Live Chat & Podcast at 1:00PM Eastern on Sunday!
There's no such thing as a stupid question, but they're the easiest to answer.
JoinTour
Login
Search
Virus & Other Malware Removal
Go to first new post Black desktop, missing all shortcuts, fi ...
Go to first new post Microsoft Visual C++ Runtime Library Buf ...
Go to first new post Family Cyber Removal
Go to first new post System Check problem
Go to first new post hijack this log ......
Go to first new post Trojan virus
Go to first new post "svchost application error 0x6fe217 ...
Go to first new post Cannot access any google sites - youtube ...
Go to first new post My computer is slowly dying
Go to first new post Trojan Hider
Go to first new post We Got System Checked :-(
Go to first new post Extremely unresponsive, massive hang-ups ...
Go to first new post Incredibar Removal - Support Pls!
Go to first new post need help regarding malware/spyware
Go to first new post Somethings Amiss....
Tag Cloud
access acer asus bios bsod computer crash drive driver drivers error ethernet excel freeze games gaming graphics hard drive hardware hdmi internet laptop malware memory monitor motherboard netgear network printer problem ram random registry router slow software sound trojan usb video virus vista wifi windows windows 7 windows 7 32 bit windows 7 64 bit windows xp wireless xbox
Search
Search for:
Tech Support Guy Forums > Security & Malware Removal > Virus & Other Malware Removal >
Solved: Need Urgent Help! Infected Lsass.exe

Page 2 of 4 1 2 34
Reply  
Thread Tools
hadley420's Avatar
Computer Specs
Member with 37 posts.
  
Join Date: May 2009
Location: Canada
Experience: Beginner
29-May-2009, 02:26 PM #16
\Ext\Stats\{7c7e fe99-c71f-48b8-8cc8-ba506ca76a33} (Password.Stealer) -> Quarantined and deleted successfully.
\Explorer\Brows er Helper Objects\{7c7efe99-c71f-48b8-8cc8-ba506ca76a33} (Password.Stealer) ->

Does this mean all my PW are compromised? Please let me know when its safe, I feel I should change all my passwords.

Ran HTJ with no problems this time. Here is a fresh log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:19:09 PM, on 5/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36A91CEC-6C71-4758-B492-397BFC8E96A2} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7C7EFE99-C71F-48b8-8CC8-BA506CA76A33} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\
O20 - Winlogon Notify: reset5c - C:\WINDOWS\
O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EvenSystam - Unknown owner - c:\Recyclers\svchost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 4766 bytes
Register for free to hide this ad!
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 79,282 posts.
  
Join Date: Aug 2003
Location: Quebec, Canada
30-May-2009, 01:29 PM #17
Yes, you should defnitely go ahead and change all passwords for log ins to site and banking information, etc.

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA tecnology to perform the scan. If you do not have Java then you will need to go to the following link and download the latest version:

JRE 6 Update 13

Instructions for Kaspersky scan:
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.
__________________
Microsoft MVP - Consumer Security
hadley420's Avatar
Computer Specs
Member with 37 posts.
  
Join Date: May 2009
Location: Canada
Experience: Beginner
30-May-2009, 07:56 PM #18
Hi cookie, I changed all my passwords and my computer is running the scan right now, should be finished soon.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, May 31, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, May 31, 2009 03:01:05
Records in database: 2281902
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 70701
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 04:39:16

No malware has been detected. The scan area is clean.

The selected area was scanned.
Last edited by hadley420; 31-May-2009 at 04:41 AM.. Reason: Scan results
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 79,282 posts.
  
Join Date: Aug 2003
Location: Quebec, Canada
31-May-2009, 01:29 PM #19
That's good.

Please post another HijackThis log and let me know how things are with the system.
hadley420's Avatar
Computer Specs
Member with 37 posts.
  
Join Date: May 2009
Location: Canada
Experience: Beginner
31-May-2009, 04:50 PM #20
Thanks again for all your help. My system seems much better, even a couple errors I got every start-up are now gone. You have taken a huge load off my shoulders knowing all my songs are safe. I thought I was going to have to re-format and start 3 years of work all over again. Needless to say I'll be making a donation to this site as soon as I can. Here's a new log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:35:12 PM, on 5/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36A91CEC-6C71-4758-B492-397BFC8E96A2} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7C7EFE99-C71F-48b8-8CC8-BA506CA76A33} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\
O20 - Winlogon Notify: reset5c - C:\WINDOWS\
O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EvenSystam - Unknown owner - c:\Recyclers\svchost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 4671 bytes
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 79,282 posts.
  
Join Date: Aug 2003
Location: Quebec, Canada
31-May-2009, 08:53 PM #21
Go to Start - Run and copy and paste the following command, then click OK:

sc delete EvenSystam

Repeat the same process for the following command:

sc delete npggsvc

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click fix checked.

O2 - BHO: (no name) - {36A91CEC-6C71-4758-B492-397BFC8E96A2} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {7C7EFE99-C71F-48b8-8CC8-BA506CA76A33} - (no file)
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\
O20 - Winlogon Notify: reset5c - C:\WINDOWS\

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 14.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 14 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u14-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment, JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.


Reboot and post a new HijackThis log please.
__________________
Microsoft MVP - Consumer Security
Last edited by Cookiegal; 08-Nov-2009 at 05:52 PM..
hadley420's Avatar
Computer Specs
Member with 37 posts.
  
Join Date: May 2009
Location: Canada
Experience: Beginner
01-Jun-2009, 01:02 PM #22
Ok, completed the instructions above. Here's a new log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:55:53 AM, on 6/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {7C7EFE99-C71F-48b8-8CC8-BA506CA76A33} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 4316 bytes
hadley420's Avatar
Computer Specs
Member with 37 posts.
  
Join Date: May 2009
Location: Canada
Experience: Beginner
01-Jun-2009, 06:29 PM #23
O2 - BHO: (no name) - {7C7EFE99-C71F-48b8-8CC8-BA506CA76A33} - (no file)

I was sure I checked this entry, did I do something wrong?
hadley420's Avatar
Computer Specs
Member with 37 posts.
  
Join Date: May 2009
Location: Canada
Experience: Beginner
02-Jun-2009, 06:01 PM #24
bump
hadley420's Avatar
Computer Specs
Member with 37 posts.
  
Join Date: May 2009
Location: Canada
Experience: Beginner
04-Jun-2009, 04:24 PM #25
Bump

Had a problem with my AV scans. They weren't running, every time a scan was started I got an error message. As a result my computer had not been scanned for 6 days. When I fixed this and ran an updated scan I picked up this.

Infected: C\windows\system32\magks32.dll
gen.adware.heur.201c7d7d7d Disinfection failed. File was quarantined.

A sign I'm still infected maybe?
Last edited by hadley420; 04-Jun-2009 at 06:34 PM.. Reason: Virus
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 79,282 posts.
  
Join Date: Aug 2003
Location: Quebec, Canada
04-Jun-2009, 08:28 PM #26
It seems so. Please remove the version of ComboFix you currently have by dragging it to the recycle bin and grab the latest version and run a new scan then post the log please.

Please visit Combofix Guide & Instructions for instructions for installing and downloading and running ComboFix.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.
__________________
Microsoft MVP - Consumer Security
hadley420's Avatar
Computer Specs
Member with 37 posts.
  
Join Date: May 2009
Location: Canada
Experience: Beginner
05-Jun-2009, 02:47 PM #27
Thanks Cookie, here is the combofix log.

ComboFix 09-06-04.A1 - Drossed 06/05/2009 13:31.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1024.682 [GMT -4:00]
Running from: c:\documents and settings\Drossed\Desktop\Combo-Fix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.

((((((((((((((((((((((((( Files Created from 2009-05-05 to 2009-06-05 )))))))))))))))))))))))))))))))
.

2009-06-04 18:55 . 2009-06-04 18:55 -------- d-----w- c:\documents and settings\Drossed\Application Data\BitDefender
2009-06-04 18:54 . 2009-06-04 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2009-06-04 18:54 . 2009-06-04 18:55 -------- d-----w- c:\program files\Common Files\BitDefender
2009-06-01 15:49 . 2009-06-01 15:48 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-29 16:55 . 2009-05-29 16:55 -------- d-----w- c:\documents and settings\Drossed\Application Data\Malwarebytes
2009-05-29 16:54 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-29 16:54 . 2009-05-29 16:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-29 16:54 . 2009-05-29 16:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-29 16:54 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-26 23:11 . 2009-05-26 23:11 -------- d-----w- c:\program files\Trend Micro
2009-05-25 14:38 . 2009-05-25 14:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-05-25 07:05 . 2009-05-25 07:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\TrojanHunter
2009-05-21 03:14 . 2009-05-21 03:15 -------- d-----w- c:\program files\Har-Bal 2.3
2009-05-21 03:14 . 2003-07-06 13:10 17408 ------w- c:\windows\system32\minimp3.exe
2009-05-21 02:23 . 2009-05-21 03:20 -------- d-----w- c:\program files\HarBal 1.5

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-05 17:13 . 2007-08-17 02:41 -------- d-----w- c:\documents and settings\Drossed\Application Data\Azureus
2009-06-04 21:02 . 2009-04-29 07:58 81984 ----a-w- c:\windows\system32\bdod.bin
2009-06-04 18:54 . 2009-04-29 07:43 -------- d-----w- c:\program files\BitDefender
2009-06-01 15:48 . 2007-08-16 23:44 -------- d-----w- c:\program files\Java
2009-05-31 07:54 . 2007-08-16 23:44 -------- d-----w- c:\program files\LimeWire
2009-05-30 16:37 . 2009-04-24 16:56 -------- d-----w- c:\program files\3rdVstPlugins
2009-05-26 23:10 . 2009-04-30 16:49 -------- d-----w- c:\program files\TrojanHunter 5.0
2009-05-25 06:56 . 2009-05-31 07:27 142862 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat
2009-05-24 06:50 . 2007-08-17 00:05 16704 ----a-w- c:\documents and settings\Drossed\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-22 03:43 . 2007-01-04 07:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-13 07:59 . 2007-01-23 00:29 7114736 ----a-w- c:\documents and settings\Drossed\Application Data\Azureus\plugins\azemp\azmplay.exe
2009-05-13 07:58 . 2007-08-16 23:45 -------- d-----w- c:\program files\Azureus
2009-05-01 06:34 . 2007-08-17 00:27 76487 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-04-30 17:09 . 2009-04-30 17:09 -------- d-----w- c:\documents and settings\Drossed\Application Data\TrojanHunter
2009-04-30 17:00 . 2009-04-30 17:00 -------- d-----w- c:\program files\TrojanHunter
2009-04-29 07:47 . 2009-04-29 05:07 -------- d-----w- c:\program files\ESET
2009-04-29 06:53 . 2009-04-29 05:00 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-04-29 05:03 . 2009-04-29 05:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-29 04:46 . 2009-04-29 04:21 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-04-27 07:14 . 2007-08-17 15:13 -------- d-----w- c:\documents and settings\Drossed\Application Data\LimeWire
2009-04-25 21:24 . 2009-04-25 21:24 -------- d-----w- c:\program files\VstPlugins
2009-04-25 21:18 . 2009-04-25 21:18 -------- d-----w- c:\documents and settings\Drossed\Application Data\FabFilter
2009-04-25 00:42 . 2009-04-25 00:42 -------- d-----w- c:\program files\Steinberg
2009-04-25 00:40 . 2009-04-25 00:40 -------- d-----w- c:\program files\GForce
2009-04-25 00:38 . 2009-04-25 00:38 -------- d-----w- c:\program files\FabFilter
2009-04-24 16:56 . 2009-04-24 16:56 -------- d-----w- c:\program files\ASIO4ALL v2
2009-04-24 16:56 . 2009-04-24 16:52 -------- d-----w- c:\program files\Image-Line
2009-04-24 16:55 . 2009-04-24 16:55 -------- d-----w- c:\program files\Outsim
2009-04-20 07:47 . 2009-04-14 18:12 -------- d-----w- c:\program files\Operation Flashpoint
2009-04-18 22:19 . 2009-03-16 12:46 -------- d-----w- c:\program files\EA Games
2009-04-14 18:15 . 2009-04-13 06:21 69632 ----a-r- c:\documents and settings\Drossed\Application Data\Microsoft\Installer\{8FF6FFEC-E59D-40FD-9089-8B71F51CF67F}\NewIcon.exe
2009-04-14 18:15 . 2009-04-13 06:21 40960 ----a-r- c:\documents and settings\Drossed\Application Data\Microsoft\Installer\{8FF6FFEC-E59D-40FD-9089-8B71F51CF67F}\ARPPRODUCTICON.exe
2009-04-14 18:15 . 2009-04-13 06:21 2998 ----a-r- c:\documents and settings\Drossed\Application Data\Microsoft\Installer\{8FF6FFEC-E59D-40FD-9089-8B71F51CF67F}\NewIcon2.exe
2009-04-14 18:15 . 2009-04-13 06:21 2998 ----a-r- c:\documents and settings\Drossed\Application Data\Microsoft\Installer\{8FF6FFEC-E59D-40FD-9089-8B71F51CF67F}\NewIcon1.exe
2009-04-14 18:02 . 2009-04-14 18:02 108144 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-04-14 17:52 . 2009-04-14 17:52 409600 ----a-w- c:\windows\system32\wrap_oal.dll
2009-04-14 17:52 . 2007-08-17 01:03 114688 ----a-w- c:\windows\system32\OpenAL32.dll
2009-03-17 21:19 . 2007-01-25 01:02 1189 ----a-w- c:\windows\eReg.dat
2009-03-05 22:08 . 2009-06-04 19:07 49664 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
2007-01-09 22:43 . 2007-01-09 22:06 80 --sh--r- c:\windows\system32\A03F23E67F.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-27_15.34.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-05 17:17 . 2009-06-05 17:17 16384 c:\windows\Temp\Perflib_Perfdata_1a0.dat
+ 2009-04-29 07:44 . 2009-06-04 18:56 57344 c:\windows\Installer\{0801DB64-A004-4640-BF13-F05D75409627}\texticon.exe
- 2009-04-29 07:44 . 2009-04-29 07:44 57344 c:\windows\Installer\{0801DB64-A004-4640-BF13-F05D75409627}\texticon.exe
+ 2009-04-29 07:44 . 2009-06-04 18:56 22486 c:\windows\Installer\{0801DB64-A004-4640-BF13-F05D75409627}\register_icon.exe
- 2009-04-29 07:44 . 2009-04-29 07:44 22486 c:\windows\Installer\{0801DB64-A004-4640-BF13-F05D75409627}\register_icon.exe
+ 2009-04-29 07:44 . 2009-06-04 18:56 32768 c:\windows\Installer\{0801DB64-A004-4640-BF13-F05D75409627}\maintenance_icon.exe
- 2009-04-29 07:44 . 2009-04-29 07:44 32768 c:\windows\Installer\{0801DB64-A004-4640-BF13-F05D75409627}\maintenance_icon.exe
- 2009-04-29 07:44 . 2009-04-29 07:44 61440 c:\windows\Installer\{0801DB64-A004-4640-BF13-F05D75409627}\helpicon.exe
+ 2009-04-29 07:44 . 2009-06-04 18:56 61440 c:\windows\Installer\{0801DB64-A004-4640-BF13-F05D75409627}\helpicon.exe
+ 2009-06-01 15:49 . 2009-06-01 15:48 148888 c:\windows\system32\javaws.exe
+ 2009-06-01 15:49 . 2009-06-01 15:48 144792 c:\windows\system32\javaw.exe
+ 2009-06-01 15:49 . 2009-06-01 15:48 144792 c:\windows\system32\java.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"THGuard"="c:\program files\TrojanHunter 5.0\THGuard.exe" [2009-04-13 1061536]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-01 148888]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-06-04 778240]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-02-23 69632]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Drossed^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\Drossed\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PnkBstrA"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"LexBceS"=2 (0x2)
"ImapiService"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\SoundSpectrum\\G-Force\\G-Force Standalone.exe"=
"c:\\Program Files\\SoundSpectrum\\G-Force\\G-Force V-Bar.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\Operation Flashpoint\\FLASHPOINTRESISTANCE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\system32\\lsass.exe"=

R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [10/6/2008 6:16 PM 82696]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [9/18/2008 12:09 PM 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2/12/2009 4:52 PM 104328]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [1/20/2009 7:16 PM 172032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2E1A9DE4-ADA0-4501-A46E-6633CDB01654}]
rundll32 magks32.dll,InitO
.
Contents of the 'Scheduled Tasks' folder

2009-06-05 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2007-08-17 13:04]
.
.
------- Supplementary Scan -------
.
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Drossed\Application Data\Mozilla\Firefox\Profiles\uwo8eut5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-05 13:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(956)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2956)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-05 13:40
ComboFix-quarantined-files.txt 2009-06-05 17:40
ComboFix2.txt 2009-05-27 15:37

Pre-Run: 21,925,564,416 bytes free
Post-Run: 21,986,353,152 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
174 --- E O F --- 2009-05-13 18:33
hadley420's Avatar
Computer Specs
Member with 37 posts.
  
Join Date: May 2009
Location: Canada
Experience: Beginner
05-Jun-2009, 02:53 PM #28
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:51:43 PM, on 6/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36A91CEC-6C71-4758-B492-397BFC8E96A2} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {7C7EFE99-C71F-48b8-8CC8-BA506CA76A33} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\
O20 - Winlogon Notify: reset5c - C:\WINDOWS\
O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 4843 bytes
hadley420's Avatar
Computer Specs
Member with 37 posts.
  
Join Date: May 2009
Location: Canada
Experience: Beginner
05-Jun-2009, 05:41 PM #29
When I ran combofix, my desktop background changed to an older picture. Is that normal?
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 79,282 posts.
  
Join Date: Aug 2003
Location: Quebec, Canada
06-Jun-2009, 09:23 PM #30
Sometimes the wallpaper doesn't go back to normal. You should be able to just change it back.

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click fix checked.

O2 - BHO: (no name) - {36A91CEC-6C71-4758-B492-397BFC8E96A2} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {7C7EFE99-C71F-48b8-8CC8-BA506CA76A33} - (no file)
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O20 - Winlogon Notify: reset5c - C:\WINDOWS\

Open Notepad and copy and paste the text in the code box below into it:

Code:
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\lsass.exe"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2E1A9DE4-ADA0-4501-A46E-6633CDB01654}]
Save the file to your desktop and name it CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.




This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.
__________________
Microsoft MVP - Consumer Security
Email This Email  Print This Print  Tweet This Send to Facebook Send to MySpace Send to StumbleUpon Digg This | More Services More
Reply
Page 2 of 4 1 2 34

Tags
help!, hijackthis, lsass.exe virus

THIS THREAD HAS EXPIRED.
Are you having the same problem? We have volunteers ready to answer your question, but first you'll have to join for free. Need help getting started? Check out our Welcome Guide.

Search Tech Support Guy

Find the solution to your
computer problem!

« Previous Thread | Virus & Other Malware Removal | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
WELCOME TO TECH SUPPORT GUY! Are you looking for the solution to your computer problem? Join our site today to ask your question -- for free! Our site is run completely by volunteers who want to help you solve your computer problems. See our Welcome Guide to get started.
Thread Tools



Facebook Facebook Twitter Twitter TechGuy.tv TechGuy.tv Mobile TSG Mobile
Contact Us - HelpOnThe.Net - Archive - Terms of Service - Top
You Are Using:
Server ID
Advertisements do not imply our endorsement of that product or service.
All times are GMT -4. The time now is 04:08 PM.
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.

 Powered by Cermak Technologies, Inc.