1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Several Viruses, HJT incl., Any help appreciated.

Discussion in 'Virus & Other Malware Removal' started by Jaxum, Jan 26, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. Jaxum

    Jaxum Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    30
    HJT log as follows:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:35:33 PM, on 1/26/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\savedump.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~2\mm_tray.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
    C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\McAfee.com\VSO\oasclnt.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\nordsys.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Handspring\HOTSYNC.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Documents and Settings\Jason Pendleton\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~2\mm_tray.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe
    O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712...amai.com/6712/player/install3.5/installer.exe
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    Any help is appreciated.

    Thanks,
    Jaxum
     
  2. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, Jaxum :)

    Welcome to TSG.

    Download ComboFix from Here or Here. to your Desktop.

    Reboot to Safe mode:

    Restart your computer and begin tapping the F8 key on your keyboard just before Windows starts to load. If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

    Perform the following actions in Safe Mode.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
    Note: Do not mouseclick combofix's window while its running. That may cause it to stall
     
  3. Jaxum

    Jaxum Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    30
    Both Logs:

    "Jason Pendleton" - 07-01-26 18:56:48 Service Pack 2
    ComboFix 07-01-25 - Running from: "C:\Documents and Settings\Jason Pendleton\Desktop"

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\w.exe
    C:\WINDOWS\system32\w.exe.exe
    C:\WINDOWS\system32\google.png.exe
    C:\WINDOWS\system32\nordsys.exe
    C:\WINDOWS\system32\se.exe.exe
    C:\WINDOWS\system32\ss.exe.exe
    C:\WINDOWS\system32\svcp.csv
    C:\WINDOWS\system32\zlbw.dll


    ((((((((((((((((((((((((((((((( Files Created from 2006-12-26 to 2007-01-26 ))))))))))))))))))))))))))))))))))


    2007-01-26 15:49 54,222 --a------ C:\WINDOWS\SYSTEM32\game.exe
    2007-01-26 15:28 54,016 --a------ C:\WINDOWS\SYSTEM32\wincom32.sys
    2007-01-26 15:28 35,790 --a------ C:\WINDOWS\SYSTEM32\game5p.exe.exe
    2007-01-26 15:27 6,094 --a------ C:\WINDOWS\SYSTEM32\pbrgbxnl.exe
    2007-01-23 21:08 <DIR> d-------- C:\DOCUME~1\COURTN~1\Application Data\InstallShield
    2007-01-23 20:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\McAfee
    2007-01-23 20:28 25,600 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\usbser.sys
    2007-01-23 20:28 <DIR> d-------- C:\Program Files\Avanquest update
    2007-01-23 20:27 <DIR> d-------- C:\Program Files\Motorola Phone Tools
    2007-01-23 20:26 25,600 --a------ C:\DOCUME~1\COURTN~1\usbsermptxp.sys
    2007-01-23 20:26 22,768 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\usbsermpt.sys
    2007-01-23 20:26 22,768 --a------ C:\DOCUME~1\COURTN~1\usbsermpt.sys
    2007-01-19 15:21 6,339 --a------ C:\WINDOWS\SYSTEM32\ijhxscbc.exe
    2007-01-16 17:57 <DIR> d-------- C:\DOCUME~1\JOEPEN~1\Application Data\Apple Computer
    2007-01-12 06:54 6,309 --a------ C:\WINDOWS\SYSTEM32\brvrehup.exe
    2007-01-04 07:51 54,222 --a------ C:\WINDOWS\SYSTEM32\game0.exe.exe
    2007-01-04 07:50 6,304 --a------ C:\WINDOWS\SYSTEM32\tvvcqyvo.exe
    2006-12-27 16:27 <DIR> d-------- C:\Program Files\iTunes
    2006-12-27 16:25 <DIR> d-------- C:\Program Files\Apple Software Update
    2006-12-27 11:19 6,239 --a------ C:\WINDOWS\SYSTEM32\txyrblwr.exe
    2006-12-27 11:19 <DIR> d-------- C:\Program Files\Windows Media Connect 2
    2006-12-27 11:15 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
    2006-12-27 11:15 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\UMDF


