Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

how to remove Downloader.Delf.12.AN [RESOLVED]


  • This topic is locked This topic is locked

#1
redriller

redriller

    Member

  • Member
  • PipPip
  • 11 posts
Hi Geekstogo!
I'm in trouble with this thing. Please help me. I use AVG 8.0 Free Edition. When I open My Computer, My Document and Internet Explorer, AVG warned me and removed it. However, after that it's still there.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:43:49 PM, on 7/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\UniKey\UniKey.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com.vn/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {9CDD13C0-711E-4827-8949-7C45C3E399FC} - C:\WINDOWS\system32\dinpu.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [UniKey] C:\Program Files\UniKey\UniKey.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

--
End of file - 5058 bytes
  • 0

Advertisements


#2
Thunderbird1988

Thunderbird1988

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,416 posts
Hello redriller and welcome at Geekstogo,

I am Thunderbird1988 and I am going to remove your malwareproblems. If you have any questions, feel free to ask :)

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Thunderbird1988
  • 0

#3
redriller

redriller

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
I've followed the instruction before posting a Hijackthis log. I have activescan log and malwarebyts'antimalware log. Should I post them? Here is combofix log.

ComboFix 08-07-14.2 - Administrator 2008-07-16 9:45:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.292 [GMT 7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\salesmonitor
C:\UWA7P

.
((((((((((((((((((((((((( Files Created from 2008-06-16 to 2008-07-16 )))))))))))))))))))))))))))))))
.

2008-06-30 18:18 . 2008-07-14 22:01 268 --ah----- C:\sqmdata19.sqm
2008-06-30 18:18 . 2008-07-14 22:01 244 --ah----- C:\sqmnoopt19.sqm
2008-06-29 19:55 . 2008-07-14 06:06 268 --ah----- C:\sqmdata18.sqm
2008-06-29 19:55 . 2008-07-14 06:06 244 --ah----- C:\sqmnoopt18.sqm
2008-06-29 19:45 . 2008-07-14 00:02 268 --ah----- C:\sqmdata17.sqm
2008-06-29 19:45 . 2008-07-14 00:02 244 --ah----- C:\sqmnoopt17.sqm
2008-06-29 17:20 . 2008-07-12 21:40 268 --ah----- C:\sqmdata16.sqm
2008-06-29 17:20 . 2008-07-12 21:40 244 --ah----- C:\sqmnoopt16.sqm
2008-06-29 17:15 . 2001-07-09 10:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-06-29 17:12 . 2004-09-15 22:22 2,146,304 --------- C:\WINDOWS\UNNeroVision.exe
2008-06-29 17:12 . 2005-02-17 23:03 116,418 --------- C:\WINDOWS\UNNeroVision.cfg
2008-06-29 17:11 . 2008-06-29 17:11 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-06-29 17:11 . 2008-06-29 17:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-06-29 17:11 . 2004-07-20 16:24 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2008-06-29 17:11 . 2004-07-20 16:24 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2008-06-29 17:11 . 2004-07-20 16:24 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2008-06-29 17:11 . 2004-07-09 08:43 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2008-06-29 17:11 . 2004-07-20 16:24 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2008-06-29 17:11 . 2000-06-26 10:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-06-29 17:11 . 2001-06-26 07:15 38,912 --------- C:\WINDOWS\system32\picn20.dll
2008-06-28 22:45 . 2008-07-12 19:00 268 --ah----- C:\sqmdata15.sqm
2008-06-28 22:45 . 2008-07-12 19:00 244 --ah----- C:\sqmnoopt15.sqm
2008-06-28 18:16 . 2008-07-11 11:13 268 --ah----- C:\sqmdata14.sqm
2008-06-28 18:16 . 2008-07-11 11:13 244 --ah----- C:\sqmnoopt14.sqm
2008-06-28 07:21 . 2008-07-10 22:10 268 --ah----- C:\sqmdata13.sqm
2008-06-28 07:21 . 2008-07-10 22:10 244 --ah----- C:\sqmnoopt13.sqm
2008-06-27 22:44 . 2008-07-09 06:00 268 --ah----- C:\sqmdata12.sqm
2008-06-27 22:44 . 2008-07-09 06:00 244 --ah----- C:\sqmnoopt12.sqm
2008-06-26 23:42 . 2008-07-08 23:06 268 --ah----- C:\sqmdata11.sqm
2008-06-26 23:42 . 2008-07-08 23:06 244 --ah----- C:\sqmnoopt11.sqm
2008-06-26 01:07 . 2008-07-07 23:02 268 --ah----- C:\sqmdata10.sqm
2008-06-26 01:07 . 2008-07-07 23:02 244 --ah----- C:\sqmnoopt10.sqm
2008-06-25 22:23 . 2008-07-06 22:44 268 --ah----- C:\sqmdata09.sqm
2008-06-25 22:23 . 2008-07-06 22:44 244 --ah----- C:\sqmnoopt09.sqm
2008-06-25 16:54 . 2008-07-06 18:28 268 --ah----- C:\sqmdata08.sqm
2008-06-25 16:54 . 2008-07-06 18:28 244 --ah----- C:\sqmnoopt08.sqm
2008-06-24 22:52 . 2008-07-06 15:26 268 --ah----- C:\sqmdata07.sqm
2008-06-24 22:52 . 2008-07-06 15:26 244 --ah----- C:\sqmnoopt07.sqm
2008-06-24 21:10 . 2008-07-05 22:00 268 --ah----- C:\sqmdata06.sqm
2008-06-24 21:10 . 2008-07-05 22:00 244 --ah----- C:\sqmnoopt06.sqm
2008-06-24 20:03 . 2008-07-05 07:45 268 --ah----- C:\sqmdata05.sqm
2008-06-24 20:03 . 2008-07-05 07:45 244 --ah----- C:\sqmnoopt05.sqm
2008-06-24 19:01 . 2008-07-04 12:47 268 --ah----- C:\sqmdata04.sqm
2008-06-24 19:01 . 2008-07-04 12:47 244 --ah----- C:\sqmnoopt04.sqm
2008-06-23 21:22 . 2008-07-03 00:19 268 --ah----- C:\sqmdata03.sqm
2008-06-23 21:22 . 2008-07-03 00:19 244 --ah----- C:\sqmnoopt03.sqm
2008-06-23 06:29 . 2008-07-16 09:25 268 --ah----- C:\sqmdata02.sqm
2008-06-23 06:29 . 2008-07-16 09:25 244 --ah----- C:\sqmnoopt02.sqm
2008-06-22 20:33 . 2008-07-15 21:49 268 --ah----- C:\sqmdata01.sqm
2008-06-22 20:33 . 2008-07-15 21:49 244 --ah----- C:\sqmnoopt01.sqm
2008-06-21 20:57 . 2008-07-15 19:15 268 --ah----- C:\sqmdata00.sqm
2008-06-21 20:57 . 2008-07-15 19:15 244 --ah----- C:\sqmnoopt00.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-16 02:42 --------- d-----w C:\Program Files\FlashGet
2008-07-05 11:50 --------- d-----w C:\Program Files\mtd2002
2008-06-29 10:16 --------- d-----w C:\Program Files\Ahead
2008-06-25 11:28 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3
2008-06-07 03:55 --------- d-----w C:\Program Files\MSN Messenger
2008-05-21 14:46 --------- d-----w C:\Program Files\Plaxis8x
2008-05-14 12:05 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
.

------- Sigcheck -------

2004-08-04 08:07 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\system32\dllcache\tcpip.sys
2004-08-04 08:07 359040 6a603809f598332dbedd535bdbce313e C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9CDD13C0-711E-4827-8949-7C45C3E399FC}]
2004-08-04 08:07 104448 --a------ C:\WINDOWS\system32\dinpu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UniKey"="C:\Program Files\UniKey\UniKey.exe" [2004-04-08 05:34 122880]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-10-27 19:09 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-10-27 18:56 118784]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-13 19:23 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 09:35 536576]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-14 19:04 1177368]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 122880 C:\WINDOWS\BCMSMMSG.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\Program Files\\mtd2002\\mtdserver.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R0 lfvvxzdp;lfvvxzdp;C:\WINDOWS\system32\drivers\ooacqqqv.dat []
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-14 19:05]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-14 19:04]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-14 19:04]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-14 19:05]
S3 GT680xNT;ColorPage-Vivid 1200X;C:\WINDOWS\system32\drivers\gt680x.sys [2003-02-27 05:55]
S3 hpk;hpk;C:\WINDOWS\system32\drivers\hpk.sys [2007-11-07 20:07]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e904b445-c09f-11dc-a844-000f1f1692b9}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-16 09:50:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\lfvvxzdp]
"ImagePath"="system32\drivers\ooacqqqv.dat"
.
Completion time: 2008-07-16 9:53:39
ComboFix-quarantined-files.txt 2008-07-16 02:53:27

Pre-Run: 13,094,973,440 bytes free
Post-Run: 13,364,666,368 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

150

_____________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:01:48 AM, on 7/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UniKey\UniKey.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Page_URL =

http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Search_URL =

http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Search Page =

http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet

Explorer\Main,Start Page = http://google.com.vn/
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet

Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet

Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,HomeOldSP = about:blank
O2 - BHO: IeCatch5 Class -

{2F364306-AA45-47B5-9F9D-39A8B94E7EF7} -

C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter -

{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program

Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) -

{9CDD13C0-711E-4827-8949-7C45C3E399FC} -

C:\WINDOWS\system32\dinpu.dll
O2 - BHO: AVG Security Toolbar -

{A057A204-BACC-4D26-9990-79A187E2698E} -

C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: gFlash Class -

{F156768E-81EF-470C-9057-481BA8380DBA} -

C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar -

{E0E899AB-F487-11D5-8D29-0050BA6940E3} -

C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: AVG Security Toolbar -

{A057A204-BACC-4D26-9990-79A187E2698E} -

C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray]

C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds]

C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program

Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program

Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG8_TRAY]

C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck]

C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [UniKey] C:\Program

Files\UniKey\UniKey.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN

Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Download All with

FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet -

C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet -

C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet -

C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel

- res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research -

{92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet -

{D6E814A0-E0C5-11d4-8D29-0050BA6940E3} -

C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet -

{D6E814A0-E0C5-11d4-8D29-0050BA6940E3} -

C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8}

(ActiveScan 2.0 Installer Class) -

http://acs.pandasoft...abs/as2stubie.c

ab
O18 - Protocol: linkscanner -

{F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program

Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Autodesk Licensing Service - Autodesk -

C:\Program Files\Common Files\Autodesk

Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG

Technologies CZ, s.r.o. -

C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies

CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

--
End of file - 5107 bytes

Edited by redriller, 16 July 2008 - 08:04 PM.

  • 0

#4
Thunderbird1988

Thunderbird1988

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,416 posts
Hello redriller,

Yes, please post the logs of Malwarebyte and activescan.

Please do also do the following.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\dinpu.dll
C:\WINDOWS\system32\drivers\ooacqqqv.dat

Folder::

Driver::
lfvvxzdp

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9CDD13C0-711E-4827-8949-7C45C3E399FC}]



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Thunderbird1988
  • 0

#5
redriller

redriller

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hi thunderbird1988.
Here are activescan log and malwarebytes log.

;*******************************************************************************
*********************************************************************************
*******************
ANALYSIS: 2008-07-16 14:03:39
PROTECTIONS: 1
MALWARE: 6
SUSPECTS: 2
;*******************************************************************************
*********************************************************************************
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
=================================================================================
===================
AVG Anti-Virus Free 8.0 Yes Yes
;===============================================================================
=================================================================================
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
=================================================================================
===================
00041492 adware/cws.aboutblank Adware No 0 Yes No hkey_local_machine\software\microsoft\internet explorer\main\homeoldsp
00046160 adware/searchexe Adware No 0 Yes No HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL
00046160 adware/searchexe Adware No 0 Yes No HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar
00046160 adware/searchexe Adware No 0 Yes No hkey_current_user\software\microsoft\internet explorer\main\homeoldsp
02866161 Adware/AVSystemCare Adware No 0 Yes No C:\WINDOWS\system32\dinpu.4
02878114 Adware/AVSystemCare Adware No 0 Yes No C:\WINDOWS\system32\dinpu.5
02887975 Trj/BHO.AA Virus/Trojan No 0 Yes No C:\WINDOWS\system32\dinpu.6
02897170 Rootkit/Agent.HWS HackTools No 0 Yes No C:\WINDOWS\system32\drivers\ooacqqqv.dat
;===============================================================================
=================================================================================
===================
SUSPECTS
Sent Location i
;===============================================================================
=================================================================================
===================
No C:\WINDOWS\system32\dinpu.2 i
No C:\WINDOWS\system32\dinpu.3 i
;===============================================================================
=================================================================================
===================
VULNERABILITIES
Id Severity Description i
;===============================================================================
=================================================================================
===================
184380 MEDIUM MS08-002 i
184379 MEDIUM MS08-001 i
182048 HIGH MS07-069 i
182046 HIGH MS07-067 i
182043 HIGH MS07-064 i
179553 HIGH MS07-061 i
176382 HIGH MS07-057 i
176383 HIGH MS07-058 i
170911 HIGH MS07-050 i
170907 HIGH MS07-046 i
170906 HIGH MS07-045 i
170904 HIGH MS07-043 i
164915 HIGH MS07-035 i
164913 HIGH MS07-033 i
164911 HIGH MS07-031 i
160623 HIGH MS07-027 i
157262 HIGH MS07-022 i
157261 HIGH MS07-021 i
157260 HIGH MS07-020 i
157259 HIGH MS07-019 i
156477 HIGH MS07-017 i
150253 HIGH MS07-016 i
150249 HIGH MS07-013 i
150248 HIGH MS07-012 i
150247 HIGH MS07-011 i
150243 HIGH MS07-008 i
150242 HIGH MS07-007 i
150241 MEDIUM MS07-006 i
141034 HIGH MS06-076 i
141033 MEDIUM MS06-075 i
141030 HIGH MS06-072 i
137571 HIGH MS06-070 i
137568 HIGH MS06-067 i
133387 MEDIUM MS06-065 i
133386 MEDIUM MS06-064 i
133385 MEDIUM MS06-063 i
133379 HIGH MS06-057 i
131654 HIGH MS06-055 i
129977 MEDIUM MS06-053 i
129976 MEDIUM MS06-052 i
126093 HIGH MS06-051 i
126092 MEDIUM MS06-050 i
126087 HIGH MS06-046 i
126086 MEDIUM MS06-045 i
126083 HIGH MS06-042 i
126082 HIGH MS06-041 i
126081 HIGH MS06-040 i
123421 HIGH MS06-036 i
123420 HIGH MS06-035 i
120825 MEDIUM MS06-032 i
120823 MEDIUM MS06-030 i
120818 HIGH MS06-025 i
120815 HIGH MS06-022 i
120814 HIGH MS06-021 i
117384 MEDIUM MS06-018 i
114666 HIGH MS06-015 i
114664 HIGH MS06-013 i
108744 MEDIUM MS06-008 i
108743 MEDIUM MS06-007 i
108742 MEDIUM MS06-006 i
104567 HIGH MS06-002 i
104237 HIGH MS06-001 i
96574 HIGH MS05-053 i
93395 HIGH MS05-051 i
93394 HIGH MS05-050 i
93454 MEDIUM MS05-049 i
;===============================================================================
=================================================================================
===================

_______________________________

Malwarebytes' Anti-Malware 1.20
Database version: 957
Windows 5.1.2600 Service Pack 2

5:16:25 PM 7/16/2008
mbam-log-7-16-2008 (17-16-25).txt

Scan type: Quick Scan
Objects scanned: 37934
Time elapsed: 10 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thanks so much.
  • 0

#6
redriller

redriller

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
I have them here.

ComboFix 08-07-14.2 - Administrator 2008-07-17 15:23:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.304 [GMT 7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\dinpu.dll
C:\WINDOWS\system32\drivers\ooacqqqv.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dinpu.dll
C:\WINDOWS\system32\drivers\ooacqqqv.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LFVVXZDP
-------\Service_lfvvxzdp


((((((((((((((((((((((((( Files Created from 2008-06-17 to 2008-07-17 )))))))))))))))))))))))))))))))
.

2008-07-17 15:22 . 2008-07-17 15:22 169 --a------ C:\Start_.cmd
2008-07-16 14:05 . 2008-07-16 14:45 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-16 14:05 . 2008-07-16 14:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-16 14:05 . 2008-07-16 14:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-07-16 14:05 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-16 14:05 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-16 11:36 . 2008-07-16 11:36 <DIR> d-------- C:\Program Files\Panda Security
2008-07-16 11:36 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-07-16 10:25 . 2008-07-16 10:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-16 10:25 . 2008-07-16 11:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-07-16 10:19 . 2008-07-16 10:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-30 18:18 . 2008-07-14 22:01 268 --ah----- C:\sqmdata19.sqm
2008-06-30 18:18 . 2008-07-14 22:01 244 --ah----- C:\sqmnoopt19.sqm
2008-06-29 19:55 . 2008-07-14 06:06 268 --ah----- C:\sqmdata18.sqm
2008-06-29 19:55 . 2008-07-14 06:06 244 --ah----- C:\sqmnoopt18.sqm
2008-06-29 19:45 . 2008-07-14 00:02 268 --ah----- C:\sqmdata17.sqm
2008-06-29 19:45 . 2008-07-14 00:02 244 --ah----- C:\sqmnoopt17.sqm
2008-06-29 17:20 . 2008-07-12 21:40 268 --ah----- C:\sqmdata16.sqm
2008-06-29 17:20 . 2008-07-12 21:40 244 --ah----- C:\sqmnoopt16.sqm
2008-06-29 17:15 . 2001-07-09 10:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-06-29 17:11 . 2008-06-29 17:11 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-06-29 17:11 . 2008-06-29 17:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-06-29 17:11 . 2004-07-20 16:24 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2008-06-29 17:11 . 2004-07-20 16:24 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2008-06-29 17:11 . 2004-07-20 16:24 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2008-06-29 17:11 . 2004-07-09 08:43 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2008-06-29 17:11 . 2004-07-20 16:24 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2008-06-29 17:11 . 2000-06-26 10:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-06-29 17:11 . 2001-06-26 07:15 38,912 --------- C:\WINDOWS\system32\picn20.dll
2008-06-28 22:45 . 2008-07-12 19:00 268 --ah----- C:\sqmdata15.sqm
2008-06-28 22:45 . 2008-07-12 19:00 244 --ah----- C:\sqmnoopt15.sqm
2008-06-28 18:16 . 2008-07-11 11:13 268 --ah----- C:\sqmdata14.sqm
2008-06-28 18:16 . 2008-07-11 11:13 244 --ah----- C:\sqmnoopt14.sqm
2008-06-28 07:21 . 2008-07-10 22:10 268 --ah----- C:\sqmdata13.sqm
2008-06-28 07:21 . 2008-07-10 22:10 244 --ah----- C:\sqmnoopt13.sqm
2008-06-27 22:44 . 2008-07-09 06:00 268 --ah----- C:\sqmdata12.sqm
2008-06-27 22:44 . 2008-07-09 06:00 244 --ah----- C:\sqmnoopt12.sqm
2008-06-26 23:42 . 2008-07-08 23:06 268 --ah----- C:\sqmdata11.sqm
2008-06-26 23:42 . 2008-07-08 23:06 244 --ah----- C:\sqmnoopt11.sqm
2008-06-26 01:07 . 2008-07-07 23:02 268 --ah----- C:\sqmdata10.sqm
2008-06-26 01:07 . 2008-07-07 23:02 244 --ah----- C:\sqmnoopt10.sqm
2008-06-25 22:23 . 2008-07-06 22:44 268 --ah----- C:\sqmdata09.sqm
2008-06-25 22:23 . 2008-07-06 22:44 244 --ah----- C:\sqmnoopt09.sqm
2008-06-25 16:54 . 2008-07-06 18:28 268 --ah----- C:\sqmdata08.sqm
2008-06-25 16:54 . 2008-07-06 18:28 244 --ah----- C:\sqmnoopt08.sqm
2008-06-24 22:52 . 2008-07-06 15:26 268 --ah----- C:\sqmdata07.sqm
2008-06-24 22:52 . 2008-07-06 15:26 244 --ah----- C:\sqmnoopt07.sqm
2008-06-24 21:10 . 2008-07-05 22:00 268 --ah----- C:\sqmdata06.sqm
2008-06-24 21:10 . 2008-07-05 22:00 244 --ah----- C:\sqmnoopt06.sqm
2008-06-24 20:03 . 2008-07-05 07:45 268 --ah----- C:\sqmdata05.sqm
2008-06-24 20:03 . 2008-07-05 07:45 244 --ah----- C:\sqmnoopt05.sqm
2008-06-24 19:01 . 2008-07-04 12:47 268 --ah----- C:\sqmdata04.sqm
2008-06-24 19:01 . 2008-07-04 12:47 244 --ah----- C:\sqmnoopt04.sqm
2008-06-23 21:22 . 2008-07-16 11:16 268 --ah----- C:\sqmdata03.sqm
2008-06-23 21:22 . 2008-07-16 11:16 244 --ah----- C:\sqmnoopt03.sqm
2008-06-23 06:29 . 2008-07-16 09:25 268 --ah----- C:\sqmdata02.sqm
2008-06-23 06:29 . 2008-07-16 09:25 244 --ah----- C:\sqmnoopt02.sqm
2008-06-22 20:33 . 2008-07-15 21:49 268 --ah----- C:\sqmdata01.sqm
2008-06-22 20:33 . 2008-07-15 21:49 244 --ah----- C:\sqmnoopt01.sqm
2008-06-21 20:57 . 2008-07-15 19:15 268 --ah----- C:\sqmdata00.sqm
2008-06-21 20:57 . 2008-07-15 19:15 244 --ah----- C:\sqmnoopt00.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-17 02:19 --------- d-----w C:\Program Files\FlashGet
2008-07-16 04:26 --------- d-----w C:\Program Files\Ahead
2008-07-05 11:50 --------- d-----w C:\Program Files\mtd2002
2008-06-25 11:28 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3
2008-05-21 14:46 --------- d-----w C:\Program Files\Plaxis8x
2008-05-14 12:05 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
.

------- Sigcheck -------

2004-08-04 08:07 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\system32\dllcache\tcpip.sys
2004-08-04 08:07 359040 6a603809f598332dbedd535bdbce313e C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( [email protected]_ 9.52.46.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-30 03:39:58 128,256 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
+ 2005-10-20 13:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2008-03-17 13:16:45 53,166 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-16 04:22:00 53,166 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-17 13:16:45 380,918 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-16 04:22:01 380,918 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UniKey"="C:\Program Files\UniKey\UniKey.exe" [2004-04-08 05:34 122880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-10-27 19:09 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-10-27 18:56 118784]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-13 19:23 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 09:35 536576]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-14 19:04 1177368]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 122880 C:\WINDOWS\BCMSMMSG.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\Program Files\\mtd2002\\mtdserver.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-14 19:05]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-14 19:04]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-14 19:04]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-14 19:05]
S3 GT680xNT;ColorPage-Vivid 1200X;C:\WINDOWS\system32\drivers\gt680x.sys [2003-02-27 05:55]
S3 hpk;hpk;C:\WINDOWS\system32\drivers\hpk.sys [2007-11-07 20:07]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e904b445-c09f-11dc-a844-000f1f1692b9}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e904b446-c09f-11dc-a844-000f1f1692b9}]
\Shell\AutoRun\command - F:\Secret.exe
\Shell\explore\Command - F:\Secret.exe
\Shell\open\Command - F:\Secret.exe

.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MsnMsgr - C:\Program Files\MSN Messenger\MsnMsgr.Exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-17 15:29:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\d9b4e091-8e5a-4e0e-bbaa-683b4b712de3.tmp 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\UniKey\UKHook35.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-07-17 15:33:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-17 08:33:28

Pre-Run: 13,264,957,440 bytes free
Post-Run: 13,206,892,544 bytes free

177

_______________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:35:55 PM, on 7/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\UniKey\UniKey.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com.vn/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [UniKey] C:\Program Files\UniKey\UniKey.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

--
End of file - 5041 bytes
  • 0

#7
Thunderbird1988

Thunderbird1988

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,416 posts
Hello redriller,

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\dinpu.4
C:\WINDOWS\system32\dinpu.5
C:\WINDOWS\system32\dinpu.6


Folder::

Driver::
lfvvxzdp

Registry::

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e904b445-c09f-11dc-a844-000f1f1692b9}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e904b446-c09f-11dc-a844-000f1f1692b9}]



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Please tell me also how your computer is running.

Thunderbird1988
  • 0

#8
redriller

redriller

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Now it works smoothly. Thanks so much.

ComboFix 08-07-14.2 - Administrator 2008-07-18 8:07:55.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.299 [GMT 7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\dinpu.4
C:\WINDOWS\system32\dinpu.5
C:\WINDOWS\system32\dinpu.6
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dinpu.4
C:\WINDOWS\system32\dinpu.5
C:\WINDOWS\system32\dinpu.6

.
((((((((((((((((((((((((( Files Created from 2008-06-18 to 2008-07-18 )))))))))))))))))))))))))))))))
.

2008-07-17 15:22 . 2008-07-18 08:07 169 --a------ C:\Start_.cmd
2008-07-16 14:05 . 2008-07-16 14:45 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-16 14:05 . 2008-07-16 14:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-16 14:05 . 2008-07-16 14:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-07-16 14:05 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-16 14:05 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-16 11:36 . 2008-07-16 11:36 <DIR> d-------- C:\Program Files\Panda Security
2008-07-16 11:36 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-07-16 10:25 . 2008-07-16 10:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-16 10:25 . 2008-07-16 11:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-07-16 10:19 . 2008-07-16 10:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-30 18:18 . 2008-07-14 22:01 268 --ah----- C:\sqmdata19.sqm
2008-06-30 18:18 . 2008-07-14 22:01 244 --ah----- C:\sqmnoopt19.sqm
2008-06-29 19:55 . 2008-07-14 06:06 268 --ah----- C:\sqmdata18.sqm
2008-06-29 19:55 . 2008-07-14 06:06 244 --ah----- C:\sqmnoopt18.sqm
2008-06-29 19:45 . 2008-07-14 00:02 268 --ah----- C:\sqmdata17.sqm
2008-06-29 19:45 . 2008-07-14 00:02 244 --ah----- C:\sqmnoopt17.sqm
2008-06-29 17:20 . 2008-07-12 21:40 268 --ah----- C:\sqmdata16.sqm
2008-06-29 17:20 . 2008-07-12 21:40 244 --ah----- C:\sqmnoopt16.sqm
2008-06-29 17:15 . 2001-07-09 10:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-06-29 17:11 . 2008-06-29 17:11 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-06-29 17:11 . 2008-06-29 17:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-06-29 17:11 . 2004-07-20 16:24 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2008-06-29 17:11 . 2004-07-20 16:24 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2008-06-29 17:11 . 2004-07-20 16:24 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2008-06-29 17:11 . 2004-07-09 08:43 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2008-06-29 17:11 . 2004-07-20 16:24 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2008-06-29 17:11 . 2000-06-26 10:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-06-29 17:11 . 2001-06-26 07:15 38,912 --------- C:\WINDOWS\system32\picn20.dll
2008-06-28 22:45 . 2008-07-12 19:00 268 --ah----- C:\sqmdata15.sqm
2008-06-28 22:45 . 2008-07-12 19:00 244 --ah----- C:\sqmnoopt15.sqm
2008-06-28 18:16 . 2008-07-11 11:13 268 --ah----- C:\sqmdata14.sqm
2008-06-28 18:16 . 2008-07-11 11:13 244 --ah----- C:\sqmnoopt14.sqm
2008-06-28 07:21 . 2008-07-10 22:10 268 --ah----- C:\sqmdata13.sqm
2008-06-28 07:21 . 2008-07-10 22:10 244 --ah----- C:\sqmnoopt13.sqm
2008-06-27 22:44 . 2008-07-09 06:00 268 --ah----- C:\sqmdata12.sqm
2008-06-27 22:44 . 2008-07-09 06:00 244 --ah----- C:\sqmnoopt12.sqm
2008-06-26 23:42 . 2008-07-08 23:06 268 --ah----- C:\sqmdata11.sqm
2008-06-26 23:42 . 2008-07-08 23:06 244 --ah----- C:\sqmnoopt11.sqm
2008-06-26 01:07 . 2008-07-07 23:02 268 --ah----- C:\sqmdata10.sqm
2008-06-26 01:07 . 2008-07-07 23:02 244 --ah----- C:\sqmnoopt10.sqm
2008-06-25 22:23 . 2008-07-06 22:44 268 --ah----- C:\sqmdata09.sqm
2008-06-25 22:23 . 2008-07-06 22:44 244 --ah----- C:\sqmnoopt09.sqm
2008-06-25 16:54 . 2008-07-06 18:28 268 --ah----- C:\sqmdata08.sqm
2008-06-25 16:54 . 2008-07-06 18:28 244 --ah----- C:\sqmnoopt08.sqm
2008-06-24 22:52 . 2008-07-06 15:26 268 --ah----- C:\sqmdata07.sqm
2008-06-24 22:52 . 2008-07-06 15:26 244 --ah----- C:\sqmnoopt07.sqm
2008-06-24 21:10 . 2008-07-05 22:00 268 --ah----- C:\sqmdata06.sqm
2008-06-24 21:10 . 2008-07-05 22:00 244 --ah----- C:\sqmnoopt06.sqm
2008-06-24 20:03 . 2008-07-05 07:45 268 --ah----- C:\sqmdata05.sqm
2008-06-24 20:03 . 2008-07-05 07:45 244 --ah----- C:\sqmnoopt05.sqm
2008-06-24 19:01 . 2008-07-04 12:47 268 --ah----- C:\sqmdata04.sqm
2008-06-24 19:01 . 2008-07-04 12:47 244 --ah----- C:\sqmnoopt04.sqm
2008-06-23 21:22 . 2008-07-16 11:16 268 --ah----- C:\sqmdata03.sqm
2008-06-23 21:22 . 2008-07-16 11:16 244 --ah----- C:\sqmnoopt03.sqm
2008-06-23 06:29 . 2008-07-16 09:25 268 --ah----- C:\sqmdata02.sqm
2008-06-23 06:29 . 2008-07-16 09:25 244 --ah----- C:\sqmnoopt02.sqm
2008-06-22 20:33 . 2008-07-15 21:49 268 --ah----- C:\sqmdata01.sqm
2008-06-22 20:33 . 2008-07-15 21:49 244 --ah----- C:\sqmnoopt01.sqm
2008-06-21 20:57 . 2008-07-15 19:15 268 --ah----- C:\sqmdata00.sqm
2008-06-21 20:57 . 2008-07-15 19:15 244 --ah----- C:\sqmnoopt00.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-17 02:19 --------- d-----w C:\Program Files\FlashGet
2008-07-16 04:26 --------- d-----w C:\Program Files\Ahead
2008-07-05 11:50 --------- d-----w C:\Program Files\mtd2002
2008-06-25 11:28 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3
2008-05-21 14:46 --------- d-----w C:\Program Files\Plaxis8x
2008-05-14 12:05 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
.

------- Sigcheck -------

2004-08-04 08:07 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\system32\dllcache\tcpip.sys
2004-08-04 08:07 359040 6a603809f598332dbedd535bdbce313e C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( [email protected]_ 9.52.46.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-30 03:39:58 128,256 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
+ 2005-10-20 13:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2008-03-17 13:16:45 53,166 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-16 04:22:00 53,166 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-17 13:16:45 380,918 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-16 04:22:01 380,918 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UniKey"="C:\Program Files\UniKey\UniKey.exe" [2004-04-08 05:34 122880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-10-27 19:09 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-10-27 18:56 118784]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-13 19:23 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 09:35 536576]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-14 19:04 1177368]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 122880 C:\WINDOWS\BCMSMMSG.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\Program Files\\mtd2002\\mtdserver.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-14 19:05]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-14 19:04]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-14 19:04]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-14 19:05]
S3 GT680xNT;ColorPage-Vivid 1200X;C:\WINDOWS\system32\drivers\gt680x.sys [2003-02-27 05:55]
S3 hpk;hpk;C:\WINDOWS\system32\drivers\hpk.sys [2007-11-07 20:07]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-18 08:09:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-18 8:11:49
ComboFix-quarantined-files.txt 2008-07-18 01:11:45

Pre-Run: 13,196,017,664 bytes free
Post-Run: 13,187,358,720 bytes free

150

____________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:12:47 AM, on 7/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\UniKey\UniKey.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com.vn/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [UniKey] C:\Program Files\UniKey\UniKey.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

--
End of file - 4894 bytes
  • 0

#9
Thunderbird1988

Thunderbird1988

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,416 posts
Hello redriller,

Congratulations, your log is clean.

b]Follow these steps to uninstall Combofix and tools used in the removal of malware[/b]
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Posted Image

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millenium System Restore

    or

    Windows XP System Restore Guide

    Reenable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety


Thunderbird1988
  • 0

#10
Thunderbird1988

Thunderbird1988

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,416 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP