-02 19:10 <DIR> d-------- C:\SDFix
2008-05-02 13:39 . 2008-05-02 13:39 102,400 --a------ C:\WINDOWS\system32\tqnqbyny.exe
2008-05-02 04:22 . 2008-05-02 04:22 102,400 --a------ C:\WINDOWS\system32\ujmzcrop.exe
2008-05-01 16:21 . 2008-05-01 16:21 102,400 --a------ C:\WINDOWS\system32\ydabuvcb.exe
2008-05-01 11:48 . 2008-05-01 11:48 110,592 --a------ C:\WINDOWS\system32\hypurizo.exe
2008-05-01 09:55 . 2008-05-01 16:09 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-01 09:54 . 2008-05-01 16:18 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-04-30 20:40 . 2008-04-30 20:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-30 18:31 . 2008-04-30 18:31 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-30 17:58 . 2008-04-30 18:20 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-04-30 17:19 . 2008-04-30 17:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2008-04-29 19:44 . 2008-04-30 16:52 <DIR> d-------- C:\Program Files\SpyZooka
2008-04-29 19:32 . 2008-04-29 19:32 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-28 17:04 . 2008-04-29 18:43 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-28 17:04 . 2008-04-29 18:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-28 16:12 . 2008-04-28 16:12 <DIR> d-------- C:\Program Files\Antivirus 2008
2008-04-28 16:12 . 2008-04-28 16:12 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Antivirus
2008-04-28 15:04 . 2008-05-01 11:49 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\TmpRecentIcons
2008-04-28 13:32 . 2008-04-28 13:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nkzchatu

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-02 12:00 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-05-01 13:53 --------- d-----w C:\Program Files\Google
2008-04-29 22:40 --------- d-----w C:\Program Files\Real
2008-04-29 22:40 --------- d-----w C:\Program Files\Common Files\Real
2008-04-28 17:32 4,096 ----a-w C:\WINDOWS\system32\hxiwlgpm.exe
2008-04-28 17:32 4,096 ----a-w C:\WINDOWS\system32\hoproxy.dll
2008-04-28 17:32 4,096 ----a-w C:\WINDOWS\system32\dpcproxy.exe
2008-04-28 17:32 4,096 ----a-w C:\WINDOWS\system32\bdn.com
2008-04-28 17:32 4,096 ----a-w C:\WINDOWS\system32\awtoolb.dll
2008-04-28 17:32 4,096 ----a-w C:\WINDOWS\system32\akttzn.exe
2008-04-27 00:07 --------- d-----w C:\Program Files\Lx_cats
2008-04-26 16:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\gtk-2.0
2008-04-24 23:26 --------- d-----w C:\Documents and Settings\Owner\Application Data\IMVU
2008-03-16 23:06 --------- d-----w C:\Program Files\Java
2008-03-16 23:01 --------- d-----w C:\Program Files\Common Files\Java
2008-03-04 21:07 --------- d-----w C:\Program Files\IMVU
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2007-06-29 12:34 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [ ]
"Antivirus"="C:\Program Files\Antivirus 2008\Antvrs.exe" [2008-04-28 16:12 649216]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"poejaxcd"="C:\WINDOWS\system32\ipklurkd.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-05 17:35 282624]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 09:20 579584]
"lxctmon.exe"="C:\Program Files\Lexmark 5400 Series\lxctmon.exe" [2007-03-19 08:58 291760]
"Lexmark 5400 Series Fax Server"="C:\Program Files\Lexmark 5400 Series\fm3032.exe" [2007-03-19 08:59 304048]
"EzPrint"="C:\Program Files\Lexmark 5400 Series\ezprint.exe" [2007-03-19 08:58 82864]
"LXCTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll" [2006-11-21 08:27 106496]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-04-03 18:12 777424]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [ ]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [ ]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 14:55 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 14:51 118784]
"HostManager"="C:\Program Files\Common Files\AOL\1161093392\ee\AOLSoftware.exe" [2006-09-25 20:52 50736]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50 71216]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [ ]
"EarthLink Installer"=" /C" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 12:06 219136]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
IMVU.lnk - C:\Program Files\IMVU\IMVUClient.exe [2008-01-25 23:45:28 49408]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Gateway\\HPA\\gwmenu.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\WINDOWS\\system32\\lxctcoms.exe"=
"C:\\Program Files\\Lexmark 5400 Series\\LXCTaiox.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

.
Contents of the 'Scheduled Tasks' folder
"2008-05-02 05:47:01 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-03 11:53:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCTCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-05-03 12:01:33
ComboFix-quarantined-files.txt 2008-05-03 16:00:25

Pre-Run: 29,932,859,392 bytes free
Post-Run: 29,976,764,416 bytes free

132 --- E O F --- 2008-04-10 04:43:05

#10
!NeedOfSomeSeriousHelp!

Posted 03 May 2008 - 10:54 AM

Member

Topic Starter
Member
13 posts

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:26 PM, on 5/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\AOL\1161093392\ee\AOLSoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Antivirus 2008\Antvrs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [lxctmon.exe] "C:\Program Files\Lexmark 5400 Series\lxctmon.exe"
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Program Files\Lexmark 5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1161093392\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\Antivirus 2008\Antvrs.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [poejaxcd] C:\WINDOWS\system32\ipklurkd.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1160496661531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1164838269500
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

#11
Octagonal

Posted 03 May 2008 - 08:38 PM

Member 2k

Member
2,528 posts

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes interfere with fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.

1. Please open Notepad

Click Start , then Run
Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KILLALL::
Folder::
C:\Program Files\Antivirus 2008
Files::
C:\WINDOWS\system32\hxiwlgpm.exe
C:\WINDOWS\system32\hoproxy.dll
C:\WINDOWS\system32\dpcproxy.exe
C:\WINDOWS\system32\bdn.com
C:\WINDOWS\system32\awtoolb.dll
C:\WINDOWS\system32\akttzn.exe
C:\WINDOWS\system32\ipklurkd.exe
C:\WINDOWS\system32\tqnqbyny.exe
C:\WINDOWS\system32\ujmzcrop.exe
C:\WINDOWS\system32\ydabuvcb.exe
C:\WINDOWS\system32\hypurizo.exe
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Antivirus"=-
"poejaxcd"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

5. After reboot, (in case it asks to reboot), please post the Combofix.txt log into your next reply.

Download and scan with SUPERAntiSpyware Free for Home Users

Double-click SUPERAntiSpyware.exe and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
Under "Configuration and Preferences", click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Scan for tracking cookies.
- Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen.
Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
On the left, make sure you check C:\Fixed Drive.
On the right, under "Complete Scan", choose Perform Complete Scan.
Click "Next" to start the scan. Please be patient while it scans your computer.
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
Make sure everything has a checkmark next to it and click "Next".
A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
If asked if you want to reboot, click "Yes".
To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Please go HERE to run Panda's TotalScan

Select the bubble for Full scan
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
Then the scan will begin
When the scan completes, click the Save button on the right of Scan details
Save it to a convenient location. Post the contents of the TotalScan report

Logs to include in your next post:

Combofix .txt
SUPERAntiSpyware results
Panda's TotalScan results
A fresh HijackThis log

Also let me know how the computer is behaving.

#12
!NeedOfSomeSeriousHelp!

Posted 05 May 2008 - 07:04 PM

Member

Topic Starter
Member
13 posts

My computer is starting starting to run more smoothly, internet is still a bit on the slow side, but I think that is just my connection. There are no more pop ups about the Worm.Win32.NetBooster thing, also the pop ups of the Antivirus 2008 are gone.

ComboFix 08-05-01.3 - Owner 2008-05-04 21:13:37.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Antivirus 2008
C:\Program Files\Antivirus 2008\Antvrs.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-05 to 2008-05-05 )))))))))))))))))))))))))))))))
.

2008-05-02 18:34 . 2008-05-02 18:34 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-02 17:07 . 2008-05-02 19:10 <DIR> d-------- C:\SDFix
2008-05-02 13:39 . 2008-05-02 13:39 102,400 --a------ C:\WINDOWS\system32\tqnqbyny.exe
2008-05-02 04:22 . 2008-05-02 04:22 102,400 --a------ C:\WINDOWS\system32\ujmzcrop.exe
2008-05-01 16:21 . 2008-05-01 16:21 102,400 --a------ C:\WINDOWS\system32\ydabuvcb.exe
2008-05-01 11:48 . 2008-05-01 11:48 110,592 --a------ C:\WINDOWS\system32\hypurizo.exe
2008-05-01 09:55 . 2008-05-01 16:09 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-01 09:54 . 2008-05-01 16:18 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-04-30 20:40 . 2008-04-30 20:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-30 18:31 . 2008-04-30 18:31 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-30 17:58 . 2008-04-30 18:20 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-04-30 17:19 . 2008-04-30 17:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2008-04-29 19:44 . 2008-04-30 16:52 <DIR> d-------- C:\Program Files\SpyZooka
2008-04-29 19:32 . 2008-04-29 19:32 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-28 17:04 . 2008-04-29 18:43 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-28 17:04 . 2008-04-29 18:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-28 16:12 . 2008-04-28 16:12 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Antivirus
2008-04-28 15:04 . 2008-05-01 11:49 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\TmpRecentIcons
2008-04-28 13:32 . 2008-05-03 12:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nkzchatu

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-05 01:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-05-01 13:53 --------- d-----w C:\Program Files\Google
2008-04-29 22:40 --------- d-----w C:\Program Files\Real
2008-04-29 22:40 --------- d-----w C:\Program Files\Common Files\Real
2008-04-27 00:07 --------- d-----w C:\Program Files\Lx_cats
2008-04-26 16:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\gtk-2.0
2008-04-24 23:26 --------- d-----w C:\Documents and Settings\Owner\Application Data\IMVU
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-16 23:06 --------- d-----w C:\Program Files\Java
2008-03-16 23:01 --------- d-----w C:\Program Files\Common Files\Java
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2007-06-29 12:34 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-03_11.59.37.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-02 22:58:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-05 01:20:05 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-05 17:35 282624]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 09:20 579584]
"lxctmon.exe"="C:\Program Files\Lexmark 5400 Series\lxctmon.exe" [2007-03-19 08:58 291760]
"Lexmark 5400 Series Fax Server"="C:\Program Files\Lexmark 5400 Series\fm3032.exe" [2007-03-19 08:59 304048]
"EzPrint"="C:\Program Files\Lexmark 5400 Series\ezprint.exe" [2007-03-19 08:58 82864]
"LXCTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll" [2006-11-21 08:27 106496]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-04-03 18:12 777424]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [ ]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [ ]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 14:55 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 14:51 118784]
"HostManager"="C:\Program Files\Common Files\AOL\1161093392\ee\AOLSoftware.exe" [2006-09-25 20:52 50736]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50 71216]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [ ]
"EarthLink Installer"=" /C" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 12:06 219136]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
IMVU.lnk - C:\Program Files\IMVU\IMVUClient.exe [2008-01-25 23:45:28 49408]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Gateway\\HPA\\gwmenu.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\WINDOWS\\system32\\lxctcoms.exe"=
"C:\\Program Files\\Lexmark 5400 Series\\LXCTaiox.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

*Newly Created Service* - ATWPKT2
.
Contents of the 'Scheduled Tasks' folder
"2008-05-04 05:47:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-04 21:23:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-05-04 21:53:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-05 01:51:59
ComboFix2.txt 2008-05-03 16:01:37

Pre-Run: 29,917,384,704 bytes free
Post-Run: 30,057,213,952 bytes free

132 --- E O F --- 2008-04-10 04:43:05

#13
!NeedOfSomeSeriousHelp!

Posted 05 May 2008 - 07:07 PM

Member

Topic Starter
Member
13 posts

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/05/2008 at 06:29 PM

Application Version : 4.0.1154

Core Rules Database Version : 3452
Trace Rules Database Version: 1444

Scan type : Complete Scan
Total Scan Time : 00:27:35

Memory items scanned : 382
Memory threats detected : 0
Registry items scanned : 3560
Registry threats detected : 65
File items scanned : 13166
File threats detected : 139

Adware.180solutions/Seekmo
HKLM\Software\Classes\CLSID\{37E5D130-E81C-43E5-A2AD-9C155467F334}
HKCR\CLSID\{37E5D130-E81C-43E5-A2AD-9C155467F334}
HKCR\CLSID\{37E5D130-E81C-43E5-A2AD-9C155467F334}
HKCR\CLSID\{37E5D130-E81C-43E5-A2AD-9C155467F334}\InprocServer32
HKCR\CLSID\{37E5D130-E81C-43E5-A2AD-9C155467F334}\InprocServer32#ThreadingModel
HKCR\CLSID\{37E5D130-E81C-43E5-A2AD-9C155467F334}\ProgID
HKCR\CLSID\{37E5D130-E81C-43E5-A2AD-9C155467F334}\TypeLib
HKCR\CLSID\{37E5D130-E81C-43E5-A2AD-9C155467F334}\VersionIndependentProgID
C:\PROGRAM FILES\SEEKMOTOOLBAR\BIN\4.8.4.0\SKCORESRV.DLL
HKLM\Software\Classes\CLSID\{7585AF6A-6D68-4896-A1A1-F23AA8FCF9F1}
HKCR\CLSID\{7585AF6A-6D68-4896-A1A1-F23AA8FCF9F1}
HKCR\CLSID\{7585AF6A-6D68-4896-A1A1-F23AA8FCF9F1}
HKCR\CLSID\{7585AF6A-6D68-4896-A1A1-F23AA8FCF9F1}#AppID
HKCR\CLSID\{7585AF6A-6D68-4896-A1A1-F23AA8FCF9F1}\Control
HKCR\CLSID\{7585AF6A-6D68-4896-A1A1-F23AA8FCF9F1}\Implemented Categories
HKCR\CLSID\{7585AF6A-6D68-4896-A1A1-F23AA8FCF9F1}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID\{7585AF6A-6D68-4896-A1A1-F23AA8FCF9F1}\InprocServer32
HKCR\CLSID\{7585AF6A-6D68-4896-A1A1-F23AA8FCF9F1}\InprocServer32#ThreadingModel
HKCR\CLSID\{7585AF6A-6D68-4896-A1A1-F23AA8FCF9F1}\MiscStatus
HKCR\CLSID\{7585AF6A-6D68-4896-A1A1-F23AA8FCF9F1}\MiscStatus\1
HKCR\CLSID\{7585AF6A-6D68-4896-A1A1-F23AA8FCF9F1}\ProgID
HKCR\CLSID\{7585AF6A-6D68-4896-A1A1-F23AA8FCF9F1}\Programmable
HKCR\CLSID\{7585AF6A-6D68-4896-A1A1-F23AA8FCF9F1}\ToolboxBitmap32
HKCR\CLSID\{7585AF6A-6D68-4896-A1A1-F23AA8FCF9F1}\TypeLib
HKCR\CLSID\{7585AF6A-6D68-4896-A1A1-F23AA8FCF9F1}\Version
HKCR\CLSID\{7585AF6A-6D68-4896-A1A1-F23AA8FCF9F1}\VersionIndependentProgID
HKCR\SkCoreSrv.LfgAx
HKCR\SkCoreSrv.LfgAx\CLSID
HKCR\SkCoreSrv.LfgAx\CurVer
HKCR\SkCoreSrv.LfgAx.1
HKCR\SkCoreSrv.LfgAx.1\CLSID
HKCR\SkCoreSrv.SkCoreServices
HKCR\SkCoreSrv.SkCoreServices\CLSID
HKCR\SkCoreSrv.SkCoreServices\CurVer
HKCR\SkCoreSrv.SkCoreServices.1
HKCR\SkCoreSrv.SkCoreServices.1\CLSID
C:\Program Files\SeekmoToolbar\Bin\4.8.4.0\dBenderC.dll
C:\Program Files\SeekmoToolbar\Bin\4.8.4.0\SkHostIE.dll
C:\Program Files\SeekmoToolbar\Bin\4.8.4.0\SkSrv.exe
C:\Program Files\SeekmoToolbar\Bin\4.8.4.0\SkToolbar.dll
C:\Program Files\SeekmoToolbar\Bin\4.8.4.0\SkWallpaper.dll
C:\Program Files\SeekmoToolbar\Bin\4.8.4.0
C:\Program Files\SeekmoToolbar\Bin
C:\Program Files\SeekmoToolbar

