AV Security Suite


AV Security Suite

Post by Swerdna on Tue 06 Jul 2010, 10:58 pm

After being infected with the AV Security Suite and what seemed like a whole load of other stuff as well, I followed Dr Inferno's removal guide. This seems to have mostly cleared the problems. However, two remain.

1: I get a Rundll error on power up - error loading qeimqdty.dll. On running HiJackThis I noted the following line - O4 - HKLM\..\Run: [skb] rundll32 "qeimqdty.dll",,Run - and I was wondering if it should be removed.

2: All Google searches are getting redirected to another search engine or unrelated sites. This is a bit annoying.

Full HiJackThis list below. Can you offer some advice, please?

Swerdna

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:27:59, on 30/06/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\DNA\btdna .exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
C:\Program Files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\SymcPCCULaunchSvc.exe
C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.] LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:1040
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: CCAB - {C6A91056-83E0-4C6E-8DCC-43FC0DFE7A0A} - C:\WINDOWS\system32\XHyAoBB0.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [Conime] %windir%\system32\conime.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [skb] rundll32 "qeimqdty.dll",,Run
O4 - HKLM\..\Run: [Uqunomu] rundll32.exe "C:\WINDOWS\uhedewiyohupo.dll",Startup
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna .exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Google Sidewiki... - [You must be registered and logged in to see this link.] Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton PC Checkup Application Launcher - Symantec Corporation - C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\SymcPCCULaunchSvc.exe
O23 - Service: Common Client Job Manager Service (PCCUJobMgr) - Symantec Corporation - C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe

--
End of file - 9044 bytes




Swerdna
Newbie Surfer
Posts : 39
Joined : 2009-08-09
Operating System : XP
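The lines Swerdna asks about (the O4 rundll32 entry, the R1 ProxyServer entry pointing at 127.0.0.1, and later in the thread the O20 Winlogon Notify DLL living under All Users\Documents) are the kinds of entries a responder scans a HijackThis log for first. The script below is an added example, not part of the thread and not a HijackThis feature: it parses lines in HijackThis's format and applies a few location-based heuristics to a constructed sample built from entries that appear in this thread. The function names (`triage_log`, `triage_o4`, and so on), the regular expressions and the rules themselves are the example's own assumptions; anything it flags is a candidate to verify against known-good software, not a verdict.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example, not a HijackThis feature. It looks at the R1 / O4 / O20 line
kinds discussed in the thread and reports entries a responder should verify:
a browser proxy on the local machine, Run-key targets in user profiles or in
the Windows root, rundll32 loading a DLL by bare name, and Winlogon Notify
DLLs outside system32.
"""
import re

# Constructed sample in HijackThis's line format (entries taken from the thread).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:1040
O4 - HKLM\..\Run: [skb] rundll32 "qeimqdty.dll",,Run
O4 - HKLM\..\Run: [Uqunomu] rundll32.exe "C:\WINDOWS\uhedewiyohupo.dll",Startup
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [{5A0B78FB-EF7E-927A-8F43-343C5371ED19}] "C:\Documents and Settings\Graham\Application Data\Ewpoze\xiohn.exe"
O4 - HKUS\S-1-5-21-3730413843-1403681469-2399024052-1008\..\Run: [LowRiskFileTypes] C:\WINDOWS\sysguard.exe (User 'James')
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: cbssreg - C:\Documents and Settings\All Users\Documents\Settings\cbss.dll
"""

HJT_LINE = re.compile(r"^(R\d|O\d+) - (.*)$")
USER_SUFFIX = re.compile(r"\s*\(User '[^']*'\)\s*$")                 # trailing "(User 'James')"
RUNDLL_DLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,', re.I)  # DLL argument of rundll32
USER_PROFILE = re.compile(r"documents and settings", re.I)
WINDOWS_ROOT_FILE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I)    # file directly in C:\WINDOWS
SYSTEM32_DIR = re.compile(r"^[a-z]:\\windows\\system32\\", re.I)


def first_token(cmd):
    """Executable of a Run-key command: the quoted path, or the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd else ""


def triage_r1(body):
    """R1 lines: 'Key,Value = data'. Flag a proxy that points at the local machine."""
    key, _, value = body.partition(" = ")
    if key.endswith(",ProxyServer") and "127.0.0.1" in value:
        return ["browser proxy set to the local machine; web traffic can be intercepted or redirected"]
    return []


def triage_o4(body):
    """O4 lines: '<hive>\\..\\Run: [name] command (User ...)'. Location-based checks."""
    reasons = []
    _, _, cmd = body.partition("] ")
    cmd = USER_SUFFIX.sub("", cmd)
    if USER_PROFILE.search(cmd):
        reasons.append("autostart runs code from a user profile directory")
    exe = first_token(cmd)
    if WINDOWS_ROOT_FILE.match(exe):
        reasons.append(f"{exe} sits directly in the Windows root")
    m = RUNDLL_DLL.search(cmd)
    if m:
        dll = m.group(1).strip()
        if "\\" not in dll:
            reasons.append(f"rundll32 loads {dll} by bare name (resolved via the DLL search path)")
        elif WINDOWS_ROOT_FILE.match(dll):
            reasons.append(f"rundll32 loads {dll} from the Windows root rather than system32")
    return reasons


def triage_o20(body):
    """O20 lines: 'Winlogon Notify: name - path'. Notify DLLs normally live in system32."""
    path = body.rsplit(" - ", 1)[-1].strip()
    if not SYSTEM32_DIR.match(path):
        return [f"Winlogon Notify DLL outside system32: {path}"]
    return []


TRIAGE = {"R1": triage_r1, "O4": triage_o4, "O20": triage_o20}


def triage_log(text):
    """Return (section, entry, reason) tuples for every entry a heuristic flags."""
    findings = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        for reason in TRIAGE.get(section, lambda _body: [])(body):
            findings.append((section, body, reason))
    return findings


if __name__ == "__main__":
    for section, entry, reason in triage_log(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {entry}")
```

Run against the sample, it flags seven entries. Note that the legitimate `Rundll32 P17.dll,P17Helper` sound-card helper trips the bare-name rule as well: the heuristic surfaces candidates for a person to check against known-good software, it does not decide. A proxy in Internet Settings that points at the local machine is one of the first things worth examining when every search is being redirected, since all browser traffic passes through whatever is listening on that port.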

Re: AV Security Suite

Post by Belahzur on Wed 07 Jul 2010, 2:14 am

Hello.
Please re-post your log; this time, switch off Word Wrap. To do so, in Notepad, go into the Format menu and untick Word Wrap.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Manager | Tech Officer
Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: AV Security Suite

Post by Swerdna on Thu 08 Jul 2010, 7:46 am

Belahzur

Having problems with preview and send - trying the first half of the new scan file.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:29:43, on 07/07/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\SymcPCCULaunchSvc.exe
C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\DNA\btdna .exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:1040
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: CCAB - {C6A91056-83E0-4C6E-8DCC-43FC0DFE7A0A} - C:\WINDOWS\system32\XHyAoBB0.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll


Re: AV Security Suite

Post by Swerdna on Thu 08 Jul 2010, 7:48 am

Next bit of scan file

O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [Conime] %windir%\system32\conime.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [skb] rundll32 "qeimqdty.dll",,Run
O4 - HKLM\..\Run: [Uqunomu] rundll32.exe "C:\WINDOWS\uhedewiyohupo.dll",Startup
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna .exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [{5A0B78FB-EF7E-927A-8F43-343C5371ED19}] "C:\Documents and Settings\Graham\Application Data\Ewpoze\xiohn.exe"
O4 - HKUS\S-1-5-21-3730413843-1403681469-2399024052-1008\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'James')
O4 - HKUS\S-1-5-21-3730413843-1403681469-2399024052-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'James')
O4 - HKUS\S-1-5-21-3730413843-1403681469-2399024052-1008\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'James')
O4 - HKUS\S-1-5-21-3730413843-1403681469-2399024052-1008\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User 'James')
O4 - HKUS\S-1-5-21-3730413843-1403681469-2399024052-1008\..\Run: [SYS32DLL] SYS32DLL (User 'James')
O4 - HKUS\S-1-5-21-3730413843-1403681469-2399024052-1008\..\Run: [LowRiskFileTypes] C:\WINDOWS\sysguard.exe (User 'James')
O4 - HKUS\S-1-5-21-3730413843-1403681469-2399024052-1008\..\Run: [James] C:\Documents and Settings\James\James.exe (User 'James')
O4 - HKUS\S-1-5-21-3730413843-1403681469-2399024052-1008\..\Run: [Dgenamisa] rundll32.exe "C:\WINDOWS\comqpin.dll",Startup (User 'James')
O4 - HKUS\S-1-5-21-3730413843-1403681469-2399024052-1008\..\Run: [guqlwexcbd] c:\documents and settings\james\local settings\application data\fqkoqtfhl\xyxynie.exe (User 'James')
O4 - HKUS\S-1-5-21-3730413843-1403681469-2399024052-1008\..\Run: [lvcioupe] c:\documents and settings\james\local settings\application data\sqdxnv\uopylog.exe (User 'James')
O4 - HKUS\S-1-5-21-3730413843-1403681469-2399024052-1008\..\Run: [{5A0B78FB-EF7E-927A-CDCC-479E11FE9EBB}] "C:\Documents and Settings\James\Application Data\Xomei\awfo.exe" (User 'James')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-21-3730413843-1403681469-2399024052-1008 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'James')
O4 - S-1-5-21-3730413843-1403681469-2399024052-1008 User Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'James')
O4 - .DEFAULT User Startup: coorir.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe


Re: AV Security Suite

Post by Swerdna on Thu 08 Jul 2010, 7:51 am

O8 - Extra context menu item: Google Sidewiki... - [You must be registered and logged in to see this link.] Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)


Re: AV Security Suite

Post by Swerdna on Thu 08 Jul 2010, 7:54 am

However small I make the cut and paste of this last bit, I get a "can't connect to webpage" message.


Re: AV Security Suite

Post by Swerdna on Thu 08 Jul 2010, 7:55 am

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]


Re: AV Security Suite

Post by Swerdna on Thu 08 Jul 2010, 7:56 am

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: cbssreg - C:\Documents and Settings\All Users\Documents\Settings\cbss.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton PC Checkup Application Launcher - Symantec Corporation - C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\SymcPCCULaunchSvc.exe
O23 - Service: Common Client Job Manager Servi


Re: AV Security Suite

Post by Swerdna on Thu 08 Jul 2010, 8:11 am

Belahzur

There is a line from the HiJackThis scan that seems to cause 'Send' to go to a "webpage not found". I have even tried typing it in manually but it still does not work. Very strange. It starts "O16 - DPF" and has an update.microsoft.com address.


Re: AV Security Suite

Post by Swerdna on Thu 08 Jul 2010, 8:12 am

Apologies that this is in so many bits.
Swerdna


Re: AV Security Suite

Post by Belahzur on Thu 08 Jul 2010, 10:26 am

Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select yes.
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Re: AV Security Suite

Post by Swerdna on Fri 09 Jul 2010, 8:36 am

Belahzur
Combo-fix txt file

ComboFix 10-07-07.02 - Graham 08/07/2010 22:05:59.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.561 [GMT 1:00]
Running from: c:\combo-fix\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning enabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.\documents\settings
c:\documents and settings\All Users.\documents\settings\cbss.dll
c:\documents and settings\All Users\Documents\Settings\cbss.dll
c:\documents and settings\claire\Local Settings\Application Data\{A8D3F714-1F66-4D6A-9AB4-64163E1BE9E7}
c:\documents and settings\claire\Local Settings\Application Data\{A8D3F714-1F66-4D6A-9AB4-64163E1BE9E7}\chrome.manifest
c:\documents and settings\claire\Local Settings\Application Data\{A8D3F714-1F66-4D6A-9AB4-64163E1BE9E7}\chrome\content\_cfg.js
c:\documents and settings\claire\Local Settings\Application Data\{A8D3F714-1F66-4D6A-9AB4-64163E1BE9E7}\chrome\content\overlay.xul
c:\documents and settings\claire\Local Settings\Application Data\{A8D3F714-1F66-4D6A-9AB4-64163E1BE9E7}\install.rdf
c:\documents and settings\Graham\Application Data\Ewpoze\xiohn.exe
c:\documents and settings\Graham\Local Settings\Application Data\{3A059B48-5229-4745-815C-88714E636B01}
c:\documents and settings\Graham\Local Settings\Application Data\{3A059B48-5229-4745-815C-88714E636B01}\chrome.manifest
c:\documents and settings\Graham\Local Settings\Application Data\{3A059B48-5229-4745-815C-88714E636B01}\chrome\content\_cfg.js
c:\documents and settings\Graham\Local Settings\Application Data\{3A059B48-5229-4745-815C-88714E636B01}\chrome\content\overlay.xul
c:\documents and settings\Graham\Local Settings\Application Data\{3A059B48-5229-4745-815C-88714E636B01}\install.rdf
c:\program files\$NtUninstallWTF1012$
c:\program files\RegGenie
c:\program files\RegGenie\Backups\40359.8555179051
c:\program files\RegGenie\RegGenie.ini
c:\program files\RegGenie\RegGenieOnUninstall.exe
c:\windows\$NtUninstallMTF1011$
c:\windows\explorer(2).exe
c:\windows\settings.reg
c:\windows\uhedewiyohupo.dll

Infected copy of c:\windows\system32\drivers\avgtdix.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-06-08 to 2010-07-08 )))))))))))))))))))))))))))))))
.

2010-07-08 20:25 . 2010-07-08 20:25 -------- d-----w- c:\documents and settings\Graham\Application Data\AVG9
2010-07-01 20:29 . 2010-07-01 20:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-06-25 21:36 . 2010-06-25 21:36 -------- d-----w- c:\documents and settings\Graham\Application Data\uTorrent
2010-06-23 19:03 . 2010-06-28 14:07 -------- d-----w- c:\documents and settings\Graham\Local Settings\Application Data\mygcgob
2010-06-22 20:55 . 2010-06-28 14:09 -------- d-----w- c:\documents and settings\James\Local Settings\Application Data\sqdxnv
2010-06-20 15:47 . 2010-06-28 14:07 -------- d-----w- c:\documents and settings\Graham\Local Settings\Application Data\vybwaty
2010-06-20 15:23 . 2010-06-28 14:07 -------- d-----w- c:\documents and settings\Graham\Local Settings\Application Data\qeocdtp
2010-06-18 13:38 . 2010-06-28 14:07 -------- d-----w- c:\documents and settings\Graham\Local Settings\Application Data\rwjweetch
2010-06-18 06:18 . 2010-06-28 14:07 -------- d-----w- c:\documents and settings\Graham\Local Settings\Application Data\ydvohx
2010-06-17 19:20 . 2010-06-28 14:07 -------- d-----w- c:\documents and settings\Graham\Local Settings\Application Data\idhuatel
2010-06-17 12:52 . 2010-07-07 21:08 120 ----a-w- c:\windows\Dbidodu.dat
2010-06-17 12:52 . 2010-07-07 16:23 0 ----a-w- c:\windows\Xvedevube.bin
2010-06-17 12:52 . 2010-06-17 12:52 -------- d-----w- c:\documents and settings\James\Local Settings\Application Data\{45E829A9-41CC-41A6-9799-A7C37E7F754C}
2010-06-17 12:51 . 2010-06-28 14:09 -------- d-----w- c:\documents and settings\James\Local Settings\Application Data\fqkoqtfhl
2010-06-17 12:51 . 2010-06-17 12:51 50981 ----a-w- c:\windows\system32\qcttioebsgnpepj.exe
2010-06-17 12:50 . 2010-06-17 12:53 -------- d-----w- c:\documents and settings\James\Application Data\B16B6208DEA01B20762D9080A051C5D2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-08 21:18 . 2008-10-18 15:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2010-07-08 13:40 . 2008-09-25 13:18 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-08 13:34 . 2009-12-05 08:28 -------- d-----w- c:\documents and settings\James\Application Data\Xomei
2010-07-08 13:26 . 2010-01-18 20:31 -------- d-----w- c:\documents and settings\Graham\Application Data\Ewpoze
2010-07-07 16:23 . 2009-05-19 08:37 -------- d-----w- c:\documents and settings\James\Application Data\Feoxbe
2010-07-06 19:43 . 2009-05-20 05:30 -------- d-----w- c:\documents and settings\Graham\Application Data\Etdey
2010-07-06 15:51 . 2010-02-20 05:33 -------- d-----w- c:\documents and settings\James\Application Data\uTorrent
2010-07-03 17:25 . 2008-11-01 19:48 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-07-03 17:03 . 2008-09-03 14:36 64768 ----a-w- c:\documents and settings\James\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-29 19:40 . 2008-09-07 21:54 -------- d-----w- c:\program files\QuickTime
2010-06-29 19:31 . 2009-08-10 19:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-28 13:56 . 2008-09-07 21:56 -------- d-----w- c:\program files\iTunes
2010-06-27 18:49 . 2005-12-09 09:36 -------- d-----w- c:\program files\Sonic
2010-06-27 18:48 . 2005-12-09 09:36 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-06-27 18:01 . 2008-12-24 20:08 -------- d-----w- c:\program files\DNA
2010-06-27 17:57 . 2005-12-09 09:35 -------- d-----w- c:\program files\Dell Support
2010-06-26 20:52 . 2010-06-17 19:32 112 ----a-w- c:\documents and settings\All Users\Application Data\H38GMGLwl.dat
2010-06-22 20:55 . 2008-09-09 21:57 -------- d-----w- c:\documents and settings\James\Application Data\LimeWire
2010-06-20 16:07 . 2010-05-15 17:00 -------- d-----w- c:\documents and settings\Graham\Application Data\FileZilla
2010-06-09 08:00 . 2010-06-09 08:00 503808 ----a-w- c:\documents and settings\James\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-68a125a4-n\msvcp71.dll
2010-06-09 08:00 . 2010-06-09 08:00 499712 ----a-w- c:\documents and settings\James\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-68a125a4-n\jmc.dll
2010-06-09 08:00 . 2010-06-09 08:00 348160 ----a-w- c:\documents and settings\James\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-68a125a4-n\msvcr71.dll
2010-06-05 12:46 . 2008-08-08 20:59 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-05 12:46 . 2008-08-08 20:59 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-24 20:55 . 2010-05-24 20:55 -------- d-----w- c:\program files\FileZilla FTP Client
2010-05-15 16:49 . 2010-05-15 16:49 -------- d-----w- c:\program files\Free FTP
2010-05-04 17:20 . 2005-08-16 04:18 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2005-08-16 04:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2005-08-16 04:18 17408 ------w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2005-08-16 04:18 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2005-08-16 04:18 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-02-26 15:25 . 2010-02-26 15:25 604 ---ha-w- c:\program files\STLL Notifier
2008-09-03 14:36 . 2008-09-03 14:36 251 ---ha-w- c:\program files\wt3d.ini
.
Code:
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager .exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\CyberLink\PowerDVD\DVDLauncher .exe
c:\program files\Dell Support\DSAgnt .exe
c:\program files\DNA\btdna .exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\QuickTime\qttask                                                                                                                                                                                                                              .exe
c:\windows\UpdReg .exe
c:\windows\ehome\ehtray .exe
c:\windows\system32\CTXFIHLP .exe
c:\windows\system32\rundll32 .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 09:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2006-08-04 25600]
"BitTorrent DNA"="c:\program files\DNA\btdna .exe" [2009-11-12 323392]
"AdobeBridge"="" [N/A]
"{5A0B78FB-EF7E-927A-8F43-343C5371ED19}"="c:\documents and settings\Graham\Application Data\Ewpoze\xiohn.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"P17Helper"="P17.dll" [2004-06-10 60928]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-12-09 26112]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
"CTHelper"="CTHELPER.EXE" [2006-08-04 17920]
"CTxfiHlp"="CTXFIHLP.EXE" [N/A]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2009-08-03 1626112]
"skb"="qeimqdty.dll" [N/A]
"Uqunomu"="c:\windows\uhedewiyohupo.dll" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-8-18 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-9 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-3-22 65588]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-16 17:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna .exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [08/08/2008 21:59 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [08/08/2008 21:59 242896]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [16/03/2010 18:47 308064]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [05/08/2009 13:49 284016]
R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\SymcPCCULaunchSvc.exe [20/12/2009 13:01 103280]
R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe [20/12/2009 13:01 126392]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [03/02/2010 22:15 135664]
S3 Osstotrnn;Osstotrnn; [x]
S3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\system32\drivers\pixmcvc.sys [06/04/2009 12:21 32000]
S3 PIXMCVA;JVC PIX-MCV Audio Capture;c:\windows\system32\drivers\pixmcva.sys [10/04/2009 15:21 27961]
S3 PIXMCVV;JVC PIX-MCV Video Capture;c:\windows\system32\drivers\pixmcvv.sys [10/04/2009 15:21 20953]
.
Contents of the 'Scheduled Tasks' folder

2010-07-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2010-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 21:15]

2010-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 21:15]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:1040
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Graham\Application Data\Mozilla\Firefox\Profiles\zjxqfrxg.default\
FF - prefs.js: browser.search.selectedengine - Google
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 1040
FF - prefs.js: network.proxy.type - 1
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {45E829A9-41CC-41A6-9799-A7C37E7F754C} - c:\documents and settings\James\Local Settings\Application Data\{45E829A9-41CC-41A6-9799-A7C37E7F754C}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-BitTorrent DNA - c:\program files\DNA\btdna.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-08 22:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PCCUJobMgr]
"ImagePath"=""c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe" /s "PCCUJobMgr" /m "c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\diMaster.dll" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3730413843-1403681469-2399024052-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(3092)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.EXE
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Rundll32.exe
c:\program files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
c:\windows\system32\dllhost.exe
c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\hsplayer.exe
.
**************************************************************************
.
Completion time: 2010-07-08 22:29:28 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-08 21:29
ComboFix2.txt 2009-08-21 20:44

Pre-Run: 51,105,157,120 bytes free
Post-Run: 55,658,446,848 bytes free

- - End Of File - - FB57E7A2FCA35379663A15963410225B

Swerdna

Newbie Surfer

Posts : 39
Joined : 2009-08-09
Operating System : XP



Re: AV Security Suite

Post by Belahzur on Fri 09 Jul 2010, 8:51 am

Hello.

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Next,

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    KILLALL::

    File::
    c:\windows\Dbidodu.dat
    c:\windows\Xvedevube.bin
    c:\windows\system32\qcttioebsgnpepj.exe

    Folder::
    c:\documents and settings\Graham\Local Settings\Application Data\mygcgob
    c:\documents and settings\James\Local Settings\Application Data\sqdxnv
    c:\documents and settings\Graham\Local Settings\Application Data\vybwaty
    c:\documents and settings\Graham\Local Settings\Application Data\qeocdtp
    c:\documents and settings\Graham\Local Settings\Application Data\rwjweetch
    c:\documents and settings\Graham\Local Settings\Application Data\ydvohx
    c:\documents and settings\Graham\Local Settings\Application Data\idhuatel
    c:\documents and settings\James\Local Settings\Application Data\fqkoqtfhl
    c:\documents and settings\James\Application Data\B16B6208DEA01B20762D9080A051C5D2
    c:\documents and settings\James\Application Data\Xomei
    c:\documents and settings\Graham\Application Data\Ewpoze
    c:\documents and settings\James\Application Data\Feoxbe
    c:\documents and settings\Graham\Application Data\Etdey

    RenV::
    c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
    c:\program files\AVG\AVG9\avgtray .exe
    c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager .exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier .exe
    c:\program files\Common Files\InstallShield\UpdateService\issch .exe
    c:\program files\CyberLink\PowerDVD\DVDLauncher .exe
    c:\program files\Dell Support\DSAgnt .exe
    c:\program files\DNA\btdna .exe
    c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
    c:\program files\iTunes\iTunesHelper .exe
    c:\program files\Java\jre6\bin\jusched .exe
    c:\program files\Malwarebytes' Anti-Malware\mbam .exe
    c:\program files\Messenger\msmsgs .exe
    c:\program files\QuickTime\qttask                                                                                                                                                                                                                              .exe
    c:\windows\UpdReg .exe
    c:\windows\ehome\ehtray .exe
    c:\windows\system32\CTXFIHLP .exe
    c:\windows\system32\rundll32 .exe

    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BitTorrent DNA"=-
    "AdobeBridge"=-
    "{5A0B78FB-EF7E-927A-8F43-343C5371ED19}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"=-
    "skb"=-
    "Uqunomu"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\DNA\\btdna .exe"=-

    Driver::
    Osstotrnn

    DDS::
    uInternet Settings,ProxyOverride =
    uInternet Settings,ProxyServer = http=127.0.0.1:1040

    Firefox::
    FF - ProfilePath - c:\documents and settings\Graham\Application Data\Mozilla\Firefox\Profiles\zjxqfrxg.default\
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 1040
    FF - prefs.js: network.proxy.type - 1

    Reboot::
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre


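The CFScript above was written by hand from the ComboFix log: each Registry::, RenV::, Driver::, DDS:: and Firefox:: entry answers a specific line in that log. As an added example that is not part of this thread and not a ComboFix component, the Python script below makes that mapping explicit. It scans ComboFix-style log text for the indicator types the CFScript acts on (autorun values whose target is reported as [N/A] or [X] or carries a space before ".exe", a firewall exception for such a renamed file, path lines with the same spaced rename, a service whose file is gone, reported as [x], and IE or Firefox proxy settings pointing at 127.0.0.1) and prints them in the CFScript section syntax. The regexes are written against the line formats visible in this thread, the function names triage and build_cfscript and the bucket names are my own, and SAMPLE_LOG is constructed from lines taken from the logs posted here.

```python
"""Added triage helper for ComboFix-style log text; it is not part of the
thread and not a ComboFix component.  It flags the indicator types the
CFScript in the thread acts on and renders them in that script's section
syntax.  SAMPLE_LOG is constructed from the thread's own log lines."""
import re
from typing import Dict

KEY = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# "name"="target" [flag]: flag is date+size when ComboFix could read the
# file, [N/A] or [X] when it could not find it
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)" \[(?P<flag>[^\]]*)\]$')
FW_VALUE = re.compile(r'^"(?P<name>[^"]+)"=$')            # firewall allow-list entry
SPACED_IN = re.compile(r'\S\s+\.exe\b', re.IGNORECASE)     # "btdna .exe" style rename
SPACED_EXE = re.compile(r'^[a-z]:\\.*\S\s+\.exe$', re.IGNORECASE)
DEAD_SVC = re.compile(r'^[SR]\d (?P<svc>[^;]+);[^;]*; \[x\]$')   # service, no file
IE_LOOPBACK = re.compile(r'^uInternet Settings,ProxyServer = \S*127\.0\.0\.1:\d+$')
FF_PROXY = re.compile(r'^FF - (ProfilePath - |prefs\.js: network\.proxy\.)')


def triage(log_text: str) -> Dict[str, list]:
    """Bucket suspicious log lines by the CFScript section that would act on them."""
    found: Dict[str, list] = {"registry": [], "renv": [], "driver": [],
                              "dds": [], "firefox": []}
    current_key, ie_lines, ff_lines = "", [], []
    ie_loopback = ff_loopback = False
    for raw in log_text.splitlines():
        line = raw.rstrip()          # spaces sit before ".exe", never at line end
        if m := KEY.match(line):
            current_key = m.group("key")
        elif (m := RUN_VALUE.match(line)) and current_key.lower().endswith("\\run"):
            # target missing, unreadable, or renamed with a space before .exe
            if m.group("flag") in ("N/A", "X") or SPACED_IN.search(m.group("target")):
                found["registry"].append((current_key, m.group("name")))
        elif (m := FW_VALUE.match(line)) and SPACED_IN.search(m.group("name")):
            found["registry"].append((current_key, m.group("name")))  # firewall hole
        elif SPACED_EXE.match(line):
            found["renv"].append(line)
        elif m := DEAD_SVC.match(line):
            found["driver"].append(m.group("svc"))
        elif line.startswith("uInternet Settings,Proxy"):
            ie_lines.append(line)
            ie_loopback = ie_loopback or bool(IE_LOOPBACK.match(line))
        elif FF_PROXY.match(line):
            ff_lines.append(line)
            ff_loopback = ff_loopback or line.endswith("network.proxy.http - 127.0.0.1")
    # A proxy on 127.0.0.1 puts a local process between the browser and the
    # network; only then are the proxy lines worth resetting.
    if ie_loopback:
        found["dds"] = ie_lines
    if ff_loopback:
        found["firefox"] = ff_lines
    return found


def build_cfscript(found: Dict[str, list]) -> str:
    """Render findings in the section syntax of the script posted in the thread."""
    parts = ["KILLALL::"]
    if found["renv"]:
        parts.append("RenV::\n" + "\n".join(found["renv"]))
    if found["registry"]:
        lines, last_key = [], None
        for key, name in found["registry"]:
            if key != last_key:
                lines.append(f"[{key}]")
                last_key = key
            lines.append(f'"{name}"=-')
        parts.append("Registry::\n" + "\n".join(lines))
    for section, bucket in (("Driver", "driver"), ("DDS", "dds"), ("Firefox", "firefox")):
        if found[bucket]:
            parts.append(f"{section}::\n" + "\n".join(found[bucket]))
    parts.append("Reboot::")
    return "\n\n".join(parts) + "\n"


# Constructed sample: a subset of the lines from the logs in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna .exe" [2009-11-12 323392]
"AdobeBridge"="" [N/A]
"{5A0B78FB-EF7E-927A-8F43-343C5371ED19}"="c:\documents and settings\Graham\Application Data\Ewpoze\xiohn.exe" [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"skb"="qeimqdty.dll" [N/A]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DNA\\btdna .exe"=
c:\program files\DNA\btdna .exe
c:\windows\system32\rundll32 .exe
S3 Osstotrnn;Osstotrnn; [x]
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:1040
FF - ProfilePath - c:\documents and settings\Graham\Application Data\Mozilla\Firefox\Profiles\zjxqfrxg.default\
FF - prefs.js: browser.search.selectedengine - Google
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 1040
FF - prefs.js: network.proxy.type - 1
"""

if __name__ == "__main__":
    print(build_cfscript(triage(SAMPLE_LOG)))
```

Run it and compare the printed script with the one in the post above: the Registry::, RenV::, Driver::, DDS:: and Firefox:: entries line up, and the clean "Conime" autorun is left alone. Two things the patterns do not give you: the File:: and Folder:: entries (random-named items under Application Data) come from reading the file listings rather than from a line format, and the proxy sections only make sense once you notice that both IE and Firefox were sending HTTP through 127.0.0.1:1040, a listener on the machine itself, which fits the redirected searches reported at the top of the thread. Treat the generated script as a reading aid for whoever reviews the log, not as something to drag onto ComboFix unreviewed.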

Re: AV Security Suite

Post by Swerdna on Sun 11 Jul 2010, 7:49 am

Belahzur

When GooredFix was running the window read
Scanning for Goored fix - done
Scanning for Wareout
Then a Windows message popped up: 'GooredFix has encountered a problem and needed to close.'

I tried this 3 times but got the same result each time.

Then I ran Combo-Fix with the text data you sent. During Combo-Fix's initial run a Windows message appeared: Windows File Protection - files have been replaced by unrecognised versions; Windows must restore the original version; insert your CD. Then a little later: Windows application error - exception Privileged instruction. Combo-Fix ran to termination and rebooted. Log file below.

ComboFix 10-07-07.02 - Graham 10/07/2010 21:18:24.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.440 [GMT 1:00]
Running from: c:\combo-fix\Combo-Fix.exe
Command switches used :: c:\combo-fix\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning enabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\Dbidodu.dat"
"c:\windows\system32\qcttioebsgnpepj.exe"
"c:\windows\Xvedevube.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Graham\Application Data\Etdey
c:\documents and settings\Graham\Application Data\Ewpoze
c:\documents and settings\Graham\Local Settings\Application Data\idhuatel
c:\documents and settings\Graham\Local Settings\Application Data\mygcgob
c:\documents and settings\Graham\Local Settings\Application Data\qeocdtp
c:\documents and settings\Graham\Local Settings\Application Data\rwjweetch
c:\documents and settings\Graham\Local Settings\Application Data\vybwaty
c:\documents and settings\Graham\Local Settings\Application Data\ydvohx
c:\documents and settings\James\Application Data\B16B6208DEA01B20762D9080A051C5D2
c:\documents and settings\James\Application Data\Feoxbe
c:\documents and settings\James\Application Data\Xomei
c:\documents and settings\James\Local Settings\Application Data\fqkoqtfhl
c:\documents and settings\James\Local Settings\Application Data\sqdxnv
c:\windows\Dbidodu.dat
c:\windows\system32\qcttioebsgnpepj.exe
c:\windows\Xvedevube.bin

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Osstotrnn


((((((((((((((((((((((((( Files Created from 2010-06-10 to 2010-07-10 )))))))))))))))))))))))))))))))
.

2010-07-08 20:25 . 2010-07-08 20:25 -------- d-----w- c:\documents and settings\Graham\Application Data\AVG9
2010-07-01 20:29 . 2010-07-01 20:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-06-25 21:36 . 2010-06-25 21:36 -------- d-----w- c:\documents and settings\Graham\Application Data\uTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-10 20:30 . 2008-10-18 15:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2010-07-10 20:29 . 2008-09-07 21:54 -------- d-----w- c:\program files\QuickTime
2010-07-10 20:18 . 2009-08-10 19:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-10 20:18 . 2008-12-24 20:08 -------- d-----w- c:\program files\DNA
2010-07-10 20:18 . 2008-09-07 21:56 -------- d-----w- c:\program files\iTunes
2010-07-10 20:18 . 2005-12-09 09:35 -------- d-----w- c:\program files\Dell Support
2010-07-09 18:35 . 2008-11-01 19:48 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-07-08 13:40 . 2008-09-25 13:18 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-06 15:51 . 2010-02-20 05:33 -------- d-----w- c:\documents and settings\James\Application Data\uTorrent
2010-07-03 17:03 . 2008-09-03 14:36 64768 ----a-w- c:\documents and settings\James\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-27 18:49 . 2005-12-09 09:36 -------- d-----w- c:\program files\Sonic
2010-06-27 18:48 . 2005-12-09 09:36 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-06-26 20:52 . 2010-06-17 19:32 112 ----a-w- c:\documents and settings\All Users\Application Data\H38GMGLwl.dat
2010-06-22 20:55 . 2008-09-09 21:57 -------- d-----w- c:\documents and settings\James\Application Data\LimeWire
2010-06-20 16:07 . 2010-05-15 17:00 -------- d-----w- c:\documents and settings\Graham\Application Data\FileZilla
2010-06-09 08:00 . 2010-06-09 08:00 503808 ----a-w- c:\documents and settings\James\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-68a125a4-n\msvcp71.dll
2010-06-09 08:00 . 2010-06-09 08:00 499712 ----a-w- c:\documents and settings\James\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-68a125a4-n\jmc.dll
2010-06-09 08:00 . 2010-06-09 08:00 348160 ----a-w- c:\documents and settings\James\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-68a125a4-n\msvcr71.dll
2010-06-05 12:46 . 2008-08-08 20:59 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-05 12:46 . 2008-08-08 20:59 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-24 20:55 . 2010-05-24 20:55 -------- d-----w- c:\program files\FileZilla FTP Client
2010-05-15 16:49 . 2010-05-15 16:49 -------- d-----w- c:\program files\Free FTP
2010-05-04 17:20 . 2005-08-16 04:18 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2005-08-16 04:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2005-08-16 04:18 17408 ------w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2005-08-16 04:18 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2005-08-16 04:18 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-02-26 15:25 . 2010-02-26 15:25 604 ---ha-w- c:\program files\STLL Notifier
2008-09-03 14:36 . 2008-09-03 14:36 251 ---ha-w- c:\program files\wt3d.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 09:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2006-08-04 25600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2004-06-10 60928]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-12-09 26112]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
"CTHelper"="CTHELPER.EXE" [2006-08-04 17920]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-03-02 18944]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2009-08-03 1626112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-8-18 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-9 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-3-22 65588]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-16 17:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [08/08/2008 21:59 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [08/08/2008 21:59 242896]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [16/03/2010 18:47 308064]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [05/08/2009 13:49 284016]
R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\SymcPCCULaunchSvc.exe [20/12/2009 13:01 103280]
R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe [20/12/2009 13:01 126392]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [03/02/2010 22:15 135664]
S3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\system32\drivers\pixmcvc.sys [06/04/2009 12:21 32000]
S3 PIXMCVA;JVC PIX-MCV Audio Capture;c:\windows\system32\drivers\pixmcva.sys [10/04/2009 15:21 27961]
S3 PIXMCVV;JVC PIX-MCV Video Capture;c:\windows\system32\drivers\pixmcvv.sys [10/04/2009 15:21 20953]
.
Contents of the 'Scheduled Tasks' folder

2010-07-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2010-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 21:15]

2010-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 21:15]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Graham\Application Data\Mozilla\Firefox\Profiles\zjxqfrxg.default\
FF - prefs.js: browser.search.selectedengine - Google
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-qcttioebsgnpepj - c:\windows\system32\qcttioebsgnpepj.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-10 21:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PCCUJobMgr]
"ImagePath"=""c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe" /s "PCCUJobMgr" /m "c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\diMaster.dll" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3730413843-1403681469-2399024052-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(3124)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.EXE
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Rundll32.exe
c:\program files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
.
**************************************************************************
.
Completion time: 2010-07-10 21:38:28 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-10 20:38
ComboFix2.txt 2010-07-08 21:29
ComboFix3.txt 2009-08-21 20:44

Pre-Run: 55,544,598,528 bytes free
Post-Run: 55,499,468,800 bytes free

- - End Of File - - 79B1A331A788A4F5F4DBF5640AB1C223


Swerdna

Newbie Surfer

Posts : 39
Joined : 2009-08-09
Operating System : XP

Re: AV Security Suite

Post by Belahzur on Sun 11 Jul 2010, 8:05 am

Hello.
Good work, don't worry about those errors, CFScript ran fine. Okay, before we call this to a close, just a few more things to do now.

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


@RealBelahzur - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: AV Security Suite

Post by Swerdna on Thu 15 Jul 2010, 7:42 am

Belahzur

Output from HiJackThis as requested

924PLC32
ABBYY FineReader 6.0 Sprint
Adobe Acrobat - Reader 6.0.2 Update
Adobe AIR
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe Dynamiclink Support
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash CS4
Adobe Flash CS4 Extension - Flash Lite STI en
Adobe Flash CS4 Professional
Adobe Flash CS4 STI-en
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Linguistics CS4
Adobe Media Encoder CS4
Adobe Media Encoder CS4 Importer
Adobe Media Encoder CS4 Importer
Adobe Media Player
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS
Adobe Reader 6.0.1
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Setup
Adobe Shockwave Player 11
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
aiofw
aiofw
aioocr
aioprnt
aioprnt
aioscnnr
aioscnnr
AmpliTube LE
Apple Mobile Device Support
Apple Software Update
ARTEuro
ATI Control Panel
ATI Display Driver
AVG Free 9.0
Bonjour
Cakewalk VST Adapter 4
CCleaner
center
center
Compatibility Pack for the 2007 Office system
Conexant D850 56K V.9x DFVc Modem
Connect
Critical Update for Windows Media Player 11 (KB959772)
Dell Driver Reset Tool
Dell Picture Studio v3.0
Dell Support 5.0.0 (630)
Digital Audio System
Digital Line Detect
Digital Photo Navigator 1.0
discWelder BRONZE (E-MU)
DreamStation DXi2
ESPNMotion
FileZilla Client 3.3.2.1
GEAR 32bit Driver Installer
GemMaster Mystic
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
Help_CTR
helptut
helpug
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
ImageMixer
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
iTunes
Jasc Paint Shop Pro Studio, Dell Editon
Java 2 Runtime Environment, SE v1.4.2_03
Java DB 10.4.2.1
Java(TM) 6 Update 14
Java(TM) 6 Update 7
Java(TM) SE Development Kit 6 Update 14
KODAK AiO Home Center
KODAK All-in-One Printer Software
ksdip
ksDIP
kuler
Learn2 Player (Uninstall Only)
Live 4.1.5
Malwarebytes' Anti-Malware
MCU
Media Player Codec Pack 3.3.1
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MicroStaff WINASPI
Modem Helper
Mozilla Firefox (3.6)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MuseScore 0.9 MuseScore score typesetter
MyWay Search Assistant
netbrdg
NetWaiting
Norton PC Checkup
Ogg Codecs 0.81.15562
Otto
PDF Settings CS4
Photoshop Camera Raw
Pixel Bender Toolkit
PowerDVD 5.5
PreReq
Proteus X LE
QuickTime
RealPlayer Basic
Search Settings 1.2
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
SFR
Sibelius 5
SONAR LE
Sonic Encoders
Sound Blaster Live! 24-bit
Steinberg Cubase LE
Suite Shared Configuration CS4
T-RackS EQ
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
Viewpoint Media Player
WaveLab Lite
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows Media Player 11
Windows Search 4.0
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3


Swerdna

Newbie Surfer

Posts : 39
Joined : 2009-08-09
Operating System : XP

Re: AV Security Suite

Post by Belahzur on Thu 15 Jul 2010, 9:54 am

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Java 2 Runtime Environment, SE v1.4.2_03
    Java DB 10.4.2.1
    Java(TM) 6 Update 14
    Java(TM) 6 Update 7
    Java(TM) SE Development Kit 6 Update 14
    MyWay Search Assistant
    Viewpoint Media Player

Updating Java:

  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 20.
  • Click the "Download JRE" button to the right.
  • In the Window that opens, select your platform, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe that you downloaded to install the newest version.



Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

Run ESET Online Scan
Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.




Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre
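A small triage script for the uninstall list format used above, added here as an example and not part of the thread, of HijackThis or of ComboFix: it reads the one-program-per-line listing, flags every Java runtime or JDK older than the 6 Update 20 the helper points to (generalising beyond the five Java entries named in the post), and flags the other programs the helper listed for removal. The sample listing is a constructed excerpt of the posted list; the current-version constant and the unwanted-names set are taken from the helper's post.

```python
import re

# Constructed excerpt of the HijackThis uninstall list posted in the thread
SAMPLE_UNINSTALL_LIST = """\
Adobe Reader 6.0.1
Java 2 Runtime Environment, SE v1.4.2_03
Java DB 10.4.2.1
Java(TM) 6 Update 14
Java(TM) 6 Update 7
Java(TM) SE Development Kit 6 Update 14
Malwarebytes' Anti-Malware
MyWay Search Assistant
Viewpoint Media Player
Windows XP Service Pack 3
"""

# Newest JRE at the time of the thread (the helper's "6 Update 20")
CURRENT_JAVA = (6, 20)

# Non-runtime entries the helper told the poster to remove
UNWANTED = {"MyWay Search Assistant", "Viewpoint Media Player", "Java DB 10.4.2.1"}

# "Java(TM) 6 Update 14" / "Java(TM) SE Development Kit 6 Update 14"
JAVA_RE = re.compile(r"^Java(?:\(TM\))? (?:SE Development Kit )?(\d+) Update (\d+)$")
# Pre-Java-5 naming: "Java 2 Runtime Environment, SE v1.4.2_03"
LEGACY_JAVA_RE = re.compile(r"^Java 2 Runtime Environment, SE v(\d+)\.(\d+)")


def java_version(name):
    """Return (major, update) for a Java runtime/JDK entry, or None otherwise."""
    m = JAVA_RE.match(name)
    if m:
        return int(m.group(1)), int(m.group(2))
    m = LEGACY_JAVA_RE.match(name)
    if m:
        # "1.4.2" style naming: the major version is the second component
        return int(m.group(2)), 0
    return None


def review(listing, current=CURRENT_JAVA, unwanted=UNWANTED):
    """Return the entries to remove: superseded Java installs plus known unwanted programs."""
    remove = []
    for line in listing.splitlines():
        name = line.strip()
        if not name:
            continue
        ver = java_version(name)
        if name in unwanted or (ver is not None and ver < current):
            remove.append(name)
    return remove


if __name__ == "__main__":
    for name in review(SAMPLE_UNINSTALL_LIST):
        print("remove:", name)
```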

Re: AV Security Suite

Post by Swerdna on Sat 24 Jul 2010, 8:39 pm

Belahzur

Followed instructions above. ESET scan found 40+ threats, however there wasn't a 'Scan unwanted applications' option. All seems well now. Many thanks for your fantastic service.

Swerdna

Newbie Surfer

Posts : 39
Joined : 2009-08-09
Operating System : XP
