Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Win32/Vundo & Win32/BHO [RESOLVED]

Started by Becky715 , May 25 2008 05:37 PM

  • This topic is locked This topic is locked

#1
Becky715
Posted 25 May 2008 - 05:37 PM

Becky715

    Member

  • Member
  • PipPip
  • 20 posts
It started out with having pop-ups, my browser was messed up/wouldnt let me go to any sites except fake sites to download "spyware removers" and etc. So I can here as a friend told me to come check this site out, that I could find help here.

I followed all the steps listed in the "Must Read Forum" and it has seemed to help out tremendously, with a few exceptions....

My start menu still isnt correct, as the "Run, Control Panel, and everything that should be in that area are not there. And my clock is set to military time and next to that it says "VIRUS ALERT!" Cant figure out how to get everything back to normal.

So Ive ran all the nessicary tests and scans. Here are the logs.

Malwarebytes' Anti-Malware 1.12
Database version: 786

Scan type: Quick Scan
Objects scanned: 35612
Time elapsed: 8 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 21
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ljJAQijH.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\cbXpOghh.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0cb5e12b-3edb-4382-8b4c-659a385f8ed6} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0cb5e12b-3edb-4382-8b4c-659a385f8ed6} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winctrl32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4a3f62a9-afeb-4543-ae4d-dc2442444e64} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4a3f62a9-afeb-4543-ae4d-dc2442444e64} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbxpoghh (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\advap32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{4a3f62a9-afeb-4543-ae4d-dc2442444e64} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\vltdfabw (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\vregfwlx (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ljjaqijh -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ljjaqijh -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\emxxwspj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jpswxxme.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ljJAQijH.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\HjiQAJjl.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\HjiQAJjl.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\psvlkjqv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vqjklvsp.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cbXpOghh.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\opnkkkjG.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


SUPERAntiSpyware Scan Log
Generated 05/25/2008 at 05:34 PM

Application Version : 3.6.1000

Core Rules Database Version : 3468
Trace Rules Database Version: 1459

Scan type : Complete Scan
Total Scan Time : 00:52:58

Memory items scanned : 345
Memory threats detected : 0
Registry items scanned : 4076
Registry threats detected : 0
File items scanned : 29286
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\MCRH.TMP

Trace.Known Threat Sources
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OAKIV26Y\CATKCB55.htm


;*******************************************************************************
*********************************************************************************
*******************
ANALYSIS: 2008-05-25 19:04:50
PROTECTIONS: 1
MALWARE: 2
SUSPECTS: 0
;*******************************************************************************
*********************************************************************************
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
=================================================================================
===================
AVG 7.5.524 7.5.524 Yes Yes
;===============================================================================
=================================================================================
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
=================================================================================
===================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@questionmarket[2].txt
;===============================================================================
=================================================================================
===================
SUSPECTS
Sent Location R
;===============================================================================
=================================================================================
===================
;===============================================================================
=================================================================================
===================
VULNERABILITIES
Id Severity Description R
;===============================================================================
=================================================================================
===================
182048 HIGH MS07-069 R
176382 HIGH MS07-057 R
170907 HIGH MS07-046 R
170906 HIGH MS07-045 R
170904 HIGH MS07-043 R
164913 HIGH MS07-033 R
160623 HIGH MS07-027 R
150253 HIGH MS07-016 R
141030 HIGH MS06-072 R
137568 HIGH MS06-067 R
126083 HIGH MS06-042 R
120814 HIGH MS06-021 R
114664 HIGH MS06-013 R
;===============================================================================
=================================================================================
===================


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:31: VIRUS ALERT!, on 5/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {48E10E4B-D46F-422A-9903-E3435DFC6921} - (no file)
O2 - BHO: (no name) - {4A3F62A9-AFEB-4543-AE4D-DC2442444E64} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {8924F6E3-E79E-4FC8-B2D7-F4DC53951DE3} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [advap32] C:\DOCUME~1\Owner\LOCALS~1\Temp\rbnpsrv.exe/r
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [DW6] C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1208126683827
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O21 - SSODL: SysMon - {aa2aaa9c-6e17-46c0-8bd1-539fbcd4e959} - C:\WINDOWS\Resources\SysMon.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O24 - Desktop Component 0: (no name) - http://us.f313.mail..../...ead=b&Idx=3

--
End of file - 6445 bytes


UNINSTALL LIST

3D Groove Playback Engine
Adobe Flash Player ActiveX
AVG 7.5
Drivers Install For Linksys Easylink Advisor
HijackThis 2.0.2
Intel® Extreme Graphics Driver
Intel® PRO Network Adapters and Drivers
Java™ 6 Update 5
Lexmark 510 Series
Linksys EasyLink Advisor 1.6 (0032)
Malwarebytes' Anti-Malware
Microsoft Office 2000 Professional
Panda ActiveScan 2.0
RealPlayer
Realtek AC'97 Audio
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
SUPERAntiSpyware Free Edition
The Weather Channel Desktop 6
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Windows Installer 3.1 (KB893803)
Windows Live OneCare safety scanner
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar



So, If someone can please help me out here, Id greatly appreciate it. Im thinking it wont be much as everything seems to be running alot better now, as theres no more pop-ups and etc, just cant get the time area and start menu area to be normal again. Thanks in advance!
  • 0

Advertisements

#2
fenzodahl512
Posted 27 May 2008 - 01:58 PM

fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello Becky715, my name is fenzodahl512 and welcome to Geekstogo.. Please do the following..

Please re-open HijackThis and click on Do a system scan only. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {48E10E4B-D46F-422A-9903-E3435DFC6921} - (no file)
O2 - BHO: (no name) - {4A3F62A9-AFEB-4543-AE4D-DC2442444E64} - (no file)
O2 - BHO: (no name) - {8924F6E3-E79E-4FC8-B2D7-F4DC53951DE3} - (no file)
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYUS

Now close all windows other than HijackThis, then click Fix checked. Close HijackThis.




NEXT


Please download SDFix by Andy Manchesta and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • A new folder will be extracted to your %systemdrive%, typically C:\SDFix
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer that normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with any other requested logs at the end of these instructions.




NEXT


Please download Deckard's System Scanner (DSS) from HERE or HERE and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • Please let your firewall allow the scanning/downloading process.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
If you are using Vista, you need to right-click at dss.exe icon and choose Run as Administrator



Please post the following logs in your next reply...

1. SDFix
2. Deckard System Scanner (both main.txt and extra.txt)

Please post each log in separate post..


Regards
fenzodahl512
  • 0

#3
Becky715
Posted 27 May 2008 - 04:57 PM

Becky715

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Here is the SDFix log:

SDFix: Version 1.186
Run by Owner on Tue 05/27/2008 at 06:38 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\Owner\MYDOCU~1\SDFix

Checking Services :

Name :
NTY73

Path :
\SystemRoot\System32\Drivers\ntY73.sys

NTY73 - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\WinCtrl32.dll - Deleted
C:\WINDOWS\system32\drivers\NTY73.sys - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 18:46:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Disabled:RealPlayer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\DOCUME~1\Owner\MYDOCU~1\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BITE.tmp"
Sun 13 Apr 2008 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Sun 13 Apr 2008 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Sun 13 Apr 2008 8 A..H. --- "C:\Documents and Settings\Owner\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Sun 13 Apr 2008 8 A..H. --- "C:\Documents and Settings\Owner\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"

Finished!



Also, when I go to My Computer, the only things showing up is "Shared Documents and Owner's Documents" My hard drive isnt showing up....
  • 0

#4
Becky715
Posted 27 May 2008 - 05:07 PM

Becky715

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
When I try to run the Deckard System Scanner it gets almost to the end and then a window pops up saying that it has encountered a problem and needs to close =( And thank you in advance for your help with this nasty little bugger of malware
  • 0

#5
fenzodahl512
Posted 27 May 2008 - 11:11 PM

fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello,

Also, when I go to My Computer, the only things showing up is "Shared Documents and Owner's Documents" My hard drive isnt showing up....


Try these steps:

1. Right click My Computer and select Manage
2. Click on Disk Management

In the right hand window you should see all of your drives with their drive letter. Assuming you have one internal drive and one CD/DVD drive you should see

C:
D:

If you see another drive listed but without a drive letter do the following:

1. Right click the drive and select Change Drive Letter and Paths
2. Click the Change button.
3. Select a Drive letter and click OK.

Now check My Computer for the drive. Please tell me if you can see them..
  • 0

#6
Becky715
Posted 28 May 2008 - 12:39 PM

Becky715

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Hello again and Thank You,

When I go into the disk management screen, theres only one drive, where as there should be 2 as you stated...

C: which is my harddrive

Theres no D: which would be my cd-rom drive.

So there would be no need to Change Drive Letter, correct?

Yet, neither drive is showing up in My Computer window. =(
  • 0

#7
fenzodahl512
Posted 28 May 2008 - 12:52 PM

fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello, can you please try Deckard System Scanner again.. Please post the log if you can get it.. Please inform me if you couldn't..

Thank you :)
  • 0

#8
Becky715
Posted 28 May 2008 - 05:44 PM

Becky715

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Alright, well Ive tried running the Deckard System Scanner again, and again it encounters a problem..... it seems to be encountering this problem everytime when it gets to the point where its checking the event logs, if thats any help.
  • 0

#9
fenzodahl512
Posted 28 May 2008 - 07:40 PM

fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello Becky, lets do this..

Please visit below webpage for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. DO NOT select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix (located in C:\combofix.txt) when you've accomplished that, along with a new HijackThis log.
  • 0

#10
Becky715
Posted 29 May 2008 - 01:24 PM

Becky715

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
=) So far seems like everything is back to normal!! Although Im sure there might be a step or two more that needs to be done?

But here is the combofix log:

ComboFix 08-05-29.1 - Owner 2008-05-29 15:10:26.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.88 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cbXpOghh.dll
C:\WINDOWS\system32\CMoYxyxx.ini
C:\WINDOWS\system32\CMoYxyxx.ini2
C:\WINDOWS\system32\gkawsdnu.ini
C:\WINDOWS\system32\HjiQAJjl.ini
C:\WINDOWS\system32\jPWwxyay.ini
C:\WINDOWS\system32\jPWwxyay.ini2
C:\WINDOWS\system32\ljJAQijH.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))
.

2008-05-28 14:39 . 2008-05-28 14:41 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-05-27 18:59 . 2008-05-27 18:59 <DIR> d-------- C:\Deckard
2008-05-27 18:34 . 2008-05-27 18:34 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-27 18:28 . 2008-05-27 03:12 <DIR> d-------- C:\SDFix
2008-05-26 14:32 . 2008-05-26 14:52 <DIR> d-------- C:\Program Files\SpywareGuard
2008-05-26 14:29 . 2008-05-26 14:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-26 14:28 . 2008-05-26 14:29 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-26 14:28 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-05-25 19:30 . 2008-05-25 19:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-25 18:16 . 2008-05-25 18:16 <DIR> d-------- C:\Program Files\Panda Security
2008-05-25 16:34 . 2008-05-25 16:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-25 16:33 . 2008-05-26 14:37 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-25 16:33 . 2008-05-26 14:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-05-25 16:14 . 2008-05-25 16:14 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-05-25 16:13 . 2008-05-25 16:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-25 16:11 . 2008-05-25 16:11 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-25 02:38 . 2008-05-26 14:38 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-05-25 02:13 . 2008-05-25 02:14 202 --a------ C:\WINDOWS\wininit.ini
2008-05-24 15:42 . 2008-05-27 18:32 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-24 15:42 . 2008-05-26 14:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-24 14:16 . 2008-05-24 14:16 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-05-24 14:10 . 2008-05-24 14:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-05-24 14:09 . 2008-04-13 17:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-05-24 14:09 . 2008-05-24 14:16 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-24 13:57 . 2008-05-24 13:57 149 --a------ C:\345543.bat
2008-05-20 12:10 . 2004-08-04 08:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-05-16 16:54 . 2008-05-28 08:38 <DIR> dr-h----- C:\$VAULT$.AVG
2008-05-02 17:05 . 2008-05-02 17:05 <DIR> d-------- C:\Program Files\3DGroove

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-29 12:00 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-05-24 18:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-04-28 21:23 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-28 21:23 --------- d-----w C:\Documents and Settings\Owner\Application Data\Microsoft Web Folders
2008-04-16 03:40 --------- d-----w C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-04-15 13:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-14 17:47 --------- d-----w C:\Program Files\Common Files\xing shared
2008-04-14 17:46 --------- d-----w C:\Program Files\Real
2008-04-14 17:46 --------- d-----w C:\Program Files\Common Files\Real
2008-04-14 00:37 --------- d-----w C:\Program Files\Java
2008-04-14 00:35 --------- d-----w C:\Program Files\Common Files\Java
2008-04-14 00:06 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-04-14 00:06 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-04-14 00:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-13 23:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-13 23:52 --------- d-----w C:\Program Files\Yahoo!
2008-04-13 23:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-13 23:32 --------- d-----w C:\Program Files\Common Files\SWF Studio
2008-04-13 23:28 --------- d-----w C:\Program Files\The Weather Channel FW
2008-04-13 22:43 --------- d-----w C:\Program Files\Lexmark 510 Series
2008-04-13 22:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-13 22:16 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-13 21:01 --------- d--ha-w C:\Documents and Settings\All Users\Application Data\GTek
2008-04-13 21:01 --------- d--h--w C:\Documents and Settings\Owner\Application Data\GTek
2008-04-13 21:01 --------- d-----w C:\Program Files\Linksys EasyLink Advisor
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 18:16 454784]
"DW6"="C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-03-17 13:08 801904]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-01-29 20:13 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-01-29 20:13 118784]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 08:59 579584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-14 13:46 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-13 20:06 219136]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SysMon"= {aa2aaa9c-6e17-46c0-8bd1-539fbcd4e959} - C:\WINDOWS\Resources\SysMon.dll [ ]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xdI40.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

S0 xdI40;xdI40;C:\WINDOWS\system32\Drivers\xdI40.sys []

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 15:16:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
.
**************************************************************************
.
Completion time: 2008-05-29 15:22:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-29 19:21:44

Pre-Run: 36,122,791,936 bytes free
Post-Run: 36,136,833,024 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

146 --- E O F --- 2008-05-17 03:58:57



And here is the HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:25:25 PM, on 5/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [DW6] C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1208126683827
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O21 - SSODL: SysMon - {aa2aaa9c-6e17-46c0-8bd1-539fbcd4e959} - C:\WINDOWS\Resources\SysMon.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O24 - Desktop Component 0: (no name) - http://us.f313.mail..../...ead=b&Idx=3

--
End of file - 5964 bytes
  • 0

Advertisements

#11
fenzodahl512
Posted 29 May 2008 - 02:39 PM

fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello Becky, thanks for the reply.. Please do the following..

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
xdI40

File::
C:\WINDOWS\Resources\SysMon.dll
C:\WINDOWS\system32\Drivers\xdI40.sys
C:\345543.bat

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SysMon"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#12
Becky715
Posted 29 May 2008 - 04:17 PM

Becky715

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Hello fenz-

Thank you for all your help! Here is the combofix log:

ComboFix 08-05-29.1 - Owner 2008-05-29 18:06:29.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.118 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\345543.bat
C:\WINDOWS\Resources\SysMon.dll
C:\WINDOWS\system32\Drivers\xdI40.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\345543.bat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_xdI40


((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))
.

2008-05-28 14:39 . 2008-05-28 14:41 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-05-27 18:59 . 2008-05-27 18:59 <DIR> d-------- C:\Deckard
2008-05-27 18:34 . 2008-05-27 18:34 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-27 18:28 . 2008-05-27 03:12 <DIR> d-------- C:\SDFix
2008-05-26 14:32 . 2008-05-26 14:52 <DIR> d-------- C:\Program Files\SpywareGuard
2008-05-26 14:29 . 2008-05-26 14:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-26 14:28 . 2008-05-26 14:29 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-26 14:28 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-05-25 19:30 . 2008-05-25 19:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-25 18:16 . 2008-05-25 18:16 <DIR> d-------- C:\Program Files\Panda Security
2008-05-25 16:34 . 2008-05-25 16:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-25 16:33 . 2008-05-26 14:37 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-25 16:33 . 2008-05-26 14:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-05-25 16:14 . 2008-05-25 16:14 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-05-25 16:13 . 2008-05-25 16:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-25 16:11 . 2008-05-25 16:11 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-25 02:38 . 2008-05-26 14:38 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-05-25 02:13 . 2008-05-25 02:14 202 --a------ C:\WINDOWS\wininit.ini
2008-05-24 15:42 . 2008-05-27 18:32 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-24 15:42 . 2008-05-26 14:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-24 14:16 . 2008-05-24 14:16 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-05-24 14:10 . 2008-05-24 14:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-05-24 14:09 . 2008-04-13 17:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-05-24 14:09 . 2008-05-24 14:16 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-20 12:10 . 2004-08-04 08:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-05-16 16:54 . 2008-05-28 08:38 <DIR> dr-h----- C:\$VAULT$.AVG
2008-05-02 17:05 . 2008-05-02 17:05 <DIR> d-------- C:\Program Files\3DGroove

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-29 12:00 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-05-24 18:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-04-28 21:23 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-28 21:23 --------- d-----w C:\Documents and Settings\Owner\Application Data\Microsoft Web Folders
2008-04-16 03:40 --------- d-----w C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-04-15 13:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-14 17:47 --------- d-----w C:\Program Files\Common Files\xing shared
2008-04-14 17:46 --------- d-----w C:\Program Files\Real
2008-04-14 17:46 --------- d-----w C:\Program Files\Common Files\Real
2008-04-14 00:37 --------- d-----w C:\Program Files\Java
2008-04-14 00:35 --------- d-----w C:\Program Files\Common Files\Java
2008-04-14 00:06 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-04-14 00:06 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-04-14 00:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-13 23:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-13 23:52 --------- d-----w C:\Program Files\Yahoo!
2008-04-13 23:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-13 23:32 --------- d-----w C:\Program Files\Common Files\SWF Studio
2008-04-13 23:28 --------- d-----w C:\Program Files\The Weather Channel FW
2008-04-13 22:43 --------- d-----w C:\Program Files\Lexmark 510 Series
2008-04-13 22:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-13 22:16 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-13 21:01 --------- d--ha-w C:\Documents and Settings\All Users\Application Data\GTek
2008-04-13 21:01 --------- d--h--w C:\Documents and Settings\Owner\Application Data\GTek
2008-04-13 21:01 --------- d-----w C:\Program Files\Linksys EasyLink Advisor
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-29_15.21.17.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-29 19:15:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-29 22:09:50 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 18:16 454784]
"DW6"="C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-03-17 13:08 801904]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-01-29 20:13 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-01-29 20:13 118784]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 08:59 579584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-14 13:46 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-13 20:06 219136]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xdI40.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=


.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 18:10:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
.
**************************************************************************
.
Completion time: 2008-05-29 18:15:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-29 22:14:46
ComboFix2.txt 2008-05-29 19:22:29

Pre-Run: 36,132,442,112 bytes free
Post-Run: 36,131,545,088 bytes free

141 --- E O F --- 2008-05-17 03:58:57


And here is the HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:17:27 PM, on 5/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [DW6] C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1208126683827
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O24 - Desktop Component 0: (no name) - http://us.f313.mail..../...ead=b&Idx=3

--
End of file - 5872 bytes
  • 0

#13
fenzodahl512
Posted 29 May 2008 - 06:49 PM

fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello Becky, thanks for the reply.. Now lets do the following..

Please download Malwarebytes' Anti-Malware from HERE or HERE

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.




Please include a fresh Deckard System Scanner log in your next reply.. Tell us about your computer behaviour..

Regards
fenzodahl512
  • 0

#14
Becky715
Posted 29 May 2008 - 07:44 PM

Becky715

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Hello again-

Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.12
Database version: 799

Scan type: Full Scan (C:\|)
Objects scanned: 63942
Time elapsed: 18 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Once again, when I ran the Deckard System Scanner, it got all the way to "Checking Event Logs" and then an error message popped up saying that dds has encountered an unexpected error and must close. =(

Otherwise, the Computer seems to be running great again, Everything is where it should be on the Start Menu, I can access my harddrive from the My Computer Screen, the clock is back to normal.........
  • 0

#15
fenzodahl512
Posted 30 May 2008 - 06:19 AM

fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello Becky, thanks for the reply.. Firstly, please noticed that your AVG7 is out-of-date and no longer supported by Grisoft.. It has been replaced by AVG8.. Please visit this website for more details :)


Lets do one more scan..

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Regards
fenzodahl512

Edited by fenzodahl512, 30 May 2008 - 06:19 AM.

  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP