« previous next »
Pages: [1]

Author Topic: Other friends comp got sick  (Read 462 times)

Offline resevil83

  • Full Member
  • ***
  • Posts: 189
  • Karma: +0/-0
    • View Profile
Other friends comp got sick
« on: August 01, 2010, 05:20:21 PM »
So my friend had some weird virus protection pop-up jazz going on. I did a combofix scan and a malware bytes scan in safemode. The malware bytes didn't find anything.

Here is the hijack log and combo log.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:19:46 PM, on 8/1/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BitZipperSearch Toolbar - {97bceb59-cfcd-4b16-a863-b3f72cf9f196} - C:\Program Files\BitZipperSearch\tbBit0.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: BitZipperSearch Toolbar - {97bceb59-cfcd-4b16-a863-b3f72cf9f196} - C:\Program Files\BitZipperSearch\tbBit0.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Owner\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Owner\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O9 - Extra button: UB - {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} - C:\Documents and Settings\Owner\Start Menu\Programs\UB\UB.lnk (HKCU)
O9 - Extra 'Tools' menuitem: UB - {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} - C:\Documents and Settings\Owner\Start Menu\Programs\UB\UB.lnk (HKCU)
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) - https://forms.mlbcontrol.net/forms/jinitiator/jinit.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

--
End of file - 6824 bytes




ComboFix 10-07-31.04 - Owner 08/01/2010  16:36:00.2.1 - x86 NETWORK
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.894.686 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\desktop.ini
c:\documents and settings\Owner\Application Data\EurekaLog
c:\documents and settings\Owner\Local Settings\Application Data\xvdhfkpwh
c:\documents and settings\Owner\Local Settings\Application Data\xvdhfkpwh\fjfdjnatssd.exe
c:\program files\Pe
c:\program files\Pe\AEGAXS.dll
c:\program files\Pe\App.ico
c:\program files\Pe\BPData.dll
c:\program files\Pe\CageDLL.dll
c:\program files\Pe\Configs.xml
c:\program files\Pe\dnscache.dll
c:\program files\Pe\FTData.dll
c:\program files\Pe\HuD.xml
c:\program files\Pe\HudMoveDLL.dll
c:\program files\Pe\iexplore.exe
c:\program files\Pe\iexplore.exe.config
c:\program files\Pe\Interop.VXPLibrary.dll
c:\program files\Pe\Lib\accllistbar.dll
c:\program files\Pe\Lib\AxInterop.SHDocVw.dll
c:\program files\Pe\Lib\Infragistics.Shared.v3.2.dll
c:\program files\Pe\Lib\Infragistics.UltraChart.Core.v4.1.dll
c:\program files\Pe\Lib\Infragistics.UltraChart.Data.v4.1.dll
c:\program files\Pe\Lib\Infragistics.UltraChart.Render.v4.1.dll
c:\program files\Pe\Lib\Infragistics.UltraChart.Resources.v4.1.dll
c:\program files\Pe\Lib\Infragistics.Win.Misc.v3.2.dll
c:\program files\Pe\Lib\Infragistics.Win.UltraWinChart.v4.1.dll
c:\program files\Pe\Lib\Infragistics.Win.UltraWinDock.v3.2.dll
c:\program files\Pe\Lib\Infragistics.Win.UltraWinEditors.v3.2.dll
c:\program files\Pe\Lib\Infragistics.Win.UltraWinListBar.v3.2.dll
c:\program files\Pe\Lib\Infragistics.Win.UltraWinTabControl.v3.2.dll
c:\program files\Pe\Lib\Infragistics.Win.UltraWinToolbars.v3.2.dll
c:\program files\Pe\Lib\Infragistics.Win.v3.2.dll
c:\program files\Pe\Lib\Interop.SHDocVw.dll
c:\program files\Pe\Lib\MessageBoxExLib.dll
c:\program files\Pe\Lib\pecomm.dll
c:\program files\Pe\Lib\PokerHUD.dll
c:\program files\Pe\Lib\shellstyle.dll
c:\program files\Pe\Lib\xpexplorerbar.dll
c:\program files\Pe\License.txt
c:\program files\Pe\Lobby Edge\Interop.VXPLibrary.dll
c:\program files\Pe\Lobby Edge\LobbyEdge.exe
c:\program files\Pe\Lobby Edge\LobbyEdge.exe.config
c:\program files\Pe\Lobby Edge\rules.ini
c:\program files\Pe\Lobby Edge\SpHeader.dll
c:\program files\Pe\Lobby Edge\tfplugin_interface_library.dll
c:\program files\Pe\Lobby Edge\VXPLib.dll
c:\program files\Pe\Lobby Edge\XPExplorerBar.dll
c:\program files\Pe\Notes.xml
c:\program files\Pe\NTGA11X.dll
c:\program files\Pe\PE4Hud.dll
c:\program files\Pe\Readme.txt
c:\program files\Pe\S_MinerX.exe
c:\program files\Pe\Settings.xml
c:\program files\Pe\TPData.dll
c:\program files\Pe\VXPLib.dll