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-01-23 20:28 -------- d--h----- C:\Program Files\installshield installation information
    2006-12-27 16:28 -------- d-------- C:\Program Files\ipod
    2006-12-27 16:27 -------- d-------- C:\Program Files\quicktime
    2006-12-10 16:32 6239 --a------ C:\WINDOWS\SYSTEM32\iavzmmbk.exe
    2006-12-10 16:28 -------- d-------- C:\Program Files\apte software
    2006-12-10 16:27 -------- d-------- C:\Program Files\mars
    2006-12-03 13:41 6199 --a------ C:\WINDOWS\SYSTEM32\mefgfmif.exe
    2006-11-26 13:04 6199 --a------ C:\WINDOWS\SYSTEM32\keemjqso.exe
    2006-11-08 00:06 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
    2006-11-04 14:14 1245696 --a------ C:\WINDOWS\SYSTEM32\msxml4.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "Sonic RecordNow!"=""
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
    "dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
    "StorageGuard"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
    "DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
    "PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
    "diagent"="\"C:\\Program Files\\Creative\\SBLive\\Diagnostics\\diagent.exe\" startup"
    "MMTray"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~2\\mm_tray.exe"
    "VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
    "MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
    "MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
    "Dell AIO Printer A960"="\"C:\\Program Files\\Dell AIO Printer A960\\dlbfbmgr.exe\""
    "VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
    "nwiz"="nwiz.exe /install"
    "ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~2\\mimboot.exe"
    "OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
    "PinnacleDriverCheck"="C:\\WINDOWS\\system32\\PSDrvCheck.exe -CheckReg"
    "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
    "Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
    "ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "taskdir"="C:\\WINDOWS\\system32\\taskdir.exe"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "taskdir"="C:\\WINDOWS\\system32\\taskdir.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    @=""
    "NoCDBurning"=dword:00000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    C:\WINDOWS\tasks\ISP signup reminder 1.job
    C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (DJMQBQ41-Courtney Pendleton).job
    C:\WINDOWS\tasks\MP Scheduled Scan.job

    Completion time: 07-01-26 19:01:39


    *****************************************************************

    Logfile of HijackThis v1.99.1
    Scan saved at 19:02, on 07-01-26
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\sUBs\ComboFix.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Documents and Settings\Jason Pendleton\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~2\mm_tray.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712...amai.com/6712/player/install3.5/installer.exe
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
     
  4. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, Jaxum :)

    Please download the Suspicious File Packer from Here. Extract its contents to the desktop. Open the SFP folder on your desktop and run the SFP.EXE file.

    Copy and Paste the following bold locations into the Suspicious File Packer window:

    C:\WINDOWS\SYSTEM32\iavzmmbk.exe
    C:\WINDOWS\SYSTEM32\mefgfmif.exe
    C:\WINDOWS\SYSTEM32\keemjqso.exe
    C:\WINDOWS\SYSTEM32\pbrgbxnl.exe
    C:\WINDOWS\SYSTEM32\ijhxscbc.exe
    C:\WINDOWS\SYSTEM32\brvrehup.exe
    C:\WINDOWS\SYSTEM32\tvvcqyvo.exe
    C:\WINDOWS\SYSTEM32\txyrblwr.exe


    Click on Continue to allow SFP to pack the file. This will generate a CAB archive on your desktop.

    Click Here to upload the created CAB archive.
    • Click on "New Topic"
    • Put your name, e-mail address, and this as the title: "Suspicious File Packer"
    • Put a link to this thread in the description box.
    • Then next to the file box, at the bottom, click the browse button, then navigate to CAB archive that was been created on your desktop.
    • The cab file will be called requested-files(*).cab (the * stands for the date and hour).
      Then click the Send File button below.
    • Click Open.
    • Click Post.
    Please download the Killbox by Option^Explicit.

    Note: In the event you already have Killbox, this is a new version that I need you to download.
    • Save it to your desktop.
    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway

    Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

    Close Hijackthis.
    • Please double-click Killbox.exe to run it.
    • Select:
      • Delete on Reboot
      • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\WINDOWS\SYSTEM32\iavzmmbk.exe
      C:\WINDOWS\SYSTEM32\mefgfmif.exe
      C:\WINDOWS\SYSTEM32\keemjqso.exe
      C:\WINDOWS\SYSTEM32\pbrgbxnl.exe
      C:\WINDOWS\SYSTEM32\ijhxscbc.exe
      C:\WINDOWS\SYSTEM32\brvrehup.exe
      C:\WINDOWS\SYSTEM32\tvvcqyvo.exe
      C:\WINDOWS\SYSTEM32\txyrblwr.exe
      C:\WINDOWS\system32\taskdir.exe
      C:\WINDOWS\SYSTEM32\game.exe
      C:\WINDOWS\SYSTEM32\wincom32.sys
      C:\WINDOWS\SYSTEM32\game5p.exe.exe
      C:\WINDOWS\SYSTEM32\game0.exe.exe



    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

    Ugrading Java:
    • Download the latest version of Java Runtime Environment (JRE) 6 .
    • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
    • Click the "Download" button to the right.
    • Check the box that says: "Accept License Agreement".
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on the download to install the newest version.
    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
    • When VundoFix re-opens, click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.
     