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\[email protected][3].txt
C:\Documents and Settings\Owner\Cookies\[email protected][3].txt
C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt
C:\Documents and Settings\Owner\Cookies\owner@imrworldwide[2].txt
C:\Documents and Settings\Owner\Cookies\owner@247realmedia[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@gomyhit[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@questionmarket[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\owner@media6degrees[1].txt
C:\Documents and Settings\Owner\Cookies\owner@revenue[2].txt
C:\Documents and Settings\Owner\Cookies\owner@realmedia[1].txt
C:\Documents and Settings\Owner\Cookies\owner@soundclick[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][4].txt
C:\Documents and Settings\Owner\Cookies\owner@tacoda[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt
C:\Documents and Settings\Owner\Cookies\owner@bluestreak[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@advancedcleaner[2].txt
C:\Documents and Settings\Owner\Cookies\owner@statcounter[2].txt
C:\Documents and Settings\Owner\Cookies\owner@clickbank[1].txt
C:\Documents and Settings\Owner\Cookies\owner@2o7[2].txt
C:\Documents and Settings\Owner\Cookies\owner@specificclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@gomyhit[3].txt
C:\Documents and Settings\Owner\Cookies\owner@antispywaremaster[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@zedo[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][5].txt
C:\Documents and Settings\Owner\Cookies\owner@valueclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@apmebf[1].txt
C:\Documents and Settings\Owner\Cookies\owner@fastclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@sextracker[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adlegend[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][6].txt
C:\Documents and Settings\Owner\Cookies\owner@interclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@revsci[2].txt
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
C:\Documents and Settings\Owner\Cookies\owner@collective-media[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@insightexpressai[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@nextag[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adbrite[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@adnetserver[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\owner@burstnet[1].txt
C:\Documents and Settings\Owner\Cookies\owner@trustedantivirus[1].txt
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adrevolver[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@precisionclick[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\owner@casalemedia[1].txt
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt
C:\Documents and Settings\Owner\Cookies\owner@overture[1].txt
C:\Documents and Settings\Owner\Cookies\owner@tradedoubler[2].txt
C:\Documents and Settings\Owner\Cookies\owner@antivirus-scanner[2].txt
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@serving-sys[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Adware.Zango Toolbar/Hb
HKCR\Interface\{3A6691EA-C844-46F2-9237-1386A85CE119}
HKCR\Interface\{3A6691EA-C844-46F2-9237-1386A85CE119}\ProxyStubClsid
HKCR\Interface\{3A6691EA-C844-46F2-9237-1386A85CE119}\ProxyStubClsid32
HKCR\Interface\{3A6691EA-C844-46F2-9237-1386A85CE119}\TypeLib
HKCR\Interface\{3A6691EA-C844-46F2-9237-1386A85CE119}\TypeLib#Version
HKCR\Interface\{3D2E7662-85FB-4CC1-875C-A624B1AA5D96}
HKCR\Interface\{3D2E7662-85FB-4CC1-875C-A624B1AA5D96}\ProxyStubClsid
HKCR\Interface\{3D2E7662-85FB-4CC1-875C-A624B1AA5D96}\ProxyStubClsid32
HKCR\Interface\{3D2E7662-85FB-4CC1-875C-A624B1AA5D96}\TypeLib
HKCR\Interface\{3D2E7662-85FB-4CC1-875C-A624B1AA5D96}\TypeLib#Version
HKCR\Interface\{736918FE-2349-4230-BA9A-1F23649E32AD}
HKCR\Interface\{736918FE-2349-4230-BA9A-1F23649E32AD}\ProxyStubClsid
HKCR\Interface\{736918FE-2349-4230-BA9A-1F23649E32AD}\ProxyStubClsid32
HKCR\Interface\{736918FE-2349-4230-BA9A-1F23649E32AD}\TypeLib
HKCR\Interface\{736918FE-2349-4230-BA9A-1F23649E32AD}\TypeLib#Version
HKCR\Interface\{A53762B6-30F7-469F-BA92-13D63CF09A93}
HKCR\Interface\{A53762B6-30F7-469F-BA92-13D63CF09A93}\ProxyStubClsid
HKCR\Interface\{A53762B6-30F7-469F-BA92-13D63CF09A93}\ProxyStubClsid32
HKCR\Interface\{A53762B6-30F7-469F-BA92-13D63CF09A93}\TypeLib
HKCR\Interface\{A53762B6-30F7-469F-BA92-13D63CF09A93}\TypeLib#Version
HKCR\Interface\{E977DE7C-34EA-4876-B333-207C4504589E}
HKCR\Interface\{E977DE7C-34EA-4876-B333-207C4504589E}\ProxyStubClsid
HKCR\Interface\{E977DE7C-34EA-4876-B333-207C4504589E}\ProxyStubClsid32
HKCR\Interface\{E977DE7C-34EA-4876-B333-207C4504589E}\TypeLib
HKCR\Interface\{E977DE7C-34EA-4876-B333-207C4504589E}\TypeLib#Version
HKCR\Interface\{F5FC30C3-68AD-451B-8BC1-8ABD98F2C69A}
HKCR\Interface\{F5FC30C3-68AD-451B-8BC1-8ABD98F2C69A}\ProxyStubClsid
HKCR\Interface\{F5FC30C3-68AD-451B-8BC1-8ABD98F2C69A}\ProxyStubClsid32
HKCR\Interface\{F5FC30C3-68AD-451B-8BC1-8ABD98F2C69A}\TypeLib
HKCR\Interface\{F5FC30C3-68AD-451B-8BC1-8ABD98F2C69A}\TypeLib#Version

Trojan.Unclassified/GTS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6F8C994D-1E30-4E2F-980A-CF74BE0A5183}\RP541\A0174610.DLL

Trojan.Unclassified/Multi-Dropper
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6F8C994D-1E30-4E2F-980A-CF74BE0A5183}\RP541\A0174611.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6F8C994D-1E30-4E2F-980A-CF74BE0A5183}\RP542\A0174646.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6F8C994D-1E30-4E2F-980A-CF74BE0A5183}\RP542\A0174647.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6F8C994D-1E30-4E2F-980A-CF74BE0A5183}\RP545\A0175494.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6F8C994D-1E30-4E2F-980A-CF74BE0A5183}\RP545\A0175495.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6F8C994D-1E30-4E2F-980A-CF74BE0A5183}\RP545\A0178673.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6F8C994D-1E30-4E2F-980A-CF74BE0A5183}\RP548\A0178789.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6F8C994D-1E30-4E2F-980A-CF74BE0A5183}\RP548\A0178790.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6F8C994D-1E30-4E2F-980A-CF74BE0A5183}\RP548\A0178791.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6F8C994D-1E30-4E2F-980A-CF74BE0A5183}\RP548\A0178792.EXE

Rogue.AntiSpywareMaster
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6F8C994D-1E30-4E2F-980A-CF74BE0A5183}\RP545\A0175459.EXE

Adware.SXGAdvisor-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6F8C994D-1E30-4E2F-980A-CF74BE0A5183}\RP545\A0178618.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6F8C994D-1E30-4E2F-980A-CF74BE0A5183}\RP545\A0178630.DLL

#14
!NeedOfSomeSeriousHelp!

Posted 05 May 2008 - 07:08 PM

Member

Topic Starter
Member
13 posts

;*******************************************************************************
*********************************************************************************
*******************
ANALYSIS: 2008-05-05 20:53:42
PROTECTIONS: 1
MALWARE: 21
SUSPECTS: 0
;*******************************************************************************
*********************************************************************************
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
=================================================================================
===================
AVG 7.5.524 7.5.524 Yes Yes
;===============================================================================
=================================================================================
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
=================================================================================
===================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
00139535 Application/Processor HackTools No 0 No No C:\Documents and Settings\Owner\Desktop\SDFix.exe[SDFix\apps\Process.exe]
00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{6F8C994D-1E30-4E2F-980A-CF74BE0A5183}\RP545\A0178551.exe
00139535 Application/Processor HackTools No 0 Yes No C:\SDFix\apps\Process.exe
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@com[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@go[1].txt
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@target[1].txt
00512518 Adware/Zango Adware No 0 Yes No C:\System Volume Information\_restore{6F8C994D-1E30-4E2F-980A-CF74BE0A5183}\RP549\A0179760.dll
00512519 Adware/Zango Adware No 0 Yes No C:\System Volume Information\_restore{6F8C994D-1E30-4E2F-980A-CF74BE0A5183}\RP549\A0179765.dll
00512520 Adware/Zango Adware No 0 Yes No C:\System Volume Information\_restore{6F8C994D-1E30-4E2F-980A-CF74BE0A5183}\RP549\A0179763.exe
00512521 Adware/Zango Adware No 0 Yes No C:\System Volume Information\_restore{6F8C994D-1E30-4E2F-980A-CF74BE0A5183}\RP549\A0179762.dll
00512522 Adware/Zango Adware No 0 Yes No C:\System Volume Information\_restore{6F8C994D-1E30-4E2F-980A-CF74BE0A5183}\RP549\A0179764.dll
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\Documents and Settings\Owner\Desktop\ComboFix.exe[327882R2FWJFW\NirCmdC.cfexe]
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{6F8C994D-1E30-4E2F-980A-CF74BE0A5183}\RP548\A0178759.EXE
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{6F8C994D-1E30-4E2F-980A-CF74BE0A5183}\RP548\A0178749.sys
02887531 Cookie/UltimateCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@ucleaner[2].txt
02887532 Cookie/XPAntivirusPro TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
02936919 Adware/VapSup Adware No 0 Yes No C:\System Volume Information\_restore{6F8C994D-1E30-4E2F-980A-CF74BE0A5183}\RP545\A0178634.exe
02936919 Adware/VapSup Adware No 0 Yes No C:\System Volume Information\_restore{6F8C994D-1E30-4E2F-980A-CF74BE0A5183}\RP545\A0178621.exe
02936927 Adware/VapSup Adware No 0 Yes No C:\System Volume Information\_restore{6F8C994D-1E30-4E2F-980A-CF74BE0A5183}\RP542\A0174645.exe
;===============================================================================
=================================================================================
===================
SUSPECTS
Location
;===============================================================================
=================================================================================
===================
;===============================================================================
=================================================================================
===================

#15
!NeedOfSomeSeriousHelp!

Posted 05 May 2008 - 07:10 PM

Member

Topic Starter
Member
13 posts

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:55:41 PM, on 5/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\AOL\1161093392\ee\AOLSoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [lxctmon.exe] "C:\Program Files\Lexmark 5400 Series\lxctmon.exe"
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Program Files\Lexmark 5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1161093392\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan....s/ascstubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1160496661531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1164838269500
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--