Spyware

Desktop = Windows XP Home SP3; 2 internal hard drives; AVG 8.5; Hijack This was deleted because I did not know how to use it; external modem
Me = IT challenged old geezer

I can no longer access the internet or open any applications. I might be able to upload something via a USB flashdrive (suggestions?). Whenever I attempt to open anything, including AVG, or pressing Ctrl Alt Del, a small window pops up:

SECURITY WARNING
Application cannot be executed. The file xxxxxxxxx.exe is infected. Do you want to activate your antivirus software now?_______________YES__________NO______

If I click YES, an internet window opens (with the modem turned off):
http:DOUBLE SLASHwinsecurepro2009DOTcom/purchase?r=49.1
Thereafter about once every minute, other internet pages appear:
wwwDOTadultDOTcom/
wwwDOTviagraDOTcom/
wwwDOTpornoDOTcom/
then it starts again with winsecurepro2009.

If I click NO, another window pops up:
SPYWARE ALERT
Your computer is infected by spyware. 34 serious threats have been found while scanning your files and registry. It is recommended that you disinfect your computer and activate realtime secure protectionagainst future intrussions.
(hyperlink)Why do I need spyware protection?

I am now using my old laptop (Millenium Edition = slow) connected to the same external modem.

Any help would be much appreciated.

Please download the current version of HijackThis from HERE

• Double click and run the installer.
  
• It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  
• After installing, you should get the user agreement, press accept and Hijack This will run.
  
• Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.
  

Thank you for looking into this. I downloaded HijackThis as instructed above, on a USB flash memory on my old laptop, then transferred the flashdrive to the infected desktop and ran HijackThis. As soon as I turned on the desktop, I had the impression that virus/malware/bad stuff had already dissapeared by itself (????; too good to be true?). Anyway, here is the logfile (via the USB flashdrive; the desktop has not been connected yet to the internet; afraid something might go wrong):

=====================================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:02:34 PM, on 11/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Smith Micro\StuffIt11\ArcNameService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [flailviq] C:\Documents and Settings\Owner\Local Settings\Application Data\lhyfco\vorlsysguard.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [flailviq] C:\Documents and Settings\Owner\Local Settings\Application Data\lhyfco\vorlsysguard.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238625949578
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Stuffit Archive Name Service - Smith Micro Software, Inc. - C:\Program Files\Smith Micro\StuffIt11\ArcNameService.exe

--
End of file - 6243 bytes

===============================================

The following observations might (or might not) be of interest::
1. As soon as the desktop booted up, AVG started scanning; it was schedulled to do so last evening, but the desktop was not powered up until right now.

2. I was able to open several folders and start several programs (that was not possible a few days ago).

3. With nothing running except AVG, Windows Task Manager, showed 36 processes. That seems more than usual. I noticed the following duplicates:
-svchost.exe / SYSTEM / 21,412KK
-svchost.exe / SYSTEM / 5,172K

-svchost.exe / LOCAL SERVICE / 3,584 K
-svchost.exe / LOCAL SERVICE / 3,852 K

-svchost.exe / NETWORK SERVICE / 5,060 K
-svchost.exe / NETWORK SERVICE / 4,220 K

Only the memory usage was different; is this normal?

4. I ran HijackThis on the C:/ partition (of the primary hard drive). Should I also run HijackThis on the other partitions? Only the C partition was in use at the time of the attack.

Thank you very much for your time and expertise.

GMK

This might be of interest as well: the results of the AVG scan:

===================================================

"Scan ""Scheduled scan"" was finished."
"Infections";"3";"3";"0"
"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"Sunday, November 22, 2009, 7:05:46 PM"
"Scan finished:";"Sunday, November 22, 2009, 10:53:23 PM (3 hour(s) 47 minute(s) 37 second(s))"
"Total object scanned:";"824742"
"User who launched the scan:";"SYSTEM"

"Infections"
"File";"Infection";"Result"
"C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP453\A0087747.dll";"Trojan horse BHO.JEW";"Moved to Virus Vault"
"C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP453\A0087763.dll";"Trojan horse BHO.JEW";"Moved to Virus Vault"
"C:\WINDOWS\system32\iehelper.dll";"Trojan horse BHO.JEW";"Moved to Virus Vault"



"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\Owner\Cookies\owner@2o7[2].txt";"Found Tracking cookie.2o7";"Moved to Virus Vault"

........and about hunderd more tracking coockies, all moved to the virus vault

===============================================
The scan lasted almost 4 hours; I was away from the PC when the scan was finished. After the scan was completed, the AVG Resident Shield caught another "Trojan horse BHO.JEW", wich I manually moved to the Virus Vault.

