Geeks to Go

Unknown Malware [RESOLVED]



#1 KrunkMcGrunk (Member, 11 posts)
Hi, I've been poking around these forums the past day or so, and using some of your guides to deal with some malware that my Dad picked up on his computer. Anyhow, it continually will try to open up pages in Explorer, and will open up Windows system messages saying that the computer has contracted a virus, and it can be removed if you click this link, blah blah blah.

Anyhow, here is the HJT log from the computer:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:34:39 AM, on 7/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\Hotsync.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcente...trolLite_EN.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1146603021390
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1158800323549
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec....rl/SymAData.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~2\QBDBMgrN.exe
O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~2\QBDBMgrN.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 7691 bytes


Here is the AVG report:

AVG 8.0 Anti-Virus command line scanner
Copyright © 1992 - 2008 AVG Technologies
Program version 8.0.134, engine 8.0.0
Virus Database: Version 270.4.6/1538 2008-07-07

C:\Documents and Settings\Administrator.HPOFFICE\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\Administrator.HPOFFICE\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\Administrator.HPOFFICE\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\Administrator.HPOFFICE\ntuser.dat.LOG Locked file. Not tested.
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Locked file. Not tested.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\LocalService\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\LocalService\ntuser.dat.LOG Locked file. Not tested.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\NetworkService\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Locked file. Not tested.
C:\pagefile.sys Locked file. Not tested.
C:\Program Files\Brother\Brmfl06d\FaxData\Bro30C.tmp Locked file. Not tested.
C:\System Volume Information\ Locked file. Not tested.
C:\WINDOWS\Prefetch\Layout.ini Locked file. Not tested.
C:\WINDOWS\system32\config\default Locked file. Not tested.
C:\WINDOWS\system32\config\default.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SAM Locked file. Not tested.
C:\WINDOWS\system32\config\SAM.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SECURITY Locked file. Not tested.
C:\WINDOWS\system32\config\SECURITY.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\software Locked file. Not tested.
C:\WINDOWS\system32\config\software.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\system Locked file. Not tested.
C:\WINDOWS\system32\config\system.LOG Locked file. Not tested.

------------------------------------------------------------
Objects scanned : 577181
Found infections : 0
Found PUPs : 0
Healed infections : 0
Healed PUPs : 0
Warnings : 0
------------------------------------------------------------


I think I've nailed down most of the malware. The work I've been doing has been done from the administrator account while in Safe Mode. However, when I boot back into the default user account, it has restricted access to the computer itself. Before contracting this virus, the default user account on this machine didn't have any sort of restricted access to anything. What I mean by restricted access is that I cannot change registry values, I cannot access "My Computer", I cannot open the task manager, and a few other things. However, I can do all of these things from the administrator account that is selectable when I boot into Safe Mode.

My Dad has been running BitDefender as his antivirus software, and as far as I can tell, it is up-to-date. I have also used Ad-Aware on his machine.

Also of note, whenever I log into the default user account "VIRUS DETECTED" shows up next to the system clock in the lower-right-hand corner of Windows.

I could not get Panda Activescan to work.
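As an added example (not code from the poster or from Geeks to Go), a small Python triage script for HijackThis log lines like the one posted above. It flags registered components whose file is missing, Run entries that launch a DLL through rundll32, and the O6/O7 policy entries that correspond to the lockouts the poster describes (no Registry Editor, no Task Manager, no "My Computer"). The sample log is constructed from entry formats seen in this thread, and the policy-label table is an assumption.

```python
import re
from dataclasses import dataclass

# Policy values that match the lockouts described in the post (no Registry
# Editor, no Task Manager, no "My Computer"). Assumed label table; any O7
# policy set to a non-zero value is reported whether or not it is listed here.
LOCKOUT_POLICIES = {
    "DisableRegedit": "Registry Editor blocked",
    "DisableTaskMgr": "Task Manager blocked",
    "NoDesktop": "desktop and My Computer hidden",
    "NoFolderOptions": "Folder Options blocked",
}

# Sections whose entries are COM components or Winlogon hooks; a "(file
# missing)" suffix there means a registration outlived the file it pointed at.
COMPONENT_SECTIONS = {"O2", "O3", "O20", "O21"}

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', re.IGNORECASE)
POLICY_RE = re.compile(r",\s*(?P<name>\w+)=(?P<value>\d+)\s*$")


@dataclass(frozen=True)
class Finding:
    section: str  # HJT section code, e.g. "O7"
    reason: str   # why a helper would look at this entry first
    line: str     # the original log line


def triage_line(line: str):
    """Return a Finding for one HJT entry, or None if nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # header, process list, blank line, etc.
    section, body = m.group("section"), m.group("body")

    if section in COMPONENT_SECTIONS and body.endswith("(file missing)"):
        return Finding(section, "registered component points at a missing file "
                       "(orphaned registration, typical leftover of a removed infection)", line)

    if section == "O4":
        dll = RUNDLL_RE.search(body)
        if dll:
            return Finding(section, f"Run entry loads a DLL via rundll32: {dll.group(1)}", line)

    if section == "O6":
        return Finding(section, "Internet Explorer restrictions policy present", line)

    if section == "O7":
        p = POLICY_RE.search(body)
        if p and p.group("value") != "0":
            label = LOCKOUT_POLICIES.get(p.group("name"), "system policy restriction")
            return Finding(section, f"{p.group('name')}={p.group('value')} ({label})", line)

    return None


def triage_log(text: str) -> list:
    """Run triage_line over a whole pasted log, keeping only the findings."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


def lockout_policies(findings) -> list:
    """Names of the O7 policy values a helper would reset to 0 to restore access."""
    return [f.reason.split("=", 1)[0] for f in findings if f.section == "O7"]


# Constructed sample: entry formats taken from this thread, not a full log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {3BA3028F-FD37-46BF-AD27-733734684F06} - C:\WINDOWS\system32\awtrRLBr.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [74d31d7c] rundll32.exe "C:\WINDOWS\system32\uaxrqihx.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: awtrRLBr - awtrRLBr.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Entries the script does not flag (ordinary O4 programs, O23 services) still need a human look; the output only orders the review.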



#2 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hello KrunkMcGrunk

Welcome to G2Go. :)
=====================

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#3 KrunkMcGrunk (Topic Starter, Member, 11 posts)
OK. I'm running DSS now. I'll have a log for you shortly.

DSS Log
Deckard's System Scanner v20071014.68
Run by HP_Owner on 2008-07-08 12:40:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
102: 2008-07-08 16:40:41 UTC - RP892 - Deckard's System Scanner Restore Point
101: 2008-07-07 18:15:30 UTC - RP891 - Installed AVG Free 8.0
100: 2008-07-07 13:00:27 UTC - RP890 - Installed Windows Defender
99: 2008-07-07 12:51:12 UTC - RP889 - Installed Ad-Aware
98: 2008-07-06 18:10:39 UTC - RP888 - Last known good configuration


-- First Restore Point --
1: 2008-07-06 18:10:01 UTC - RP791 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as HP_Owner.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45: VIRUS ALERT!, on 7/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Palm\Hotsync.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\BUFFALO\HDBackup\HDBackup.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\HP_Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\HP_Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3BA3028F-FD37-46BF-AD27-733734684F06} - C:\WINDOWS\system32\awtrRLBr.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: QXK Olive - {8663655C-F6D4-4520-859E-67008902A889} - C:\WINDOWS\kgqfweltmrg.dll (file missing)
O2 - BHO: (no name) - {9FC92682-9A45-4A4F-A463-94CBDDC25DB3} - C:\WINDOWS\system32\bat.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {BBA7A630-4EF3-47DF-B9DF-BF6AC7D3F54D} - C:\WINDOWS\system32\urqPjIxV.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-21-1396644203-1976962670-181085288-1011\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'QBDataServiceUser')
O4 - HKUS\S-1-5-21-1396644203-1976962670-181085288-1012\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'QBDataServiceUser17')
O4 - Startup: BUFFALO EasyBackup.lnk = C:\Program Files\BUFFALO\HDBackup\HDBackup.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\Hotsync.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcente...trolLite_EN.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1146603021390
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1158800323549
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec....rl/SymAData.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: awtrRLBr - awtrRLBr.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~2\QBDBMgrN.exe
O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~2\QBDBMgrN.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 11478 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080707-195809-650 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
backup-20080708-100433-334 O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
backup-20080708-100555-146 O3 - Toolbar: nqgpedlr - {80123684-A222-4009-8220-A867294D6DE8} - C:\WINDOWS\nqgpedlr.dll (file missing)
backup-20080708-100555-750 O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
backup-20080708-100555-971 O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
backup-20080708-100914-917 O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
backup-20080708-110631-113 O4 - HKLM\..\Run: [74d31d7c] rundll32.exe "C:\WINDOWS\system32\uaxrqihx.dll",b
backup-20080708-110631-120 O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
backup-20080708-110631-252 O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
backup-20080708-110631-451 O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
backup-20080708-110631-805 O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca12.cust...l/java/RntX.cab
backup-20080708-110631-985 O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
backup-20080708-110632-509 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
backup-20080708-110632-624 O21 - SSODL: okmdepgb - {087F744C-F6DB-48F5-89B0-A01D777EDF3A} - C:\WINDOWS\okmdepgb.dll
backup-20080708-110632-646 O21 - SSODL: axrfgvek - {3A7A8A13-1BAF-4E87-A8FB-0890A963DB8D} - C:\WINDOWS\axrfgvek.dll

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 bdpredir - c:\program files\softwin\bitdefender10\bdpredir.sys <Not Verified; Softwin SRL; BitDefender 10>
R2 MASPINT - c:\windows\system32\drivers\maspint.sys <Not Verified; MicroStaff Co.,Ltd.; Aspi32 Driver for WinNT>
R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S3 BVRPMPR5 (BVRPMPR5 NDIS Protocol Driver) - f:\instal~e\core\bvrpmpr5.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AdobeActiveFileMonitor4.0 (Adobe Active File Monitor V4) - c:\program files\adobe\photoshop elements 4.0\photoshopelementsfileagent.exe
R2 QBCFMonitorService (QuickBooks Database Manager Service) - "c:\program files\common files\intuit\quickbooks\qbcfmonitorservice.exe" <Not Verified; Intuit; QuickBooks for Windows>

S3 QBFCService (Intuit QuickBooks FCS) - "c:\program files\common files\intuit\quickbooks\fcs\intuit.quickbooks.fcs.exe" <Not Verified; Intuit Inc.; QuickBooks 2007>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\3AF5311D800
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\3AF5311D800
Service: NIC1394


-- Scheduled Tasks -------------------------------------------------------------

2008-07-02 07:02:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-06-08 and 2008-07-08 -----------------------------

2008-07-08 11:12:38 0 d-------- C:\Program Files\smitRem
2008-07-08 09:56:52 0 d-------- C:\Documents and Settings\Administrator.HPOFFICE\Application Data\Bitdefender
2008-07-07 20:18:10 88576 --a------ C:\WINDOWS\system32\bat.dll
2008-07-07 20:14:40 89088 --a------ C:\WINDOWS\system32\uaxrqihx.dll
2008-07-07 20:06:39 0 d-------- C:\Documents and Settings\Administrator.HPOFFICE\Application Data\Lavasoft
2008-07-07 20:04:50 0 d-------- C:\Documents and Settings\Administrator.HPOFFICE\Application Data\Mozilla
2008-07-07 20:01:59 0 d-------- C:\Documents and Settings\Administrator.HPOFFICE\Application Data\Identities
2008-07-07 20:01:59 0 d-------- C:\Documents and Settings\Administrator.HPOFFICE\Application Data\Apple Computer
2008-07-07 20:01:58 0 dr-h----- C:\Documents and Settings\Administrator.HPOFFICE\SendTo
2008-07-07 20:01:58 0 dr-h----- C:\Documents and Settings\Administrator.HPOFFICE\Recent
2008-07-07 20:01:58 0 d--h----- C:\Documents and Settings\Administrator.HPOFFICE\PrintHood
2008-07-07 20:01:58 0 d--h----- C:\Documents and Settings\Administrator.HPOFFICE\NetHood
2008-07-07 20:01:58 0 dr------- C:\Documents and Settings\Administrator.HPOFFICE\My Documents
2008-07-07 20:01:58 0 d--h----- C:\Documents and Settings\Administrator.HPOFFICE\Local Settings
2008-07-07 20:01:58 0 dr------- C:\Documents and Settings\Administrator.HPOFFICE\Favorites
2008-07-07 20:01:58 0 d-------- C:\Documents and Settings\Administrator.HPOFFICE\Desktop
2008-07-07 20:01:58 0 d--hs---- C:\Documents and Settings\Administrator.HPOFFICE\Cookies
2008-07-07 20:01:58 0 dr-h----- C:\Documents and Settings\Administrator.HPOFFICE\Application Data
2008-07-07 20:01:58 0 d-------- C:\Documents and Settings\Administrator.HPOFFICE\Application Data\Symantec
2008-07-07 20:01:58 0 d-------- C:\Documents and Settings\Administrator.HPOFFICE\Application Data\Sun
2008-07-07 20:01:58 0 d-------- C:\Documents and Settings\Administrator.HPOFFICE\Application Data\Sonic
2008-07-07 20:01:58 0 d-------- C:\Documents and Settings\Administrator.HPOFFICE\Application Data\SampleView
2008-07-07 20:01:58 0 d-------- C:\Documents and Settings\Administrator.HPOFFICE\Application Data\Real
2008-07-07 20:01:58 0 d---s---- C:\Documents and Settings\Administrator.HPOFFICE\Application Data\Microsoft
2008-07-07 20:01:57 0 d-------- C:\Documents and Settings\Administrator.HPOFFICE\WINDOWS
2008-07-07 20:01:57 0 d--h----- C:\Documents and Settings\Administrator.HPOFFICE\Templates
2008-07-07 20:01:57 0 dr------- C:\Documents and Settings\Administrator.HPOFFICE\Start Menu
2008-07-07 20:01:56 1048576 --ah----- C:\Documents and Settings\Administrator.HPOFFICE\NTUSER.DAT
2008-07-07 19:55:10 0 d-------- C:\Program Files\Trend Micro
2008-07-07 19:52:07 0 d-------- C:\Program Files\Panda Security
2008-07-07 15:51:33 0 d--h----- C:\$AVG8.VAULT$
2008-07-07 14:16:09 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-07 14:15:43 0 d-------- C:\Program Files\AVG
2008-07-07 14:15:42 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-07 13:08:39 6758 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-07 08:51:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-07 08:50:07 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-06 20:12:51 89088 --a------ C:\WINDOWS\system32\mbddrtve.dll
2008-07-06 14:09:50 258163 --ahs---- C:\WINDOWS\system32\VxIjPqru.ini2
2008-07-06 14:09:46 318720 --a------ C:\WINDOWS\system32\urqPjIxV.dll
2008-07-06 14:05:13 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\TmpRecentIcons
2008-07-06 14:01:05 344064 --a------ C:\WINDOWS\axrfgvek.dll
2008-07-06 14:00:10 90112 --a------ C:\WINDOWS\mrvtdpqe.exe
2008-07-06 13:59:07 0 d-------- C:\Program Files\VAV
2008-07-06 13:58:52 299008 --a------ C:\WINDOWS\okmdepgb.dll
2008-07-06 13:58:25 0 d-------- C:\Program Files\PCHealthCenter
2008-06-28 09:26:04 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\ICWUSA.com, Inc


-- Find3M Report ---------------------------------------------------------------

2008-07-08 12:42:13 81984 --a------ C:\WINDOWS\system32\bdod.bin
2008-07-07 08:51:26 0 d-------- C:\Program Files\Lavasoft
2008-07-07 08:50:07 0 d-------- C:\Program Files\Common Files
2008-06-28 09:26:07 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Mozilla
2008-06-28 09:23:56 0 d-------- C:\Program Files\ICW
2008-06-19 09:10:08 0 d-------- C:\Program Files\The Weather Channel FW
2008-05-02 08:23:43 20200 --a------ C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3BA3028F-FD37-46BF-AD27-733734684F06}]
C:\WINDOWS\system32\awtrRLBr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8663655C-F6D4-4520-859E-67008902A889}]
C:\WINDOWS\kgqfweltmrg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9FC92682-9A45-4A4F-A463-94CBDDC25DB3}]
08/04/2004 08:00: VIRUS ALERT! 88576 --a------ C:\WINDOWS\system32\bat.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBA7A630-4EF3-47DF-B9DF-BF6AC7D3F54D}]
07/06/2008 14:09: VIRUS ALERT! 318720 --a------ C:\WINDOWS\system32\urqPjIxV.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [08/21/2004 01:51: VIRUS ALERT!]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [06/07/2004 21:53: VIRUS ALERT!]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [06/07/2004 21:42: VIRUS ALERT!]
"KBD"="C:\HP\KBD\KBD.EXE" [02/11/2003 23:02: VIRUS ALERT!]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [04/14/2004 23:43: VIRUS ALERT!]
"VTTimer"="VTTimer.exe" []
"AlcxMonitor"="ALCXMNTR.EXE" [09/07/2004 23:47: VIRUS ALERT! C:\WINDOWS\ALCXMNTR.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [06/29/2004 20:06: VIRUS ALERT! C:\WINDOWS\AGRSMMSG.exe]
"SoundMan"="SOUNDMAN.EXE" [07/29/2004 03:40: VIRUS ALERT! C:\WINDOWS\SOUNDMAN.EXE]
"PS2"="C:\WINDOWS\system32\ps2.exe" [10/16/2002 19:57: VIRUS ALERT!]
"AlcWzrd"="ALCWZRD.EXE" [07/29/2004 04:34: VIRUS ALERT! C:\WINDOWS\ALCWZRD.EXE]
"Alcmtr"="ALCMTR.EXE" [07/20/2004 20:22: VIRUS ALERT! C:\WINDOWS\ALCMTR.EXE]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [10/15/2004 00:54: VIRUS ALERT!]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [02/04/2002 23:32: VIRUS ALERT!]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/23/2006 16:45: VIRUS ALERT!]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [09/09/2005 01:18: VIRUS ALERT!]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [10/16/2006 21:17: VIRUS ALERT!]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [10/16/2006 21:13: VIRUS ALERT!]
"BDMCon"="C:\Program Files\Softwin\BitDefender10\bdmcon.exe" [08/21/2007 15:50: VIRUS ALERT!]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [03/26/2007 15:49: VIRUS ALERT!]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [01/29/2007 21:12: VIRUS ALERT!]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [01/29/2007 21:10: VIRUS ALERT!]
"PPort11reminder"="C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" [02/01/2007 13:46: VIRUS ALERT!]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [03/02/2007 16:32: VIRUS ALERT!]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [11/07/2006 19:03: VIRUS ALERT!]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [04/17/2004 16:41: VIRUS ALERT!]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [02/16/2005 16:15: VIRUS ALERT!]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 22:16: VIRUS ALERT!]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [01/31/2008 23:13: VIRUS ALERT!]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/07/2008 14:15: VIRUS ALERT!]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00: VIRUS ALERT!]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/06/2007 11:44: VIRUS ALERT!]
"DW4"="" []

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
BUFFALO EasyBackup.lnk - C:\Program Files\BUFFALO\HDBackup\HDBackup.exe [4/13/2005 1:35:58 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [2/16/2006 7:49:03 AM]
HotSync Manager.lnk - C:\Palm\Hotsync.exe [6/9/2004 3:16:08 PM]
HOTSYNCSHORTCUTNAME.lnk - C:\Palm\Hotsync.exe [6/9/2004 3:16:08 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/29/2004 8:31:38 AM]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [3/18/2008 9:41:30 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)
"DisableRegistryTools"=1 (0x1)
"NoDispCPL"=1 (0x1)
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"=1 (0x1)
"StartMenuLogoff"=1 (0x1)
"NoStartMenuMorePrograms"=1 (0x1)
"NoSetFolders"=1 (0x1)
"NoActiveDesktop"=0 (0x0)
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)
"ForceActiveDesktopOn"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3BA3028F-FD37-46BF-AD27-733734684F06}"= C:\WINDOWS\system32\awtrRLBr.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtrRLBr]
awtrRLBr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap C:\WINDOWS\system32\urqPjIxV

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-07-08 12:49:26 ------------

Edited by KrunkMcGrunk, 08 July 2008 - 10:53 AM.


#4
KrunkMcGrunk

    Member

  • Topic Starter
  • 11 posts
OK - an update.

It seems that the pop-up messages, and browser hijackings have stopped. I hadn't spent any appreciable amount of time out of Safe Mode when I created this thread.

However, the computer is still running incredibly slow. And I'm still locked out of My Computer, Network Places, and several other areas of the computer that I was able to access before this fiasco on this user account. Also, I am still seeing "VIRUS ALERT" next to the clock in Windows. I think it's laughing at me.

e: OK, nevermind on the cessation of malware. AVG just put up a warning saying that it just intercepted some malware.

Edited by KrunkMcGrunk, 08 July 2008 - 11:13 AM.


#5
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Ok
Please visit this web page for instructions for downloading and running ComboFix: ComboFix Instructions
We now suggest that you install the Windows Recovery Console.
The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Post the log from ComboFix when you've accomplished all of that, along with a new HijackThis log.

#6
KrunkMcGrunk

    Member

  • Topic Starter
  • 11 posts
Alright, I will do just that.

I'll keep you guys up-to-date from my laptop.

e: I'm assuming you guys want me to boot up into the special recovery mode?

Edited by KrunkMcGrunk, 08 July 2008 - 11:21 AM.


#7
KrunkMcGrunk

    Member

  • Topic Starter
  • 11 posts
ComboFix is running now. I'm running it under the default user, I am not in safe mode, or the special recovery mode - just plain old Windows XP.

#8
KrunkMcGrunk

    Member

  • Topic Starter
  • 11 posts
Is it normal for Combofix to hang after it has completed all of the stages, and is deleting files/folders? It's been here about half an hour, and hasn't shown any signs of progress.

#9
KrunkMcGrunk

    Member

  • Topic Starter
  • 11 posts
Here is the Combofix Log

ComboFix 08-07-07.3 - HP_Owner 2008-07-08 13:32:40.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.155 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\HP_Owner\Desktop\Error Cleaner.url
C:\Documents and Settings\HP_Owner\Desktop\Privacy Protector.url
C:\Documents and Settings\HP_Owner\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\HP_Owner\Favorites\Error Cleaner.url
C:\Documents and Settings\HP_Owner\Favorites\Privacy Protector.url
C:\Documents and Settings\HP_Owner\Favorites\Spyware&Malware Protection.url
C:\Program Files\myglobalsearch
C:\Program Files\myglobalsearch\bar\History\search
C:\Program Files\PCHealthCenter
C:\Program Files\PCHealthCenter\0.exe
C:\Program Files\PCHealthCenter\0.gif
C:\Program Files\PCHealthCenter\1.gif
C:\Program Files\PCHealthCenter\2.gif
C:\Program Files\PCHealthCenter\3.gif
C:\Program Files\PCHealthCenter\5.exe
C:\Program Files\PCHealthCenter\sex1.ico
C:\Program Files\PCHealthCenter\sex2.ico
C:\Program Files\VAV
C:\Program Files\VAV\vav.cpl
C:\Program Files\VAV\vav.ooo
C:\Program Files\VAV\vav0.dat
C:\Program Files\VAV\vav1.dat
C:\WINDOWS\system32\bat.dll
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\evtrddbm.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\upgxvacu.ini
C:\WINDOWS\system32\urqPjIxV.dll
C:\WINDOWS\system32\VxIjPqru.ini
C:\WINDOWS\system32\VxIjPqru.ini2
C:\WINDOWS\system32\xhiqrxau.ini
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-06-08 to 2008-07-08 )))))))))))))))))))))))))))))))
.

2008-07-08 12:28 . 2008-07-08 12:28 <DIR> d-------- C:\Deckard
2008-07-08 11:12 . 2008-07-08 11:14 <DIR> d-------- C:\Program Files\smitRem
2008-07-08 09:56 . 2008-07-08 09:56 <DIR> d-------- C:\Documents and Settings\Administrator.HPOFFICE\Application Data\Bitdefender
2008-07-07 20:14 . 2008-07-07 20:14 89,088 --a------ C:\WINDOWS\system32\uaxrqihx.dll
2008-07-07 20:06 . 2008-07-07 20:06 <DIR> d-------- C:\Documents and Settings\Administrator.HPOFFICE\Application Data\Lavasoft
2008-07-07 20:01 . 2004-10-21 21:59 <DIR> d-------- C:\Documents and Settings\Administrator.HPOFFICE\WINDOWS
2008-07-07 20:01 . 2004-10-22 17:12 <DIR> d-------- C:\Documents and Settings\Administrator.HPOFFICE\Application Data\Symantec
2008-07-07 20:01 . 2004-10-21 22:52 <DIR> d-------- C:\Documents and Settings\Administrator.HPOFFICE\Application Data\Sonic
2008-07-07 20:01 . 2004-10-21 22:52 <DIR> d-------- C:\Documents and Settings\Administrator.HPOFFICE\Application Data\SampleView
2008-07-07 20:01 . 2004-10-21 21:58 <DIR> d-------- C:\Documents and Settings\Administrator.HPOFFICE\Application Data\Apple Computer
2008-07-07 20:01 . 2008-07-07 20:02 <DIR> d-------- C:\Documents and Settings\Administrator.HPOFFICE
2008-07-07 19:55 . 2008-07-07 19:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-07 19:52 . 2008-07-07 19:52 <DIR> d-------- C:\Program Files\Panda Security
2008-07-07 15:51 . 2008-07-08 13:12 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-07 14:16 . 2008-07-07 14:20 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-07 14:16 . 2008-07-07 14:16 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-07 14:16 . 2008-07-07 14:16 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-07 14:15 . 2008-07-07 14:15 <DIR> d-------- C:\Program Files\AVG
2008-07-07 14:15 . 2008-07-07 14:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-07 13:08 . 2008-07-07 13:22 6,758 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-07 08:51 . 2008-07-07 08:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-07 08:50 . 2008-07-07 08:50 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-06 20:12 . 2008-07-06 20:12 89,088 --a------ C:\WINDOWS\system32\mbddrtve.dll
2008-07-06 14:01 . 2008-07-05 21:48 344,064 --a------ C:\WINDOWS\axrfgvek.dll
2008-07-06 14:00 . 2008-07-05 21:48 90,112 --a------ C:\WINDOWS\mrvtdpqe.exe
2008-07-06 13:58 . 2008-07-05 21:48 299,008 --a------ C:\WINDOWS\okmdepgb.dll
2008-06-28 09:26 . 2008-06-28 09:26 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\ICWUSA.com, Inc
2008-06-11 06:21 . 2008-06-13 09:10 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 06:21 . 2008-06-13 09:10 272,128 --a--c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-07 12:51 --------- d-----w C:\Program Files\Lavasoft
2008-06-28 13:23 --------- d-----w C:\Program Files\ICW
2008-06-19 13:10 --------- d-----w C:\Program Files\The Weather Channel FW
2008-06-04 19:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Acronis
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-02 12:23 20,200 ----a-w C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2006-12-19 15:59 28,672 ----a-w C:\Documents and Settings\HP_Owner\atwbxdet.dll
2004-08-04 12:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 12:00 50,688 --sh--w C:\WINDOWS\twain_32.dll
2006-05-18 15:14 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2004-08-04 12:00 54,784 --sha-w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 12:00 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 12:00 343,040 --sha-w C:\WINDOWS\system32\msvcrt.dll
2007-12-04 18:38 550,912 --sha-w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 12:00 83,456 --sha-w C:\WINDOWS\system32\olepro32.dll
2004-08-04 12:00 11,776 --sha-w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-06 11:44 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-21 01:51 118784]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 21:53 49152]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 21:42 659456]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 23:02 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 23:43 233472]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 19:57 81920]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 00:54 253952]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 23:32 53248]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 16:45 278528]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-10-16 21:17 1941784]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-10-16 21:13 87584]
"BDMCon"="C:\Program Files\Softwin\BitDefender10\bdmcon.exe" [2007-08-21 15:50 290816]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 15:49 69632]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-29 21:12 30248]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-29 21:10 46632]
"PPort11reminder"="C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 13:46 255528]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-02 16:32 630784]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-11-07 19:03 65536]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 16:41 196608]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 16:15 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-07 14:15 1232152]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 23:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 20:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-07-29 03:40 77824 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-29 04:34 2551808 C:\WINDOWS\ALCWZRD.EXE]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
BUFFALO EasyBackup.lnk - C:\Program Files\BUFFALO\HDBackup\HDBackup.exe [2005-04-13 01:35:58 249856]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [2006-02-16 07:49:03 221295]
HotSync Manager.lnk - C:\Palm\Hotsync.exe [2004-06-09 15:16:08 471040]
HOTSYNCSHORTCUTNAME.lnk - C:\Palm\Hotsync.exe [2004-06-09 15:16:08 471040]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-29 08:31:38 241664]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-03-18 21:41:30 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\BUFFALO\\HDBackup\\HDBackup.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-07 14:16]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-07 14:15]
R2 QuickBooksDB17;QuickBooksDB17;C:\PROGRA~1\Intuit\QUICKB~2\QBDBMgrN.exe [2006-09-13 11:32]

.
Contents of the 'Scheduled Tasks' folder
"2008-07-02 11:02:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{3BA3028F-FD37-46BF-AD27-733734684F06} - C:\WINDOWS\system32\awtrRLBr.dll
BHO-{8663655C-F6D4-4520-859E-67008902A889} - C:\WINDOWS\kgqfweltmrg.dll
HKCU-Run-updateMgr - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-DW4 - (no file)
HKLM-Run-VTTimer - VTTimer.exe
ShellExecuteHooks-{3BA3028F-FD37-46BF-AD27-733734684F06} - C:\WINDOWS\system32\awtrRLBr.dll
Notify-awtrRLBr - awtrRLBr.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-08 14:27:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Brother\ControlCenter3\BrccMCtl.exe
.
**************************************************************************
.
Completion time: 2008-07-08 14:44:12 - machine was rebooted [HP_Owner]
ComboFix-quarantined-files.txt 2008-07-08 18:43:39

Pre-Run: 156,555,411,456 bytes free
Post-Run: 156,928,712,704 bytes free

199 --- E O F --- 2008-07-08 18:39:20



It seems to have taken care of most of the problems I was having. The default account (HP_Owner) has been given access back to all of the things that it was previously allowed to do - essentially, admin rights. However, the computer itself is still running awfully slow. Though, I do have both BitDefender and AVG running right now.

#10
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Yes, you must uninstall one of those AVs; it will almost cripple your system to run both at once.
I recommend getting rid of BitDefender.
Please do uninstall one of those before proceeding with the next steps.
====================
1. Please open Notepad
  • Click Start, then Run
  • type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\uaxrqihx.dll
C:\WINDOWS\system32\mbddrtve.dll
C:\WINDOWS\axrfgvek.dll
C:\WINDOWS\mrvtdpqe.exe
C:\WINDOWS\okmdepgb.dll
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
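For readers who want to see how the indicators kahdah acted on can be pulled out of a log mechanically, here is an added triage script (my own example, not code from Deckard's System Scanner, ComboFix or this thread) that scans a registry-dump section for the lockout policies, the modules registered at the BHO / ShellExecuteHooks / Winlogon Notify injection points, AppInit_DLLs and extra LSA authentication packages, the silenced Security Center AV notification, and the "VIRUS ALERT!" text sitting where the AM/PM designator of each timestamp should be. The `Finding` class, `triage()` and the eight-letter-name rule with its uppercase exclusion are my own heuristics; the embedded `SAMPLE_DUMP` is an excerpt of the DSS Registry Dump posted earlier in this thread. Python 3.9 or newer is assumed.

```python
"""Registry-dump triage for DSS / ComboFix logs (added example, not the tools' code)."""
import re
from dataclasses import dataclass

# Policy values that lock the user out when set to 1 (cf. the HKCU policies
# keys in the DSS dump posted earlier in this thread).
LOCKOUT_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "NoDispCPL",
                    "NoToolbarCustomize", "StartMenuLogoff",
                    "NoStartMenuMorePrograms", "NoSetFolders"}
# Injection points where every listed module deserves a manual look.
LOAD_POINTS = {"browser helper objects": "bho",
               "shellexecutehooks": "shell_execute_hook",
               "winlogon\\notify": "winlogon_notify"}
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')
# Eight letters plus .dll/.exe directly under %WINDIR% or system32, the naming
# pattern of the modules queued for deletion in this thread. All-uppercase 8.3
# names (OEM tools such as ALCXMNTR.EXE) are excluded; this is a heuristic only.
RANDOM_MODULE_RE = re.compile(
    r"C:\\WINDOWS\\(?:system32\\)?(?P<stem>[A-Za-z]{8})\.(?:dll|exe)\b", re.I)
# DSS timestamps end in the locale's AM/PM designator; anything else means the
# time-format strings were tampered with (the "VIRUS ALERT" beside the clock).
DESIGNATOR_RE = re.compile(
    r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:?\s(?P<ampm>[A-Za-z][A-Za-z !]*?)"
    r"(?=\s\d|\s[A-Za-z]:\\|\]|$)")


@dataclass(frozen=True)
class Finding:
    kind: str
    key: str
    detail: str


def triage(dump_text: str) -> list:
    """Return one Finding per suspicious indicator in a registry-dump section."""
    findings, key, bad_designators = [], "", set()
    for raw in dump_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        low_key = key.lower()
        vm = VALUE_RE.match(line)
        name, data = (vm.group("name"), vm.group("data")) if vm else ("", line)
        for fragment, kind in LOAD_POINTS.items():
            if fragment in low_key:
                findings.append(Finding(kind, key, line))
        if "policies" in low_key and name in LOCKOUT_POLICIES and data.startswith("1"):
            findings.append(Finding("policy_lockout", key, name))
        if name.lower() == "appinit_dlls" and data:
            findings.append(Finding("appinit_dlls", key, data))
        if name == "Authentication Packages":
            for pkg in data.split():
                if pkg != "msv1_0":  # anything beyond the default package
                    findings.append(Finding("auth_package_extra", key, pkg))
        if name == "AntiVirusDisableNotify" and data.endswith("1"):
            findings.append(Finding("av_notify_disabled", key, data))
        for mm in RANDOM_MODULE_RE.finditer(line):
            if not mm.group("stem").isupper():
                findings.append(Finding("random_module_name", key, mm.group(0)))
        for dm in DESIGNATOR_RE.finditer(line):
            if dm.group("ampm") not in ("AM", "PM"):
                bad_designators.add(dm.group("ampm"))
    for designator in sorted(bad_designators):
        findings.append(Finding("clock_designator_tampered", "(locale time format)", designator))
    return findings


# Excerpt of the DSS "Registry Dump" posted earlier in this thread.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBA7A630-4EF3-47DF-B9DF-BF6AC7D3F54D}]
07/06/2008 14:09: VIRUS ALERT! 318720 --a------ C:\WINDOWS\system32\urqPjIxV.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [08/21/2004 01:51: VIRUS ALERT!]
"AlcxMonitor"="ALCXMNTR.EXE" [09/07/2004 23:47: VIRUS ALERT! C:\WINDOWS\ALCXMNTR.EXE]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)
"DisableRegistryTools"=1 (0x1)
"NoDispAppearancePage"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3BA3028F-FD37-46BF-AD27-733734684F06}"= C:\WINDOWS\system32\awtrRLBr.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtrRLBr]
awtrRLBr.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap C:\WINDOWS\system32\urqPjIxV
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_DUMP):
        print(f"{f.kind:26} {f.detail}")
```

Every finding is a lead for manual verification, not a verdict: the legitimate `relog_ap` package and any OEM module are reported alongside the real hits so nothing in those load points goes unreviewed.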


#11
KrunkMcGrunk

    Member

  • Topic Starter
  • 11 posts
Sorry for the delay -

HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:37, on 7/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\iPod\bin\iPodService.exe

ComboFix Log

ComboFix 08-07-09.2 - HP_Owner 2008-07-09 20:46:56.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.199 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\axrfgvek.dll
C:\WINDOWS\mrvtdpqe.exe
C:\WINDOWS\okmdepgb.dll
C:\WINDOWS\system32\mbddrtve.dll
C:\WINDOWS\system32\uaxrqihx.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\oeminfo.ini
C:\WINDOWS\system32\uaxrqihx.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-10 to 2008-07-10 )))))))))))))))))))))))))))))))
.

2008-07-08 12:28 . 2008-07-08 12:28 <DIR> d-------- C:\Deckard
2008-07-08 11:12 . 2008-07-08 11:14 <DIR> d-------- C:\Program Files\smitRem
2008-07-07 20:06 . 2008-07-07 20:06 <DIR> d-------- C:\Documents and Settings\Administrator.HPOFFICE\Application Data\Lavasoft
2008-07-07 20:01 . 2004-10-21 21:59 <DIR> d-------- C:\Documents and Settings\Administrator.HPOFFICE\WINDOWS
2008-07-07 20:01 . 2004-10-22 17:12 <DIR> d-------- C:\Documents and Settings\Administrator.HPOFFICE\Application Data\Symantec
2008-07-07 20:01 . 2004-10-21 22:52 <DIR> d-------- C:\Documents and Settings\Administrator.HPOFFICE\Application Data\Sonic
2008-07-07 20:01 . 2004-10-21 22:52 <DIR> d-------- C:\Documents and Settings\Administrator.HPOFFICE\Application Data\SampleView
2008-07-07 20:01 . 2004-10-21 21:58 <DIR> d-------- C:\Documents and Settings\Administrator.HPOFFICE\Application Data\Apple Computer
2008-07-07 20:01 . 2008-07-07 20:02 <DIR> d-------- C:\Documents and Settings\Administrator.HPOFFICE
2008-07-07 19:55 . 2008-07-07 19:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-07 19:52 . 2008-07-07 19:52 <DIR> d-------- C:\Program Files\Panda Security
2008-07-07 15:51 . 2008-07-09 16:13 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-07 14:16 . 2008-07-09 08:30 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-07 14:16 . 2008-07-07 14:16 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-07 14:16 . 2008-07-07 14:16 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-07 14:15 . 2008-07-07 14:15 <DIR> d-------- C:\Program Files\AVG
2008-07-07 14:15 . 2008-07-07 14:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-07 13:08 . 2008-07-07 13:22 6,758 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-07 08:51 . 2008-07-07 08:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-07 08:50 . 2008-07-07 08:50 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-28 09:26 . 2008-06-28 09:26 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\ICWUSA.com, Inc
2008-06-11 06:21 . 2008-06-13 09:10 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 06:21 . 2008-06-13 09:10 272,128 --a--c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-09 14:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\BitDefender
2008-07-07 12:51 --------- d-----w C:\Program Files\Lavasoft
2008-06-28 13:23 --------- d-----w C:\Program Files\ICW
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 13:10 --------- d-----w C:\Program Files\The Weather Channel FW
2008-06-04 19:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Acronis
2008-05-02 12:23 20,200 ----a-w C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2006-12-19 15:59 28,672 ----a-w C:\Documents and Settings\HP_Owner\atwbxdet.dll
2004-08-04 12:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 12:00 50,688 --sh--w C:\WINDOWS\twain_32.dll
2006-05-18 15:14 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2004-08-04 12:00 54,784 --sha-w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 12:00 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 12:00 343,040 --sha-w C:\WINDOWS\system32\msvcrt.dll
2007-12-04 18:38 550,912 --sha-w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 12:00 83,456 --sha-w C:\WINDOWS\system32\olepro32.dll
2004-08-04 12:00 11,776 --sha-w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((( snapshot@2008-07-08_14.42.05.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-08 18:25:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-10 00:51:37 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2004-07-15 05:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2720\_aspnet_isapi.dll
+ 2004-07-15 04:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2720\_CORPerfMonExt.dll
+ 2004-07-15 04:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2720\_fusion.dll
+ 2004-07-15 04:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2720\_mscorjit.dll
+ 2004-07-15 18:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2720\_mscorlib.dll
+ 2003-02-21 09:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2720\_mscorsn.dll
+ 2004-07-15 04:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2720\_mscorsvr.dll
+ 2004-07-15 04:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2720\_mscorwks.dll
+ 2003-02-21 18:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2720\_msvcr71.dll
+ 2004-07-15 04:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2720\_PerfCounter.dll
+ 2004-07-15 05:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4952\_aspnet_isapi.dll
+ 2004-07-15 04:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4952\_CORPerfMonExt.dll
+ 2004-07-15 04:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4952\_fusion.dll
+ 2004-07-15 04:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4952\_mscorjit.dll
+ 2004-07-15 18:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4952\_mscorlib.dll
+ 2003-02-21 09:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4952\_mscorsn.dll
+ 2004-07-15 04:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4952\_mscorsvr.dll
+ 2004-07-15 04:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4952\_mscorwks.dll
+ 2003-02-21 18:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4952\_msvcr71.dll
+ 2004-07-15 04:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4952\_PerfCounter.dll
- 2008-07-08 18:31:05 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
+ 2008-07-09 14:22:04 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
- 2004-08-04 12:00:00 138,496 -c--a-w C:\WINDOWS\system32\dllcache\afd.sys
+ 2008-06-20 10:44:38 138,368 -c--a-w C:\WINDOWS\system32\dllcache\afd.sys
- 2008-02-20 05:32:43 148,992 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-06-20 17:41:10 148,992 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
- 2004-08-04 12:00:00 245,248 -c--a-w C:\WINDOWS\system32\dllcache\mswsock.dll
+ 2008-06-20 17:41:10 245,248 -c--a-w C:\WINDOWS\system32\dllcache\mswsock.dll
- 2007-10-30 17:20:55 360,064 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
+ 2008-06-20 10:45:13 360,320 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
- 2006-08-16 09:37:30 225,664 -c--a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
+ 2008-06-20 09:52:06 225,920 -c--a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
- 2008-02-20 05:32:43 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-06-20 17:41:10 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
- 2004-08-04 12:00:00 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
+ 2008-06-20 17:41:10 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
- 2007-11-30 11:18:51 17,272 ----a-w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w C:\WINDOWS\system32\spmsg.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-21 01:51 118784]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 21:53 49152]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 21:42 659456]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 23:02 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 23:43 233472]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 19:57 81920]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 00:54 253952]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 23:32 53248]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 16:45 278528]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-10-16 21:17 1941784]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-10-16 21:13 87584]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-29 21:12 30248]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-29 21:10 46632]
"PPort11reminder"="C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 13:46 255528]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-02 16:32 630784]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-11-07 19:03 65536]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 16:41 196608]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 16:15 81920]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-07 14:15 1232152]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 23:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 20:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-07-29 03:40 77824 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-29 04:34 2551808 C:\WINDOWS\ALCWZRD.EXE]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^APC UPS Status.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk
backup=C:\WINDOWS\pss\APC UPS Status.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=C:\WINDOWS\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^BUFFALO EasyBackup.lnk]
path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\BUFFALO EasyBackup.lnk
backup=C:\WINDOWS\pss\BUFFALO EasyBackup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-06 11:44 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\BUFFALO\\HDBackup\\HDBackup.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-07 14:16]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-07 14:15]
R2 QuickBooksDB17;QuickBooksDB17;C:\PROGRA~1\Intuit\QUICKB~2\QBDBMgrN.exe [2006-09-13 11:32]

.
Contents of the 'Scheduled Tasks' folder
"2008-07-09 11:02:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-09 22:16:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-07-09 22:21:42 - machine was rebooted [HP_Owner]
ComboFix-quarantined-files.txt 2008-07-10 02:21:36
ComboFix2.txt 2008-07-08 18:44:18

Pre-Run: 156,846,075,904 bytes free
Post-Run: 156,861,526,016 bytes free

213 --- E O F --- 2008-07-09 07:01:20
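The most useful part of the ComboFix output above for anyone reading such a log is the snapshot diff near the top of this section: each "-" line is a file's state in the earlier snapshot and the matching "+" line is its state now. The following is an added example, not part of the original post or of ComboFix, that parses lines in that format and applies the check a responder would do by hand: pair each live file under system32 with the copy Windows File Protection keeps in system32\dllcache, and report whether the two moved together. The sample lines are a constructed excerpt in the shape of the user's log, not the full log, and the rule that "both copies changed to the same size and timestamp" marks a legitimate update is the example's own assumption.

```python
"""Summarise a ComboFix snapshot diff (the -/+ file lines) and pair each
live system32 file with its Windows File Protection copy in dllcache."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a handful of lines in the shape of the ComboFix
# snapshot diff posted above, not the user's complete log.
SAMPLE_LOG = r"""
- 2004-08-04 12:00:00 138,496 -c--a-w C:\WINDOWS\system32\dllcache\afd.sys
+ 2008-06-20 10:44:38 138,368 -c--a-w C:\WINDOWS\system32\dllcache\afd.sys
- 2008-02-20 05:32:43 148,992 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-06-20 17:41:10 148,992 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
- 2008-02-20 05:32:43 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-06-20 17:41:10 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
- 2004-08-04 12:00:00 245,248 -c--a-w C:\WINDOWS\system32\dllcache\mswsock.dll
+ 2008-06-20 17:41:10 245,248 -c--a-w C:\WINDOWS\system32\dllcache\mswsock.dll
- 2004-08-04 12:00:00 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
+ 2008-06-20 17:41:10 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
+ 2008-07-09 14:22:04 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
"""

# sign, "YYYY-MM-DD HH:MM:SS", size with thousands separators, attrs, path
LINE_RE = re.compile(
    r"^([+-])\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+([\d,]+)\s+(\S+)\s+(.+?)\s*$"
)


@dataclass(frozen=True)
class Entry:
    sign: str    # '-' = state in the earlier snapshot, '+' = current state
    stamp: str   # modification timestamp as printed by ComboFix
    size: int    # bytes
    attrs: str   # attribute string such as "-c--a-w"
    path: str


def parse_snapshot_diff(text):
    """Return an Entry for every -/+ line; anything else is ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sign, stamp, size, attrs, path = m.groups()
            entries.append(Entry(sign, stamp, int(size.replace(",", "")), attrs, path))
    return entries


def size_changes(entries):
    """Map lower-cased path -> (old_size, new_size) for files whose size
    differs between the '-' and '+' lines. A size change on a system binary
    means the file was replaced, not merely re-stamped."""
    old = {e.path.lower(): e for e in entries if e.sign == "-"}
    new = {e.path.lower(): e for e in entries if e.sign == "+"}
    return {
        p: (old[p].size, new[p].size)
        for p in old.keys() & new.keys()
        if old[p].size != new[p].size
    }


def _location(path):
    low = path.lower()
    if "\\system32\\dllcache\\" in low:
        return "dllcache"
    if "\\system32\\" in low:
        return "system32"
    return None


def pair_with_dllcache(entries):
    """For each file name in the '+' (current) lines, compare the live
    system32 copy with the dllcache copy. 'consistent' means both changed to
    the same size and timestamp (assumed here to be what a hotfix leaves);
    'mismatch' means the live file no longer agrees with its protected copy
    and deserves a hash and signature check."""
    by_name = defaultdict(dict)
    for e in entries:
        if e.sign != "+":
            continue
        loc = _location(e.path)
        if loc:
            by_name[e.path.rsplit("\\", 1)[-1].lower()][loc] = e
    verdicts = {}
    for name, copies in by_name.items():
        live, cache = copies.get("system32"), copies.get("dllcache")
        if live and cache:
            same = (live.size, live.stamp) == (cache.size, cache.stamp)
            verdicts[name] = "consistent" if same else "mismatch"
        else:
            verdicts[name] = "system32-only" if live else "dllcache-only"
    return verdicts


if __name__ == "__main__":
    parsed = parse_snapshot_diff(SAMPLE_LOG)
    for path, (before, after) in size_changes(parsed).items():
        print(f"size changed: {path} {before} -> {after}")
    for name, verdict in sorted(pair_with_dllcache(parsed).items()):
        print(f"{name:12s} {verdict}")
```

On the sample, dnsapi.dll and mswsock.dll come out "consistent": both the live copy and the dllcache copy moved to the same 2008-06-20 stamp and size, which is how a patch leaves them. afd.sys is reported as a size change and as "dllcache-only" because this excerpt of the log lists only its dllcache side, so the live driver would have to be checked separately; bdod.bin is "system32-only" since it has no protected copy at all. A "mismatch" verdict is the one that warrants pulling the file and verifying its hash and Authenticode signature rather than trusting the timestamp.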

#12 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Everything back to normal?

#13 KrunkMcGrunk (Topic Starter, Member, 11 posts)
Seems to be running fine. No pop-ups, no browser hijacks, no noticeable malware to speak of.

If that changes, I'll surely be letting you guys know. :)

Thanks for the help.

#14 KrunkMcGrunk (Topic Starter, Member, 11 posts)
Haha, well that was quick!

AVG is setting off an alert saying that there are some threats detected.

Both are coming from the C:\System Volume Information\_restoreXXX... etc

The first is "Trojan Horse Downloader.Zlob.ZHG" the second is "Trojan Horse Downloader.Zlob.ZHM". I'm just going to have AVG remove the threats.

#15 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Those are no longer a threat; they are items that have been deleted and are in your system restore points.
Doing the below will remove those items and what we used.

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Also delete/uninstall anything that we used that is left over.
============================================
After that your log is clean. :)

The following is a list of tools and utilities that I like to suggest to people.
You do not have to have all or any of them; they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

IE-SPYAD - Puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Tony Klein article - To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.