
Removing relevant knowledge

Discussion in 'Virus & Other Malware Removal' started by klaustrophobia, Mar 17, 2009.

  1. klaustrophobia

    klaustrophobia Thread Starter

    Joined:
    Mar 1, 2009
    Messages:
    12
    Dear Forum users

    I have ended up with the spy programme Relevant Knowledge on my computer and would appreciate any help in removing this properly!

    This programme has installed itself on my computer. This must have happened while downloading files from P2P networks.

    I have deleted all the downloads in question and am now trying to get rid of this spy programme also.

    I have carried out the HJT scan as recommended and I am attaching the scan log in this message...

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 08:49:09, on 17/03/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DNA\btdna.exe
    C:\Program Files\Rainlendar\Rainlendar.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=101760&l=dis
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [RelevantKnowledge] C:\program files\relevantknowledge\rlvknlg.exe -boot
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
    O4 - Global Startup: Mozilla Firefox
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

    --
    End of file - 4174 bytes


    Thank you for your consideration!
     
  2. km2357

    km2357 Malware Specialist

    Joined:
    Aug 9, 2007
    Messages:
    686
    Hello and welcome to Tech Support Guy.

    My name is km2357 and I will be helping you to remove any infection(s) that you may have.

    I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

    If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

    Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

    Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

    I will be back as soon as possible with your first instructions!
     
  3. km2357

    km2357 Malware Specialist

    Joined:
    Aug 9, 2007
    Messages:
    686
    Step # 1: Make an uninstall list using HijackThis
    To access the Uninstall Manager you would do the following:

    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.
    5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.



    Step # 2: Download and Run ComboFix

    We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    *Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    When finished, it shall produce a log for you. Please include the Uninstall List, C:\ComboFix.txt and a fresh HiJackThis Log in your next reply.

    Use multiple posts if you can't fit everything into one post.
     
  4. klaustrophobia

    klaustrophobia Thread Starter

    Joined:
    Mar 1, 2009
    Messages:
    12
    Thanks for this detailed reply

    I have in the mean while downloaded adaware and it has detected the programme relevant knowledge and deleted 3 files as well as a large number of cookies.

    I seem to be alright for the moment.


    I would really like to know if this has done the job or not.
    I have carried out both scans and I am attaching the log files.

    Combo fix log


    ComboFix 09-03-18.01 - Kalus 2009-03-19 2:01:53.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.34.1033.18.1014.653 [GMT 0:00]
    Running from: c:\documents and settings\Kalus\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    ADS - WINDOWS: deleted 24 bytes in 1 streams.

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\e100bmsg.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-02-19 to 2009-03-19 )))))))))))))))))))))))))))))))
    .

    2009-03-17 14:27 . 2009-03-17 14:27 <DIR> d-------- c:\program files\BitTorrent
    2009-03-17 14:27 . 2009-03-18 03:25 <DIR> d-------- c:\documents and settings\Kalus\Application Data\BitTorrent
    2009-03-17 14:08 . 2009-03-09 19:06 15,688 --a------ c:\windows\system32\lsdelete.exe
    2009-03-17 13:01 . 2009-03-17 13:01 <DIR> d----c--- c:\windows\system32\DRVSTORE
    2009-03-17 13:01 . 2009-03-09 19:06 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
    2009-03-17 12:57 . 2009-03-17 12:57 <DIR> d-------- c:\program files\Lavasoft
    2009-03-17 12:57 . 2009-03-17 13:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
    2009-03-17 12:57 . 2009-03-17 12:57 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
    2009-03-17 08:46 . 2009-03-17 08:46 <DIR> d-------- c:\program files\Trend Micro
    2009-03-15 23:53 . 2009-03-15 23:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
    2009-03-15 23:48 . 2009-03-15 23:48 <DIR> d-------- c:\program files\Common Files\Adobe AIR
    2009-03-15 23:48 . 2009-03-15 23:48 <DIR> d-------- c:\program files\Adobe Media Player
    2009-03-15 11:14 . 2008-04-14 05:42 159,232 --a------ c:\windows\system32\ptpusd.dll
    2009-03-15 11:14 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
    2009-03-15 11:14 . 2008-04-14 00:15 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
    2009-03-15 11:14 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
    2009-03-10 20:13 . 2009-03-19 01:03 <DIR> d-------- c:\program files\DNA
    2009-03-10 20:13 . 2009-03-10 20:13 <DIR> d-------- c:\program files\AskSearch
    2009-03-10 20:13 . 2009-03-19 02:04 <DIR> d-------- c:\documents and settings\Kalus\Application Data\DNA
    2009-03-10 20:02 . 2009-03-10 20:02 1,971,118 --a------ C:\MVI_1701.mp3
    2009-03-10 20:01 . 2009-03-10 21:21 <DIR> d-------- c:\program files\DoremiSoft
    2009-03-10 19:26 . 2009-03-10 19:26 <DIR> d-------- c:\documents and settings\Kalus\Application Data\avidemux
    2009-03-10 19:24 . 2009-03-10 21:27 <DIR> d-------- c:\program files\Avidemux 2.4
    2009-03-10 19:09 . 2009-03-10 21:22 <DIR> d-------- c:\program files\AviSynth 2.5
    2009-03-10 18:44 . 2007-03-16 21:10 499,712 --a------ c:\windows\system32\MSVCP71.DLL
    2009-03-10 18:44 . 2007-03-16 21:10 348,160 --a------ c:\windows\system32\MSVCR71.DLL
    2009-03-10 18:43 . 2001-08-23 17:00 1,700,352 --a------ c:\windows\system32\gdiplus.dll
    2009-03-10 18:43 . 2002-01-05 14:40 487,424 --a------ c:\windows\system32\msvcp70.dll
    2009-03-10 18:43 . 2005-11-25 21:46 421,888 --a------ c:\windows\system32\RealMediaSplitter.ax
    2009-03-10 18:43 . 2002-01-05 15:37 344,064 --a------ c:\windows\system32\msvcr70.dll
    2009-03-10 18:31 . 2009-03-10 18:31 <DIR> d-------- C:\OutputFolder
    2009-03-10 18:30 . 2009-03-10 18:30 170 --a------ c:\windows\system32\test.aok
    2009-03-10 18:29 . 2009-03-10 18:42 <DIR> d-------- c:\program files\Ultra MP4 Video Converter
    2009-03-10 18:29 . 2007-04-12 14:19 129,024 --a------ c:\windows\system32\AVERM.dll
    2009-03-10 18:29 . 2006-09-26 13:57 28,672 --a------ c:\windows\system32\AVEQT.dll
    2009-03-10 18:05 . 2009-03-10 18:38 <DIR> d-------- c:\program files\Any Video Converter
    2009-03-10 18:05 . 2009-03-10 18:38 <DIR> d-------- c:\documents and settings\Kalus\Application Data\Any Video Converter
    2009-03-10 17:50 . 2009-03-10 17:50 <DIR> d-------- c:\program files\directx
    2009-03-10 17:50 . 2001-10-19 14:40 1,683,792 --a------ c:\windows\system32\wmvcore2.dll
    2009-03-10 17:50 . 2001-10-19 14:40 665,424 --a------ c:\windows\system32\wmv8dmoe.dll
    2009-03-10 17:50 . 2001-10-19 14:39 572,752 --a------ c:\windows\system32\wmvdmoe.dll
    2009-03-10 17:50 . 2001-10-19 14:40 438,608 --a------ c:\windows\system32\wmv8dmod.dll
    2009-03-10 17:50 . 2001-10-19 02:05 285,184 --a------ c:\windows\system32\wmidx2.ocx
    2009-03-10 17:50 . 2009-03-10 17:50 156,910 --a------ c:\windows\WMSysPr8.prx
    2009-03-10 17:48 . 2009-03-10 17:48 <DIR> d-------- c:\documents and settings\Kalus\WINDOWS
    2009-03-10 17:48 . 2002-08-02 16:32 299,520 --a------ c:\windows\uninst.exe
    2009-03-09 08:09 . 2009-03-09 08:09 <DIR> d-------- c:\documents and settings\Kalus\Application Data\Nero
    2009-03-09 08:01 . 2009-03-09 08:01 <DIR> d-------- c:\program files\Nero
    2009-03-09 08:01 . 2009-03-09 08:01 <DIR> d-------- c:\program files\Common Files\Nero
    2009-03-09 08:01 . 2009-03-09 08:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nero
    2009-03-08 13:46 . 2009-03-08 13:46 <DIR> d-------- C:\CucusoftOutput
    2009-03-08 13:45 . 2009-03-08 13:45 <DIR> d-------- c:\program files\Cucusoft
    2009-03-08 13:28 . 2009-03-08 13:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\SlySoft
    2009-03-08 13:26 . 2009-03-08 13:26 <DIR> d-------- c:\program files\SlySoft
    2009-03-07 16:15 . 2009-03-07 16:26 <DIR> d-------- c:\documents and settings\Kalus\Application Data\dvdcss
    2009-03-07 14:56 . 2009-03-07 14:56 <DIR> d-------- c:\documents and settings\Kalus\Application Data\vlc
    2009-03-07 14:53 . 2009-03-07 14:53 <DIR> d-------- c:\program files\VideoLAN
    2009-03-07 14:51 . 2009-03-07 14:58 <DIR> d-------- c:\program files\Audacity 1.3 Beta
    2009-03-07 14:43 . 2009-03-10 23:07 <DIR> d-------- c:\documents and settings\Kalus\Application Data\Audacity
    2009-03-06 14:06 . 2009-03-06 14:06 <DIR> dr------- c:\program files\Skype
    2009-03-06 14:06 . 2009-03-06 15:28 <DIR> d-------- c:\documents and settings\Kalus\Application Data\Skype
    2009-03-06 14:05 . 2009-03-06 14:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
    2009-03-06 12:00 . 2009-03-15 12:01 <DIR> d--h----- C:\$AVG8.VAULT$
    2009-03-05 16:02 . 2009-03-16 12:40 <DIR> d-------- c:\program files\Common Files\Adobe
    2009-03-05 12:36 . 2009-03-05 12:36 <DIR> d-------- c:\program files\Microsoft Works
    2009-03-05 12:35 . 2009-03-05 12:35 <DIR> d-------- c:\program files\Microsoft.NET
    2009-03-05 12:33 . 2009-03-05 12:33 <DIR> dr-h----- C:\MSOCache
    2009-03-05 12:33 . 2009-03-05 12:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-03-05 12:29 . 2009-03-05 12:29 <DIR> d-------- c:\program files\Rainlendar
    2009-03-05 12:29 . 2009-03-05 12:34 <DIR> d-------- c:\documents and settings\Kalus\Application Data\Rainlendar
    2009-03-05 12:29 . 2008-10-16 01:00 1,499,136 -----c--- c:\windows\system32\dllcache\shdocvw.dll
    2009-03-05 12:29 . 2008-10-16 01:00 666,112 -----c--- c:\windows\system32\dllcache\wininet.dll
    2009-03-05 12:29 . 2008-10-16 01:00 619,520 -----c--- c:\windows\system32\dllcache\urlmon.dll
    2009-03-05 12:14 . 2009-03-05 12:15 <DIR> d-------- c:\program files\Winamp
    2009-03-05 12:14 . 2009-03-05 12:17 <DIR> d-------- c:\documents and settings\Kalus\Application Data\Winamp
    2009-03-05 12:12 . 2008-06-13 11:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
    2009-03-05 12:11 . 2009-03-05 12:11 0 --a------ c:\windows\nsreg.dat
    2009-03-05 12:05 . 2009-02-09 11:13 1,846,784 -----c--- c:\windows\system32\dllcache\win32k.sys
    2009-03-05 12:03 . 2008-08-14 10:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
    2009-03-05 12:03 . 2008-08-14 10:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
    2009-03-05 12:03 . 2008-08-14 09:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
    2009-03-05 12:03 . 2008-08-14 09:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
    2009-03-05 12:01 . 2009-03-19 01:06 <DIR> d-------- c:\windows\system32\drivers\Avg
    2009-03-05 12:01 . 2009-03-05 12:04 <DIR> d-------- c:\documents and settings\Kalus\Application Data\AVGTOOLBAR
    2009-03-05 12:01 . 2008-12-12 17:01 3,067,904 -----c--- c:\windows\system32\dllcache\mshtml.dll
    2009-03-05 12:01 . 2009-03-05 12:01 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
    2009-03-05 12:01 . 2009-03-05 12:01 107,912 --a------ c:\windows\system32\drivers\avgtdix.sys
    2009-03-05 12:01 . 2009-03-05 12:01 10,520 --a------ c:\windows\system32\avgrsstx.dll
    2009-03-05 12:00 . 2009-03-05 12:00 <DIR> d-------- c:\program files\AVG
    2009-03-05 12:00 . 2009-03-05 12:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
    2009-03-05 11:58 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
    2009-03-05 11:58 . 2008-05-08 14:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
    2009-03-05 11:57 . 2008-12-11 10:57 333,952 -----c--- c:\windows\system32\dllcache\srv.sys
    2009-03-05 11:57 . 2008-05-01 14:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
    2009-03-05 11:53 . 2008-10-15 16:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
    2009-03-05 11:52 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
    2009-03-05 11:48 . 2008-04-11 19:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
    2009-03-05 11:37 . 2008-04-14 00:15 26,368 --a--c--- c:\windows\system32\dllcache\usbstor.sys
    2009-03-04 18:09 . 2009-03-11 13:51 <DIR> d--h----- c:\windows\$hf_mig$
    2009-03-04 17:52 . 2006-02-07 08:40 151,552 --a------ c:\windows\system32\igfxres.dll
    2009-03-04 17:48 . 2005-03-04 00:00 157,696 --a------ c:\windows\system32\drivers\e100b325.sys
    2009-03-04 17:48 . 2005-03-04 00:00 157,696 --a--c--- c:\windows\system32\dllcache\e100b325.sys
    2009-03-04 17:48 . 2005-03-04 00:00 126,976 --a------ c:\windows\system32\Prounstl.exe
    2009-03-04 17:48 . 2005-03-04 00:00 23,040 --a------ c:\windows\system32\IntelNic.dll
    2009-03-04 17:48 . 2005-03-04 00:00 5,110 --a------ c:\windows\system32\e100b325.din
    2009-03-04 17:47 . 2009-03-04 17:47 <DIR> d-------- c:\program files\Synaptics
    2009-03-04 17:46 . 2008-04-14 00:15 172,416 --a------ c:\windows\system32\drivers\kmixer.sys
    2009-03-04 17:46 . 2008-04-14 00:15 172,416 --a--c--- c:\windows\system32\dllcache\kmixer.sys
    2009-03-04 17:46 . 2008-04-14 00:45 60,800 --a------ c:\windows\system32\drivers\sysaudio.sys
    2009-03-04 17:46 . 2008-04-14 00:45 60,800 --a--c--- c:\windows\system32\dllcache\sysaudio.sys
    2009-03-04 17:46 . 2008-04-14 00:09 7,552 --a------ c:\windows\system32\drivers\MSKSSRV.sys
    2009-03-04 17:46 . 2008-04-14 00:09 7,552 --a--c--- c:\windows\system32\dllcache\mskssrv.sys
    2009-03-04 17:46 . 2008-04-14 00:09 5,376 --a------ c:\windows\system32\drivers\MSPCLOCK.sys
    2009-03-04 17:46 . 2008-04-14 00:09 5,376 --a--c--- c:\windows\system32\dllcache\mspclock.sys
    2009-03-04 17:46 . 2008-04-14 00:09 4,992 --a------ c:\windows\system32\drivers\MSPQM.sys
    2009-03-04 17:46 . 2008-04-14 00:09 4,992 --a--c--- c:\windows\system32\dllcache\mspqm.sys
    2009-03-04 17:46 . 2008-04-14 00:15 2,944 --a------ c:\windows\system32\drivers\drmkaud.sys
    2009-03-04 17:46 . 2008-04-14 00:15 2,944 --a--c--- c:\windows\system32\dllcache\drmkaud.sys
    2009-03-04 17:45 . 2006-09-27 00:00 2,732,032 --a------ c:\windows\system32\NETw3r32.dll
    2009-03-04 17:45 . 2006-09-27 00:00 1,709,696 --a------ c:\windows\system32\drivers\NETw3x32.sys
    2009-03-04 17:45 . 2006-01-09 00:00 561,664 --a------ c:\windows\system32\drivers\CHDAud.sys
    2009-03-04 17:45 . 2006-09-27 00:00 561,152 --a------ c:\windows\system32\NETw3c32.dll
    2009-03-04 17:45 . 2006-01-09 00:00 61,952 --a------ c:\windows\system32\CHDAudPropShortcut.exe
    2009-03-04 17:45 . 2006-01-09 00:00 24,064 --a------ c:\windows\system32\CHdAudprop.dll
    2009-03-04 17:45 . 2006-01-09 00:00 5,120 --a------ c:\windows\system32\CHdAudPropres.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-04 14:19 --------- d-----w c:\program files\microsoft frontpage
    2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-03-10 321344]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-01-13 761946]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-05 1932568]
    "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]
    "High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-01-09 c:\windows\system32\CHDAudPropShortcut.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\Kalus\Start Menu\Programs\Startup\
    Rainlendar.lnk - c:\program files\Rainlendar\Rainlendar.exe [2005-03-25 118784]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\Mozilla Firefox
    Mozilla Firefox (Safe Mode).lnk - c:\program files\Mozilla Firefox\firefox.exe [2009-03-05 307704]
    Mozilla Firefox.lnk - c:\program files\Mozilla Firefox\firefox.exe [2009-03-05 307704]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-03-05 12:01 10520 c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-17 64160]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-05 325640]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-05 107912]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-03-05 908056]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-05 298264]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
    S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2009-03-04 20160]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-03-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    FF - ProfilePath - c:\documents and settings\Kalus\Application Data\Mozilla\Firefox\Profiles\hhq1yrl8.default\
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-19 02:03:57
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2009-03-19 2:05:08
    ComboFix-quarantined-files.txt 2009-03-19 02:05:05

    Pre-Run: 7,105,273,856 bytes free
    Post-Run: 9,324,453,888 bytes free

    216 --- E O F --- 2009-03-11 16:30:20

    Log from HJT
    (add and remove programs)

    Ad-Aware
    Ad-Aware
    Adobe AIR
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Media Player
    Adobe Media Player
    Adobe MPEG Encoder
    AVG 8.5
    Conexant HD Audio
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB961118)
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PRO Network Connections Drivers
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word 2007
    Microsoft Office Word 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox (3.0.7)
    Rainlendar (remove only)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Skype™ 4.0
    Soft Data Fax Modem with SmartCP
    Synaptics Pointing Device Driver
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    VLC media player 0.9.8a
    Winamp
    Windows XP Service Pack 3
    WinRAR archiver


    Many thanks

    Klaus
     
  5. km2357

    km2357 Malware Specialist

    Joined:
    Aug 9, 2007
    Messages:
    686
    We still have some more to do before I can give you the all-clean. :)


    IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

    BitTorrent

    I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

    Also available here.

    My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).



    Seems you're missing an important part of your operating system. Let's get it reinstalled in case you ever need it.
    Nothing is going to change on your computer other than we are going to reinstall the Recovery Console.


    Go to Microsoft's website => http://support.microsoft.com/kb/310994

    At that page, scroll down and click on the appropriate download for your version of Windows XP (Home or Professional) and the service pack level that you have installed. When you click on the link to download the file, make sure you save it directly to your desktop. If you are using Windows XP Service Pack 3 (SP3), then select the Service Pack 2 download. If you are using Windows XP Media Center, then you should select the Windows XP Pro Service Pack 2 download. If you are unsure what version of Windows you have and what Service Pack is installed, you can follow these instructions to gain that information.

    Click on the Start button.

    Click on the Run menu option.

    In the Open: field type the following: sysdm.cpl and then click on the OK button.

    A screen will appear showing information about your installation. Under the System: category you should see your Windows version and the installed Service Pack.

    Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    • Click and drag the setup package onto ComboFix.exe and drop it.

    • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

    • At the next prompt, click 'No'.


    • When the tool is finished, it will produce a report for you.



    Step # 1: Run CFScript

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      KILLALL::
      
      Folder::
      
      c:\program files\BitTorrent
      c:\documents and settings\Kalus\Application Data\BitTorrent
      c:\program files\DNA
      c:\documents and settings\Kalus\Application Data\DNA
      
      Registry::
      
      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "BitTorrent DNA"=-
      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "c:\\Program Files\\BitTorrent\\bittorrent.exe"=-
      "c:\\Program Files\\DNA\\btdna.exe"=-
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.






      Note: This CFScript is for use on klaustrophobia's computer only! Do not use it on your computer.

    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    In your next post/reply, I need to see the following:

    1. Recovery Console Log
    2. The ComboFix Log that appears after Step 1 has been completed.
    3. A fresh HiJackThis Log taken after Step 1 has been completed.
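As an added illustration (not the helper's tool and not HijackThis or ComboFix code), the script below does mechanically what km2357 did by hand above: it parses O4 autorun lines from a HijackThis log, keeps the ones belonging to the programs being removed, and emits the Folder:: and Registry:: sections in the CFScript syntax, where `"Name"=-` deletes a Run value. The sample lines are copied from the first HijackThis log in this thread; the target list and the ".exe"-based path heuristic are constructed for the example.

```python
"""Turn HijackThis O4 autorun entries into a ComboFix CFScript.

Added illustration for this thread, not HijackThis's or ComboFix's own
code. It reproduces what the helper did by hand: pick the Run-key
entries that belong to the programs being removed and emit the Folder::
and Registry:: sections (with the "=-" delete syntax) that ComboFix
reads from CFScript.txt.
"""
import re
from typing import Dict, List, Optional, Tuple

# Sample lines copied from the first HijackThis log in this thread.
HJT_SAMPLE = [
    r"O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent",
    r"O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe",
    r"O4 - HKLM\..\Run: [RelevantKnowledge] C:\program files\relevantknowledge\rlvknlg.exe -boot",
    r"O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe",
    r'O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"',
    r"O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')",
]

# Constructed target list: folder names of the programs chosen for removal.
TARGETS = ["relevantknowledge", "DNA"]

# O4 lines have the shape:  O4 - <hive>\..\<key>: [<value name>] <command>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)

# HijackThis abbreviates the hives; CFScript wants the full key names.
HIVE_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion",
}


def parse_o4(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (hive, key, value name, command) for an O4 line, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return m.group("hive"), m.group("key"), m.group("name"), m.group("cmd")


def exe_path(cmd: str) -> str:
    """Recover the executable path from a Run value's command string.

    Quoted commands end at the closing quote; unquoted ones (which may
    contain spaces, as in the RelevantKnowledge entry) are cut after the
    first ".exe". Simplification for this example: commands without an
    .exe fall back to their first token.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe", cmd, re.IGNORECASE)
    return cmd[: m.end()] if m else cmd.split(" ", 1)[0]


def is_target(path: str, targets: List[str]) -> bool:
    """True when a whole path component equals one of the target names."""
    parts = path.lower().split("\\")
    return any(t.lower() in parts for t in targets)


def plan_removal(hjt_lines: List[str], targets: List[str]) -> Tuple[List[str], Dict[str, List[str]]]:
    """Collect folders to delete and Run values to drop, keyed by full registry key."""
    folders: List[str] = []
    reg: Dict[str, List[str]] = {}
    for line in hjt_lines:
        parsed = parse_o4(line)
        if parsed is None:
            continue
        hive, key, name, cmd = parsed
        path = exe_path(cmd)
        # Per-user SIDs (HKUS\...) are left alone here: they need manual review.
        if hive not in HIVE_KEYS or not is_target(path, targets):
            continue
        folder = path.rsplit("\\", 1)[0]
        if folder not in folders:
            folders.append(folder)
        full_key = f"[{HIVE_KEYS[hive]}\\{key}]"
        reg.setdefault(full_key, []).append(name)
    return folders, reg


def render_cfscript(folders: List[str], reg: Dict[str, List[str]]) -> str:
    """Emit the CFScript text: KILLALL::, Folder::, then Registry:: with "=-" deletes."""
    out = ["KILLALL::", "", "Folder::", ""] + folders + ["", "Registry::", ""]
    for full_key, names in reg.items():
        out.append(full_key)
        out.extend(f'"{n}"=-' for n in names)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_cfscript(*plan_removal(HJT_SAMPLE, TARGETS)))
```

Entries under per-user SIDs and the O4 Startup/Global Startup lines are deliberately not turned into deletions, since those need a human decision rather than a pattern match.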
     
  6. klaustrophobia

    klaustrophobia Thread Starter

    Joined:
    Mar 1, 2009
    Messages:
    12
    Hello KM

    Carried out all the procedures as described
    I reinstalled the recovery console; however, I failed to save the log, and now I'm not sure where it went (not on desktop).

    I am attaching the Combo fix log and the HJT log

    Combofix log


    ComboFix 09-03-18.01 - Kalus 2009-03-20 7:30:31.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.34.1033.18.1014.651 [GMT 0:00]
    Running from: c:\documents and settings\Kalus\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Kalus\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Kalus\Application Data\DNA
    c:\documents and settings\Kalus\Application Data\DNA\dht.dat
    c:\documents and settings\Kalus\Application Data\DNA\dht.dat.old
    c:\documents and settings\Kalus\Application Data\DNA\dna.lng
    c:\documents and settings\Kalus\Application Data\DNA\resume.dat
    c:\documents and settings\Kalus\Application Data\DNA\resume.dat.old
    c:\documents and settings\Kalus\Application Data\DNA\rss.dat
    c:\documents and settings\Kalus\Application Data\DNA\rss.dat.old
    c:\documents and settings\Kalus\Application Data\DNA\settings.dat
    c:\documents and settings\Kalus\Application Data\DNA\settings.dat.old
    c:\program files\DNA
    c:\program files\DNA\btdna.exe
    c:\program files\DNA\DNAcpl.cpl
    c:\program files\DNA\plugins\npbtdna.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-02-20 to 2009-03-20 )))))))))))))))))))))))))))))))
    .

    2009-03-17 13:01 . 2009-03-19 11:36 <DIR> d----c--- c:\windows\system32\DRVSTORE
    2009-03-17 12:57 . 2009-03-19 11:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
    2009-03-17 08:46 . 2009-03-17 08:46 <DIR> d-------- c:\program files\Trend Micro
    2009-03-15 23:53 . 2009-03-15 23:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
    2009-03-15 23:48 . 2009-03-15 23:48 <DIR> d-------- c:\program files\Common Files\Adobe AIR
    2009-03-15 23:48 . 2009-03-15 23:48 <DIR> d-------- c:\program files\Adobe Media Player
    2009-03-15 11:14 . 2008-04-14 05:42 159,232 --a------ c:\windows\system32\ptpusd.dll
    2009-03-15 11:14 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
    2009-03-15 11:14 . 2008-04-14 00:15 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
    2009-03-15 11:14 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
    2009-03-10 20:13 . 2009-03-10 20:13 <DIR> d-------- c:\program files\AskSearch
    2009-03-10 20:02 . 2009-03-10 20:02 1,971,118 --a------ C:\MVI_1701.mp3
    2009-03-10 20:01 . 2009-03-10 21:21 <DIR> d-------- c:\program files\DoremiSoft
    2009-03-10 19:26 . 2009-03-10 19:26 <DIR> d-------- c:\documents and settings\Kalus\Application Data\avidemux
    2009-03-10 19:24 . 2009-03-10 21:27 <DIR> d-------- c:\program files\Avidemux 2.4
    2009-03-10 19:09 . 2009-03-10 21:22 <DIR> d-------- c:\program files\AviSynth 2.5
    2009-03-10 18:44 . 2007-03-16 21:10 499,712 --a------ c:\windows\system32\MSVCP71.DLL
    2009-03-10 18:44 . 2007-03-16 21:10 348,160 --a------ c:\windows\system32\MSVCR71.DLL
    2009-03-10 18:43 . 2001-08-23 17:00 1,700,352 --a------ c:\windows\system32\gdiplus.dll
    2009-03-10 18:43 . 2002-01-05 14:40 487,424 --a------ c:\windows\system32\msvcp70.dll
    2009-03-10 18:43 . 2005-11-25 21:46 421,888 --a------ c:\windows\system32\RealMediaSplitter.ax
    2009-03-10 18:43 . 2002-01-05 15:37 344,064 --a------ c:\windows\system32\msvcr70.dll
    2009-03-10 18:31 . 2009-03-10 18:31 <DIR> d-------- C:\OutputFolder
    2009-03-10 18:30 . 2009-03-10 18:30 170 --a------ c:\windows\system32\test.aok
    2009-03-10 18:29 . 2009-03-10 18:42 <DIR> d-------- c:\program files\Ultra MP4 Video Converter
    2009-03-10 18:29 . 2007-04-12 14:19 129,024 --a------ c:\windows\system32\AVERM.dll
    2009-03-10 18:29 . 2006-09-26 13:57 28,672 --a------ c:\windows\system32\AVEQT.dll
    2009-03-10 18:05 . 2009-03-10 18:38 <DIR> d-------- c:\program files\Any Video Converter
    2009-03-10 18:05 . 2009-03-10 18:38 <DIR> d-------- c:\documents and settings\Kalus\Application Data\Any Video Converter
    2009-03-10 17:50 . 2009-03-10 17:50 <DIR> d-------- c:\program files\directx
    2009-03-10 17:50 . 2001-10-19 14:40 1,683,792 --a------ c:\windows\system32\wmvcore2.dll
    2009-03-10 17:50 . 2001-10-19 14:40 665,424 --a------ c:\windows\system32\wmv8dmoe.dll
    2009-03-10 17:50 . 2001-10-19 14:39 572,752 --a------ c:\windows\system32\wmvdmoe.dll
    2009-03-10 17:50 . 2001-10-19 14:40 438,608 --a------ c:\windows\system32\wmv8dmod.dll
    2009-03-10 17:50 . 2001-10-19 02:05 285,184 --a------ c:\windows\system32\wmidx2.ocx
    2009-03-10 17:50 . 2009-03-10 17:50 156,910 --a------ c:\windows\WMSysPr8.prx
    2009-03-10 17:48 . 2009-03-10 17:48 <DIR> d-------- c:\documents and settings\Kalus\WINDOWS
    2009-03-10 17:48 . 2002-08-02 16:32 299,520 --a------ c:\windows\uninst.exe
    2009-03-09 08:09 . 2009-03-09 08:09 <DIR> d-------- c:\documents and settings\Kalus\Application Data\Nero
    2009-03-09 08:01 . 2009-03-09 08:01 <DIR> d-------- c:\program files\Nero
    2009-03-09 08:01 . 2009-03-09 08:01 <DIR> d-------- c:\program files\Common Files\Nero
    2009-03-09 08:01 . 2009-03-09 08:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nero
    2009-03-08 13:46 . 2009-03-08 13:46 <DIR> d-------- C:\CucusoftOutput
    2009-03-08 13:45 . 2009-03-08 13:45 <DIR> d-------- c:\program files\Cucusoft
    2009-03-08 13:28 . 2009-03-08 13:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\SlySoft
    2009-03-08 13:26 . 2009-03-08 13:26 <DIR> d-------- c:\program files\SlySoft
    2009-03-07 16:15 . 2009-03-07 16:26 <DIR> d-------- c:\documents and settings\Kalus\Application Data\dvdcss
    2009-03-07 14:56 . 2009-03-07 14:56 <DIR> d-------- c:\documents and settings\Kalus\Application Data\vlc
    2009-03-07 14:53 . 2009-03-07 14:53 <DIR> d-------- c:\program files\VideoLAN
    2009-03-07 14:51 . 2009-03-07 14:58 <DIR> d-------- c:\program files\Audacity 1.3 Beta
    2009-03-07 14:43 . 2009-03-10 23:07 <DIR> d-------- c:\documents and settings\Kalus\Application Data\Audacity
    2009-03-06 14:06 . 2009-03-06 14:06 <DIR> dr------- c:\program files\Skype
    2009-03-06 14:06 . 2009-03-06 15:28 <DIR> d-------- c:\documents and settings\Kalus\Application Data\Skype
    2009-03-06 14:05 . 2009-03-06 14:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
    2009-03-06 12:00 . 2009-03-19 12:01 <DIR> d--h----- C:\$AVG8.VAULT$
    2009-03-05 16:02 . 2009-03-16 12:40 <DIR> d-------- c:\program files\Common Files\Adobe
    2009-03-05 12:36 . 2009-03-05 12:36 <DIR> d-------- c:\program files\Microsoft Works
    2009-03-05 12:35 . 2009-03-05 12:35 <DIR> d-------- c:\program files\Microsoft.NET
    2009-03-05 12:33 . 2009-03-05 12:33 <DIR> dr-h----- C:\MSOCache
    2009-03-05 12:33 . 2009-03-05 12:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-03-05 12:29 . 2009-03-05 12:29 <DIR> d-------- c:\program files\Rainlendar
    2009-03-05 12:29 . 2009-03-05 12:34 <DIR> d-------- c:\documents and settings\Kalus\Application Data\Rainlendar
    2009-03-05 12:29 . 2008-10-16 01:00 1,499,136 -----c--- c:\windows\system32\dllcache\shdocvw.dll
    2009-03-05 12:29 . 2008-10-16 01:00 666,112 -----c--- c:\windows\system32\dllcache\wininet.dll
    2009-03-05 12:29 . 2008-10-16 01:00 619,520 -----c--- c:\windows\system32\dllcache\urlmon.dll
    2009-03-05 12:14 . 2009-03-05 12:15 <DIR> d-------- c:\program files\Winamp
    2009-03-05 12:14 . 2009-03-05 12:17 <DIR> d-------- c:\documents and settings\Kalus\Application Data\Winamp
    2009-03-05 12:12 . 2008-06-13 11:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
    2009-03-05 12:11 . 2009-03-05 12:11 0 --a------ c:\windows\nsreg.dat
    2009-03-05 12:05 . 2009-02-09 11:13 1,846,784 -----c--- c:\windows\system32\dllcache\win32k.sys
    2009-03-05 12:03 . 2008-08-14 10:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
    2009-03-05 12:03 . 2008-08-14 10:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
    2009-03-05 12:03 . 2008-08-14 09:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
    2009-03-05 12:03 . 2008-08-14 09:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
    2009-03-05 12:01 . 2009-03-19 11:35 <DIR> d-------- c:\windows\system32\drivers\Avg
    2009-03-05 12:01 . 2009-03-05 12:04 <DIR> d-------- c:\documents and settings\Kalus\Application Data\AVGTOOLBAR
    2009-03-05 12:01 . 2008-12-12 17:01 3,067,904 -----c--- c:\windows\system32\dllcache\mshtml.dll
    2009-03-05 12:01 . 2009-03-05 12:01 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
    2009-03-05 12:01 . 2009-03-05 12:01 107,912 --a------ c:\windows\system32\drivers\avgtdix.sys
    2009-03-05 12:01 . 2009-03-05 12:01 10,520 --a------ c:\windows\system32\avgrsstx.dll
    2009-03-05 12:00 . 2009-03-05 12:00 <DIR> d-------- c:\program files\AVG
    2009-03-05 12:00 . 2009-03-05 12:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
    2009-03-05 11:58 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
    2009-03-05 11:58 . 2008-05-08 14:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
    2009-03-05 11:57 . 2008-12-11 10:57 333,952 -----c--- c:\windows\system32\dllcache\srv.sys
    2009-03-05 11:57 . 2008-05-01 14:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
    2009-03-05 11:53 . 2008-10-15 16:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
    2009-03-05 11:52 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
    2009-03-05 11:48 . 2008-04-11 19:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
    2009-03-05 11:37 . 2008-04-14 00:15 26,368 --a--c--- c:\windows\system32\dllcache\usbstor.sys
    2009-03-04 18:09 . 2009-03-11 13:51 <DIR> d--h----- c:\windows\$hf_mig$
    2009-03-04 17:52 . 2006-02-07 08:40 151,552 --a------ c:\windows\system32\igfxres.dll
    2009-03-04 17:48 . 2005-03-04 00:00 157,696 --a------ c:\windows\system32\drivers\e100b325.sys
    2009-03-04 17:48 . 2005-03-04 00:00 157,696 --a--c--- c:\windows\system32\dllcache\e100b325.sys
    2009-03-04 17:48 . 2005-03-04 00:00 126,976 --a------ c:\windows\system32\Prounstl.exe
    2009-03-04 17:48 . 2005-03-04 00:00 23,040 --a------ c:\windows\system32\IntelNic.dll
    2009-03-04 17:48 . 2005-03-04 00:00 5,110 --a------ c:\windows\system32\e100b325.din
    2009-03-04 17:47 . 2009-03-04 17:47 <DIR> d-------- c:\program files\Synaptics
    2009-03-04 17:46 . 2008-04-14 00:15 172,416 --a------ c:\windows\system32\drivers\kmixer.sys
    2009-03-04 17:46 . 2008-04-14 00:15 172,416 --a--c--- c:\windows\system32\dllcache\kmixer.sys
    2009-03-04 17:46 . 2008-04-14 00:45 60,800 --a------ c:\windows\system32\drivers\sysaudio.sys
    2009-03-04 17:46 . 2008-04-14 00:45 60,800 --a--c--- c:\windows\system32\dllcache\sysaudio.sys
    2009-03-04 17:46 . 2008-04-14 00:09 7,552 --a------ c:\windows\system32\drivers\MSKSSRV.sys
    2009-03-04 17:46 . 2008-04-14 00:09 7,552 --a--c--- c:\windows\system32\dllcache\mskssrv.sys
    2009-03-04 17:46 . 2008-04-14 00:09 5,376 --a------ c:\windows\system32\drivers\MSPCLOCK.sys
    2009-03-04 17:46 . 2008-04-14 00:09 5,376 --a--c--- c:\windows\system32\dllcache\mspclock.sys
    2009-03-04 17:46 . 2008-04-14 00:09 4,992 --a------ c:\windows\system32\drivers\MSPQM.sys
    2009-03-04 17:46 . 2008-04-14 00:09 4,992 --a--c--- c:\windows\system32\dllcache\mspqm.sys
    2009-03-04 17:46 . 2008-04-14 00:15 2,944 --a------ c:\windows\system32\drivers\drmkaud.sys
    2009-03-04 17:46 . 2008-04-14 00:15 2,944 --a--c--- c:\windows\system32\dllcache\drmkaud.sys
    2009-03-04 17:45 . 2006-09-27 00:00 2,732,032 --a------ c:\windows\system32\NETw3r32.dll
    2009-03-04 17:45 . 2006-09-27 00:00 1,709,696 --a------ c:\windows\system32\drivers\NETw3x32.sys
    2009-03-04 17:45 . 2006-01-09 00:00 561,664 --a------ c:\windows\system32\drivers\CHDAud.sys
    2009-03-04 17:45 . 2006-09-27 00:00 561,152 --a------ c:\windows\system32\NETw3c32.dll
    2009-03-04 17:45 . 2006-01-09 00:00 61,952 --a------ c:\windows\system32\CHDAudPropShortcut.exe
    2009-03-04 17:45 . 2006-01-09 00:00 24,064 --a------ c:\windows\system32\CHdAudprop.dll
    2009-03-04 17:45 . 2006-01-09 00:00 5,120 --a------ c:\windows\system32\CHdAudPropres.dll
    2009-03-04 17:44 . 2009-03-04 17:44 <DIR> d-------- c:\program files\CONEXANT
    2009-03-04 17:43 . 2006-01-11 00:00 935,424 --a------ c:\windows\system32\drivers\HSX_DPV.sys
    2009-03-04 17:43 . 2006-01-11 00:00 671,232 --a------ c:\windows\system32\drivers\HSX_CNXT.sys
    2009-03-04 17:43 . 2006-01-11 00:00 194,048 --a------ c:\windows\system32\drivers\HSXHWAZL.sys
    2009-03-04 17:43 . 2006-01-11 00:00 140,731 --a------ c:\windows\system32\drivers\HSFProf.cty
    2009-03-04 17:43 . 2006-01-09 00:00 114,688 --a------ c:\windows\system32\UCI32103.dll
    2009-03-04 17:39 . 2006-02-07 09:03 956,029 --a------ c:\windows\system32\ialmdd5.dll
    2009-03-04 17:39 . 2006-02-07 08:55 232,733 --a------ c:\windows\system32\ialmdev5.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-04 14:19 --------- d-----w c:\program files\microsoft frontpage
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-01-13 761946]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-05 1932568]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]
    "High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-01-09 c:\windows\system32\CHDAudPropShortcut.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\Kalus\Start Menu\Programs\Startup\
    Rainlendar.lnk - c:\program files\Rainlendar\Rainlendar.exe [2005-03-25 118784]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\Mozilla Firefox
    Mozilla Firefox (Safe Mode).lnk - c:\program files\Mozilla Firefox\firefox.exe [2009-03-05 307704]
    Mozilla Firefox.lnk - c:\program files\Mozilla Firefox\firefox.exe [2009-03-05 307704]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-03-05 12:01 10520 c:\windows\system32\avgrsstx.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-05 325640]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-05 107912]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-03-05 908056]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-05 298264]
    S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2009-03-04 20160]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-03-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    FF - ProfilePath - c:\documents and settings\Kalus\Application Data\Mozilla\Firefox\Profiles\hhq1yrl8.default\
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-20 07:33:52
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\progra~1\AVG\AVG8\avgnsx.exe
    c:\program files\AVG\AVG8\avgcsrvx.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\rundll32.exe
    .
    **************************************************************************
    .
    Completion time: 2009-03-20 7:35:45 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-03-20 07:35:42
    ComboFix2.txt 2009-03-20 07:19:58
    ComboFix3.txt 2009-03-19 02:05:09

    Pre-Run: 1,745,850,368 bytes free
    Post-Run: 1,731,776,512 bytes free

    230 --- E O F --- 2009-03-11 16:30:20


    HJT log


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 07:41:28, on 20/03/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Rainlendar\Rainlendar.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
    O4 - Global Startup: Mozilla Firefox
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

    --
    End of file - 3826 bytes


    Thank you for the help !!!
     
  7. km2357

    km2357 Malware Specialist

    Joined:
    Aug 9, 2007
    Messages:
    686
    That's ok about the Recovery Console Log, your latest ComboFix Log no longer says you don't have Recovery Console installed, meaning you successfully installed it. :)


    Step # 1: Download and Run ATF Cleaner
    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.


    Step # 2 Download and Run Malwarebytes' Anti-Malware

    Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
    • Next click the Scanner tab and select Perform Quick Scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location.
    • You can also access the log by doing the following:
    • Click on the Malwarebytes' Anti-Malware icon to launch the program.
    • Click on the Logs tab.
    • Click on the log at the bottom of those listed to highlight it.
    • Click Open.


    In your next post/reply, I need to see the following:

    1. MalwareBytes' Log
    2. A fresh HiJackThis Log
     
  8. klaustrophobia

    klaustrophobia Thread Starter

    Joined:
    Mar 1, 2009
    Messages:
    12
    Hello KM

    Thanks again

    Looks like things are working out !!

    I am attaching mbam-log and HJT log

    mbam-log

    Malwarebytes' Anti-Malware 1.34
    Database version: 1878
    Windows 5.1.2600 Service Pack 3

    20/03/2009 21:06:41
    mbam-log-2009-03-20 (21-06-41).txt

    Scan type: Quick Scan
    Objects scanned: 58996
    Time elapsed: 2 minute(s), 47 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    HJT log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:07:49, on 20/03/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Rainlendar\Rainlendar.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

    --
    End of file - 3913 bytes


    Thank you

    Klaus :)
     
  9. km2357

    km2357 Malware Specialist

    Joined:
    Aug 9, 2007
    Messages:
    686
    Step # 1: Run Kaspersky Online Scan

    Please make sure that all programs are closed when installing Java.

    1. Click here to visit Java's website.
    2. Scroll down to Java Runtime Environment (JRE) 6 Update 12. Click on Download.
    3. Select Windows from the drop-down list for Platform.
    4. Select Multi-language from the drop-down list for Language.
    5. Check (tick) I agree to the Java SE Runtime Environment 12 License Agreement box and click on Continue.
    6. Click on jre-6u12-windows-i586-p.exe link to download it and save this to a convenient location.
    7. Double click on jre-6u12-windows-i586-p.exe to install Java.
    8. After the Java installation has finished, please go to Kaspersky website and perform an online antivirus scan.
    9. Read through the requirements and privacy statement and click on Accept button.
    10. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    11. When the downloads have finished, click on Settings.
    12. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    13. Click on My Computer under Scan.
    14. Once the scan is complete, it will display the results. Click on View Scan Report.
    15. You will see a list of infected items there. Click on Save Report As....
    16. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    17. Please post this log in your next reply.


    In your next post/reply, I need to see the following:

    1. Kaspersky Log
    2. A fresh HiJackThis Log
    3. How is your computer doing, any problems?
     
  10. km2357

    km2357 Malware Specialist

    Joined:
    Aug 9, 2007
    Messages:
    686
    klaustrophobia? How are things coming along?
     
  11. klaustrophobia

    klaustrophobia Thread Starter

    Joined:
    Mar 1, 2009
    Messages:
    12
    Dear Km


    I will be going away for the next 11 days without acccess to the internet.

    I carried out both scans, Kaspersky detected no threats.

    Does this mean I´m all clean?

    Computer is running well.

    Won´t be looking at the thread for the next 11 days, so thank you very much for your help. It was most appreciated. I think you are doing a great job :)

    All the best

    Klaus

    Kaspersky

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Tuesday, March 24, 2009
    Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Monday, March 23, 2009 22:13:13
    Records in database: 1958593
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\
    G:\

    Scan statistics:
    Files scanned: 36513
    Threat name: 0
    Infected objects: 0
    Suspicious objects: 0
    Duration of the scan: 01:34:16

    No malware has been detected. The scan area is clean.

    The selected area was scanned.
     
  12. km2357

    km2357 Malware Specialist

    Joined:
    Aug 9, 2007
    Messages:
    686
    Both Kaspersky and your latest HJT log look good. :)

    Since you'll be away for 11 days, I'll wait till you get back before I post my "All-Clean" speech to you and then we'll be done. :)

    Let me know when you get back.
     
  13. klaustrophobia

    klaustrophobia Thread Starter

    Joined:
    Mar 1, 2009
    Messages:
    12
    Hey KM

    I´m ready for the all clean speech ...

    :)
     
  14. km2357

    km2357 Malware Specialist

    Joined:
    Aug 9, 2007
    Messages:
    686
    Welcome back. :)

    To remove ComboFix, do the following:

    Go to Start > Run - type in ComboFix /u & click OK


    Please take the time to read my All Clean Post.

    Please follow these simple steps in order to keep your computer clean and secure:

    This is a good time to clear your existing system restore points and establish a new clean restore point

    • Go to Start > All Programs > Accessories > System Tools > System Restore
    • Select Create a restore point, and Ok it.
    • Next, go to Start > Run and type in cleanmgr
    • Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
    • Select the More options tab
    • Choose the option to clean up system restore and OK it.
    • This will remove all restore points except the new one you just created.

    Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.


    Make your Internet Explorer more secure. This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it asks you if you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
    Set correct settings for files that should be hidden in Windows XP
    • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
    • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
    • If unchecked please check Hide protected operating system files (Recommended)
    • If necessary check "Display content of system folders"
    • If necessary Uncheck Hide file extensions for known file types.
    • Click OK
    • Use Antivirus Software and Keep It Updated - It is very important that your computer has antivirus software running on it. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
    • Visit Microsoft's Update Site Frequently. It is important that you visit Microsoft Updates regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
    • Install SpywareBlaster. SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
      Computer Safety on line Anti Malware
    • Use the hosts file: Every version of Windows has a hosts file. In a very basic sense, it is used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download the MVPS hosts file. Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE. If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
      • Click the start button on the task bar at the bottom of your screen
      • Click run
      • In the dialog box, type services.msc
      • hit enter, then locate dns client
      • Highlight it, then doubleclick it.
      • On the dropdown box, change the setting from automatic to manual.
      • Click ok..
    • Use an alternative instant messenger program. Trillian and Miranda IM are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
    • Please read Tony Klein's excellent article: How I got Infected in the First Place
    • Please read Understanding Spyware, Browser Hijackers, and Dialers
    • Please read Simple and easy ways to keep your computer safe and secure on the Internet
    • If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox or
      Opera.
      If you decide to use either FireFox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
    • Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    • If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back.
    Follow these steps and your potential for being infected again will reduce dramatically.

    Here's a good website to read about Malware prevention:

    http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

    If your computer is running slow, click here for instructions on how to help speed up your computer.

    Good luck!


    Please reply one last time so that I know you have read my post and this thread can be closed.
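The Internet Explorer zone settings, the folder-view settings and the DNS Client change that goes with a large hosts file in the post above can be audited and applied from the registry and service control rather than by clicking through the dialogs. The script below is an added example for this thread, not a Tech Support Guy tool or anything posted by km2357. It assumes Windows PowerShell 3 or later, run as the user whose Internet Explorer profile is being checked, and that the zone action IDs under the Internet zone key (1001, 1004, 1201, 1800, 1804, 1607) carry the meanings Microsoft documents for them in KB182569; the Explorer value names (Hidden, ShowSuperHidden, HideFileExt) are likewise the documented ones. Without -Apply it only reports.

```powershell
# Added example (not from the original thread): audit or apply the "All Clean"
# hardening steps via the registry and service control.
# Assumptions: Windows PowerShell 3+; zone action IDs per Microsoft KB182569;
# Explorer\Advanced value names as documented by Microsoft.
# Usage:  .\Check-AllClean.ps1          (report only)
#         .\Check-AllClean.ps1 -Apply   (elevated shell needed for Set-Service)
param([switch]$Apply)

# Internet zone is zone 3. Action values: 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ZoneActions = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Want = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Want = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Want = 1 }
}

# Folder Options > View, as the post sets them.
# Hidden: 2 = do not show hidden files; ShowSuperHidden: 0 = hide protected OS
# files; HideFileExt: 0 = show extensions for known file types.
$AdvKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$FolderOptions = @{
    'Hidden'          = @{ Name = 'Do not show hidden files and folders';   Want = 2 }
    'ShowSuperHidden' = @{ Name = 'Hide protected operating system files';  Want = 0 }
    'HideFileExt'     = @{ Name = 'Show extensions for known file types';   Want = 0 }
}

function Test-RegValues {
    param([string]$Key, [hashtable]$Wanted)
    foreach ($valueName in $Wanted.Keys) {
        $desired = $Wanted[$valueName].Want
        # A missing value reads back as $null and is reported as needing a fix.
        $current = (Get-ItemProperty -Path $Key -Name $valueName -ErrorAction SilentlyContinue).$valueName
        $status  = if ($current -eq $desired) { 'OK' } else { 'FIX' }
        '{0,-4} {1,-62} current={2} wanted={3}' -f $status, $Wanted[$valueName].Name, $current, $desired
        if ($Apply -and $current -ne $desired) {
            New-ItemProperty -Path $Key -Name $valueName -PropertyType DWord -Value $desired -Force | Out-Null
        }
    }
}

'--- Internet Explorer, Internet zone ---'
Test-RegValues -Key $ZoneKey -Wanted $ZoneActions
'--- Explorer folder options ---'
Test-RegValues -Key $AdvKey  -Wanted $FolderOptions

# The MVPS hosts file maps each blocked name to 0.0.0.0, one per line.
# Count those entries so you can see whether a blocklist is actually installed.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$blocked = @(Get-Content $hostsPath -ErrorAction SilentlyContinue |
             Where-Object { $_ -match '^\s*0\.0\.0\.0\s+\S+' }).Count
"hosts file: $blocked blocked entries in $hostsPath"

# The post's workaround for a large hosts file slowing the machine: set the
# DNS Client service (Dnscache) to Manual.
$dnsSvc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Dnscache'"
"DNS Client start mode: $($dnsSvc.StartMode)"
if ($Apply -and $dnsSvc.StartMode -ne 'Manual') {
    Set-Service -Name Dnscache -StartupType Manual
    'DNS Client set to Manual'
}
```

Run it once without -Apply to see which of the post's settings are already in place; lines marked FIX are the ones the dialog steps would change. The registry writes only affect the current user's profile, so run it as the account that actually browses, and open an elevated shell before using -Apply if the DNS Client change is needed.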
     
  15. klaustrophobia

    klaustrophobia Thread Starter

    Joined:
    Mar 1, 2009
    Messages:
    12
    Thanks KM

    Have received and read your post

    Will start working through the list of things to do

    Thank you very much

    >>Klaus :)
     
Short URL to this thread: https://techguy.org/810160