===================================================

As with HijackThis, I do not know if AVG only scanned partition C: or if it scanned all partitions or if there is a need to scan all the other partitions. When the attack occured, only partition C was in use.

I have now become so paranoid, that I have not connected my desktop to the internet since the attack.

Thank you,

GMK

Hello.

• Open HijackThis
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
  R3 - URLSearchHook: (no name) - - (no file)
  O4 - HKLM\..\Run: [flailviq] C:\Documents and Settings\Owner\Local Settings\Application Data\lhyfco\vorlsysguard.exe
  O4 - HKCU\..\Run: [flailviq] C:\Documents and Settings\Owner\Local Settings\Application Data\lhyfco\vorlsysguard.exe
  
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

HIJACK THIS:
Did as instructed.

MBAB:
Did as instructed. Used the MBAB vers. 1.41 of Sept 09, 2009. Unless it has changed overnight, it was the latest. During the MBAB installation (from the USB drive) , got an error message:
error code 732 (0,0)
After I copied the installer to the desktop, everything worked as predicted. 2 more !@#$%^&* removed and quarantained. The MBAB log follows:

====================================================
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

11/24/2009 7:43:48 PM
mbam-log-2009-11-24 (19-43-48).txt

Scan type: Quick Scan
Objects scanned: 102925
Time elapsed: 12 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Owner\Local Settings\Temp\dogpile_sub_installer.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

=====================================================

Otherwise everything "appears" to be normal, but not being on line might give me a false sense of security.

Once again thank you for your time and expertise.

GMK

Hello.

• Download combofix from here
  Link 1
  Link 2
  
  1. If you are using Firefox, make sure that your download settings are as follows:
  
  * Tools->Options->Main tab
  * Set to "Always ask me where to Save the files".
  
  2. During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
  
• We need to disable your local AV (Anti-virus) before running Combofix.
  
• See HERE for how to disable your AV.
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  
  
  
• The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  
  
  
  
• Allow ComboFix to download the Recovery Console.
  
• Accept the End-User License Agreement.
  
• The Recovery Console will be installed.
  
• You will then get this next prompt that asks if you want to continue the malware scan, select yes
  
  
  
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  

With the help of a friend, I got finally the above instructions sorted out. Since the infection my desktop has not been turned on other than for running HijackThis, MWB Anti-Malware, MS Recovery Console and ComboFix and not been hooked up to the internet other than to download the MS Windows Recovery Console. The combo fix log is as follows:

=====================================================

ComboFix 09-12-06.07 - Owner 12/06/2009 15:01.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1370 [GMT -6]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Local Settings\Application Data\lhyfco
c:\documents and settings\Owner\Local Settings\Application Data\lhyfco\vorlsysguard.exe
c:\recycler\S-1-5-21-3217367115-1376598253-32396715-1003
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-11-06 to 2009-12-06 )))))))))))))))))))))))))))))))
.