.
(((((((((((((((((((((((((   Files Created from 2010-07-01 to 2010-08-01  )))))))))))))))))))))))))))))))
.

2010-07-16 13:44 . 2010-07-16 13:44   --------   d-----w-   c:\program files\Oracle
2010-07-16 13:44 . 2005-04-05 09:38   36962   ------w-   c:\windows\system32\ActPanel.dll
2010-07-14 03:47 . 2010-06-14 14:31   744448   -c----w-   c:\windows\system32\dllcache\helpsvc.exe
2010-07-04 05:14 . 2010-07-01 18:51   43008   ----a-w-   c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7invx9rj.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-07-04 05:14 . 2010-07-01 18:51   338944   ----a-w-   c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7invx9rj.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-07-04 05:14 . 2010-07-01 18:51   346112   ----a-w-   c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7invx9rj.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-07-04 05:14 . 2010-07-01 18:52   1496064   ----a-w-   c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7invx9rj.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-30 22:10 . 2009-11-06 08:00   --------   d-----w-   c:\program files\UltimateBet
2010-07-23 15:38 . 2010-04-28 16:44   --------   d-----w-   c:\documents and settings\Owner\Application Data\vlc
2010-07-16 13:44 . 2006-02-15 12:10   --------   d--h--w-   c:\program files\InstallShield Installation Information
2010-06-23 17:36 . 2010-06-23 17:36   50354   ----a-w-   c:\documents and settings\Owner\Application Data\Facebook\uninstall.exe
2010-06-23 17:36 . 2010-06-23 17:36   --------   d-----w-   c:\documents and settings\Owner\Application Data\Facebook
2010-06-14 14:31 . 2005-01-10 01:09   744448   ----a-w-   c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-10 13:54 . 2009-09-22 05:36   --------   d-----w-   c:\program files\Microsoft Silverlight
2010-06-10 13:31 . 2007-11-21 19:42   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-09 10:45 . 2010-06-09 10:45   5591040   ----a-w-   c:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-05-06 10:41 . 2005-01-09 23:48   916480   ----a-w-   c:\windows\system32\wininet.dll
2010-05-04 08:10 . 2010-05-04 08:10   159744   ----a-w-   c:\documents and settings\Owner\Application Data\UB\DownLoadInst\liveupdate.exe
2007-08-16 17:10 . 2007-08-16 17:10   774144   ----a-w-   c:\program files\RngInterstitial.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97bceb59-cfcd-4b16-a863-b3f72cf9f196}]
2010-06-29 16:46   2515552   ----a-w-   c:\program files\BitZipperSearch\tbBit0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
"{97bceb59-cfcd-4b16-a863-b3f72cf9f196}"= "c:\program files\BitZipperSearch\tbBit0.dll" [2010-06-29 2515552]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{97bceb59-cfcd-4b16-a863-b3f72cf9f196}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
"{97BCEB59-CFCD-4B16-A863-B3F72CF9F196}"= "c:\program files\BitZipperSearch\tbBit0.dll" [2010-06-29 2515552]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{97bceb59-cfcd-4b16-a863-b3f72cf9f196}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-06-19 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-09 2048352]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-5-22 139776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-24 13:05   11952   ----a-w-   c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140006624\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140006624\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140006624\\EE\\aim6.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/16/2009 2:37 PM 108552]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/16/2009 2:37 PM 335240]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/22/2009 12:20 PM 297752]
.
Contents of the 'Scheduled Tasks' folder

