smichaels8

trojan agent2.gjl


Every time Ad-Aware gets rid of this trojan it tells me to reboot. Then it finds it again and the whole process starts over. Can anyone help me?

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:17:21 PM, on 4/11/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\NeatWorks\exec\NeatWorksDatabaseController.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\userinit.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\WINDOWS\system32\ezSP_Px.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.0.1:87

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0.1;<local>

O2 - BHO: (no name) - MRI_DISABLED - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"

O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [indxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

O4 - HKCU\..\Run: [A00F7084080.exe] D:\DOCUME~1\LOCALS~1\Temp\_A00F7084080.exe

O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan

O4 - Global Startup: MRI_DISABLED

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.3.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - http://www.infospace.com/mypoints.main/tba...pointsSetup.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193285051484

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab

O20 - Winlogon Notify: __c0046542 - C:\WINDOWS\system32\__c0046542.dat (file missing)

O20 - Winlogon Notify: __c00980D9 - C:\WINDOWS\

O20 - Winlogon Notify: __c00B5524 - C:\WINDOWS\system32\__c00B5524.dat (file missing)

O20 - Winlogon Notify: __c00FBE44 - C:\WINDOWS\system32\__c00FBE44.dat (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: NeatWorks Database Controller (NeatWorksDatabaseController) - The Neat Company - C:\Program Files\NeatWorks\exec\NeatWorksDatabaseController.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

 

--

End of file - 7696 bytes


Here is the scan log from Ad-Aware

 

Logfile created: 4/11/2009 17:31:23

Lavasoft Ad-Aware version: 8.0.3

Extended engine version: 8.1

User performing scan: Stacey

 

*********************** Definitions database information ***********************

Lavasoft definition file: 148.8

Extended engine definition file: 8.1

 

******************************** Scan results: *********************************

Scan profile name: Smart Scan (ID: smart)

Objects scanned: 28554

Objects detected: 3

 

 

Type Detected

==========================

Processes.......: 0

Registry entries: 1

Hostfile entries: 0

Files...........: 2

Folders.........: 0

LSPs............: 0

Cookies.........: 0

Browser hijacks.: 0

MRU objects.....: 0

 

 

 

Skipped items:

Description: HKLM:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00B8264: Family Name: unknown Clean status: Success Item ID: 1 Family ID: 0

 

Quarantined items:

Description: c:\windows\system32\__c00b8264.dat Family Name: TR/Agent2.gjl Clean status: Reboot required Item ID: 0 Family ID: 0

Description: C:\WINDOWS\system32\__c00B8264.dat Family Name: TR/Agent2.gjl Clean status: Reboot required Item ID: 0 Family ID: 0

 

Scan and cleaning complete: Finished correctly after 174 seconds

 

*********************************** Settings ***********************************

 

Scan profile:

ID: smart, enabled:1, value: Smart Scan

ID: scancriticalareas, enabled:1, value: true

ID: scanrunningapps, enabled:1, value: true

ID: scanregistry, enabled:1, value: true

ID: scanlsp, enabled:1, value: true

ID: scanads, enabled:1, value: false

ID: scanhostsfile, enabled:1, value: false

ID: scanmru, enabled:1, value: false

ID: scanbrowserhijacks, enabled:1, value: true

ID: scantrackingcookies, enabled:1, value: true

ID: closebrowsers, enabled:1, value: false

ID: folderstoscan, enabled:1, value:

ID: scanrootkits, enabled:1, value: true

ID: usespywareheuristics, enabled:1, value: true

ID: extendedengine, enabled:1, value: true

ID: useheuristics, enabled:1, value: true

ID: heuristicslevel, enabled:1, value: mild, domain: medium,mild,strict

ID: filescanningoptions, enabled:1

ID: archives, enabled:1, value: false

ID: onlyexecutables, enabled:1, value: true

ID: skiplargerthan, enabled:1, value: 20480

 

Scan global:

ID: global, enabled:1

ID: addtocontextmenu, enabled:1, value: true

ID: playsoundoninfection, enabled:1, value: false

ID: soundfile, enabled:0, value: *to be filled in automatically*\alert.wav

 

Scheduled scan settings:

<Empty>

 

Update settings:

ID: updates, enabled:1

ID: launchthreatworksafterscan, enabled:1, value: normal, domain: normal,off,silently

ID: displaystatus, enabled:1, value: false

ID: deffiles, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall

ID: autodetectproxy, enabled:1, value: false

ID: useautoconfigscript, enabled:1, value: false

ID: autoconfigurl, enabled:0, value:

ID: useproxy, enabled:1, value: false

ID: proxyserver, enabled:0, value:

ID: softwareupdates, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall

ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall

ID: schedules, enabled:1, value: true

ID: updatedaily, enabled:1, value: Daily

ID: time, enabled:1, value: Sat Apr 11 14:19:00 2009

ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly

ID: weekdays, enabled:1

ID: monday, enabled:1, value: false

ID: tuesday, enabled:1, value: false

ID: wednesday, enabled:1, value: false

ID: thursday, enabled:1, value: false

ID: friday, enabled:1, value: false

ID: saturday, enabled:1, value: false

ID: sunday, enabled:1, value: false

ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31

ID: scanprofile, enabled:1, value:

ID: auto_deal_with_infections, enabled:1, value: false

ID: updateweekly, enabled:1, value: Weekly

ID: time, enabled:1, value: Sat Apr 11 14:19:00 2009

ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly

ID: weekdays, enabled:1

ID: monday, enabled:1, value: true

ID: tuesday, enabled:1, value: false

ID: wednesday, enabled:1, value: false

ID: thursday, enabled:1, value: false

ID: friday, enabled:1, value: false

ID: saturday, enabled:1, value: true

ID: sunday, enabled:1, value: false

ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31

ID: scanprofile, enabled:1, value:

ID: auto_deal_with_infections, enabled:1, value: false

 

Appearance settings:

ID: appearance, enabled:1

ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource

ID: showtrayicon, enabled:1, value: true

ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language

 

Realtime protection settings:

ID: realtime, enabled:1

ID: processprotection, enabled:1, value: true

ID: registryprotection, enabled:1, value: true

ID: networkprotection, enabled:1, value: true

ID: loadatstartup, enabled:1, value: true

ID: usespywareheuristics, enabled:1, value: true

ID: extendedengine, enabled:1, value: true

ID: useheuristics, enabled:1, value: true

ID: heuristicslevel, enabled:1, value: strict, domain: medium,mild,strict

ID: infomessages, enabled:1, value: onlyimportant, domain: display,dontnotify,onlyimportant

 

 

****************************** System information ******************************

Computer name: VALUED-3253602F

Processor name: Intel® Pentium® 4 CPU 2.66GHz

Processor identifier: x86 Family 15 Model 2 Stepping 9

Raw info: processorarchitecture 0, processortype 586, processorlevel 15, processor revision 521, number of processors 1

Physical memory available: 1652928512 bytes

Physical memory total: 2138591232 bytes

Virtual memory available: 1972293632 bytes

Virtual memory total: 2147352576 bytes

Memory load: 22%

Microsoft Windows XP Professional Service Pack 3 (build 2600)

Windows startup mode:

 

Running processes:

PID: 592 name: \SystemRoot\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY

PID: 660 name: \??\C:\WINDOWS\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY

PID: 684 name: \??\C:\WINDOWS\system32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY

PID: 728 name: C:\WINDOWS\system32\services.exe owner: SYSTEM domain: NT AUTHORITY

PID: 740 name: C:\WINDOWS\system32\lsass.exe owner: SYSTEM domain: NT AUTHORITY

PID: 900 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY

PID: 976 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY

PID: 1072 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY

PID: 1116 name: C:\WINDOWS\System32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY

PID: 1160 name: C:\WINDOWS\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY

PID: 1348 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY

PID: 1448 name: C:\WINDOWS\system32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY

PID: 1560 name: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe owner: SYSTEM domain: NT AUTHORITY

PID: 1608 name: C:\Program Files\Java\jre6\bin\jqs.exe owner: SYSTEM domain: NT AUTHORITY

PID: 1636 name: C:\Program Files\NeatWorks\exec\NeatWorksDatabaseController.exe owner: SYSTEM domain: NT AUTHORITY

PID: 1812 name: C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe owner: SYSTEM domain: NT AUTHORITY

PID: 1836 name: C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe owner: SYSTEM domain: NT AUTHORITY

PID: 1880 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY

PID: 1996 name: C:\WINDOWS\system32\SearchIndexer.exe owner: SYSTEM domain: NT AUTHORITY

PID: 656 name: C:\WINDOWS\System32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY

PID: 1192 name: C:\WINDOWS\Explorer.EXE owner: Stacey domain: VALUED-3253602F

PID: 1236 name: C:\WINDOWS\System32\alg.exe owner: LOCAL SERVICE domain: NT AUTHORITY

PID: 1332 name: C:\WINDOWS\System32\wbem\wmiprvse.exe owner: SYSTEM domain: NT AUTHORITY

PID: 1060 name: C:\WINDOWS\System32\hkcmd.exe owner: Stacey domain: VALUED-3253602F

PID: 616 name: C:\WINDOWS\AGRSMMSG.exe owner: Stacey domain: VALUED-3253602F

PID: 1132 name: C:\Program Files\Microsoft IntelliType Pro\itype.exe owner: Stacey domain: VALUED-3253602F

PID: 1260 name: C:\WINDOWS\system32\ezSP_Px.exe owner: Stacey domain: VALUED-3253602F

PID: 644 name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe owner: Stacey domain: VALUED-3253602F

PID: 1708 name: C:\WINDOWS\system32\ctfmon.exe owner: Stacey domain: VALUED-3253602F

PID: 384 name: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe owner: Stacey domain: VALUED-3253602F

PID: 1900 name: C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe owner: Stacey domain: VALUED-3253602F

PID: 776 name: C:\Program Files\Windows Desktop Search\WindowsSearch.exe owner: Stacey domain: VALUED-3253602F

PID: 2876 name: C:\WINDOWS\ie7\iexplore.exe owner: Stacey domain: VALUED-3253602F

PID: 2744 name: C:\WINDOWS\system32\NOTEPAD.EXE owner: Stacey domain: VALUED-3253602F

PID: 876 name: C:\WINDOWS\system32\SearchProtocolHost.exe owner: SYSTEM domain: NT AUTHORITY

PID: 168 name: C:\WINDOWS\system32\SearchFilterHost.exe owner: LOCAL SERVICE domain: NT AUTHORITY

PID: 2864 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe owner: Stacey domain: VALUED-3253602F

 

Startup items:

Name: NvCplDaemon

imagepath: RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

Name: nwiz

imagepath: nwiz.exe /installquiet

Name: ATIModeChange

imagepath: Ati2mdxx.exe

Name: ATIPTA

imagepath: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

Name: IgfxTray

imagepath: C:\WINDOWS\System32\igfxtray.exe

Name: HotKeysCmds

imagepath: C:\WINDOWS\System32\hkcmd.exe

Name: AGRSMMSG

imagepath: AGRSMMSG.exe

Name: itype

imagepath: "C:\Program Files\Microsoft IntelliType Pro\itype.exe"

Name: VAIO Recovery

imagepath: C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe

Name: ezShieldProtector for Px

imagepath: C:\WINDOWS\system32\ezSP_Px.exe

Name: Ad-Watch

imagepath: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

Name: PostBootReminder

imagepath: {7849596a-48ea-486e-8937-a2a3009f31a9}

Name: CDBurn

imagepath: {fbeb8a05-beee-4442-804e-409d6c4515e9}

Name: WebCheck

imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}

Name: SysTray

imagepath: {35CEC8A3-2BE6-11D2-8773-92E220524153}

Name: WPDShServiceObj

imagepath: {AAA288BA-9A4C-45B0-95D7-94D524869DB5}

Name: {438755C2-A8BA-11D1-B96B-00A0C90312E1}

imagepath: Browseui preloader

Name: {8C7461EF-2B13-11d2-BE35-3078302C2030}

imagepath: Component Categories cache daemon

Name:

imagepath: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Name:

location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MRI_DISABLED\Adobe Reader Speed Launch.lnk

imagepath: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

Name:

location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk

imagepath: C:\Program Files\Windows Desktop Search\WindowsSearch.exe

 

Bootexecute items:

Name:

imagepath: autocheck autochk *

Name:

imagepath: lsdelete

 

Running services:

Name: ALG

displayname: Application Layer Gateway Service

Name: Apple Mobile Device

displayname: Apple Mobile Device

Name: AudioSrv

displayname: Windows Audio

Name: CryptSvc

displayname: Cryptographic Services

Name: DcomLaunch

displayname: DCOM Server Process Launcher

Name: Dhcp

displayname: DHCP Client

Name: Dnscache

displayname: DNS Client

Name: ERSvc

displayname: Error Reporting Service

Name: Eventlog

displayname: Event Log

Name: EventSystem

displayname: COM+ Event System

Name: helpsvc

displayname: Help and Support

Name: HidServ

displayname: HID Input Service

Name: JavaQuickStarterService

displayname: Java Quick Starter

Name: lanmanserver

displayname: Server

Name: lanmanworkstation

displayname: Workstation

Name: Lavasoft Ad-Aware Service

displayname: Lavasoft Ad-Aware Service

Name: LmHosts

displayname: TCP/IP NetBIOS Helper

Name: NeatWorksDatabaseController

displayname: NeatWorks Database Controller

Name: Netman

displayname: Network Connections

Name: Nla

displayname: Network Location Awareness (NLA)

Name: PlugPlay

displayname: Plug and Play

Name: PolicyAgent

displayname: IPSEC Services

Name: ProtectedStorage

displayname: Protected Storage

Name: RasMan

displayname: Remote Access Connection Manager

Name: RpcSs

displayname: Remote Procedure Call (RPC)

Name: SamSs

displayname: Security Accounts Manager

Name: Schedule

displayname: Task Scheduler

Name: seclogon

displayname: Secondary Logon

Name: SENS

displayname: System Event Notification

Name: SharedAccess

displayname: Windows Firewall/Internet Connection Sharing (ICS)

Name: ShellHWDetection

displayname: Shell Hardware Detection

Name: Spooler

displayname: Print Spooler

Name: SQLBrowser

displayname: SQL Server Browser

Name: SQLWriter

displayname: SQL Server VSS Writer

Name: srservice

displayname: System Restore Service

Name: stisvc

displayname: Windows Image Acquisition (WIA)

Name: TapiSrv

displayname: Telephony

Name: TermService

displayname: Terminal Services

Name: Themes

displayname: Themes

Name: TrkWks

displayname: Distributed Link Tracking Client

Name: W32Time

displayname: Windows Time

Name: WebClient

displayname: WebClient

Name: winmgmt

displayname: Windows Management Instrumentation

Name: wscsvc

displayname: Security Center

Name: WSearch

displayname: Windows Search

Name: wuauserv

displayname: Automatic Updates

Name: WZCSVC

displayname: Wireless Zero Configuration


Hi there,

 

 

Disable Ad-Watch

 

 

Please visit this webpage for download links, and instructions for running ComboFix tool:

 

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

Please ensure you read this guide carefully and install the Recovery Console first.

 

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

 

Once installed, you should see a blue screen prompt that says:

 

The Recovery Console was successfully installed.

 

Please continue as follows:

  1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
     Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

 

Please include the following reports for further review, and so we may continue cleansing the system:

 

C:\ComboFix.txt

New HijackThis log.

 

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.


ComboFix 09-04-13.A2 - Stacey 2009-04-13 16:45.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2040.1660 [GMT -5:00]

Running from: c:\documents and settings\Stacey\Desktop\ComboFix.exe

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

c:\windows\system32\__c0071916.dat

c:\windows\system32\__c007A24C.exe

c:\windows\system32\__c0093121.exe

c:\windows\system32\__c00E7F0D.exe

 

.

((((((((((((((((((((((((( Files Created from 2009-03-13 to 2009-04-13 )))))))))))))))))))))))))))))))

.

 

2009-04-11 19:16 . 2009-04-13 21:42 -------- dc----w c:\program files\Lavasoft

2009-04-10 01:50 . 2009-04-10 01:50 -------- dc----w C:\Temp

2009-03-25 23:01 . 2009-03-25 23:01 -------- dc----w c:\program files\Trend Micro

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-13 21:28 . 2009-04-11 21:31 4999 -c--a-w C:\aaw7boot.log

2009-04-11 21:57 . 2008-02-08 14:24 -------- dc----w c:\program files\Google

2009-04-11 21:47 . 2007-10-21 04:27 -------- dc----w c:\documents and settings\All Users\Application Data\Kaspersky Lab

2009-03-24 00:01 . 2009-03-01 17:39 16675 -c--a-w C:\spi.scanning.log

2009-03-08 15:44 . 2003-08-14 21:50 -------- dc-h--w c:\program files\InstallShield Installation Information

2009-03-05 05:46 . 2009-02-14 21:19 -------- dc----w c:\program files\Microsoft Silverlight

2009-03-01 17:40 . 2009-01-17 21:06 -------- dc----w c:\documents and settings\All Users\Application Data\The Neat Company

2009-03-01 15:47 . 2009-03-01 15:47 -------- dc----w c:\documents and settings\Stacey\Application Data\Windows Search

2009-02-26 03:07 . 2009-02-26 03:07 -------- dc----w c:\documents and settings\All Users\Application Data\Trymedia

2009-02-22 08:15 . 2009-01-17 21:06 -------- dc----w c:\program files\Common Files\NeatReceipts

2009-02-22 08:15 . 2009-01-18 03:56 -------- dc----w c:\program files\NeatWorks

2009-02-22 08:13 . 2003-08-15 19:30 -------- dc----w c:\program files\Common Files\Intuit

2009-02-15 16:57 . 2007-10-21 06:42 55736 -c--a-w c:\documents and settings\Stacey\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-02-15 14:29 . 2009-02-15 14:29 -------- dc----w c:\documents and settings\All Users\Application Data\GARMIN

2009-02-15 04:51 . 2008-09-09 04:16 -------- dc----w c:\documents and settings\Stacey\Application Data\Download Manager

2009-02-14 21:48 . 2009-02-14 21:48 -------- dc----w c:\program files\MSBuild

2009-02-14 21:48 . 2009-02-14 21:48 -------- dc----w c:\program files\Reference Assemblies

2009-02-14 21:24 . 2009-01-17 21:02 -------- d-----w c:\program files\Microsoft SQL Server

2009-02-14 21:19 . 2008-06-11 23:46 -------- dc----w c:\program files\Microsoft

2009-02-14 21:19 . 2009-02-14 21:19 -------- dc----w c:\documents and settings\Stacey\Application Data\Windows Desktop Search

2009-02-14 21:18 . 2009-02-14 21:18 -------- dc----w c:\program files\Windows Desktop Search

2009-02-14 21:16 . 2009-02-14 21:16 -------- dc----w c:\program files\Windows Media Connect 2

2009-02-14 20:38 . 2008-09-14 05:22 -------- dc----w c:\program files\mypoints

2009-02-14 15:26 . 2008-11-18 13:47 -------- dc----w c:\program files\Common Files\Research In Motion

2009-02-14 15:22 . 2008-09-09 04:06 -------- dc----w c:\documents and settings\Stacey\Application Data\GARMIN

2009-02-14 06:02 . 2009-02-14 06:02 -------- dc----w c:\program files\Garmin GPS Plugin

2009-02-14 06:02 . 2009-02-14 06:02 -------- dc----w c:\program files\DIFX

2009-02-14 06:02 . 2009-02-14 06:02 -------- dc----w c:\program files\Garmin

2009-02-09 11:13 . 2003-08-14 02:58 1846784 -c--a-w c:\windows\system32\win32k.sys

2009-01-17 22:22 . 2008-10-17 01:21 26966 -c--a-w C:\logfile

2008-09-11 13:19 . 2008-09-11 13:19 61224 -c--a-w c:\documents and settings\Stacey\GoToAssistDownloadHelper.exe

2008-05-16 23:50 . 2007-10-28 15:53 0 -c-h--w c:\documents and settings\All Users\Application Data\PKP_DLds.DAT

2007-11-05 03:13 . 2007-10-28 15:56 20 -c-h--w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"HijackThis startup scan"="c:\program files\Trend Micro\HijackThis\HijackThis.exe" [2009-03-25 396288]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-07-16 4743168]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-06 335872]

"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]

"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]

"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]

"ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2002-08-20 40960]

"nwiz"="nwiz.exe" [2003-07-16 c:\windows\system32\nwiz.exe]

"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 c:\windows\system32\Ati2mdxx.exe]

"AGRSMMSG"="AGRSMMSG.exe" [2003-02-14 c:\windows\AGRSMMSG.exe]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\MRI_DISABLED

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]

--a--c--- 2008-11-07 15:16 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a--c--- 2008-12-20 11:38 136600 c:\program files\Java\jre6\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

 

R3 FXDRV;FXDRV; [x]

R3 MSSQL$NR2007;SQL Server (NR2007);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-24 29263712]

S2 NeatWorksDatabaseController;NeatWorks Database Controller;c:\program files\NeatWorks\exec\NeatWorksDatabaseController.exe [2009-01-27 351376]

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ebed0481-c569-11dc-9f56-000c6eb5db4b}]

\Shell\AutoRun\command - G:\setupSNK.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Neat ADF Scanner 2008]

reg copy "HKLM\Software\The Neat Company\Neat ADF Scanner 2008" "HKCU\Software\The Neat Company\Neat ADF Scanner 2008" /s /f

.

Contents of the 'Scheduled Tasks' folder

 

2009-04-11 c:\windows\Tasks\Ad-Aware Update (Daily).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

 

2008-08-19 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job

- c:\program files\Microsoft IntelliType Pro\itype.exe [2007-08-31 14:13]

.

- - - - ORPHANS REMOVED - - - -

 

WebBrowser-{A057A204-BACC-4D26-CEC4-75A487FD6484} - (no file)

HKCU-Run-msnmsgr - c:\program files\MSN Messenger\MsnMsgr.Exe

HKCU-Run-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe

HKCU-Run-IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

Notify-__c0046542 - c:\windows\system32\__c0046542.dat

Notify-__c0048F5A - c:\windows\system32\__c0048F5A.dat

Notify-__c0071916 - c:\windows\system32\__c0071916.dat

Notify-__c00B5524 - c:\windows\system32\__c00B5524.dat

Notify-__c00B8264 - c:\windows\system32\__c00B8264.dat

Notify-__c00BB7DE - c:\windows\system32\__c00BB7DE.dat

Notify-__c00FBE44 - c:\windows\system32\__c00FBE44.dat

Notify-__c00980D9 - (no file)

 

 

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyServer = http=192.168.0.1:87

uInternet Settings,ProxyOverride = 192.168.0.1;<local>

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

 

**************************************************************************

 

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-13 16:47

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'explorer.exe'(3880)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2009-04-13 16:49

ComboFix-quarantined-files.txt 2009-04-13 21:49

 

Pre-Run: 86,349,271,040 bytes free

Post-Run: 86,340,542,464 bytes free

 

150 --- E O F --- 2009-03-13 04:10


Hi again,

 

What kind of problems do you have with Ad-Aware? Does it give any error message?

 

 

Start hjt, do a system scan, check (if found):

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.0.1:87

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0.1;<local>

O2 - BHO: (no name) - MRI_DISABLED - (no file)

O4 - Global Startup: MRI_DISABLED

Close browsers and fix checked.

 

 

 

Open notepad and copy/paste the text in the quotebox below into it:

 

Folder::
c:\documents and settings\All Users\Application Data\Trymedia

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-

 

 

Save this as CFScript

 

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

 

[image: CFScriptB-4.gif]

 

Referring to the picture above, drag CFScript into ComboFix.exe

Then post the resultant log.

 

 

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.

If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time) and end any processes of findstr, find, sed or swreg; then ComboFix should continue.

If that happened we want to know, and also which process you had to end.

 

 

Uninstall old Adobe Reader versions and get the latest one here, or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader!

 

 

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java components and update to the latest version...

 

Updating Java:

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 13.
  • Click the Download button to the right.
  • Select Windows on the platform combobox and check the box that says: Accept License Agreement. Click Continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version. Uncheck MSN toolbar if it's offered there.

 

 

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

 

Double-click ATF Cleaner.exe to open it

 

Under Main choose:

Windows Temp

Current User Temp

All Users Temp

Cookies

Temporary Internet Files

Prefetch

Java Cache

*The other boxes are optional*

Then click the Empty Selected button.

 

If you use Firefox:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

 

If you use Opera:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

 

Click Exit on the Main menu to close the program.

 

 

Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here. If you get a message that the latest Java must be installed, "enable" the Java add-ons in IE7. Do that using "Manage Add-ons" from the IE7 toolbar.

 

 

Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.

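As an added example that is not part of the original post (and not code from Trend Micro or Lavasoft), here is a small Python triage script that flags HijackThis log lines of the kinds the helper asked to have fixed above: empty R0 search settings, R1 proxy settings, entries marked MRI_DISABLED or "(no file)", O23 services whose binary is missing, and Winlogon Notify handlers loading a random "__c00xxxxx.dat" from system32 (the orphans ComboFix removed). The sample log is constructed from lines in this thread; the O20 line is an assumption about how HJT would report one of those Notify orphans.

```python
"""Triage HijackThis 2.0.2 log lines the way the helper in this thread did.

Added example for this thread, not code from the forum, Trend Micro or
Lavasoft.  It flags the entry kinds the helper asked the poster to fix
(empty R0 search settings, R1 proxy settings, O2/O4 entries marked
MRI_DISABLED or "(no file)"), O23 services whose binary is missing, and
O20 Winlogon Notify handlers that load a random "__c00xxxxx.dat" from
system32, the pattern ComboFix listed above under ORPHANS REMOVED.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Every HJT finding line looks like "R1 - <body>" or "O23 - <body>".
HJT_LINE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
# "__c0" + six hex digits + ".dat" in system32 (the names seen in this thread).
NOTIFY_DAT = re.compile(r"\\system32\\__c0[0-9a-f]{6}\.dat$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    code: str    # HJT section, e.g. "R1" or "O20"
    reason: str  # why a helper would ask to fix this line
    line: str    # the original log line


def check_line(raw: str) -> Optional[Finding]:
    """Return a Finding for one HJT log line, or None if nothing stands out."""
    line = raw.strip()
    m = HJT_LINE.match(line)
    if not m:
        return None  # headers, process lists, blank lines
    code, body = m.group("code"), m.group("body")
    lower = body.lower()

    if code in ("R0", "R1"):
        # Registry value names never contain "=", so the first one splits key/value.
        key, _, value = body.partition("=")
        key, value = key.strip().lower(), value.strip()
        if value == "":
            return Finding(code, "empty IE search/start setting; fixing restores the default", line)
        if key.endswith("proxyserver"):
            return Finding(code, f"IE proxy set to {value}; verify it is expected", line)
        if key.endswith("proxyoverride"):
            return Finding(code, "proxy bypass list set; fix together with ProxyServer", line)
        return None

    if "mri_disabled" in lower or "(no file)" in lower:
        return Finding(code, "disabled or dangling entry with no file on disk", line)
    if code == "O23" and "(file missing)" in lower:
        return Finding(code, "service registered but its binary is missing", line)
    if code == "O20" and NOTIFY_DAT.search(body):
        return Finding(code, "Winlogon Notify handler loading a random .dat from system32", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run check_line over a whole log and keep only the flagged lines."""
    return [f for f in map(check_line, log_text.splitlines()) if f is not None]


# Constructed sample: lines copied from the logs in this thread, plus one O20
# line written in HJT's Winlogon Notify form (an assumption) for an orphan
# that ComboFix reported as "Notify-__c0046542".
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.0.1:87
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0.1;<local>
O2 - BHO: (no name) - MRI_DISABLED - (no file)
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: MRI_DISABLED
O20 - Winlogon Notify: __c0046542 - C:\WINDOWS\system32\__c0046542.dat
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4} {f.reason}\n     {f.line}")
```

The rules are deliberately narrow: a benign Start Page URL, the Java BHO and the running Ad-Aware service pass through untouched, so the output is only the lines a helper would actually want to look at.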

Ad-Aware just won't open on occasion. If I restart the computer it generally does eventually open. Attached is my ComboFix log... I'm still working on the other stuff. Thanks again for your help!

 

 

 

ComboFix 09-04-15.08 - Stacey 04/15/2009 17:37.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2040.1601 [GMT -5:00]

Running from: c:\documents and settings\Stacey\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Stacey\Desktop\CFScript.txt

AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated)

* Created a new restore point

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\All Users\Application Data\Trymedia

c:\documents and settings\All Users\Application Data\Trymedia\data\{0CBDF1B9-E636-D80F-24ED-6C4FCBE5611A}

c:\documents and settings\All Users\Application Data\Trymedia\data\{18D77EEA-2E4C-8A72-4B51-8BA4B2CE0118}

c:\documents and settings\All Users\Application Data\Trymedia\data\{267E3769-BAE8-9B5F-4A74-9742B3430DD4}

c:\documents and settings\All Users\Application Data\Trymedia\data\{63B33F42-013C-2442-96D8-BB04A8D9F27B}

c:\documents and settings\All Users\Application Data\Trymedia\data\{6C8FEA85-CFD3-4A98-EC68-A028A2C06852}

c:\documents and settings\All Users\Application Data\Trymedia\data\{7C7AF8E9-0EDC-9C3A-E0DE-4972DA5A6591}

c:\documents and settings\All Users\Application Data\Trymedia\data\{D39C2048-18AD-3300-D309-11AB9C56E2DD}

c:\documents and settings\All Users\Application Data\Trymedia\data\{E04840B3-C32C-A754-4FC7-4EED30BA6915}

 

.

((((((((((((((((((((((((( Files Created from 2009-03-15 to 2009-04-15 )))))))))))))))))))))))))))))))

.

 

2009-04-14 02:28 . 2009-04-14 02:28 -------- dc----w c:\program files\Seagate

2009-04-14 02:28 . 2009-04-14 02:28 -------- dc----w c:\documents and settings\All Users\Application Data\Seagate

2009-04-14 02:27 . 2009-04-14 02:27 -------- dc----w c:\windows\Downloaded Installations

2009-04-14 02:27 . 2009-04-14 02:27 -------- dcsh--w c:\windows\ftpcache

2009-04-14 01:31 . 2009-03-09 19:06 15688 -c--a-w c:\windows\system32\lsdelete.exe

2009-04-13 22:26 . 2009-03-09 19:06 64160 -c--a-w c:\windows\system32\drivers\Lbd.sys

2009-04-13 22:07 . 2009-04-13 22:07 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}

2009-04-11 19:16 . 2009-04-13 22:07 -------- dc----w c:\program files\Lavasoft

2009-04-10 01:50 . 2009-04-10 01:50 -------- dc----w C:\Temp

2009-03-25 23:01 . 2009-03-25 23:01 -------- dc----w c:\program files\Trend Micro

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-15 22:16 . 2009-04-11 21:31 5833 -c--a-w C:\aaw7boot.log

2009-04-14 02:28 . 2003-08-14 21:50 -------- dc-h--w c:\program files\InstallShield Installation Information

2009-04-13 22:07 . 2008-09-20 14:41 -------- dc----w c:\documents and settings\All Users\Application Data\Lavasoft

2009-04-11 21:57 . 2008-02-08 14:24 -------- dc----w c:\program files\Google

2009-04-11 21:47 . 2007-10-21 04:27 -------- dc----w c:\documents and settings\All Users\Application Data\Kaspersky Lab

2009-03-24 00:01 . 2009-03-01 17:39 16675 -c--a-w C:\spi.scanning.log

2009-03-05 05:46 . 2009-02-14 21:19 -------- dc----w c:\program files\Microsoft Silverlight

2009-03-01 17:40 . 2009-01-17 21:06 -------- dc----w c:\documents and settings\All Users\Application Data\The Neat Company

2009-03-01 15:47 . 2009-03-01 15:47 -------- dc----w c:\documents and settings\Stacey\Application Data\Windows Search

2009-02-22 08:15 . 2009-01-17 21:06 -------- dc----w c:\program files\Common Files\NeatReceipts

2009-02-22 08:15 . 2009-01-18 03:56 -------- dc----w c:\program files\NeatWorks

2009-02-22 08:13 . 2003-08-15 19:30 -------- dc----w c:\program files\Common Files\Intuit

2009-02-15 16:57 . 2007-10-21 06:42 55736 -c--a-w c:\documents and settings\Stacey\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-02-15 14:29 . 2009-02-15 14:29 -------- dc----w c:\documents and settings\All Users\Application Data\GARMIN

2009-02-15 04:51 . 2008-09-09 04:16 -------- dc----w c:\documents and settings\Stacey\Application Data\Download Manager

2009-02-09 11:13 . 2003-08-14 02:58 1846784 -c--a-w c:\windows\system32\win32k.sys

2009-01-17 22:22 . 2008-10-17 01:21 26966 -c--a-w C:\logfile

2008-09-11 13:19 . 2008-09-11 13:19 61224 -c--a-w c:\documents and settings\Stacey\GoToAssistDownloadHelper.exe

2008-05-16 23:50 . 2007-10-28 15:53 0 -c-h--w c:\documents and settings\All Users\Application Data\PKP_DLds.DAT

2007-11-05 03:13 . 2007-10-28 15:56 20 -c-h--w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT

.

 

((((((((((((((((((((((((((((( SnapShot@2009-04-13_16.48.15.98 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-04-14 01:31 . 2009-03-09 19:06 15688 c:\windows\system32\lsdelete.exe

+ 2009-04-13 22:26 . 2009-03-09 19:06 64160 c:\windows\system32\DRVSTORE\lbd_1D149FE61E2CD0936E43877117FE3EF0674B9944\Lbd.sys

+ 2009-04-13 22:26 . 2009-03-09 19:06 64160 c:\windows\system32\drivers\Lbd.sys

+ 2009-04-14 02:28 . 2009-04-14 02:28 81920 c:\windows\Installer\{71883667-71F2-48A1-AB72-28D518D8AC4A}\NewShortcut3_3AA20A2C6BEF43A6A3B4F09C5D78D1D4.exe

+ 2009-04-14 02:28 . 2009-04-14 02:28 81920 c:\windows\Installer\{71883667-71F2-48A1-AB72-28D518D8AC4A}\NewShortcut2_B7AA0888E8864144BA725EAA61DC15D5.exe

+ 2009-04-14 02:28 . 2009-04-14 02:28 45056 c:\windows\Installer\{71883667-71F2-48A1-AB72-28D518D8AC4A}\NewShortcut1_68F918D3F91F411B8936985CC2BD4192.exe

+ 2009-04-14 02:28 . 2009-04-14 02:28 81920 c:\windows\Installer\{71883667-71F2-48A1-AB72-28D518D8AC4A}\ARPPRODUCTICON.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"HijackThis startup scan"="c:\program files\Trend Micro\HijackThis\HijackThis.exe" [2009-03-25 396288]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-07-16 4743168]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-06 335872]

"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]

"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]

"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]

"ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2002-08-20 40960]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]

"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-07-16 323584]

"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]

"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-02-14 88107]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]

2008-11-07 20:16 111936 -c--a-w c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2008-12-20 16:38 136600 -c--a-w c:\program files\Java\jre6\bin\jusched.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

 

R3 FXDRV;FXDRV; [x]

R3 MSSQL$NR2007;SQL Server (NR2007);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-25 29263712]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]

S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2008-10-28 156968]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]

S2 NeatWorksDatabaseController;NeatWorks Database Controller;c:\program files\NeatWorks\exec\NeatWorksDatabaseController.exe [2009-01-28 351376]

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{635d8de6-289a-11de-b56e-000c6eb5db4b}]

\Shell\AutoRun\command - G:\InstallSeagateManager.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ebed0481-c569-11dc-9f56-000c6eb5db4b}]

\Shell\AutoRun\command - G:\setupSNK.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Neat ADF Scanner 2008]

reg copy "HKLM\Software\The Neat Company\Neat ADF Scanner 2008" "HKCU\Software\The Neat Company\Neat ADF Scanner 2008" /s /f

.

Contents of the 'Scheduled Tasks' folder

 

2009-04-15 c:\windows\Tasks\Ad-Aware Scan (Daily).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

 

2009-04-14 c:\windows\Tasks\Ad-Aware Scan (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

 

2009-04-15 c:\windows\Tasks\Ad-Aware Update (Daily).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

 

2008-08-19 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job

- c:\program files\Microsoft IntelliType Pro\itype.exe [2007-08-31 19:13]

.

.

------- Supplementary Scan -------

.

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

 

**************************************************************************

 

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-15 17:39

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2009-04-15 17:41

ComboFix-quarantined-files.txt 2009-04-15 22:41

ComboFix2.txt 2009-04-13 21:50

 

Pre-Run: 86,131,650,560 bytes free

Post-Run: 86,122,795,008 bytes free

 

148 --- E O F --- 2009-03-13 04:10


Well I can't get through the Kaspersky Step. I keep getting the attached error message.

 

I have also posted my latest HJT log.

 

 

 

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:09:49 PM, on 4/15/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\NeatWorks\exec\NeatWorksDatabaseController.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\WINDOWS\system32\ezSP_Px.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe

H:\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\ie7\iexplore.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"

O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "H:\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.3.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - http://www.infospace.com/mypoints.main/tba...pointsSetup.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193285051484

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: NeatWorks Database Controller (NeatWorksDatabaseController) - The Neat Company - C:\Program Files\NeatWorks\exec\NeatWorksDatabaseController.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

 

--

End of file - 7685 bytes

Well I can't get through the Kaspersky Step. I keep getting the attached error message.

Hi

 

Did you forget to attach the message? I can't see any.


It was an illegal type of file to upload.. Sorry!

 

It says: The update has failed. Program has failed to start. Close the Kaspersky program and restart. Open it again to reinstall the program. (Which I did a few times) ERROR: Invalid file signature

 

I'm trying to run it one more time.


Hi

 

Let's see if ESET online scanner works better :)

 

 

* Go here to run an online scanner (beta) from ESET.

  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
  • Click Scan
  • Wait for the scan to finish
  • Copy and paste log as a reply to this topic, along with a new HijackThis log & a description of any remaining problems.


Hi

 

Both are quarantined objects and will be cleaned in final phase :) Does the system still have issues?


Hi

 

When did this issue appear? Could you make a screenshot of it and post here?


Hi

 

Instead of pasting a screenshot in Word, could you paste the screenshot to picture editor like MS Paint (the one that comes with Windows XP) for example? Then attach picture file here :)

I also ran another Kaspersky and the rootkits are still showing up.

Yes, those are showing up cos I didn't give you instructions to get rid of quarantined items yet. As I said, that will be done in final cleaning phase :)

 

 

Download DDS and save it to your desktop from here or here or here.

Disable any script blocker, and then double click dds.scr to run the tool.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic. Also, I'd like to know when this IE window issue first showed up. Was it after some of these cleaning steps or was it there before them?


Hi

 

In the screenshot that you provided earlier it looks like IE6 user interface there. Still in your logs it's stated that you have IE 7, and in the latest one IE 8, installed. When you did IE installations were there any issues there or did the install process go smoothly?