2009-11-25 01:26 . 2009-11-25 01:26 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-11-25 01:25 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-25 01:25 . 2009-11-25 01:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-25 01:25 . 2009-11-25 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-25 01:25 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-23 01:01 . 2009-11-23 01:01 -------- d-----w- c:\program files\Trend Micro
2009-11-10 23:35 . 2008-04-13 19:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-11-10 23:35 . 2008-04-13 19:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-11-10 23:35 . 2008-04-13 19:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-11-10 23:35 . 2008-04-13 19:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-10 09:59 . 2006-02-01 12:32 33440 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-06 13:45 . 2009-08-17 23:06 -------- d-----w- c:\program files\Eagle Lander 3D v212
2009-11-04 01:32 . 2009-08-11 08:22 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-11-01 04:36 . 2006-02-01 09:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-29 09:36 . 2009-10-29 09:34 -------- d-----w- c:\program files\Landing Pattern
2009-10-29 09:35 . 2009-10-29 09:35 -------- d-----w- c:\program files\AGEIA Technologies
2009-10-29 09:34 . 2009-10-29 09:34 -------- d-----w- c:\program files\OpenAL
2009-10-29 09:34 . 2009-10-29 09:34 409600 ----a-w- c:\windows\system32\wrap_oal.dll
2009-10-29 09:34 . 2009-10-29 09:34 114688 ----a-w- c:\windows\system32\OpenAL32.dll
2009-10-22 10:33 . 2009-11-06 15:14 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-10-21 02:51 . 2009-10-21 02:51 -------- d-----w- c:\program files\G1000 Route Planning
2009-10-20 14:43 . 2009-10-20 14:43 2025752 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-10-14 20:58 . 2006-02-01 09:30 -------- d-----w- c:\program files\Microsoft Works
2009-09-11 14:18 . 2004-08-26 16:12 136192 ----a-w- c:\windows\system32\msv1_0.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0" [X]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 90112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"nwiz"="nwiz.exe" [2008-10-07 1630208]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-03 2028312]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-11 08:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Cessna NAVIII G1000 Trainer v8.01\\CDUSIMv2.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\X-PLANE 9.311 FINAL\\X-Plane.exe"=
"j:\\XP 9.40 FINAL\\X-Plane.exe"=
"j:\\XP 8.xx\\XP 8.64\\X-Plane 864.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/11/2009 2:22 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/11/2009 2:22 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [8/11/2009 2:21 AM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/11/2009 2:21 AM 297752]
R3 chdrvr01;CH Control Manager Driver 1;c:\windows\system32\drivers\chdrvr01.sys [2/2/2008 3:25 PM 215104]
R3 chdrvr02;CH Control Manager Driver 2;c:\windows\system32\drivers\chdrvr02.sys [2/2/2008 3:25 PM 3744]
R3 chdrvr03;CH Control Manager Driver 3;c:\windows\system32\drivers\chdrvr03.sys [2/2/2008 3:25 PM 9024]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [8/16/2009 4:15 PM 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [8/16/2009 4:15 PM 3072]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {4C304F1E-5DBE-4D8B-A4AE-0BD29B34AC22} = 68.94.156.1 151.164.8.201
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
HKLM-Run-QuickTime Task - c:\program files\QuickTime\qttask.exe
AddRemove-NVIDIA Drivers - c:\windows\system32\nvuninst.exe UninstallGUI
AddRemove-PictureItSuiteTrial_v11 - c:\program files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe ADDREMOVE=1 SKU=TRIAL VERSION=11
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-06 15:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
Completion time: 2009-12-06 15:10
ComboFix-quarantined-files.txt 2009-12-06 21:10

Pre-Run: 61,302,595,584 bytes free
Post-Run: 62,523,502,592 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 174E50CCCE8C8E93EBB91D6AA9030B83

=====================================================

When ComboFix completed stage 50, a note appeared that a few files were deleted. I was not fast enough to write down which files this were. At that time also 5 windows popped up, announcing items that were shutdown:
1. Data Execution Prevention – Microsoft Windows

To help protect your computer, Windows has closed this program.
CTF Loader
MS Corporation

2. Realtek Sound Manager

3. Power DVD RC Service

4. AVG 8.5 (was disabled previously – or so I thought)

5. Windows Security Notification App Combo-Fix ?????

Thanks for looking into this and thanks for your time.

GMK

Last edited by GMK on 6th December 2009, 10:06 pm; edited 1 time in total (Reason for editing : EDIT: spelling)

May have just been a slight problem when Combofix run.
The log looks aside, still having problems?

Belahzur wrote:

..................The log looks aside,....

Do you mean: The logs looks OK.

.......... still having problems?

I don't know. Since I became aware of the infection until now, the desktop has been turned on 3 times for a combined total of 15' (at most). The bare minimum to run HijackThis, MWB Anti-Malware, MS Recovery Console and ComboFix. During those 15' I did not notice any problems.

If you think it is safe to run the PC for longer amounts of time, the first thing I will do is upgrade to AVG 9.0, download SpyBot and whatever else you would recommend.

Do you mean: The logs looks OK.

Yeah, it was a long night, sorry about that.

Okay, update AVG and just generally use the computer as you would, let me know how it goes.

Been using the machine for a few days now. Seems everything is fixed. Thank you very much; my donation is on the way.

Question I still have: Is it normal to have 2 of the following in the Windows Task Manager/Processes:
-svchost.exe / SYSTEM
-svchost.exe / LOCAL SERVICE
-svchost.exe / NETWORK SERVICE

I was unable (so far) to upgrade from AVG8.5 to AVG9.0; something about Permissions in the Registry Editor, but that is a subject for another time.

Once again, thank you very much!

Hello.
It's normal for svchost to show up more than once.

Been using the PC for 3 weeks now without any problems. I think you can close this one as SOLVED.

Thank you very much; happy hollidays,


G.M.K.