2010-07-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} - hxxps://forms.mlbcontrol.net/forms/jinitiator/jinit.exe
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7invx9rj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1304867&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1304867&SearchSource=2&q=
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7invx9rj.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7invx9rj.default\extensions\{97bceb59-cfcd-4b16-a863-b3f72cf9f196}\components\FFExternalAlert.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJinit13122.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Desktop Software - c:\program files\Common Files\SupportSoft\bin\bcont.exe
HKCU-Run-xkwobbuo - c:\documents and settings\Owner\Local Settings\Application Data\xvdhfkpwh\fjfdjnatssd.exe
HKLM-Run-xkwobbuo - c:\documents and settings\Owner\Local Settings\Application Data\xvdhfkpwh\fjfdjnatssd.exe
AddRemove-CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1 - c:\program files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1\HXFSETUP.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-01 16:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-08-01  16:41:21
ComboFix-quarantined-files.txt  2010-08-01 21:41

Pre-Run: 95,686,262,784 bytes free
Post-Run: 95,688,257,536 bytes free

- - End Of File - - 4192139B6256A9CA72BEE2EE10D8C459
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Other friends comp got sick
« Reply #1 on: August 02, 2010, 12:53:14 PM »
Can you do the following please
Download DDS and save it to your desktop from [color="#FF0000"]here[/color]
Disable any script blocker, and then double click  on dds.scr and run it
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to this topic.
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline mengskx

  • Full Member
  • ***
  • Posts: 174
  • Karma: +0/-0
    • View Profile
Other friends comp got sick
« Reply #2 on: August 24, 2010, 12:14:12 AM »
ComboFix 10-08-18.04 - Mengsk 08/19/2010  23:45:06.1.4 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3326.2123 [GMT -5:00]
Running from: c:\users\Mengsk\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
ADS - Windows: deleted 72 bytes in 1 streams.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Mengsk\AppData\Local\Windows Server
c:\users\Mengsk\AppData\Local\Windows Server\admin.txt
c:\users\Mengsk\AppData\Local\Windows Server\flags.ini
c:\users\Mengsk\AppData\Local\Windows Server\hlp.dat
c:\users\Mengsk\AppData\Local\Windows Server\server.dat
c:\users\Mengsk\AppData\Local\Windows Server\uses32.dat
c:\users\Mengsk\AppData\Roaming\5D9D82DF7469F71EBD1AFDEC4BC901CE
c:\users\Mengsk\AppData\Roaming\5D9D82DF7469F71EBD1AFDEC4BC901CE\enemies-names.txt
c:\users\Mengsk\AppData\Roaming\5D9D82DF7469F71EBD1AFDEC4BC901CE\local.ini
c:\users\Mengsk\AppData\Roaming\5D9D82DF7469F71EBD1AFDEC4BC901CE\newsecureapp70700.exe
c:\users\Mengsk\AppData\Roaming\inst.exe
c:\users\Mengsk\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Antimalware Doctor.lnk
c:\users\Mengsk\AppData\Roaming\Microsoft\Windows\Start Menu\Antimalware Doctor.lnk
c:\users\Mengsk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antimalware Doctor
c:\users\Mengsk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk
c:\users\Mengsk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk
c:\users\Mengsk\AppData\Roaming\Microsoft\Windows\Templates\memory.tmp
c:\users\Mengsk\Desktop\Antimalware Doctor.lnk
D:\install.exe

.
(((((((((((((((((((((((((   Files Created from 2010-07-20 to 2010-08-20  )))))))))))))))))))))))))))))))
.

2010-08-20 04:51 . 2010-08-20 04:51   --------   d-----w-   c:\users\Mengsk\AppData\Local\temp
2010-08-20 04:41 . 2010-08-20 04:41   --------   d-----w-   C:\32788R22FWJFW
2010-08-19 22:44 . 2010-08-20 03:55   --------   d-----w-   c:\users\Mengsk\AppData\Local\Windows
2010-08-15 01:41 . 2010-08-15 01:41   --------   d-----w-   c:\windows\LastGood
2010-08-12 20:14 . 2010-06-16 16:04   905088   ----a-w-   c:\windows\system32\drivers\tcpip.sys
2010-08-06 03:57 . 2010-08-06 03:57   47364   ----a-w-   c:\programdata\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll
2010-08-05 03:49 . 2010-08-05 03:52   --------   d-----w-   C:\Starcraft2_Video_Touchup
2010-08-04 07:27 . 2010-08-05 22:30   --------   d-----w-   C:\Fraps
2010-07-31 18:26 . 2010-07-31 18:31   --------   d-----w-   c:\users\Mengsk\AppData\Roaming\gtk-2.0
2010-07-31 18:17 . 2010-07-31 18:17   --------   d-----w-   c:\program files\SystemRequirementsLab
2010-07-31 18:17 . 2010-07-31 18:17   85504   ----a-w-   c:\users\Mengsk\AppData\Roaming\SystemRequirementsLab\srlproxy_cyri_4.1.71.0A.dll
2010-07-31 18:17 . 2010-07-31 18:17   --------   d-----w-   c:\users\Mengsk\AppData\Roaming\SystemRequirementsLab
2010-07-29 05:20 . 2010-07-29 05:20   --------   d-----w-   c:\program files\iPod
2010-07-29 05:17 . 2010-07-29 05:17   73000   ----a-w-   c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-07-27 20:53 . 2010-07-27 20:53   --------   d-----w-   c:\users\Mengsk\SC2-WingsOfLiberty-enUS-Installer
2010-07-27 20:28 . 2010-08-17 16:53   --------   d-----w-   c:\program files\StarCraft II
2010-07-23 22:36 . 2010-07-23 22:36   2863   ----a-w-   c:\windows\system32\SpoonUninstall-dBpoweramp [Tag From Filename] Codec.dat
2010-07-23 22:36 . 2010-07-23 22:36   2894   ----a-w-   c:\windows\system32\SpoonUninstall-dBpoweramp [ReplayGain] Codec.dat
2010-07-23 22:36 . 2010-07-23 22:36   2996   ----a-w-   c:\windows\system32\SpoonUninstall-dBpoweramp [Multi Encoder] Codec.dat
2010-07-23 22:36 . 2010-07-23 22:36   2856   ----a-w-   c:\windows\system32\SpoonUninstall-dBpoweramp [Length Split] Codec.dat
2010-07-23 22:36 . 2010-07-23 22:36   2830   ----a-w-   c:\windows\system32\SpoonUninstall-dBpoweramp [ID Tag Update] Codec.dat
2010-07-23 22:36 . 2010-07-23 22:36   2993   ----a-w-   c:\windows\system32\SpoonUninstall-dBpoweramp [Channel Split] Codec.dat
2010-07-23 22:35 . 2010-07-23 22:35   2865   ----a-w-   c:\windows\system32\SpoonUninstall-dBpoweramp [Audio Info] Codec.dat
2010-07-23 22:35 . 2010-07-23 22:35   2873   ----a-w-   c:\windows\system32\SpoonUninstall-dBpoweramp [Arrange Audio] Codec.dat
2010-07-23 22:34 . 2010-07-23 22:34   10999   ----a-w-   c:\windows\system32\SpoonUninstall-dBpoweramp DSP Effects.dat
2010-07-23 22:34 . 2010-07-23 22:34   14639   ----a-w-   c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2010-07-23 22:33 . 2010-07-23 22:33   --------   d-----w-   c:\program files\Illustrate
2010-07-23 22:27 . 2002-07-17 21:23   45056   ----a-w-   c:\windows\system32\WNASPI32.DLL
2010-07-23 22:27 . 2002-07-17 21:20   84832   ----a-w-   c:\windows\system32\drivers\ASPI32.SYS
2010-07-22 19:56 . 2010-07-22 19:56   --------   d-----w-   C:\starcraftmaps
2010-07-22 05:48 . 2010-08-03 10:19   --------   d-----w-   c:\program files\Common Files\Steam
2010-07-22 05:48 . 2010-08-13 10:33   --------   d-----w-   c:\program files\Steam
2010-07-21 14:21 . 2010-07-21 14:21   4368224   ----a-w-   c:\programdata\avg9\update\backup\avgcorex.dll
2010-07-21 14:21 . 2010-07-21 14:21   1615200   ----a-w-   c:\programdata\avg9\update\backup\avgssie.dll
2010-07-21 14:21 . 2010-07-21 14:21   1373536   ----a-w-   c:\programdata\avg9\update\backup\avgssff.dll
2010-07-21 14:21 . 2010-07-21 14:21   1107296   ----a-w-   c:\programdata\avg9\update\backup\avgxpl.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-20 04:40 . 2010-03-01 06:52   --------   d-----w-   c:\program files\PeerGuardian2
2010-08-20 04:32 . 2009-12-03 02:47   --------   d-----w-   c:\program files\Common Files\Akamai
2010-08-20 04:21 . 2010-02-14 03:58   0   ----a-w-   c:\users\Mengsk\AppData\Local\prvlcl.dat
2010-08-20 04:10 . 2008-08-31 23:05   --------   d-----w-   c:\users\Mengsk\AppData\Roaming\BitTorrent
2010-08-20 02:51 . 2009-04-07 17:04   --------   d-----w-   c:\programdata\Google Updater
2010-08-17 16:52 . 2010-03-04 19:36   --------   d-----w-   c:\program files\Common Files\Blizzard Entertainment
2010-08-13 10:11 . 2009-02-10 18:22   --------   d-----w-   c:\programdata\Microsoft Help
2010-08-13 10:01 . 2006-11-02 11:18   --------   d-----w-   c:\program files\Windows Mail
2010-08-10 05:21 . 2009-01-30 20:25   1   ----a-w-   c:\users\Mengsk\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-07-29 05:20 . 2009-01-13 23:58   --------   d-----w-   c:\program files\iTunes
2010-07-29 05:20 . 2008-07-19 02:11   --------   d-----w-   c:\program files\Common Files\Apple
2010-07-27 20:42 . 2010-05-13 19:39   --------   d-----w-   c:\programdata\Blizzard Entertainment
2010-07-26 04:01 . 2010-06-10 00:58   --------   d-----w-   c:\program files\DVDFab 7
2010-07-26 04:01 . 2008-12-31 05:43   --------   d-----w-   c:\users\Mengsk\AppData\Roaming\Vso
2010-07-20 05:09 . 2008-12-26 08:05   --------   d-----w-   c:\program files\AVS4YOU
2010-07-20 02:18 . 2010-07-20 02:18   --------   d-----w-   c:\program files\YouTube Downloader
2010-07-16 08:11 . 2009-12-07 02:20   --------   d-----w-   c:\program files\Cheat Engine
2010-07-15 13:23 . 2010-02-10 03:22   243024   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
2010-07-15 13:23 . 2010-07-15 13:23   12536   ----a-w-   c:\windows\system32\avgrsstx.dll
2010-07-15 13:23 . 2010-02-10 03:22   216400   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
2010-07-06 05:42 . 2009-02-20 05:07   --------   d-----w-   c:\programdata\DVD Shrink
2010-07-06 04:11 . 2010-07-06 04:11   --------   d-----w-   c:\users\Mengsk\AppData\Roaming\ImgBurn
2010-07-06 02:55 . 2010-07-06 02:54   --------   d-----w-   c:\program files\ImgBurn
2010-07-05 17:56 . 2008-07-19 02:13   --------   d-----w-   c:\users\Mengsk\AppData\Roaming\Apple Computer
2010-07-05 05:08 . 2010-07-05 05:07   --------   d-----w-   c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-07-05 05:06 . 2010-07-05 05:05   --------   d-----w-   c:\program files\QuickTime
2010-07-05 05:01 . 2008-07-19 02:13   --------   d-----w-   c:\program files\Bonjour
2010-06-29 15:47 . 2010-08-12 20:15   834048   ----a-w-   c:\windows\system32\wininet.dll
2010-06-28 16:13 . 2010-08-12 20:15   78336   ----a-w-   c:\windows\system32\ieencode.dll
2010-06-25 10:01 . 2009-02-10 18:25   --------   d-----w-   c:\program files\Microsoft.NET
2010-06-21 13:37 . 2010-08-12 20:15   2037760   ----a-w-   c:\windows\system32\win32k.sys
2010-06-18 17:31 . 2010-08-12 20:15   36864   ----a-w-   c:\windows\system32\rtutils.dll
2010-06-18 15:04 . 2010-08-12 20:15   302080   ----a-w-   c:\windows\system32\drivers\srv.sys
2010-06-18 15:04 . 2010-08-12 20:15   144896   ----a-w-   c:\windows\system32\drivers\srv2.sys
2010-06-11 16:16 . 2010-08-12 20:15   274944   ----a-w-   c:\windows\system32\schannel.dll
2010-06-11 16:15 . 2010-08-12 20:15   1248768   ----a-w-   c:\windows\system32\msxml3.dll
2010-06-08 17:35 . 2010-08-12 20:15   3548040   ----a-w-   c:\windows\system32\ntoskrnl.exe
2010-06-08 17:35 . 2010-08-12 20:15   3600768   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2010-06-02 13:28 . 2010-02-10 03:22   29584   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
2010-05-27 20:08 . 2010-08-12 20:15   81920   ----a-w-   c:\windows\system32\iccvid.dll
2010-05-26 17:06 . 2010-06-10 00:07   34304   ----a-w-   c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-10 00:07   289792   ----a-w-   c:\windows\system32\atmfd.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 15:25   2117704   ----a-w-   c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Google Update"="c:\users\Mengsk\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-10-31 135664]
"Steam"="c:\program files\Steam\Steam.exe" [2010-07-27 1238352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2008-02-19 170528]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-19 13507104]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-19 92704]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-06 54832]
"razer"="c:\program files\Razer\razerhid.exe" [2005-05-17 147456]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2006-11-06 81920]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"DLCCCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2006-02-24 73728]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NCProTray.lnk - c:\program files\SEC\Natural Color Pro\NCProTray.exe [2008-7-18 49220]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Users^Mengsk^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\users\Mengsk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 19:40   155648   ----a-w-   c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmapp]
2009-07-08 08:53   472112   ----a-w-   c:\program files\Pure Networks\Network Magic\nmapp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2008-11-02 08:38   167936   ----a-w-   c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2006-11-23 19:10   56928   ------w-   c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
2009-11-20 19:29   5262834   ----a-w-   c:\program files\Vidalia Bundle\Vidalia\vidalia.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/cool.gif\' class=\'bbc_emoticon\' alt=\'B)\' />:58,a7,6c,dc,b8,64,ca,01

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1c912f4171e9450;Google Update Service (gupdate1c912f4171e9450);c:\program files\Google\Update\GoogleUpdate.exe [2008-09-10 133104]
R3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-17 84832]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2007-06-15 143256]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-07-15 216400]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-07-15 243024]
S1 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [2007-07-15 27992]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-21 21504]
S2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2009-03-06 20376]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-07-15 308136]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
Akamai   REG_MULTI_SZ      Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-08-20 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 19:54]

2010-08-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-07 17:04]

2010-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-09-10 03:19]

2010-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-09-10 03:19]

2010-08-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3144074192-4086266024-1217872548-1000Core.job
- c:\users\Mengsk\AppData\Local\Google\Update\GoogleUpdate.exe [2009-11-26 06:45]

2010-08-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3144074192-4086266024-1217872548-1000UA.job
- c:\users\Mengsk\AppData\Local\Google\Update\GoogleUpdate.exe [2009-11-26 06:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.icq.com/
mStart Page = hxxp://www.alienware.com/mothership
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Mengsk\AppData\Roaming\Mozilla\Firefox\Profiles\nkn6p427.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\users\Mengsk\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\Mengsk\AppData\Roaming\Move Networks\plugins\npqmp071502000008.dll
FF - plugin: c:\users\Mengsk\AppData\Roaming\Move Networks\plugins\npqmp071505000011.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type",                  5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size",  4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-newsecureapp70700.exe - c:\users\Mengsk\AppData\Roaming\5D9D82DF7469F71EBD1AFDEC4BC901CE\newsecureapp70700.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
MSConfigStartUp-ICQ - c:\program files\ICQ6.5\ICQ.exe
MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe
AddRemove-Adobe_32fdd767b4383606e8168e834af5d90 - c:\program files\Common Files\Adobe\Installers\32fdd767b4383606e8168e834af5d90\Setup.exe
AddRemove-Adobe_85df662426fa6bb25f7d596f4d1b2a2 - c:\program files\Common Files\Adobe\Installers\85df662426fa6bb25f7d596f4d1b2a2\Setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-19 23:51
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  DLCCCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3144074192-4086266024-1217872548-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5706BF73-D3AB-D393-33C1-3B24ACEE3136}*]
"hacchkokfpaiebnc"=hex:6a,61,6c,67,69,64,68,64,6e,61,63,61,6d,69,70,69,66,69,
   6c,6c,00,3c
"iambnohfiaicbecbpj"=hex:6a,61,62,68,67,67,6f,63,65,6a,6d,70,63,6c,66,6a,6d,61,
   6f,67,00,3c
.
Completion time: 2010-08-19  23:54:40
ComboFix-quarantined-files.txt  2010-08-20 04:54

Pre-Run: 80,543,137,792 bytes free
Post-Run: 80,966,254,592 bytes free

- - End Of File - - 5BC4D927CE646C2EF66EBBC45F09DF7A
Logged

Offline mengskx

  • Full Member
  • ***
  • Posts: 174
  • Karma: +0/-0
    • View Profile
Other friends comp got sick
« Reply #3 on: August 24, 2010, 12:16:52 AM »
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4451

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

8/20/2010 12:40:41 AM
mbam-log-2010-08-20 (00-40-41).txt

Scan type: Quick scan
Objects scanned: 145357
Time elapsed: 4 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Mengsk\AppData\Local\Windows\Antimalware Doctor.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.
Logged

Offline mengskx

  • Full Member
  • ***
  • Posts: 174
  • Karma: +0/-0
    • View Profile
Other friends comp got sick
« Reply #4 on: August 30, 2010, 08:51:06 PM »
The virus is affecting AVG. I constantly get the pop up saying there is a threat "c:\Users\Mengsk\AppData\Local\Windows\winhelp.exe";"Trojan horse Agent_r.TW";"Infected"
One thing I noticed was how it was affecting the web browsing. I will be try going to wikipedia or something and it will just load a different site, some antivirus type site that probably is a virus.
« Last Edit: August 30, 2010, 08:52:41 PM by mengskx »
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Other friends comp got sick
« Reply #5 on: August 30, 2010, 09:00:46 PM »
I'm a bit confused, I had  resevil83 posting a problem about the following computer
Platform: Windows XP SP3 (WinNT 5.01.2600)


 mengskx, I have you posting in the same topic about the following computer
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3326.2123

I'll assume that resevil83 is not returning to this topic and lock it
mengskx, please start your own topic and let me know what problems your experiencing, it will make it far less
confusing
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Pages: [1]
« previous next »