WiredWX Hobby Weather Tools

Virus

3 posters

Re: Virus

Now open a new Notepad file.
Input this into the Notepad file:

KILLALL::

File::
c:\windows\010112010146118114.dat
C:\487656.bat
c:\windows\system32\RENF.tmp
c:\windows\system32\REN11.tmp
c:\windows\system32\REN10.tmp

Driver::
umfdygjkkuof
zjdcyp

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"=-


Save this as CFScript.txt, and save it to your desktop as well.
Then drag and drop CFScript.txt onto ComboFix as seen below:
[screenshot: dragging CFScript.txt onto the ComboFix icon]

This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done (it will warn you if it wants to).
Post the resulting log back here.

Re: Virus
Here is the latest.

ComboFix 09-06-20.02 - Owner 06/20/2009 15:31.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.225 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"C:\487656.bat"
"c:\windows\010112010146118114.dat"
"c:\windows\system32\REN10.tmp"
"c:\windows\system32\REN11.tmp"
"c:\windows\system32\RENF.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\487656.bat
c:\windows\010112010146118114.dat
c:\windows\system32\REN10.tmp
c:\windows\system32\REN11.tmp
c:\windows\system32\RENF.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UMFDYGJKKUOF
-------\Legacy_ZJDCYP
-------\Service_umfdygjkkuof
-------\Service_zjdcyp


((((((((((((((((((((((((( Files Created from 2009-05-20 to 2009-06-20 )))))))))))))))))))))))))))))))
.

2009-06-20 13:49 . 2009-06-20 14:38 -------- d-s---w- C:\Combo-Fix
2009-06-19 13:12 . 2008-12-11 13:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-06-19 13:12 . 2009-06-19 13:39 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-06-19 13:12 . 2008-12-18 17:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-19 13:12 . 2009-06-19 13:13 -------- d-----w- c:\program files\Common Files\PC Tools
2009-06-19 13:12 . 2008-12-10 17:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-06-19 13:11 . 2009-06-20 04:56 -------- d-----w- c:\program files\Spyware Doctor
2009-06-19 13:11 . 2009-06-19 13:11 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools
2009-06-19 13:11 . 2009-06-19 13:11 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-06-19 10:07 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-19 10:07 . 2009-06-19 22:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-19 10:07 . 2009-06-19 10:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-19 10:07 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-03 03:24 . 2009-06-03 03:24 -------- d-----w- c:\documents and settings\Owner\Application Data\Uniblue
2009-06-03 02:01 . 2009-06-03 02:03 -------- d-----w- c:\program files\CA Yahoo! Anti-Spy
2009-06-02 08:04 . 2009-06-20 18:14 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-02 07:50 . 2009-06-02 07:50 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-02 07:50 . 2009-06-02 07:50 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-02 07:50 . 2009-06-02 07:50 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-02 07:50 . 2009-06-20 14:11 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-02 07:50 . 2009-06-02 07:50 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-02 07:50 . 2009-06-02 07:54 -------- d-----w- c:\documents and settings\Owner\Application Data\AVGTOOLBAR
2009-06-02 07:28 . 2009-06-02 07:28 -------- d-----w- c:\program files\CCleaner
2009-05-29 03:08 . 2009-05-29 03:07 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-29 02:27 . 2008-12-04 06:25 120832 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\sh3pbpox.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
2009-05-23 23:52 . 2009-05-27 10:53 -------- d-----w- c:\documents and settings\All Users\Application Data\17744214

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-20 20:45 . 2006-11-12 19:45 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-20 18:38 . 2006-09-06 05:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-20 14:58 . 2009-01-31 21:24 -------- d-----w- c:\program files\COMODO
2009-06-19 22:05 . 2004-05-12 07:26 -------- d-----w- c:\program files\Java
2009-06-19 00:28 . 2006-09-06 05:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-03 03:35 . 2005-01-01 16:18 -------- d-----w- c:\program files\Google
2009-06-02 07:49 . 2009-01-31 20:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg8
2009-05-29 01:57 . 2004-05-12 11:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-19 22:24 . 2009-05-19 22:24 272 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-05-07 15:32 . 2004-05-31 19:15 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-01-22 06:16 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-09-04 17:16 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-05-12 06:16 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-05-12 06:16 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-20_14.32.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-20 20:44 . 2009-06-20 20:44 16384 c:\windows\temp\Perflib_Perfdata_904.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2005-03-08 176128]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-02 1947928]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="c:\progra~1\SYMNET~1\SNDWarn.exe" [2004-10-29 218232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-02 07:50 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
backup=c:\windows\pss\NkvMon.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photo Loader supervisory.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Photo Loader supervisory.lnk
backup=c:\windows\pss\Photo Loader supervisory.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=c:\windows\pss\SpySubtract.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/19/2009 8:12 AM 130936]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/2/2009 2:50 AM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/2/2009 2:50 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/2/2009 2:49 AM 298776]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6/19/2009 8:11 AM 348752]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 mrtRate;mrtRate; [x]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [9/4/2004 11:44 AM 2944]
S3 BrFiltLo;Brother USB Mass-Storage Lower Filter Driver;c:\windows\system32\drivers\BrFiltLo.sys [9/4/2004 11:44 AM 12160]
S3 BrFiltUp;Brother USB Mass-Storage Upper Filter Driver;c:\windows\system32\drivers\BrFiltUp.sys [9/4/2004 11:44 AM 3968]
S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [9/4/2004 11:44 AM 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [9/4/2004 11:44 AM 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [9/4/2004 11:44 AM 10368]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-06-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-06-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-26 02:40]

2009-06-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{71848431-9C3E-4217-9F76-4772C41E44E5} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/comcast.html
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: advancedmd.com
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-20 15:45
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3960)
c:\program files\Spyware Doctor\pctgmhk.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-20 15:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-20 20:51
ComboFix2.txt 2009-06-20 18:38
ComboFix3.txt 2009-06-20 14:38
ComboFix4.txt 2009-01-31 20:58

Pre-Run: 124,487,512,064 bytes free
Post-Run: 124,477,472,768 bytes free

217 --- E O F --- 2009-06-18 21:46
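The security-relevant line in the CFScript above is the Registry:: entry: the infection had added "8085:TCP" to the Windows Firewall's GloballyOpenPorts list, i.e. an inbound exception for a listener the user never asked for, and `"8085:TCP"=-` is regedit syntax for deleting that value. The log that came back also shows `"EnableFirewall"= 0`. The following is an added example (not part of the thread, and not ComboFix's own code) that parses the firewall-policy keys out of the regedit-style "Reg Loading Points" section of a ComboFix log, flags port exceptions that are not XP defaults or are open to any remote host, flags program exceptions living in user-writable folders, and emits the matching Registry:: block. The sample log text is constructed to mirror the posted log (the 139:TCP and Temp-folder lines are assumed entries added for contrast), and KNOWN_PORTS is an assumed allowlist.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample modelled on the "Reg Loading Points" section of the
# ComboFix log above. The "8085:TCP" value is the one the CFScript deleted;
# the 139:TCP and Temp-folder lines are assumed entries added for contrast.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"139:TCP"= 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"8085:TCP"= 8085:TCP:*:Enabled:svchost

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Temp\\update.exe"=
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=\s*(?P<data>.*)$')
FW_PROFILE = r"firewallpolicy\standardprofile"

# XP's own default exceptions (file/printer sharing, UPnP, remote desktop).
# Assumed allowlist: adjust it for the machine under review.
KNOWN_PORTS = {"137:UDP", "138:UDP", "139:TCP", "445:TCP", "1900:UDP", "2869:TCP", "3389:TCP"}
USER_WRITABLE = ("\\local settings\\temp\\", "\\application data\\", "\\temp\\")


@dataclass
class FirewallPolicy:
    enable_firewall: Optional[bool] = None
    open_ports: Dict[str, str] = field(default_factory=dict)    # "8085:TCP" -> value data
    authorized_apps: List[str] = field(default_factory=list)


def parse_firewall_policy(log_text: str) -> FirewallPolicy:
    """Pull the Standard Profile firewall keys out of ComboFix's regedit-style dump."""
    policy = FirewallPolicy()
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key").lower()
            continue
        m = VALUE_RE.match(line)
        if not m or FW_PROFILE not in section:
            continue
        name, data = m.group("name"), m.group("data").strip()
        if section.endswith("\\standardprofile") and name.lower() == "enablefirewall":
            policy.enable_firewall = data.split()[0] != "0"     # "0 (0x0)" -> False
        elif section.endswith("\\globallyopenports\\list"):
            policy.open_ports[name.upper()] = data
        elif section.endswith("\\authorizedapplications\\list"):
            policy.authorized_apps.append(name.replace("\\\\", "\\"))  # undo regedit escaping
    return policy


def suspicious_open_ports(policy: FirewallPolicy, known=KNOWN_PORTS) -> List[str]:
    """Flag port exceptions that are not Windows defaults or are open to any remote host ('*')."""
    flagged = []
    for port, data in policy.open_ports.items():
        fields = data.split(":")                 # port:proto:scope:Enabled:name
        scope = fields[2] if len(fields) > 2 else "*"
        if port not in known or scope == "*":
            flagged.append(port)
    return sorted(flagged)


def suspicious_authorized_apps(policy: FirewallPolicy) -> List[str]:
    """Flag program exceptions whose binary lives in a user-writable location."""
    return [p for p in policy.authorized_apps
            if any(marker in p.lower() for marker in USER_WRITABLE)]


def cfscript_registry_block(ports: List[str], apps: List[str]) -> str:
    """Emit a ComboFix Registry:: block; in regedit syntax "name"=- deletes that value."""
    key = r"HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"
    lines = ["Registry::"]
    if ports:
        lines.append("[" + key + r"\GloballyOpenPorts\List]")
        lines.extend('"%s"=-' % p for p in ports)
    if apps:
        lines.append("[" + key + r"\AuthorizedApplications\List]")
        lines.extend('"%s"=-' % a.replace("\\", "\\\\") for a in apps)
    return "\n".join(lines)


if __name__ == "__main__":
    policy = parse_firewall_policy(SAMPLE_LOG)
    print("firewall enabled:", policy.enable_firewall)
    print(cfscript_registry_block(suspicious_open_ports(policy),
                                  suspicious_authorized_apps(policy)))
```

Run against the constructed sample it reports the firewall as disabled, flags only 8085:TCP (139:TCP is a known exception scoped to LocalSubNet) plus the Temp-folder program exception, and prints a Registry:: block in the same shape as the one in the CFScript above. Generated blocks should still be read before they are fed to ComboFix; the allowlist only encodes what XP installs by default.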

Re: Virus

Click Start > Run, copy/paste the following text into the Run box and click OK:

ComboFix /u

[screenshot: ComboFix uninstall (CF_Cleanup)]

This will also reset your restore points.

How is the machine running now?

Re: Virus
There is no ComboFix/u file to run.

Re: Virus
Do you mean that the computer does not find ComboFix?

Re: Virus

Right, it says Windows cannot find ComboFix/u to run.

Re: Virus

I see. Manually delete ComboFix via Right Click --> Delete.

Re: Virus
I deleted the icon from the Desktop. Is that what you meant?

Re: Virus

Yes, that's what I meant. How is the computer running?

Re: Virus

Much better, still a little slow. Firefox takes about a minute and a half to load, which is better, but not as quick as it was before. I also don't seem to have any sound. Do you think the virus is now gone? I would really like to get some advice on programs I can remove and how to optimize my computer's performance. Also, what security anti-virus is the best to use? Thank you.

Re: Virus
I was finally able to run MBAM and got this log.

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

6/21/2009 10:25:08 PM
mbam-log-2009-06-21 (22-25-08).txt

Scan type: Quick Scan
Objects scanned: 88602
Time elapsed: 10 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{497dddb6-6eee-4561-9621-b77dc82c1f84} (Adware.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4e980492-027b-47f1-a7ab-ab086dacbb9e} (Adware.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5ead8321-fcbb-4c3f-888c-ac373d366c3f} (Adware.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{31f3cf6e-a71a-4daa-852b-39ac230940b4} (Adware.Ascentive) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\c:\WINDOWS\system32\SysRestore.dll (Adware.Ascentive) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\SysRestore.dll (Adware.Ascentive) -> Quarantined and deleted successfully.

I deleted the items it found.

Re: Virus

Just some leftovers CF didn't catch.
Post a new HijackThis log.

Re: Virus
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:52:14 PM, on 6/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\hijackgpthis.exe
C:\Program Files\AVG\AVG8\avgupd.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {71848431-9C3E-4217-9F76-4772C41E44E5} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5EF06782-55B2-4DF3-A57A-3FE8F1D2A181} (PPMDForms.Forms) - https://app.advancedmd.com/practicemanager/ppmdcontrols/ppmdforms.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} -
O16 - DPF: {6A6E7E91-B6EB-46B5-A545-12B8EDDD261E} (AMDSControls50.XGroupCategory) - https://app.advancedmd.com/practicemanager/ppmdcontrols/amdscontrols50.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228970026765
O16 - DPF: {9602B3CE-BC91-417D-B4FD-F6538C2ABB3B} (AMDSWSCheck.WSCheck) - https://app.advancedmd.com/practicemanager/ppmdcontrols/amdswscheck.cab
O16 - DPF: {B15C3921-CCFA-4403-9E6F-4470839E835E} (Leadtools.XLead) - https://app.advancedmd.com/practicemanager/ppmdcontrols/leadtools.cab
O16 - DPF: {CC99A86F-EA5D-414A-8231-7C3F1B10A644} (AMDSAudio.XAudio) - https://app.advancedmd.com/practicemanager/ppmdcontrols/amdsaudio.cab
O16 - DPF: {EE8CEFA4-1F91-11D4-B31E-00C04F1D37E6} (PPMDVBDownload.XShowReady) - https://app.advancedmd.com/practicemanager/ppmdcontrols/ppmdvbdownload.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6415 bytes

Things still seem slow. I'm using Firefox but I get a message that I have no firewall. The message also says AVG is turned off.

Re: Virus

Yes, because we disabled it for the ComboFix run.
Re-enable it now.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: (no name) - {71848431-9C3E-4217-9F76-4772C41E44E5} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
    O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe


  • Press "Fix Checked"
  • Close Hijack This.

Reboot normally.
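Three of the five lines picked for "Fix Checked" above can be found by rule rather than by eye: O2 entries ending in "(no file)" are CLSIDs still registered as browser helper objects with no DLL behind them, and O4 entries under HKUS\S-1-5-18 (the Local System SID) or HKUS\.DEFAULT are autoruns in the system/default-user hives, which outlive the product that created them. The O16 line with no name and no URL in the log is the same kind of orphan. The O23 Apple service was a judgment call that no rule catches. The following is an added example (not part of the thread and not HijackThis's own code) that applies those rules to an excerpt of the HijackThis log posted above and, after the fix and reboot, checks a fresh log to confirm the chosen lines are gone. The sample is an excerpt copied from that log; no entries were invented.

```python
import re
from typing import List, Tuple

# Excerpt of the HijackThis log posted above (a handful of lines, not the
# whole log), used as constructed sample input.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {71848431-9C3E-4217-9F76-4772C41E44E5} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228970026765
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
"""

# "O2 - ", "O16 - ", "R1 - " ... : section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Autoruns stored under the Local System SID or the default-user hive.
SYSTEM_HIVES_RE = re.compile(r"^HKUS\\(S-1-5-18|\.DEFAULT)\\")


def triage_hijackthis(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for entries worth a second look.

    Rules:
      - O2/O3 ending in "(no file)": BHO/toolbar CLSID with no DLL behind it
      - O4 in the SYSTEM or default-user hive: leftover of a removed product
      - O16 with no description and no download URL: dead ActiveX entry
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("O2", "O3") and body.endswith("(no file)"):
            findings.append(("orphaned BHO/toolbar registration", line))
        elif kind == "O4" and SYSTEM_HIVES_RE.match(body):
            findings.append(("autorun in SYSTEM/default-user hive", line))
        elif kind == "O16" and body.endswith("-"):
            findings.append(("ActiveX download entry with no name or URL", line))
    return findings


def still_present(after_log: str, lines: List[str]) -> List[str]:
    """After "Fix Checked" and a reboot, re-scan and report any chosen line that survived."""
    after = {l.strip() for l in after_log.splitlines()}
    return [l for l in lines if l.strip() in after]


if __name__ == "__main__":
    for reason, line in triage_hijackthis(SAMPLE_HJT):
        print(f"{reason}: {line}")
```

On the excerpt this flags exactly the two "(no file)" BHOs, the two SNDWarn autoruns and the blank O16 entry, and leaves the AVG, Adobe, Microsoft Update and Apple lines alone. The `still_present` check is the step the thread does by asking for another log: feed it the new scan and the list of lines that were fixed, and anything it returns was re-created or never removed.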

Re: Virus

I did all that and it seemed to work fine. I also re-enabled AVG. I also ran MBAM again and it found no infections. Any idea what might have happened to my sound? Should I keep and use Registry Repair, or is that not good? What else do you recommend? Is there another forum I should use to try to clean/speed up my computer? Thank you very much for all your help. I will definitely be visiting the donation section of geekpolice. Thank You!
