Win32/Vundo & Win32/BHO [RESOLVED]


  • This topic is locked This topic is locked

#16 Becky715 (Topic Starter, Member, 20 posts)
Hello again fenz and thank you once again,

After all is said and done, I shall upgrade my AVG to the newest version, thank you for that information.

Here is the Kaspersky log you asked for... seems I'm still a little infected...

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, May 30, 2008 9:19:43 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 31/05/2008
Kaspersky Anti-Virus database records: 816364
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 35503
Number of viruses found: 3
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 00:45:47

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\gdql_lsa_LinksysAgent.log Object is locked skipped
C:\Documents and Settings\Owner\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\glog.log Object is locked skipped
C:\Documents and Settings\Owner\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\LinksysAgent.log Object is locked skipped
C:\Documents and Settings\Owner\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\LinksysAgent_GTActions.log Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\temp\~DFDAAF.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{6A4AC2D2-4C13-4A5C-A797-1CAAE4AEDA27}\RP28\A0004031.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ca skipped
C:\System Volume Information\_restore{6A4AC2D2-4C13-4A5C-A797-1CAAE4AEDA27}\RP28\A0004032.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.cn skipped
C:\System Volume Information\_restore{6A4AC2D2-4C13-4A5C-A797-1CAAE4AEDA27}\RP28\A0004033.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.cc skipped
C:\System Volume Information\_restore{6A4AC2D2-4C13-4A5C-A797-1CAAE4AEDA27}\RP29\A0004052.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.cc skipped
C:\System Volume Information\_restore{6A4AC2D2-4C13-4A5C-A797-1CAAE4AEDA27}\RP47\A0004387.dll Object is locked skipped
C:\System Volume Information\_restore{6A4AC2D2-4C13-4A5C-A797-1CAAE4AEDA27}\RP47\A0004388.sys Object is locked skipped
C:\System Volume Information\_restore{6A4AC2D2-4C13-4A5C-A797-1CAAE4AEDA27}\RP47\A0005380.dll Object is locked skipped
C:\System Volume Information\_restore{6A4AC2D2-4C13-4A5C-A797-1CAAE4AEDA27}\RP47\A0005383.sys Object is locked skipped
C:\System Volume Information\_restore{6A4AC2D2-4C13-4A5C-A797-1CAAE4AEDA27}\RP47\A0005387.exe Object is locked skipped
C:\System Volume Information\_restore{6A4AC2D2-4C13-4A5C-A797-1CAAE4AEDA27}\RP47\A0007405.dll Object is locked skipped
C:\System Volume Information\_restore{6A4AC2D2-4C13-4A5C-A797-1CAAE4AEDA27}\RP47\A0008402.dll Object is locked skipped
C:\System Volume Information\_restore{6A4AC2D2-4C13-4A5C-A797-1CAAE4AEDA27}\RP48\A0010398.dll Object is locked skipped
C:\System Volume Information\_restore{6A4AC2D2-4C13-4A5C-A797-1CAAE4AEDA27}\RP48\A0010399.dll Object is locked skipped
C:\System Volume Information\_restore{6A4AC2D2-4C13-4A5C-A797-1CAAE4AEDA27}\RP48\A0010400.dll Object is locked skipped
C:\System Volume Information\_restore{6A4AC2D2-4C13-4A5C-A797-1CAAE4AEDA27}\RP49\A0010506.dll Object is locked skipped
C:\System Volume Information\_restore{6A4AC2D2-4C13-4A5C-A797-1CAAE4AEDA27}\RP49\A0010514.exe Object is locked skipped
C:\System Volume Information\_restore{6A4AC2D2-4C13-4A5C-A797-1CAAE4AEDA27}\RP58\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
#17 fenzodahl512 (Malware Removal, 9,863 posts)
Ah.. Don't worry about that.. Let's do the following...

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xdI40.sys]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

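fenz's "Don't worry about that" holds because every one of the four Kaspersky detections sits inside a System Restore snapshot folder (System Volume Information\_restore{...}\RPnn), not on the live system. The script below is an added example, not code from the thread or from Kaspersky: it parses a report in the posted format and separates objects the scanner could not open, restore-point copies, and detections on the live system. The sample report is constructed from lines of the posted log plus one placeholder detection invented to show a live hit.

```python
"""Triage a Kaspersky Online Scanner report (the format posted in this thread).

Added example, not code from the thread: it separates objects the scanner could
not open ("Object is locked skipped") from real detections, and sorts detections
into copies held in System Restore snapshot folders versus files that are live
on the system.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Report body constructed for this example. The first four object lines are
# copied from the log posted in the thread; the last one is an invented entry
# (placeholder path and detection name) showing a detection outside a restore point.
SAMPLE_REPORT = """\
Infected Object Name / Virus Name / Last Action
C:\\Documents and Settings\\Owner\\NTUSER.DAT Object is locked skipped
C:\\WINDOWS\\system32\\config\\SAM Object is locked skipped
C:\\System Volume Information\\_restore{6A4AC2D2-4C13-4A5C-A797-1CAAE4AEDA27}\\RP28\\A0004031.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ca skipped
C:\\System Volume Information\\_restore{6A4AC2D2-4C13-4A5C-A797-1CAAE4AEDA27}\\RP29\\A0004052.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.cc skipped
C:\\WINDOWS\\system32\\PLACEHOLDER_EXAMPLE.dll Infected: Trojan.Win32.Placeholder.example skipped

Scan process completed.
"""

# One object per line: "<path> Object is locked skipped" or
# "<path> Infected: <detection name> <last action>". Paths may contain spaces,
# so match the fixed trailer and take everything before it as the path.
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
# System Restore keeps copies of replaced files under
# System Volume Information\_restore{GUID}\RPnn\ ; nothing loads them from there.
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.IGNORECASE
)


@dataclass
class Finding:
    path: str
    detection: str  # empty for objects the scanner could not open
    action: str
    category: str   # "locked", "restore_point" or "active"

    @property
    def is_pua(self) -> bool:
        # Kaspersky prefixes adware/riskware with "not-a-virus:"; still unwanted.
        return self.detection.startswith("not-a-virus:")


def parse_report(text: str) -> List[Finding]:
    """Extract every object line from the report body."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LOCKED_RE.match(line)
        if m:
            findings.append(Finding(m["path"], "", "skipped", "locked"))
            continue
        m = INFECTED_RE.match(line)
        if m:
            category = "restore_point" if RESTORE_RE.search(m["path"]) else "active"
            findings.append(Finding(m["path"], m["name"], m["action"], category))
    return findings


def triage(findings: List[Finding]) -> Tuple[Dict[str, int], List[Finding]]:
    """Count findings per category and return the ones that still need cleanup."""
    counts = {"locked": 0, "restore_point": 0, "active": 0}
    active: List[Finding] = []
    for f in findings:
        counts[f.category] += 1
        if f.category == "active":
            active.append(f)
    return counts, active


if __name__ == "__main__":
    counts, active = triage(parse_report(SAMPLE_REPORT))
    print("locked/skipped (not scanned):", counts["locked"])
    print("detections inside restore points:", counts["restore_point"],
          "(inert; cleared when the restore points are purged)")
    print("detections on the live system:", counts["active"])
    for f in active:
        print("  ", "PUA" if f.is_pua else "MALWARE", f.detection, f.path)
```

Locked objects are not clean, only unscanned; they are mostly registry hives and logs held open by the running system, which is why a second scan from a different tool (here ComboFix and HijackThis) is still asked for.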

#18 Becky715 (Topic Starter, Member, 20 posts)
Thanks once again,

Here is the combofix log:

ComboFix 08-05-29.1 - Owner 2008-05-31 17:22:31.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.101 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-31 )))))))))))))))))))))))))))))))
.

2008-05-30 20:20 . 2008-05-30 20:20 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-30 20:20 . 2008-05-30 20:20 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-30 20:20 . 2008-05-30 20:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-29 21:18 . 2008-05-29 21:18 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-29 21:18 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-29 21:18 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-28 14:39 . 2008-05-28 14:41 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-05-27 18:59 . 2008-05-27 18:59 <DIR> d-------- C:\Deckard
2008-05-27 18:34 . 2008-05-27 18:34 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-27 18:28 . 2008-05-27 03:12 <DIR> d-------- C:\SDFix
2008-05-26 14:32 . 2008-05-26 14:52 <DIR> d-------- C:\Program Files\SpywareGuard
2008-05-26 14:29 . 2008-05-26 14:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-26 14:28 . 2008-05-26 14:29 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-26 14:28 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-05-25 19:30 . 2008-05-25 19:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-25 18:16 . 2008-05-25 18:16 <DIR> d-------- C:\Program Files\Panda Security
2008-05-25 16:34 . 2008-05-25 16:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-25 16:33 . 2008-05-26 14:37 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-25 16:33 . 2008-05-26 14:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-05-25 16:14 . 2008-05-25 16:14 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-05-25 16:13 . 2008-05-25 16:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-25 16:11 . 2008-05-25 16:11 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-25 02:38 . 2008-05-26 14:38 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-05-25 02:13 . 2008-05-25 02:14 202 --a------ C:\WINDOWS\wininit.ini
2008-05-24 15:42 . 2008-05-27 18:32 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-24 15:42 . 2008-05-26 14:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-24 14:16 . 2008-05-24 14:16 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-05-24 14:10 . 2008-05-24 14:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-05-24 14:09 . 2008-04-13 17:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-05-24 14:09 . 2008-05-24 14:16 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-20 12:10 . 2004-08-04 08:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-05-16 16:54 . 2008-05-28 08:38 <DIR> dr-h----- C:\$VAULT$.AVG
2008-05-02 17:05 . 2008-05-02 17:05 <DIR> d-------- C:\Program Files\3DGroove
2008-04-28 17:28 . 2008-04-28 17:28 376 --a------ C:\WINDOWS\ODBC.INI
2008-04-28 17:25 . 2008-04-28 17:25 <DIR> d-------- C:\WINDOWS\ShellNew
2008-04-28 17:23 . 2008-04-28 17:23 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Microsoft Web Folders
2008-04-14 13:47 . 2008-04-14 13:47 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-04-14 13:46 . 2008-04-14 13:46 <DIR> d-------- C:\Program Files\Real
2008-04-14 13:46 . 2008-04-14 13:46 <DIR> d-------- C:\Program Files\Common Files\Real
2008-04-13 20:38 . 2008-04-13 20:38 <DIR> d-------- C:\WINDOWS\Sun
2008-04-13 20:37 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-13 20:36 . 2008-04-13 20:37 <DIR> d-------- C:\Program Files\Java
2008-04-13 20:35 . 2008-04-13 20:35 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-13 20:07 . 2008-05-31 08:00 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-04-13 20:06 . 2008-04-15 09:00 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-13 20:06 . 2008-04-13 20:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-13 20:06 . 2008-05-24 14:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-04-13 20:06 . 2008-04-13 20:06 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-04-13 20:06 . 2008-04-13 20:06 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-04-13 19:53 . 2008-04-13 19:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-13 19:43 . 2008-04-13 19:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-13 19:34 . 2008-04-15 23:40 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-04-13 19:32 . 2008-04-13 19:32 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2008-04-13 19:29 . 2008-04-13 19:52 <DIR> d-------- C:\Program Files\Yahoo!
2008-04-13 19:28 . 2008-04-13 19:28 <DIR> d-------- C:\Program Files\The Weather Channel FW
2008-04-13 18:58 . 2008-04-13 18:58 2,422 --a------ C:\WINDOWS\system32\wpa.bak
2008-04-13 18:50 . 2008-05-13 18:25 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-13 18:50 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-13 18:45 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-04-13 18:45 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-04-13 18:45 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-04-13 18:45 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-04-13 18:45 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-04-13 18:44 . 2008-04-13 18:44 <DIR> d---s---- C:\Documents and Settings\Owner\UserData
2008-04-13 18:43 . 2008-04-13 18:43 <DIR> d-------- C:\Program Files\Lexmark 510 Series
2008-04-13 18:43 . 2008-04-13 18:43 <DIR> d-------- C:\Documents and Settings\Owner\WINDOWS
2008-04-13 18:43 . 2004-02-26 08:55 307,200 --a------ C:\WINDOWS\system32\LEXBCES.EXE
2008-04-13 18:43 . 1997-04-08 20:08 299,520 --a------ C:\WINDOWS\uninst.exe
2008-04-13 18:43 . 2004-02-26 08:55 201,216 --a------ C:\WINDOWS\system32\LEXP2P32.DLL
2008-04-13 18:43 . 2004-02-26 08:26 200,192 --a------ C:\WINDOWS\system32\lexlmpm.dll
2008-04-13 18:43 . 2004-02-26 08:55 197,120 --a------ C:\WINDOWS\system32\LEX2KUSB.DLL
2008-04-13 18:43 . 2004-02-26 08:55 174,592 --a------ C:\WINDOWS\system32\LEXPPS.EXE
2008-04-13 18:43 . 2004-02-26 08:55 147,456 --a------ C:\WINDOWS\system32\LEXBCE.DLL
2008-04-13 18:43 . 2004-02-26 08:58 73,728 --a------ C:\WINDOWS\system32\lxbzpwr.dll
2008-04-13 18:43 . 2008-05-29 08:16 256 --a------ C:\WINDOWS\LEXSTAT.INI
2008-04-13 18:42 . 2008-04-13 18:42 <DIR> d-------- C:\Lxk510
2008-04-13 18:42 . 2008-04-13 18:42 <DIR> d-------- C:\LexmarkDiag
2008-04-13 18:19 . 2003-04-24 17:53 6,842,880 --a------ C:\WINDOWS\system32\alsndmgr.cpl
2008-04-13 18:17 . 2004-01-29 20:13 155,648 --a------ C:\WINDOWS\system32\igfxres.dll
2008-04-13 18:16 . 2008-04-13 18:19 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-04-13 18:16 . 2008-04-13 18:16 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-04-13 18:13 . 2008-04-13 18:21 <DIR> d-------- C:\cabs
2008-04-13 17:00 . 2008-04-13 17:01 <DIR> d-------- C:\Program Files\Linksys EasyLink Advisor
2008-04-13 17:00 . 2008-04-13 17:01 <DIR> d--h----- C:\Documents and Settings\Owner\Application Data\GTek
2008-04-13 17:00 . 2008-04-13 17:01 <DIR> d-ah----- C:\Documents and Settings\All Users\Application Data\GTek

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 21:23 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-01 07:21 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-29_15.21.17.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-29 19:15:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-29 22:09:50 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 18:16 454784]
"DW6"="C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-03-17 13:08 801904]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-01-29 20:13 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-01-29 20:13 118784]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 08:59 579584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-14 13:46 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-13 20:06 219136]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=


*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-31 17:26:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-31 17:28:45
ComboFix-quarantined-files.txt 2008-05-31 21:28:28
ComboFix2.txt 2008-05-29 22:15:43
ComboFix3.txt 2008-05-29 19:22:29

Pre-Run: 35,724,201,984 bytes free
Post-Run: 35,863,523,328 bytes free

161 --- E O F --- 2008-05-17 03:58:57


Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:29:57 PM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [DW6] C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1208126683827
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O24 - Desktop Component 0: (no name) - http://us.f313.mail..../...ead=b&Idx=3

--
End of file - 5909 bytes

#19 fenzodahl512 (Malware Removal, 9,863 posts)
Hello Becky, I have good news for you.. Your logs look clean to my eyes :)


Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
    Please note that the space between x and / is needed





NEXT


Please Install/Update Sun Java

Updating Java:
  • Go to Start --> Control Panel --> Add or Remove Programs.
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
  • It should have this icon next to it: [icon image]
  • Select it and click Remove. This will uninstall the previous (outdated) version of Java.
  • Then Download and install the newest version from here: Java Runtime Environment (JRE) 6 Update 6



NEXT


I noticed that you already have

1. AVG7 as your antivirus. Please do remember to update it to AVG8 Free as soon as possible
2. MalwareBytes' Anti-Malware as your antispyware
3. SpywareGuard as your spyware-blocker.


However, I haven't seen any third-party firewall in your logs.. Do you have any? If you don't, please install ONLY ONE of these free and excellent firewalls below:
  • Comodo Firewall Pro
  • PC Tools Firewall Plus
    After you install the third party firewall, please disable your Windows firewall. Please go to My Computer >> Control Panel >> Windows Firewall and choose Off (not recommended) option. Then please click Apply and Ok.



Lastly, to keep your operating system up to date please visit the link below monthly
  • Microsoft Windows Update

To learn more about how to protect yourself while on the internet read this excellent article by Tony Klein: So how did I get infected in the first place?

Please also read an excellent article by miekiemoes: Help! My computer is slow!

And another excellent article by CastleCops Malware Prevention: Prevent Re-infection

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :)



Have a safe and happy computing day!


Regards
fenzodahl512

#20 Becky715 (Topic Starter, Member, 20 posts)
Everything seems to be running great once again!! Thank you so very much for your help and assistance with everything. I'm going to go update my AVG and get one of those firewalls right now.

Again, thank you very much.

#21 fenzodahl512 (Malware Removal, 9,863 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.