  5. Jaxum

    Jaxum Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    30
    Okay, All that stuff is done, didn't tell me that anything could not be removed. It all went smooth. Vundo found nothing. Here's a new HJT:

    Logfile of HijackThis v1.99.1
    Scan saved at 20:42, on 07-01-26
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~2\mm_tray.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
    C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\McAfee.com\VSO\oasclnt.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Handspring\HOTSYNC.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Documents and Settings\Jason Pendleton\Desktop\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~2\mm_tray.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712...amai.com/6712/player/install3.5/installer.exe
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
     
  6. Jaxum

    Jaxum Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    30
    So am I all set on this?
     
  7. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, Jaxum :)

    Lets confirm those deletions. Download the enclosed folder and extract its contents to the desktop. It is a batch file. Once extracted, double click on the batch file and post the contents of the report it will create.
     

    Attached Files:

  8. Jaxum

    Jaxum Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    30
    Pocket Killbox version 2.0.0.648
    Running on Windows XP as Courtney Pendleton(Administrator)
    was started @ Friday, August 04, 2006, 7:41 PM

    # 1 [Delete on Reboot]
    Path = C:\WINDOWS\system32\office_pnl.dll


    # 2 [Delete on Reboot]
    Path = C:\WINDOWS\system32\runsrv32.exe


    Killbox Closed(Exit) @ 7:43:09 PM
    __________________________________________________

    Pocket Killbox version 2.0.0.648
    Running on Windows XP as Jason Pendleton(Administrator)
    was started @ Sunday, October 01, 2006, 12:34 PM

    # 1 [Files to Delete]
    Path = C:\WINDOWS\system32\sumsw32.exe
    *File Was Deleted

    # 2 [Files to Delete]
    Path = C:\WINDOWS\system32\susp.exe
    *This file does not seem to exist

    # 3 [Files to Delete]
    Path = C:\WINDOWS\system32\runsrv32.exe
    *File Was Deleted

    # 4 [Files to Delete]
    Path = C:\WINDOWS\system32\taskdir.exe
    *This file does not seem to exist

    Killbox Closed(Exit) @ 12:37:01 PM
    __________________________________________________

    Pocket Killbox version 2.0.0.648
    Running on Windows XP as Jason Pendleton(Administrator)
    was started @ Friday, January 26, 2007, 8:07 PM

    # 1 [Delete on Reboot]
    Path = C:\WINDOWS\SYSTEM32\iavzmmbk.exe


    # 2 [Delete on Reboot]
    Path = C:\WINDOWS\SYSTEM32\mefgfmif.exe


    # 3 [Delete on Reboot]
    Path = C:\WINDOWS\SYSTEM32\keemjqso.exe


    # 4 [Delete on Reboot]
    Path = C:\WINDOWS\SYSTEM32\pbrgbxnl.exe


    # 5 [Delete on Reboot]
    Path = C:\WINDOWS\SYSTEM32\ijhxscbc.exe


    # 6 [Delete on Reboot]
    Path = C:\WINDOWS\SYSTEM32\brvrehup.exe


    # 7 [Delete on Reboot]
    Path = C:\WINDOWS\SYSTEM32\tvvcqyvo.exe


    # 8 [Delete on Reboot]
    Path = C:\WINDOWS\SYSTEM32\txyrblwr.exe


    # 9 [Delete on Reboot]
    Path = C:\WINDOWS\SYSTEM32\game.exe


    # 10 [Delete on Reboot]
    Path = C:\WINDOWS\SYSTEM32\wincom32.sys


    # 11 [Delete on Reboot]
    Path = C:\WINDOWS\SYSTEM32\game5p.exe.exe


    # 12 [Delete on Reboot]
    Path = C:\WINDOWS\SYSTEM32\game0.exe.exe


    I Rebooted @ 8:09:56 PM
    Killbox Closed(Exit) @ 8:09:56 PM
    __________________________________________________

    Volume in drive C has no label.
    Volume Serial Number is E45D-C4BE

    Directory of C:\!Killbox

    07-01-26 20:09 <DIR> .
    07-01-26 20:09 <DIR> ..
    07-01-12 06:54 6,309 brvrehup.exe
    07-01-26 18:10 54,222 game.exe
    07-01-26 15:28 54,222 game0.exe.exe
    07-01-26 15:28 35,790 game5p.exe.exe
    06-12-10 16:32 6,239 iavzmmbk.exe
    07-01-19 15:21 6,339 ijhxscbc.exe
    06-11-26 13:04 6,199 keemjqso.exe
    06-08-04 18:41 <DIR> Logs
    06-12-03 13:41 6,199 mefgfmif.exe
    07-01-26 15:27 6,094 pbrgbxnl.exe
    06-08-04 17:46 25,344 runsrv32.exe
    06-10-01 11:31 32,768 runsrv32.exe( 1)
    07-01-04 07:50 6,304 tvvcqyvo.exe
    06-12-27 11:19 6,239 txyrblwr.exe
    07-01-26 15:28 54,016 wincom32.sys
    14 File(s) 306,284 bytes
    3 Dir(s) 56,498,331,648 bytes free
     
  9. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, Jaxum. :)

    [​IMG]Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    [​IMG]Download AVG Anti-Spyware from HERE and save that file to your desktop.
    This is a 30 day trial of the program
    1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
    2. Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
    3. On the main screen select the icon "Update" then select the "Update now" link.
      • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    6. Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-Select "Only if threats were found"
    Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly

    Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.

    Boot into Safe Mode:

    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    Perform the following steps in safe mode:

    1. IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
    2. Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
    3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    4. AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    5. If you have any infections you will prompted, then select "Apply all actions"
    6. Next select the "Reports" icon at the top.
    7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    8. Close AVG Anti-Spyware .
    Restart back into Windows normally now.

    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
    Post a fresh Hijackthis log along with the AVG Anti-spyware and ActiveScan reports.
     
  10. Jaxum

    Jaxum Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    30
    Logfile of HijackThis v1.99.1
    Scan saved at 19:30, on 07-01-28
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~2\mm_tray.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
    C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\McAfee.com\VSO\oasclnt.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Handspring\HOTSYNC.EXE
    C:\Program Files\internet explorer\iexplore.exe
    C:\Documents and Settings\Jason Pendleton\Desktop\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~2\mm_tray.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712...amai.com/6712/player/install3.5/installer.exe
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    *****************************************************

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 18:30 07-01-28

    + Scan result:



    C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP962\A0087956.exe -> Adware.Comet : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} -> Adware.Generic : Cleaned with backup (quarantined).
    HKU\S-1-5-21-2473631437-3951369382-2378048371-1009\Software\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} -> Adware.Generic : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1073\A0093342.exe -> Downloader.Agent.bet : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1049\A0092880.exe -> Downloader.Small.dam : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1058\A0093028.exe -> Downloader.Small.dam : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1073\A0096324.exe -> Downloader.Small.dam : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP968\A0087996.exe -> Downloader.Small.dam : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1006\A0090110.exe -> Downloader.Tibs.ir : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP976\A0088974.exe -> Downloader.Tiny.et : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP978\A0088981.exe -> Downloader.Tiny.et : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP978\A0088983.exe -> Downloader.Tiny.et : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP978\A0088984.exe -> Downloader.Tiny.et : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP986\A0089090.exe -> Downloader.Tiny.et : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP986\A0089092.exe -> Downloader.Tiny.et : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP986\A0089093.exe -> Downloader.Tiny.et : Cleaned with backup (quarantined).
    C:\WINDOWS\SYSTEM32\my_update.exe -> Downloader.VB.aeq : Cleaned with backup (quarantined).
    C:\!KillBox\wincom32.sys -> Dropper.Agent.bbv : Cleaned with backup (quarantined).
    C:\Documents and Settings\Jason Pendleton\Cookies\jason [email protected][2].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Jason Pendleton\Cookies\jason [email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Jason Pendleton\Cookies\jason [email protected][1].txt -> TrackingCookie.Zedo : Cleaned.
    C:\WINDOWS\SYSTEM32\hnkkaibf.iox -> Trojan.Agent.qe : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1046\A0090934.exe -> Trojan.VB.atw : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1054\A0092961.exe -> Trojan.VB.atw : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP978\A0088982.exe -> Worm.Glowa.n : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP986\A0089091.exe -> Worm.Glowa.n : Cleaned with backup (quarantined).


    ::Report end

    *****************************************************


    Incident Status Location

    Virus:trj/abwiz.a Disinfected Operating system
    Adware:adware/thespyguard Not disinfected c:\windows\yod.htm
    Adware:adware/savenow Not disinfected Windows Registry
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jason Pendleton\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
    Adware:Adware/SecurityError Not disinfected C:\WINDOWS\SYSTEM32\intr32.dll
     
  11. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, Jaxum :)

    Run Killbox.exe. Paste the following locations into Killbox one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click no...and proceed with the next file. Once you get to the last one click YES and it will reboot.

    C:\WINDOWS\SYSTEM32\intr32.dll
    c:\windows\yod.htm


    If your computer does not restart automatically, please restart it manually.

    The rest of the log looks clear. How is the computer doing?
     
  12. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/538658

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice