Malware and Virus found [RESOLVED]


  • This topic is locked

#16 Mojo_Workin (Topic Starter, Member, 23 posts)
Am working on shutting down my Anti-virus and such. AVG just came out with version 8 and I haven't figured out all the ins and outs.

I'll get back to you as soon as I figure this out.

MW

#17 IndiGenus (Anti-Malware Buddha, Member, 1,617 posts)
You should be able to just right click on the icon in the system tray and select disable on-access protection (or something to that effect).

#18 Mojo_Workin (Topic Starter, Member, 23 posts)
That worked in version 7.5, but 8.0 (I have full version) is a bit different and I have to look into how to temporarily disable it.

#19 Mojo_Workin (Topic Starter, Member, 23 posts)
OK, finally got things done...here are the logs...Combo first then HiJack...

ComboFix:

ComboFix 08-09-01.03 - owner 2008-09-03 8:10:57.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1323 [GMT -4:00]
Running from: C:\Users\owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\owner\AppData\Roaming\macromedia\Flash Player\#SharedObjects\8TXAG8RQ\bin.clearspring.com
C:\Users\owner\AppData\Roaming\macromedia\Flash Player\#SharedObjects\8TXAG8RQ\bin.clearspring.com\clearspring.sol
C:\Users\owner\AppData\Roaming\macromedia\Flash Player\#SharedObjects\8TXAG8RQ\bin.clearspring.com\ws\wan\wanLib.swf\478548f4bc55e3db.sol
C:\Users\owner\AppData\Roaming\macromedia\Flash Player\#SharedObjects\8TXAG8RQ\interclick.com
C:\Users\owner\AppData\Roaming\macromedia\Flash Player\#SharedObjects\8TXAG8RQ\interclick.com\ud.sol
C:\Users\owner\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Users\owner\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Users\owner\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Users\owner\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Users\owner\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
C:\WINDOWS\Downloaded Program Files\setup.inf

.
((((((((((((((((((((((((( Files Created from 2008-08-03 to 2008-09-03 )))))))))))))))))))))))))))))))
.

2008-09-02 00:29 . 2008-08-29 04:05 <DIR> d-------- C:\SDFix
2008-08-31 23:48 . 2008-08-31 23:48 <DIR> d-------- C:\Program Files\Panda Security
2008-08-31 23:48 . 2008-06-19 17:24 28,544 --a------ C:\Windows\System32\drivers\pavboot.sys
2008-08-30 03:54 . 2008-09-02 12:08 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-29 22:44 . 2008-09-02 18:38 <DIR> d-------- C:\Windows\System32\drivers\Avg
2008-08-29 22:44 . 2008-08-29 22:44 <DIR> d-------- C:\Users\All Users\avg8
2008-08-29 22:44 . 2008-08-29 22:44 <DIR> d-------- C:\ProgramData\avg8
2008-08-29 22:44 . 2008-08-29 22:44 <DIR> d-------- C:\Program Files\AVG
2008-08-29 22:44 . 2008-08-29 22:44 97,928 --a------ C:\Windows\System32\drivers\avgldx86.sys
2008-08-29 22:44 . 2008-08-29 22:44 69,128 --a------ C:\Windows\System32\drivers\avgwfpx.sys
2008-08-29 22:44 . 2008-08-29 22:44 12,936 --a------ C:\Windows\System32\drivers\avgrkx86.sys
2008-08-29 22:44 . 2008-08-29 22:44 10,520 --a------ C:\Windows\System32\avgrsstx.dll
2008-08-29 22:21 . 2008-08-29 22:21 <DIR> d-------- C:\escwsa
2008-08-29 20:17 . 2008-08-29 20:17 <DIR> d-------- C:\Program Files\Sophos
2008-08-26 21:35 . 2008-08-26 21:35 <DIR> d-------- C:\Program Files\Sun
2008-08-26 21:26 . 2008-08-26 21:29 <DIR> d-------- C:\Users\owner\.SunDownloadManager
2008-08-21 16:50 . 2008-08-21 16:50 <DIR> d-------- C:\Users\owner\AppData\Roaming\Malwarebytes
2008-08-21 16:50 . 2008-08-21 16:50 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-08-21 16:50 . 2008-08-21 16:50 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-08-21 16:50 . 2008-08-21 16:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-21 16:50 . 2008-08-17 15:01 38,472 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-08-21 16:50 . 2008-08-17 15:01 17,144 --a------ C:\Windows\System32\drivers\mbam.sys
2008-08-20 00:34 . 2008-08-20 00:34 <DIR> d-------- C:\Users\owner\AppData\Roaming\Snapfish
2008-08-19 17:51 . 2008-08-19 17:50 838,094 --a------ C:\Windows\System32\oem47.inf
2008-08-19 08:19 . 2008-08-19 08:22 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-19 08:09 . 2008-08-19 08:18 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-08-19 08:09 . 2008-08-19 08:18 <DIR> d-------- C:\ProgramData\Lavasoft
2008-08-19 08:09 . 2008-08-19 08:09 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-19 08:07 . 2008-08-19 08:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-18 18:10 . 2008-08-31 23:47 <DIR> d-------- C:\Users\owner\.housecall6.6
2008-08-18 16:14 . 2008-08-18 17:04 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-08-18 16:14 . 2008-08-18 17:04 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-08-18 14:36 . 2008-08-18 14:53 <DIR> d-------- C:\Program Files\PCPitstop
2008-08-16 21:53 . 2008-08-18 01:16 <DIR> d--h----- C:\MRI_PE_TEMP
2008-08-16 17:58 . 2008-08-16 17:58 <DIR> d-------- C:\Users\All Users\Geek Squad
2008-08-16 17:58 . 2008-08-16 17:58 <DIR> d-------- C:\ProgramData\Geek Squad
2008-08-15 09:37 . 2008-08-15 09:37 <DIR> d-------- C:\Users\owner\AppData\Roaming\Webroot
2008-08-14 16:27 . 2008-08-14 16:27 <DIR> d-------- C:\Program Files\Western Digital
2008-08-14 16:26 . 2008-08-14 16:26 <DIR> d-------- C:\Program Files\Western Digital Technologies
2008-08-13 20:08 . 2008-06-18 23:31 361,984 --a------ C:\Windows\System32\IPSECSVC.DLL
2008-08-13 20:08 . 2008-04-18 01:48 269,312 --a------ C:\Windows\System32\es.dll
2008-08-13 20:06 . 2008-06-26 21:55 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-08-13 20:05 . 2008-06-27 00:15 827,392 --a------ C:\Windows\System32\wininet.dll
2008-08-13 20:04 . 2008-04-10 01:12 738,304 --a------ C:\Windows\System32\inetcomm.dll
2008-08-13 19:59 . 2008-07-15 21:32 2,048 --a------ C:\Windows\System32\tzres.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-03 10:17 25,183 ----a-w C:\Users\owner\AppData\Roaming\nvModes.dat
2008-08-31 02:43 164 ----a-w C:\install.dat
2008-08-29 17:43 --------- d---a-w C:\ProgramData\TEMP
2008-08-27 01:35 --------- d-----w C:\Program Files\Java
2008-08-24 13:20 --------- d-----w C:\ProgramData\Microsoft Help
2008-08-21 12:16 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-18 20:14 --------- d-----w C:\Program Files\spybot - search & destroy
2008-08-18 19:06 --------- d-----w C:\Program Files\Trend Micro
2008-08-14 19:43 --------- d-----w C:\Program Files\Group Publishing
2008-08-14 04:08 --------- d-----w C:\Program Files\Microsoft Works
2008-08-14 00:35 --------- d-----w C:\Program Files\Windows Mail
2008-08-10 22:07 --------- d-----w C:\Program Files\Hewlett-Packard
2008-08-10 12:47 --------- d-----w C:\ProgramData\Roxio
2008-07-23 11:56 --------- d-----w C:\Program Files\Picasa2
2008-07-23 11:55 --------- d-----w C:\Program Files\Google
2008-07-20 11:14 --------- d-----w C:\Program Files\quicktime
2008-07-20 11:13 --------- d-----w C:\ProgramData\Apple Computer
2008-07-20 11:12 --------- d-----w C:\ProgramData\Apple
2008-07-20 11:12 --------- d-----w C:\Program Files\Apple Software Update
2008-07-07 11:13 --------- d-----w C:\Program Files\Quicken
2008-06-26 03:29 801,280 ----a-w C:\Windows\System32\NaturalLanguage6.dll
2008-06-26 01:45 2,644,480 ----a-w C:\Windows\System32\NlsLexicons0009.dll
2008-06-26 01:45 12,240,896 ----a-w C:\Windows\System32\NlsLexicons0007.dll
2008-06-12 05:28 541,696 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-06-01 21:00 174 --sha-w C:\Program Files\desktop.ini
2007-10-26 23:34 123,800 ----a-w C:\Users\owner\AppData\Roaming\GDIPFONTCACHEV1.DAT
2007-05-24 03:05 316 ----a-w C:\Users\owner\AppData\Roaming\wklnhst.dat
2007-01-27 01:05 32 ----a-r C:\Users\All Users\hash.dat
2007-01-27 01:05 32 ----a-r C:\ProgramData\hash.dat
2008-04-20 01:05 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-04-20 01:05 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-04-20 01:05 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2007-02-01 11:31 22 --sha-w C:\Windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-02-27 90191]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-02-27 7770112]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-02-27 81920]
"QuickTime Task"="C:\Program Files\quicktime\QTTask.exe" [2008-05-27 413696]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-29 1235736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="C:\Windows\SMINST\launcher.exe" [2006-11-07 44128]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
HP Connections.lnk - C:\Program Files\HP Connections\6811507\Program\HP Connections.exe [2007-01-08 34520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{9C992185-5D6E-44ED-9F98-C31F9BF9852D}"= UDP:C:\Program Files\HP\QuickPlay\QP.exe:QP
"{3ACC661B-F789-435F-8A7A-E0101CA25F46}"= TCP:C:\Program Files\HP\QuickPlay\QP.exe:QP
"{2DEFE7A0-6549-47D4-BA8D-915D57553FBE}"= UDP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{1582B464-3D60-4D55-9FE9-480DCB471C63}"= C:\Program Files\HP Connections\6811507\Program\HP Connections:HP Connections
"{3C5C3E18-B552-43A4-AE87-4B028FEA98A6}"= UDP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{67268AFF-8519-496C-B652-39D25DC3AF34}"= TCP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{8081FFC9-15FC-44B0-882D-3CCD67033626}"= UDP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{C0675D90-8287-4F17-94E4-75FA05321750}"= TCP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{DBE0B740-D34A-4327-94F9-01F67885643D}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{BDA8BCA6-AF06-4D5C-AE48-A913B8DA82D1}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{2A4D1A12-55E1-443F-94AF-AE75ABF01EE6}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{11D2151D-F182-4624-AB0D-82AD7CBB2DAD}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{54C2E4BA-B39D-4B29-B38D-52B47AEB3D80}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{1E7CF3D2-A2E1-4ED0-93E0-13412A238271}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{7E413958-46A6-49F5-84C8-14A20DF9CDF3}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{DA8FD9FE-5A61-40F2-B57C-F65D902DAF3E}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{18A6D6E6-E89E-43C2-8EBF-7FDC9503E99A}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{E5FCAC47-7DE1-4AF5-9E2C-867C009997B5}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{894E7B1B-4C8C-4C8A-B887-609889FC2871}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{1521A18D-4FF7-45E4-9DC9-60A3A6F0EE60}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{2DE9FFA5-BD6E-454C-AE84-82AE29ADF578}"= UDP:C:\Program Files\TurboTax\Home & Business 2006\32bit\ttax.exe:TurboTax
"{7ED95E5B-A7B4-405D-B01A-394F5F1E370F}"= TCP:C:\Program Files\TurboTax\Home & Business 2006\32bit\ttax.exe:TurboTax
"{91B5AAC3-4FB3-4903-AF92-5475188FD44D}"= UDP:C:\Program Files\TurboTax\Home & Business 2006\32bit\updatemgr.exe:TurboTax Update Manager
"{165FC085-45DF-44FE-8E41-7C3BAD3CD42D}"= TCP:C:\Program Files\TurboTax\Home & Business 2006\32bit\updatemgr.exe:TurboTax Update Manager
"{0FFE8AEA-EBB5-4899-A8BD-D375C7B7750D}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{6555B63F-00F3-4199-9CBD-B5332C47D0AE}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{39312E12-5D22-4DE2-AE3B-AF267E3E614B}"= UDP:C:\Program Files\TurboTax\Home & Business 2007\32bit\ttax.exe:TurboTax
"{12E803E7-0068-4582-9257-B3EDFC1EA314}"= TCP:C:\Program Files\TurboTax\Home & Business 2007\32bit\ttax.exe:TurboTax
"{19169CB5-609C-402C-8A3F-C5BE01A5F026}"= UDP:C:\Program Files\TurboTax\Home & Business 2007\32bit\updatemgr.exe:TurboTax Update Manager
"{767DF474-2FCE-4281-AE0F-FACE24A44BE4}"= TCP:C:\Program Files\TurboTax\Home & Business 2007\32bit\updatemgr.exe:TurboTax Update Manager
"{52091AE2-9324-4C11-A268-DB1D614D791D}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{74CDEE9B-006E-4962-AC7B-53231F5C1B94}"= C:\Program Files\AVG\AVG8\avgupd.exe:avgupd.exe
"{E74F72BC-E1A0-4089-8E8B-EB4EE181E74C}"= C:\Program Files\AVG\AVG8\avgnsx.exe:avgnsx.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R0 AvgRkx86;avgrkx86.sys;C:\Windows\system32\Drivers\avgrkx86.sys [2008-08-29 12936]
R0 pavboot;pavboot;C:\Windows\system32\drivers\pavboot.sys [2008-06-19 28544]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\Windows\system32\Drivers\avgldx86.sys [2008-08-29 97928]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-29 231704]
R2 avgfws8;AVG8 Firewall;C:\PROGRA~1\AVG\AVG8\avgfws8.exe [2008-08-29 1220888]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-07-07 809296]
R3 AvgWfpX;AVG8 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfpx.sys [2008-08-29 69128]
R3 CnxtHdAudService;Conexant UAA Function Driver for High Definition Audio Service;C:\Windows\system32\drivers\CHDRT32.sys [2008-03-04 188416]
S3 Flash1;Flash1;C:\SwSetup\SP38062\winphlash\Flash1.sys [2006-03-01 3456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{87f9a413-6a05-11dd-885e-0016d31a65cb}]
\shell\AutoRun\command - F:\wd_windows_tools\WDSetup.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-HP Health Check Scheduler - c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.buffalostate.edu/
R0 -: HKLM-Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O16 -: {54D53429-945C-4188-B460-C81356541882} - hxxp://photosmart.hpphoto.com/Download/HPeServicesLocalPrint.CAB
C:\WINDOWS\Downloaded Program Files\HPeServicesLocalPrint.inf
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-03 08:15:06
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-03 8:16:26
ComboFix-quarantined-files.txt 2008-09-03 12:16:13

Pre-Run: 65,708,773,376 bytes free
Post-Run: 65,787,633,664 bytes free

220 --- E O F --- 2008-09-02 21:12:17

#20 Mojo_Workin (Topic Starter, Member, 23 posts)
Here is HiJack...

Thanks for all the assistance you have given so far...hopefully we can clean this and I can get BB or HP to repair the intermittent powerups...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:17:46 AM, on 9/3/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.buffalostate.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...n&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [SynTPStart] "C:\Program Files\Synaptics\SynTP\SynTPStart.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] "C:\Windows\system32\RUNDLL32.EXE" C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "C:\Windows\system32\RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "C:\Windows\system32\RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\quicktime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] "C:\PROGRA~1\AVG\AVG8\avgtray.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JR1916~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JR1916~1.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebo...toUploader5.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...t/PCPitStop.CAB
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...fishActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin....nderControl.cab
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/...rs.1.0.0.39.cab
O16 - DPF: {54D53429-945C-4188-B460-C81356541882} (SaveImageFiles Class) - http://photosmart.hp...sLocalPrint.CAB
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/...O1.cab55579.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://147.4.73.99/a...sCamControl.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn...gr.cab31267.cab
O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVCDownloadControl) - http://download.game...loadControl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/...ersion=1,0,0,10
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop...irus/PitPav.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Unknown owner - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe (file missing)
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10051 bytes
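The two logs above (ComboFix in #19 and HijackThis in #20) are what a helper reads by hand, looking first at loading points. As an added example, not part of this thread, of ComboFix or of HijackThis, here is a small Python triage script that pulls out the entries worth a second look: policy values in the ComboFix "Reg Loading Points" section that weaken the host (EnableLUA, EnableFirewall, DisableMonitoring), and HJT entries that point at missing files, the AppInit_DLLs injection point, or an autorun living under a user-writable directory. The sample lines are copied from the logs above, except the one O4 "updater" line, which is constructed to exercise the path check; the list of policies to flag and the user-writable directory patterns are assumptions of this example, not something either tool defines.

```python
"""Triage of ComboFix 'Reg Loading Points' and HijackThis log lines.

Added example for this thread; not part of ComboFix, HijackThis or the
posted logs. Sample lines are copied from the logs above except where
marked as constructed.
"""
from __future__ import annotations

import re

# Policy values that weaken the host when set this way. The list is an
# assumption of this example, chosen from keys visible in the posted log.
WEAKENING_POLICIES = {
    "EnableLUA": "0",          # UAC switched off
    "EnableFirewall": "0",     # Windows Firewall profile switched off
    "DisableMonitoring": "1",  # Security Center stops alerting on AV/firewall state
}

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.+?)\s*$')
_HJT_RE = re.compile(r"^(?P<type>[ORFN]\d+)\s+-\s+(?P<body>.*)$")
# Directories an ordinary user can write to; an assumed, non-exhaustive list.
_USER_WRITABLE_RE = re.compile(r"\\(AppData|Local Settings|Temp)\\", re.IGNORECASE)


def _normalize(raw: str) -> str:
    """Reduce ComboFix value renderings ('0 (0x0)', 'dword:00000001') to a decimal string."""
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
    if m:
        return str(int(m.group(1), 16))
    m = re.fullmatch(r"(\d+)\s*\(0x[0-9a-fA-F]+\)", raw)
    if m:
        return m.group(1)
    return raw


def combofix_policy_findings(log: str) -> list[tuple[str, str, str]]:
    """Return (registry_key, value_name, value) for each weakening policy value."""
    findings = []
    key = None
    for line in log.splitlines():
        km = _KEY_RE.match(line)
        if km:
            key = km.group("key")  # remember the [key] header for the values below it
            continue
        vm = _VAL_RE.match(line)
        if vm and key is not None:
            name, value = vm.group("name"), _normalize(vm.group("raw"))
            if WEAKENING_POLICIES.get(name) == value:
                findings.append((key, name, value))
    return findings


def hjt_findings(log: str) -> list[tuple[str, str, str]]:
    """Return (entry_type, reason, line) for HJT entries that deserve a second look."""
    findings = []
    for line in log.splitlines():
        m = _HJT_RE.match(line.strip())
        if not m:
            continue
        entry, body = m.group("type"), m.group("body")
        if "(no file)" in body or "(file missing)" in body:
            findings.append((entry, "orphaned entry, referenced file is gone", line))
        elif entry == "O20" and body.startswith("AppInit_DLLs"):
            findings.append((entry, "AppInit_DLLs loads into every user32 process", line))
        elif entry == "O4" and _USER_WRITABLE_RE.search(body):
            findings.append((entry, "autorun from a user-writable directory", line))
    return findings


# Lines copied from the ComboFix log in post #19.
COMBOFIX_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{9C992185-5D6E-44ED-9F98-C31F9BF9852D}"= UDP:C:\Program Files\HP\QuickPlay\QP.exe:QP
"""

# Lines copied from the HijackThis log in post #20, plus one constructed
# O4 line (the 'updater' entry) to exercise the user-writable-path check.
HJT_SAMPLE = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] "C:\PROGRA~1\AVG\AVG8\avgtray.exe"
O4 - HKCU\..\Run: [updater] C:\Users\owner\AppData\Roaming\updater\svch0st.exe
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
"""

if __name__ == "__main__":
    for key, name, value in combofix_policy_findings(COMBOFIX_SAMPLE):
        print(f"[ComboFix] {name}={value} under {key}")
    for entry, reason, line in hjt_findings(HJT_SAMPLE):
        print(f"[HJT] {entry}: {reason}\n      {line}")
```

A hit is a prompt to check, not a verdict. In this thread the O20 entry names avgrsstx.dll, which the ComboFix log lists among the files written when AVG was installed on 2008-08-29, and the orphaned O2 and O23 entries reference files that no longer exist, which is the usual signature of an uninstall leftover rather than of something active. The disabled UAC and firewall profiles are the findings that actually change the machine's exposure and are worth confirming with the owner.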

#21 IndiGenus (Anti-Malware Buddha, Member, 1,617 posts)
Hi MW,

Nothing of note there, and I'm still not seeing anything active. You are not having any indications that you are infected such as pop-ups, redirects, home page changes, or other odd behavior right? Just the System Analyzer indication?

What concerns me is the fact that I can't even find a copy of this Webroot System Analyzer online. I only get page not found errors. I've also seen a couple of posts in forums claiming the same infection but no other indications from any other tool, just like you.

Since you were able to link this to Trend Micro let's run an online scan with their tool.

TrendMicro™ HouseCall Java Scan
  • Please go HERE to run the Trend Micro™ HouseCall Scan.
  • Click Scan now. It's free!
  • Read and put a Check next to Yes I accept the terms of use.
  • Click the Launching HouseCall>> button.
  • If confirmed that HouseCall can run on your system, under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
  • You may receive a Security Warning about the TrendMicro Java applet, click YES.
  • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
  • Please be patient while it installs, updates, and scans your system.
  • Once the scan is complete, it will take you to the summary page.
  • Under Cleanup options, choose clean all detected infections automatically.
  • Click the Clean now>> button.
  • If anything was found you may be prompted to run the scan again, you can just close the browser window.

Post any details about the scan in your next reply along with a fresh HJT log and a description of how your PC is behaving.

#22 Mojo_Workin (Topic Starter, Member, 23 posts)
IndiG,

I have tried using the online scanner, however the installation for its JS program says the installation failed. I am not sure why it will not install. Will continue on the path of troubleshooting and get back to you. In the meantime, any other online scanners you might suggest other than TM?

Thanks,

MW

#23 IndiGenus (Anti-Malware Buddha, Member, 1,617 posts)
For the Trend Micro scan, try running IE as an Admin.

Right click on Internet Explorer and select Run as Administrator.

Here's another in case that won't work.

F-Secure online scan for Viruses, Spyware and RootKits:
  • Go to http://support.f-sec.../home/ols.shtml
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the Active X control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
Notes:
  • This scan will only work with Internet Explorer
  • You must have administrator rights to run this scan
  • This scan can take several hours, so please be patient


#24 Mojo_Workin (Topic Starter, Member, 23 posts)
IndiG,

Sorry for so long for a response. I work weekends and was quite busy.

Here is a scan I ran from F-Secure...

Scanning Report
Monday, September 08, 2008 10:26:53 - 15:15:24
Computer name: DARLENE
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 3 malware found
Backdoor.Win32.Bifrose.zqo (virus)
C:\MY GAMES\MYSTIC INN\HXZGQJC.EXE (Renamed)
TrackingCookie.Atwola (spyware)
System
W32/Malware (virus)
C:\PROGRAM FILES\SPYWAREBLASTER\SBAUTOUPDATE.EXE

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 95499
System: 5239
Not scanned: 21
Actions:
Disinfected: 0
Renamed: 1
Deleted: 0
None: 2
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\COMPONENTS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\COMPONENTS
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SAM
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SYSTEM
C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB
C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB
C:\USERS\ALL USERS\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\476A210FD1FC31E66EC0553F504EA0F4_F35710D4-AB08-4DA8-B6A2-9BFC6196DA66
C:\USERS\ALL USERS\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\99C0010E948A60973C532528B91919AD_F35710D4-AB08-4DA8-B6A2-9BFC6196DA66
C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\476A210FD1FC31E66EC0553F504EA0F4_F35710D4-AB08-4DA8-B6A2-9BFC6196DA66
C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\99C0010E948A60973C532528B91919AD_F35710D4-AB08-4DA8-B6A2-9BFC6196DA66
C:\BOOT\BCD

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.30.0
F-Secure Hydra: 2.8.8110, 2008-09-08
F-Secure Pegasus: 1.20.0, 2008-04-14
F-Secure AVP: 7.0.171, 2008-09-08
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------

  • 0

#25
IndiGenus

IndiGenus

    Anti-Malware Buddha

  • Member
  • PipPipPipPip
  • 1,617 posts
Hi,

Not much there...one interesting file I can't find much on was renamed:

C:\MY GAMES\MYSTIC INN\HXZGQJC.EXE

Any idea where that is from? The others were a harmless cookie and a false positive.

Were you able to try and run Trend Micro by running as an Administrator?

How is it running otherwise?
  • 0



#26
Mojo_Workin

Mojo_Workin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
IndiG,

That is a game program file from Big Fish games and I have since uninstalled it. However, I ran the System Analyzer and it still says that the Mal/Behav-041 virus exists, and that myweb-my search is still on there as well as kazaa...my wife doesn't even know what kazaa IS...

I am beginning to think that program is garbage. In their help they say how to see where a file is located, however I could not make it work. Something about using the report and opening it in the command prompt window. I guess I just have to find out how to do this in more detail.

Thanks for all the help you have been and are providing. I am usually good with working with this stuff, but this one is giving me a headache!

MW
  • 0

#27
IndiGenus

IndiGenus

    Anti-Malware Buddha

  • Member
  • PipPipPipPip
  • 1,617 posts
I have to think that it is a false positive. As far as the MyWebSearch goes it is probably a trace of it somewhere in the registry. It's not actively running.

Kazaa is a P2P program used to share files. We don't advise using these programs as they are a great way to get infected. I did not see any evidence of Kazaa running in your logs. Check and make sure it's not in your installed programs.

http://www.kazaa.com/us/index.htm

Did you have a chance to try Trend Micro running as an Administrator?
  • 0

#28
IndiGenus

IndiGenus

    Anti-Malware Buddha

  • Member
  • PipPipPipPip
  • 1,617 posts
Here's a link to a thread that also leads me to really believe this is a false positive. It's hard to really be sure without having a file to identify???

http://www.malwarere...o...=11&t=30786
  • 0

#29
Mojo_Workin

Mojo_Workin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
IndiG,

I was able to run the TM online scan, it found 7 items and removed them (I actually ran the scan twice). Unf. I was unable to see what the items were...I had removed them and started a new scan by accident.

Here is a new HJT log for your perusal...I will research the info you talked of about false positives later.


Thanks again....MW

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:36:38 PM, on 9/10/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\sdclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.buffalostate.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [SynTPStart] "C:\Program Files\Synaptics\SynTP\SynTPStart.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] "C:\Windows\system32\RUNDLL32.EXE" C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "C:\Windows\system32\RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "C:\Windows\system32\RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\quicktime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] "C:\PROGRA~1\AVG\AVG8\avgtray.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JR1916~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JR1916~1.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebo...toUploader5.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...t/PCPitStop.CAB
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...fishActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin....nderControl.cab
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/...rs.1.0.0.39.cab
O16 - DPF: {54D53429-945C-4188-B460-C81356541882} (SaveImageFiles Class) - http://photosmart.hp...sLocalPrint.CAB
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/...O1.cab55579.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://147.4.73.99/a...sCamControl.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn...gr.cab31267.cab
O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVCDownloadControl) - http://download.game...loadControl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/...ersion=1,0,0,10
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop...irus/PitPav.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Unknown owner - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe (file missing)
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10044 bytes
  • 0

#30
IndiGenus

IndiGenus

    Anti-Malware Buddha

  • Member
  • PipPipPipPip
  • 1,617 posts
Hi MW,

Thanks for the update. Have you tried checking to see if the System Analyzer program is still picking up the malware since running TM?
  • 0
