TechSpot

Virus removal problem logs attached

By PottymouthNZ
Nov 16, 2010
  1. I have AVG and it flagged a Trojan virus, namely the Cryptic.bgz virus; I attempted to remove it, but it still shows up.

    Ran through the 8-step process.

    Log from Malwarebytes

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 5124

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    16/11/2010 10:19:48 p.m.
    mbam-log-2010-11-16 (22-19-48).txt

    Scan type: Quick scan
    Objects scanned: 198957
    Time elapsed: 7 minute(s), 51 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 4
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\U36VRSFLG6 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SSHNAS (Trojan.Renos) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINXP\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

    GMER Log
    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2010-11-16 22:26:38
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e ST3808110AS rev.3.ADH
    Running: i5koibu0.exe; Driver: C:\DOCUME~1\Peter\LOCALS~1\Temp\kwliypog.sys


    ---- Devices - GMER 1.0.15 ----

    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- EOF - GMER 1.0.15 ----


    Then DDS logs

    DDS (Ver_10-11-10.01) - NTFSx86
    Run by Peter at 22:40:23.01 on Tue 16/11/2010
    Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_22
    Microsoft Windows XP Professional 5.1.2600.3.1252.64.1033.18.2038.1286 [GMT 13:00]

    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINXP\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINXP\System32\svchost.exe -k netsvcs
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINXP\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINXP\system32\spoolsv.exe
    c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINXP\system32\crypserv.exe
    C:\Program Files\Wave Systems Corp\Common\DataServer.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINXP\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINXP\System32\svchost.exe -k HPZ12
    C:\WINXP\System32\svchost.exe -k HPZ12
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\WINXP\system32\svchost.exe -k imgsvc
    C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe
    C:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
    C:\WINXP\system32\wwSecure.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINXP\system32\msiexec.exe
    C:\WINXP\Explorer.EXE
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINXP\system32\igfxpers.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINXP\MXOALDR.EXE
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iTunes1\iTunesHelper.exe
    C:\Program Files\Mozilla Firefox\firefox.exe

    Attach
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-11-10.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 8/06/2008 5:20:33 p.m.
    System Uptime: 16/11/2010 10:31:28 p.m. (0 hours ago)

    Motherboard: Dell Inc. | | 0PJ149
    Processor: Intel(R) Pentium(R) D CPU 2.80GHz | Microprocessor | 2793/800mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 74 GiB total, 8.752 GiB free.
    D: is CDROM (CDFS)
    I: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
    Description: Nokia 6300
    Device ID: ROOT\WPD\0000
    Manufacturer: Nokia
    Name: Nokia 6300
    PNP Device ID: ROOT\WPD\0000
    Service: WUDFRd

    ==== System Restore Points ===================

    RP853: 29/08/2010 11:51:35 p.m. - System Checkpoint
    RP854: 30/08/2010 10:12:59 p.m. - Removed ESET NOD32 Antivirus
    RP855: 31/08/2010 10:30:46 p.m. - System Checkpoint
    RP856: 1/09/2010 10:44:41 p.m. - System Checkpoint
    RP857: 2/09/2010 11:32:00 p.m. - System Checkpoint
    RP858: 3/09/2010 11:44:40 p.m. - System Checkpoint
    RP859: 5/09/2010 12:44:40 a.m. - System Checkpoint
    RP860: 6/09/2010 1:44:43 a.m. - System Checkpoint
    RP861: 7/09/2010 2:44:42 a.m. - System Checkpoint
    RP862: 8/09/2010 5:16:13 a.m. - System Checkpoint
    RP863: 9/09/2010 5:44:41 a.m. - System Checkpoint
    RP864: 9/09/2010 8:02:35 a.m. - Avg8 Update
    RP865: 10/09/2010 9:11:33 a.m. - System Checkpoint
    RP866: 11/09/2010 9:44:41 a.m. - System Checkpoint
    RP867: 12/09/2010 10:44:41 a.m. - System Checkpoint
    RP868: 13/09/2010 11:17:10 a.m. - System Checkpoint
    RP869: 14/09/2010 1:06:57 p.m. - System Checkpoint
    RP870: 15/09/2010 9:38:17 p.m. - System Checkpoint
    RP871: 16/09/2010 10:21:53 p.m. - System Checkpoint
    RP872: 18/09/2010 12:33:51 p.m. - System Checkpoint
    RP873: 19/09/2010 2:48:11 p.m. - System Checkpoint
    RP874: 20/09/2010 3:30:09 p.m. - System Checkpoint
    RP875: 21/09/2010 3:55:09 p.m. - System Checkpoint
    RP876: 21/09/2010 11:56:17 p.m. - Software Distribution Service 3.0
    RP877: 22/09/2010 10:37:29 p.m. - Software Distribution Service 3.0
    RP878: 23/09/2010 10:52:53 p.m. - System Checkpoint
    RP879: 25/09/2010 8:30:08 a.m. - System Checkpoint
    RP880: 26/09/2010 8:59:09 a.m. - System Checkpoint
    RP881: 27/09/2010 10:34:58 a.m. - System Checkpoint
    RP882: 28/09/2010 11:18:38 a.m. - System Checkpoint
    RP883: 29/09/2010 12:18:40 p.m. - System Checkpoint
    RP884: 30/09/2010 1:18:39 p.m. - System Checkpoint
    RP885: 1/10/2010 3:22:47 p.m. - System Checkpoint
    RP886: 2/10/2010 4:20:33 p.m. - System Checkpoint
    RP887: 3/10/2010 5:20:33 p.m. - System Checkpoint
    RP888: 4/10/2010 10:24:20 p.m. - System Checkpoint
    RP889: 6/10/2010 9:29:09 p.m. - System Checkpoint
    RP890: 7/10/2010 8:12:11 a.m. - Avg8 Update
    RP891: 8/10/2010 8:28:55 a.m. - System Checkpoint
    RP892: 9/10/2010 10:20:03 a.m. - System Checkpoint
    RP893: 10/10/2010 11:03:47 a.m. - System Checkpoint
    RP894: 11/10/2010 12:58:31 p.m. - System Checkpoint
    RP895: 12/10/2010 1:32:45 p.m. - System Checkpoint
    RP896: 13/10/2010 2:48:19 p.m. - System Checkpoint
    RP897: 14/10/2010 4:08:33 p.m. - System Checkpoint
    RP898: 15/10/2010 4:57:05 p.m. - System Checkpoint
    RP899: 16/10/2010 5:17:36 p.m. - System Checkpoint
    RP900: 17/10/2010 6:17:36 p.m. - System Checkpoint
    RP901: 18/10/2010 6:17:45 p.m. - System Checkpoint
    RP902: 19/10/2010 7:00:39 p.m. - System Checkpoint
    RP903: 20/10/2010 8:05:10 p.m. - System Checkpoint
    RP904: 21/10/2010 10:03:33 p.m. - System Checkpoint
    RP905: 23/10/2010 11:44:40 a.m. - System Checkpoint
    RP906: 24/10/2010 10:45:43 p.m. - System Checkpoint
    RP907: 26/10/2010 12:59:37 p.m. - System Checkpoint
    RP908: 27/10/2010 9:47:37 a.m. - Avg8 Update
    RP909: 27/10/2010 9:49:16 a.m. - Avg8 Update
    RP910: 27/10/2010 9:55:01 p.m. - Software Distribution Service 3.0
    RP911: 28/10/2010 4:27:25 p.m. - Software Distribution Service 3.0
    RP912: 28/10/2010 4:28:41 p.m. - Installed Java(TM) 6 Update 22
    RP913: 29/10/2010 5:47:08 p.m. - System Checkpoint
    RP914: 30/10/2010 10:54:08 p.m. - System Checkpoint
    RP915: 1/11/2010 12:26:00 p.m. - System Checkpoint
    RP916: 2/11/2010 12:29:14 p.m. - System Checkpoint
    RP917: 3/11/2010 1:22:21 p.m. - System Checkpoint
    RP918: 4/11/2010 2:32:23 p.m. - System Checkpoint
    RP919: 5/11/2010 3:23:19 p.m. - System Checkpoint
    RP920: 6/11/2010 3:52:37 p.m. - System Checkpoint
    RP921: 7/11/2010 4:52:38 p.m. - System Checkpoint
    RP922: 9/11/2010 7:48:20 a.m. - System Checkpoint
    RP923: 10/11/2010 11:25:17 a.m. - System Checkpoint
    RP924: 11/11/2010 12:57:21 p.m. - System Checkpoint
    RP925: 12/11/2010 1:35:54 p.m. - System Checkpoint
    RP926: 13/11/2010 2:12:49 p.m. - System Checkpoint
    RP927: 14/11/2010 2:42:48 p.m. - System Checkpoint
    RP928: 14/11/2010 11:58:34 p.m. - Software Distribution Service 3.0
    RP929: 16/11/2010 4:24:49 a.m. - System Checkpoint
    RP930: 16/11/2010 9:45:00 p.m. - Spyware Terminator - restore point

    ==== Installed Programs ======================

    32 Bit HP CIO Components Installer
    Adobe AIR
    Adobe Flash Player 10 Plugin
    Adobe Flash Player ActiveX
    Adobe Reader 9.4.0
    Adobe Shockwave Player 11.5
    AIO_Scan
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    AVG Free 8.5
    Bonjour
    CDDRV_Installer
    Chessmaster 10th Edition
    Compact Wireless-G USB Adapter
    Compatibility Pack for the 2007 Office system
    ConvertHelper 2.2
    Cordless DUALphone Suite
    Crawler Toolbar with Web Security Guard
    Diskeeper 2008 Pro Premier
    dj_aio_corporate
    DJ_AIO_ProductContext
    DJ_AIO_Software_min
    DVD Decrypter (Remove Only)
    DVD Region Killer
    EMBASSY Security Center
    ESET Online Scanner v3
    F4100_Help
    ffdshow [rev 1281] [2007-06-12]
    Google Earth
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Deskjet All-In-One Driver Software 9.0.A Corporate Edition
    Intel(R) Graphics Media Accelerator Driver
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 22
    JumpStart Typing
    KhalInstallWrapper
    Logitech Audio Echo Cancellation Component
    Logitech QuickCam
    Logitech SetPoint
    Logitech® Camera Driver
    Malwarebytes' Anti-Malware
    Maxtor OneTouch
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Microsoft User-Mode Driver Framework Feature Pack 1.7
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox (3.6.12)
    MSVC80_x86
    MSVC80_x86_v2
    MSVC90_x86
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Multimedia Card Reader
    MVision
    MYOB Accounting v16
    NavRules 2.2.4
    Nero Suite
    Nokia Connectivity Cable Driver
    Nokia Ovi Suite
    Nokia Ovi Suite Software Updater
    Nokia PC Suite
    NTRU Hybrid TSS v1.05
    OpenCPN version 1.3.6
    OpenSource Flash Video Splitter (remove only)
    Ovi Desktop Sync Engine
    OviMPlatform
    PC Connectivity Solution
    PrimoPDF
    PrimoPDF Redistribution Package
    QuickTime
    Radar Training Simulator Mk2
    Retrospect 6.0
    Safari
    Samsung PC Studio 1.0 PIM & File Manager
    Scan
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2183461)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB976325)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982381)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Sentinel System Driver
    Skype Toolbars
    Skype™ 4.2
    Spyware Terminator
    STMicroelectronics TPM Software Package
    Toolbox
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB976749)
    Update for Windows XP (KB978207)
    USB Storage Adapter FX (MXO)
    WD Diagnostics
    WebFldrs XP
    WIDCOMM Bluetooth Software
    Window Washer
    Windows Driver Package - Nokia Modem (06/01/2009 7.01.0.4)
    Windows Driver Package - Nokia Modem (10/05/2009 4.2)
    Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    XviD MPEG-4 Video Codec

    ==== Event Viewer Messages From Past Week ========

    16/11/2010 9:46:37 p.m., error: Service Control Manager [7034] - The Spyware Terminator Realtime Shield Service service terminated unexpectedly. It has done this 1 time(s).
    16/11/2010 9:46:36 p.m., error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    16/11/2010 9:46:35 p.m., error: Service Control Manager [7034] - The Washer Security Access service terminated unexpectedly. It has done this 1 time(s).
    16/11/2010 9:46:35 p.m., error: Service Control Manager [7034] - The NTRU Hybrid TSS v1.05 TCSD service terminated unexpectedly. It has done this 1 time(s).
    16/11/2010 9:46:35 p.m., error: Service Control Manager [7034] - The AVG8 E-mail Scanner service terminated unexpectedly. It has done this 1 time(s).
    16/11/2010 9:46:34 p.m., error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    16/11/2010 9:46:34 p.m., error: Service Control Manager [7034] - The Diskeeper service terminated unexpectedly. It has done this 1 time(s).
    16/11/2010 9:46:34 p.m., error: Service Control Manager [7031] - The AVG8 WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    16/11/2010 9:46:33 p.m., error: Service Control Manager [7034] - The Process Monitor service terminated unexpectedly. It has done this 1 time(s).
    16/11/2010 9:46:33 p.m., error: Service Control Manager [7034] - The DataSvr service terminated unexpectedly. It has done this 1 time(s).
    16/11/2010 9:46:33 p.m., error: Service Control Manager [7034] - The Crypkey License service terminated unexpectedly. It has done this 1 time(s).
    16/11/2010 9:46:33 p.m., error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    16/11/2010 9:46:33 p.m., error: Service Control Manager [7031] - The Bluetooth Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    16/11/2010 9:46:33 p.m., error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    16/11/2010 2:56:54 a.m., error: Service Control Manager [7023] - The SSHNAS service terminated with the following error: The specified module could not be found.
    16/11/2010 10:32:31 p.m., error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    13/11/2010 7:39:20 p.m., error: Tcpip [4191] - IP could not open the registry key for adapter TCPIP\Parameters\Adapters\NDISWANIP. Interfaces on this adapter will not be initialized.

    ==== End Of File ===========================

    Hope this helps

    Regards

    PottymouthNZ
     
  2. Bobbye


    Welcome to TechSpot. FYI, AVG will continue to flag an entry even if it's in a location that isn't active. Let's see where it is:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
     
  3. PottymouthNZ


    Bobbye, many thanks for looking at this.

    Eset scan done and log posted.
    It said it found nothing. Does this mean the computer is not infected?

    I await your reply

    Thanks again

    PM


    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=e02aa3ec9ff35a4d9288895dcae498b3
    # end=finished
    # remove_checked=true
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-11-15 05:11:11
    # local_time=2010-11-16 06:11:11 (+1200, New Zealand Daylight Time)
    # country="New Zealand"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=1024 16777175 100 0 77036686 77036686 0 0
    # compatibility_mode=5121 16777214 0 3 76962522 76962522 0 0
    # compatibility_mode=5889 16764286 0 94 76260240 135391360 0 0
    # compatibility_mode=8192 67108863 100 0 1094 1094 0 0
    # scanned=142869
    # found=0
    # cleaned=0
    # scan_time=8779
    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=e02aa3ec9ff35a4d9288895dcae498b3
    # end=stopped
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-11-18 06:50:49
    # local_time=2010-11-18 07:50:49 (+1200, New Zealand Daylight Time)
    # country="New Zealand"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=1024 16777191 100 0 77267385 77267385 0 0
    # compatibility_mode=5121 16777214 0 3 77193221 77193221 0 0
    # compatibility_mode=5889 16764286 0 94 76490939 135622059 0 0
    # compatibility_mode=7937 16777213 100 100 0 619343 0 0
    # compatibility_mode=8192 67108863 100 0 231793 231793 0 0
    # scanned=6291
    # found=0
    # cleaned=0
    # scan_time=58
    ESETSmartInstaller@High as downloader log:
    all ok
    esets_scanner_update returned -1 esets_gle=53251
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=e02aa3ec9ff35a4d9288895dcae498b3
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-11-18 07:48:55
    # local_time=2010-11-18 08:48:55 (+1200, New Zealand Daylight Time)
    # country="New Zealand"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=1024 16777191 100 0 77267727 77267727 0 0
    # compatibility_mode=5121 16777214 0 3 77193563 77193563 0 0
    # compatibility_mode=5889 16764286 0 94 76491281 135622401 0 0
    # compatibility_mode=7937 16777213 100 100 0 619685 0 0
    # compatibility_mode=8192 67108863 100 0 232135 232135 0 0
    # scanned=132826
    # found=0
    # cleaned=0
    # scan_time=3202
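Bobbye asked for the ESET scan to run with "Remove found threats" unchecked, and the "# key=value" summary blocks posted above make that verifiable after the fact. The following is an added example, not part of the thread or of ESET's tooling: it splits pasted output like the above into runs and checks each against the requested settings. It assumes that remove_checked and unwanted_checked correspond to the "Remove found threats" and "Scan unwanted applications" boxes, which the page does not state.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Each scan run in the pasted output starts with this line and is followed by
# "# key=value" lines; that structure is taken from the log shown in the post.
RUN_HEADER = "ESETSmartInstaller@High as downloader log:"
KV_RE = re.compile(r"^#\s*(\w+)=(.*)$")


@dataclass
class EsetRun:
    settings: dict[str, str] = field(default_factory=dict)
    compat: list[str] = field(default_factory=list)  # repeated compatibility_mode lines
    notes: list[str] = field(default_factory=list)   # free-text lines such as "all ok"


def parse_eset_log(text: str) -> list[EsetRun]:
    """Split a pasted ESET Online Scanner log into one EsetRun per header."""
    runs: list[EsetRun] = []
    current: EsetRun | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == RUN_HEADER:
            current = EsetRun()
            runs.append(current)
            continue
        if current is None:
            continue  # anything before the first header is not part of a run
        m = KV_RE.match(line)
        if m is None:
            current.notes.append(line)
        elif m.group(1) == "compatibility_mode":
            current.compat.append(m.group(2).strip())
        else:
            current.settings[m.group(1)] = m.group(2).strip()
    return runs


def check_run(run: EsetRun) -> dict[str, object]:
    """Compare one run against the settings the helper asked for.

    Assumption (not stated on the page): remove_checked mirrors the
    "Remove found threats" box and unwanted_checked mirrors
    "Scan unwanted applications".
    """
    s = run.settings
    return {
        "finished": s.get("end") == "finished",
        "remove_unchecked": s.get("remove_checked") == "false",
        "unwanted_checked": s.get("unwanted_checked") == "true",
        "scanned": int(s.get("scanned", "0")),
        "found": int(s.get("found", "0")),
        "cleaned": int(s.get("cleaned", "0")),
        # the third run in the post carries "esets_scanner_update returned -1";
        # a -1 from the update step with an esets_gle error code is worth
        # knowing before trusting found=0
        "update_failed": any(
            n.startswith("esets_scanner_update returned -1") for n in run.notes
        ),
    }


def triage(text: str) -> list[dict[str, object]]:
    """Parse and check every run; results in log order."""
    return [check_run(r) for r in parse_eset_log(text)]


# Constructed sample: the three runs from the post, with the repeated
# compatibility_mode lines trimmed to one.
SAMPLE_LOG = """\
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# compatibility_mode=1024 16777175 100 0 77036686 77036686 0 0
# scanned=142869
# found=0
# cleaned=0
# scan_time=8779
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# end=stopped
# remove_checked=false
# unwanted_checked=true
# scanned=6291
# found=0
# cleaned=0
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# end=finished
# remove_checked=false
# unwanted_checked=true
# scanned=132826
# found=0
# cleaned=0
"""

if __name__ == "__main__":
    for i, result in enumerate(triage(SAMPLE_LOG), 1):
        print(f"run {i}: {result}")
```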
     
  4. Bobbye


    Unfortunately, a clean Eset scan does not mean the entire system is clean. It is mainly a virus scanner. There is a great deal of malware that is described differently. Sometimes a virus scanner can detect one it can't clean; other times, it gets missed entirely. Or it could be a false positive. But my guess is that this name sounds more like a Trojan rather than a virus; there is a difference.

    And as I told you, "AVG will continue to flag an entry even if it's in a location that isn't active", such as if malware was in a restore point or quarantined by another program. Mbam removed several infections.

    I am concerned that you are not using the current version of AVG which is v9 or v10. I note several entries for AVG v8 and the installed list shows AVG v8.5. So I suggest you update to the most current version. If the update doesn't overwrite the older version, you should remove it in Add/Remove Programs in the Control Panel.
    =========================================
    Please run the following so I can check for any other bad entries:
    Please download ComboFix from Here and save to your Desktop.

    1. Do NOT rename Combofix unless instructed.
    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    3. Close any open browsers.
    4. Double-click combofix.exe & follow the prompts to run.
    NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    5. If Combofix asks you to install Recovery Console, please allow it.
    6. If Combofix asks you to update the program, always allow.
    Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    7. A report will be generated after the scan. Please paste the C:\ComboFix.txt in your next reply.
    Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
    ============================================
    Download the HijackThis Installer and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
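Bobbye's point that Mbam removed several infections, and that a flagged entry can sit in an inactive location, can be checked against the logs in the first post. The following is an added example, not from the thread or from any of the tools named in it: it pulls the service name out of the HKLM\...\Services key that Malwarebytes quarantined and matches it against the Service Control Manager lines in the DDS event list, so the 7023 "module could not be found" error for SSHNAS lands beside the key that registered it. The sample lines are constructed from the logs posted above.

```python
import re

# Line shapes taken from the Malwarebytes and DDS output pasted in this thread.
MBAM_HIT_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")
SERVICE_KEY_RE = re.compile(r"\\System\\CurrentControlSet\\Services\\([^\\]+)$", re.IGNORECASE)
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [ap]\.m\.), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<msg>.+)$"
)


def parse_mbam_sections(text):
    """Return {section: [(item, detection, action), ...]} for the detail
    sections; the summary counts at the top ("... Infected: 4") are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):  # detail header such as "Registry Keys Infected:"
            current = line[:-1]
            sections[current] = []
        elif current and not line.startswith("(No malicious"):
            m = MBAM_HIT_RE.match(line)
            if m:
                sections[current].append((m["item"], m["detection"], m["action"]))
    return sections


def removed_services(sections):
    """Service names from the HKLM\\...\\Services\\<name> keys MBAM acted on."""
    names = []
    for item, _detection, _action in sections.get("Registry Keys Infected", []):
        m = SERVICE_KEY_RE.search(item)
        if m:
            names.append(m.group(1))
    return names


def parse_events(text):
    """Parse the '==== Event Viewer Messages ====' lines of a DDS log."""
    events = []
    for raw in text.splitlines():
        m = EVENT_RE.match(raw.strip())
        if m:
            events.append(m.groupdict())
    return events


def correlate(mbam_text, dds_events_text):
    """For each service key MBAM removed, list the Service Control Manager
    events that name that service. A 7023 'module could not be found' against
    a removed service shows the registration outlived its binary."""
    services = removed_services(parse_mbam_sections(mbam_text))
    hits = {name: [] for name in services}
    for ev in parse_events(dds_events_text):
        if not ev["source"].startswith("Service Control Manager"):
            continue
        for name in services:
            if re.search(rf"\b{re.escape(name)}\b", ev["msg"], re.IGNORECASE):
                hits[name].append((ev["event_id"], ev["ts"], ev["msg"]))
    return hits


# Constructed sample, abbreviated from the MBAM and DDS logs in the first post.
SAMPLE_MBAM = r"""
Registry Keys Infected: 4
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SSHNAS (Trojan.Renos) -> Quarantined and deleted successfully.

Files Infected:
C:\WINXP\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

SAMPLE_EVENTS = r"""
16/11/2010 9:46:34 p.m., error: Service Control Manager [7034] - The Diskeeper service terminated unexpectedly. It has done this 1 time(s).
16/11/2010 2:56:54 a.m., error: Service Control Manager [7023] - The SSHNAS service terminated with the following error: The specified module could not be found.
13/11/2010 7:39:20 p.m., error: Tcpip [4191] - IP could not open the registry key for adapter TCPIP\Parameters\Adapters\NDISWANIP. Interfaces on this adapter will not be initialized.
"""

if __name__ == "__main__":
    for service, events in correlate(SAMPLE_MBAM, SAMPLE_EVENTS).items():
        print(service, events)
```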
     
  5. PottymouthNZ


    Next step completed

    I loaded the latest version of AVG, which at 110 MB took ages, only to find ComboFix will not run with AVG installed, even after disabling it! Real pain in the butt.

    So I uninstalled AVG, then ran ComboFix and HijackThis.

    Combofix log

    ComboFix 10-11-19.01 - Peter 20/11/2010 12:58:18.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.64.1033.18.2038.1562 [GMT 13:00]
    Running from: c:\documents and settings\Peter\Desktop\ComboFix.exe
    FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Peter\Recent\Evony-Free_Forever.url
    c:\documents and settings\Peter\Recent\Thumbs.db
    c:\winxp\jestertb.dll
    c:\winxp\system32\AutoRun.inf

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_SSHNAS


    ((((((((((((((((((((((((( Files Created from 2010-10-20 to 2010-11-20 )))))))))))))))))))))))))))))))
    .

    2010-11-19 09:16 . 2010-11-19 09:16 -------- d-----w- c:\documents and settings\Peter\Application Data\AVG10
    2010-11-19 09:14 . 2010-11-19 09:14 -------- d--h--w- c:\documents and settings\All Users.WINXP\Application Data\Common Files
    2010-11-19 09:13 . 2010-11-19 23:39 -------- d-----w- c:\documents and settings\All Users.WINXP\Application Data\AVG10
    2010-11-19 08:42 . 2010-11-19 09:02 -------- d-----w- c:\documents and settings\All Users.WINXP\Application Data\MFAData
    2010-11-18 08:29 . 2010-11-18 08:29 -------- d-----w- c:\documents and settings\Peter\Application Data\opencpn
    2010-11-16 09:02 . 2010-11-16 09:02 -------- d-----w- c:\documents and settings\Peter\Application Data\Malwarebytes
    2010-11-16 09:01 . 2010-04-29 02:39 38224 ----a-w- c:\winxp\system32\drivers\mbamswissarmy.sys
    2010-11-16 09:01 . 2010-11-16 09:01 -------- d-----w- c:\documents and settings\All Users.WINXP\Application Data\Malwarebytes
    2010-11-16 09:01 . 2010-11-16 09:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-16 09:01 . 2010-04-29 02:39 20952 ----a-w- c:\winxp\system32\drivers\mbam.sys
    2010-11-16 08:34 . 2010-11-16 08:34 142592 ----a-w- c:\winxp\system32\drivers\sp_rsdrv2.sys
    2010-11-16 08:34 . 2010-11-18 06:54 -------- d-----w- c:\documents and settings\Peter\Application Data\Spyware Terminator
    2010-11-16 08:34 . 2010-11-19 08:28 -------- d-----w- c:\documents and settings\All Users.WINXP\Application Data\Spyware Terminator
    2010-11-16 08:34 . 2010-11-18 06:54 -------- d-----w- c:\program files\Spyware Terminator
    2010-11-15 14:26 . 2010-11-15 14:26 -------- d-----w- c:\program files\ESET
    2010-11-05 22:37 . 2010-11-05 22:37 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2010-11-05 22:37 . 2010-11-05 22:37 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    2010-10-28 03:27 . 2010-07-16 12:05 1288192 -c----w- c:\winxp\system32\dllcache\ole32.dll
    2010-10-26 20:20 . 2010-09-18 06:53 953856 -c----w- c:\winxp\system32\dllcache\mfc40u.dll
    2010-10-26 20:20 . 2010-09-18 06:53 974848 -c----w- c:\winxp\system32\dllcache\mfc42.dll
    2010-10-26 20:17 . 2010-08-23 16:12 617472 -c----w- c:\winxp\system32\dllcache\comctl32.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-18 06:53 . 2006-02-28 12:00 974848 ----a-w- c:\winxp\system32\mfc42.dll
    2010-09-18 06:53 . 2006-02-28 12:00 954368 ----a-w- c:\winxp\system32\mfc40.dll
    2010-09-18 06:53 . 2006-02-28 12:00 953856 ----a-w- c:\winxp\system32\mfc40u.dll
    2010-09-17 23:23 . 2006-02-28 12:00 974848 ----a-w- c:\winxp\system32\mfc42u.dll
    2010-09-14 15:50 . 2010-06-07 09:31 472808 ----a-w- c:\winxp\system32\deployJava1.dll
    2010-09-14 13:29 . 2010-03-31 21:14 73728 ----a-w- c:\winxp\system32\javacpl.cpl
    2010-09-07 22:17 . 2010-09-07 22:17 94208 ----a-w- c:\winxp\system32\QuickTimeVR.qtx
    2010-09-07 22:17 . 2010-09-07 22:17 69632 ----a-w- c:\winxp\system32\QuickTime.qts
    2010-09-01 11:51 . 2006-02-28 12:00 285824 ----a-w- c:\winxp\system32\atmfd.dll
    2010-08-31 13:42 . 2006-02-28 12:00 1852800 ----a-w- c:\winxp\system32\win32k.sys
    2010-08-27 08:02 . 2006-02-28 12:00 119808 ----a-w- c:\winxp\system32\t2embed.dll
    2010-08-27 05:57 . 2006-02-28 12:00 99840 ----a-w- c:\winxp\system32\srvsvc.dll
    2010-08-26 13:39 . 2006-02-28 12:00 357248 ----a-w- c:\winxp\system32\drivers\srv.sys
    2010-08-26 12:52 . 2009-04-16 04:39 5120 ----a-w- c:\winxp\system32\xpsp4res.dll
    2010-08-23 16:12 . 2006-02-28 12:00 617472 ----a-w- c:\winxp\system32\comctl32.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2005-08-08 1109504]
    "Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-09-02 13351304]
    "SpywareTerminatorUpdate"="c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe" [2010-11-16 3037696]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
    "igfxtray"="c:\winxp\system32\igfxtray.exe" [2005-10-14 94208]
    "igfxhkcmd"="c:\winxp\system32\hkcmd.exe" [2005-10-14 77824]
    "igfxpers"="c:\winxp\system32\igfxpers.exe" [2005-10-14 114688]
    "MaxtorOneTouch"="c:\progra~1\Maxtor\OneTouch\Utils\OneTouch.exe" [2004-12-21 823296]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
    "MXOBG"="c:\winxp\MXOALDR.EXE" [2006-10-28 94208]
    "Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-09-03 139264]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-03 185896]
    "RegKillElbyCheck"="c:\program files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" [2002-11-02 45056]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-28 76304]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-13 248552]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-07 421888]
    "iTunesHelper"="c:\program files\iTunes1\iTunesHelper.exe" [2010-09-23 421160]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\winxp\system32\CTFMON.EXE" [2008-04-13 15360]

    c:\documents and settings\All Users.WINXP\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-4-1 568176]
    Cordless DUALphone Startup.lnk - c:\program files\Cordless USB Phone\Cordless DUALphone Suite.exe [2006-7-24 625000]
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-8-17 805392]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    2008-05-01 14:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\LightMaster\\Radar Training Simulator Mk2\\LMMessages.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Nokia\\Nokia Ovi Suite\\NokiaOviSuite.exe"=
    "c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
    "c:\\Program Files\\Participatory Culture Foundation\\Miro\\Miro_Downloader.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\iTunes1\\iTunes.exe"=
    "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
    "c:\\Program Files\\Spyware Terminator\\SpywareTerminatorUpdate.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R0 stmtpm;STM TPM Service;c:\winxp\system32\drivers\stm_tpm.sys [8/06/2008 6:34 p.m. 21504]
    R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\winxp\system32\drivers\sp_rsdrv2.sys [16/11/2010 9:34 p.m. 142592]
    R2 sentemul;sentemul;c:\winxp\system32\drivers\SentEmul.sys [16/05/2010 3:56 p.m. 11812]
    R3 RegKill;RegKill;c:\winxp\system32\drivers\RegKill.sys [28/11/2002 10:46 a.m. 6400]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/07/2009 3:27 a.m. 133104]
    S3 ADM8511;%ADM8511.Service.DispName%;c:\winxp\system32\drivers\ADM8511.SYS [17/08/2001 1:11 p.m. 20160]
    S3 SunkFilt6;Alcor Micro Corp - 6360;\??\c:\winxp\System32\Drivers\sunkfilt6.sys --> c:\winxp\System32\Drivers\sunkfilt6.sys [?]
    S3 SunkFilt62;Alcor Micro Corp - 6362;c:\winxp\system32\drivers\sunkfilt62.sys [23/07/2004 3:55 p.m. 46536]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-06 c:\winxp\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 00:34]

    2010-11-20 c:\winxp\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-06 14:27]

    2010-11-19 c:\winxp\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-06 14:27]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://news.google.co.nz/nwshp?ie=UTF-8&hl=en&tab=wn
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    TCP: {697C63E7-B68E-467B-8AD7-3F5C58A13340} = 202.27.158.40,202.27.156.72
    FF - ProfilePath - c:\documents and settings\Peter\Application Data\Mozilla\Firefox\Profiles\4e134232.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://news.google.co.nz/nwshp?hl=en&tab=wn|http://metservice.com/marine/index|....nz/|https://mail.coastguard.org.nz/exchange/
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\iTunes1\Mozilla Plugins\npitunes.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\winxp\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-20 13:11
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(788)
    c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
    c:\program files\common files\logitech\bluetooth\LBTServ.dll

    - - - - - - - > 'explorer.exe'(7972)
    c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
    c:\program files\Logitech\SetPoint\GameHook.dll
    c:\program files\Logitech\SetPoint\lgscroll.dll
    c:\winxp\system32\btmmhook.dll
    c:\winxp\system32\WPDShServiceObj.dll
    c:\winxp\system32\btncopy.dll
    c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
    c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
    c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
    c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
    c:\winxp\system32\PortableDeviceTypes.dll
    c:\winxp\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\winxp\system32\crypserv.exe
    c:\program files\Wave Systems Corp\Common\DataServer.exe
    c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Spyware Terminator\sp_rsser.exe
    c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe
    c:\program files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
    c:\program files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
    c:\winxp\system32\wwSecure.exe
    c:\program files\Common Files\Nokia\MPlatform\NokiaMServer.exe
    c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    .
    **************************************************************************
    .
    Completion time: 2010-11-20 13:14:45 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-11-20 00:14

    Pre-Run: 8,371,892,224 bytes free
    Post-Run: 8,268,337,152 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINXP
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINXP="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 44F8F4F8C45D4FEE2956784B7C60FC09

    Hijackthis log

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 1:21:36 p.m., on 20/11/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINXP\System32\smss.exe
    C:\WINXP\system32\winlogon.exe
    C:\WINXP\system32\services.exe
    C:\WINXP\system32\lsass.exe
    C:\WINXP\system32\svchost.exe
    C:\WINXP\System32\svchost.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINXP\system32\svchost.exe
    C:\WINXP\system32\spoolsv.exe
    c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\WINXP\system32\crypserv.exe
    C:\Program Files\Wave Systems Corp\Common\DataServer.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\WINXP\system32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINXP\System32\svchost.exe
    C:\WINXP\System32\svchost.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\WINXP\system32\svchost.exe
    C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe
    C:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
    C:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
    C:\WINXP\system32\wwSecure.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINXP\system32\hkcmd.exe
    C:\WINXP\system32\igfxpers.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINXP\MXOALDR.EXE
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iTunes1\iTunesHelper.exe
    C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\WINXP\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\WINXP\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\WINXP\system32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.co.nz/nwshp?ie=UTF-8&hl=en&tab=wn
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINXP\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINXP\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINXP\system32\igfxpers.exe
    O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [MXOBG] C:\WINXP\MXOALDR.EXE
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes1\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Cordless DUALphone Startup.lnk = C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\OFFICE~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINXP\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINXP\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{697C63E7-B68E-467B-8AD7-3F5C58A13340}: NameServer = 202.27.158.40,202.27.156.72
    O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINXP\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINXP\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINXP\SYSTEM32\crypserv.exe
    O23 - Service: DataSvr - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
    O23 - Service: NTRU Hybrid TSS v1.05 TCSD (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe
    O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
    O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINXP\system32\wwSecure.exe

    --
    End of file - 9859 bytes
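Reading a HijackThis log means going down the O4 autostart, O9 button and O23 service lines one at a time and asking the same few questions of each: does the target file exist, is it a bare file name with no drive path, does it live somewhere a user can write, and who published it. As an added example (not part of this thread and not a Trend Micro tool), the Python script below parses lines in that format and applies those checks. The sample lines are copied from the log above except for the "WinUpdate" Run entry, which is constructed for the example so that the user-writable-folder check has something to flag; the reason strings and the list of "user-writable" folders are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample HijackThis v2 lines. All but one are copied from the log above; the
# "WinUpdate" Run entry is constructed for this example so the triage pass has
# a persistence entry in a user-writable folder to flag.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - HKCU\..\Run: [WinUpdate] C:\Documents and Settings\Peter\Local Settings\Temp\winupd.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: NTRU Hybrid TSS v1.05 TCSD (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe
"""

# One pattern per HijackThis section this triage looks at.
O4_RUN = re.compile(r"^O4 - (?P<hive>HK\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
O9_BUTTON = re.compile(r"^O9 - Extra (?:button|'Tools' menuitem): (?P<name>.+?) - \{[^}]+\} - (?P<cmd>.*)$")
O23_SERVICE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.*)$")
# First drive-qualified path ending in an executable-type extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|cpl|scr|bat|cmd)\b", re.IGNORECASE)

# Locations a normal installer does not use for autostart binaries on XP
# (assumed list for this example).
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\recycler\\")

REASON_MISSING = "target missing or unresolved (orphaned entry)"
REASON_NO_PATH = "no drive-qualified path; the binary is found via the search path at logon"
REASON_USER_WRITABLE = "executable lives in a user-writable location"
REASON_NO_OWNER = "service binary has no publisher recorded"


@dataclass
class Entry:
    kind: str        # "run", "startup", "button" or "service"
    name: str
    command: str     # command line or target, as printed by HijackThis
    owner: str = ""  # publisher string for O23 lines, empty otherwise
    raw: str = ""


def parse_line(line: str) -> Optional[Entry]:
    """Turn one O4/O9/O23 line into an Entry; other sections return None."""
    for kind, pattern in (("run", O4_RUN), ("startup", O4_STARTUP),
                          ("button", O9_BUTTON), ("service", O23_SERVICE)):
        m = pattern.match(line)
        if m:
            g = m.groupdict()
            return Entry(kind, g["name"], g["cmd"], g.get("owner", ""), line)
    return None


def reasons_for(entry: Entry) -> List[str]:
    """The checks an analyst makes by eye on each autostart entry."""
    reasons = []
    target = entry.command.strip()
    if "(file missing)" in entry.raw or target == "?":
        reasons.append(REASON_MISSING)
    m = PATH_RE.search(target)
    if m is None:
        if target != "?":
            reasons.append(REASON_NO_PATH)
    elif any(marker in m.group(0).lower() for marker in USER_WRITABLE):
        reasons.append(REASON_USER_WRITABLE)
    if entry.kind == "service" and entry.owner.lower() == "unknown owner":
        reasons.append(REASON_NO_OWNER)
    return reasons


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (entry name, reason) for every line that deserves a second look."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line.strip())
        if entry is None:
            continue
        for reason in reasons_for(entry):
            findings.append((entry.name, reason))
    return findings


if __name__ == "__main__":
    for name, reason in triage(SAMPLE_LOG):
        print(f"{name!r}: {reason}")
```

A flag from this pass is a prompt to look closer, not a verdict: the bare `KHALMNPR.EXE` entry and the "Unknown owner" NTRU service are both legitimate in this thread, which is exactly why the helper still reads each line rather than trusting a script.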
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    For the next time: FYI: The part of AVG causing the problem is the Resident Shield. Here are the instructions to temporarily disable it:

    Please open the AVG Control Center
    • Double-click on the "AVG Resident Shield" component
    • Uncheck the "Turn on AVG Resident Shield" checkmark
    • Save the setting.
    Then re-enable when finished:
    • Open the AVG Control Center
    • Double-click on the "AVG Resident Shield" component
    • Check the "Turn on AVG Resident Shield" checkmark
    • Save the setting.
    ===================================
    Are you using a driver for SunkFilt62 from Alcor Micro Corp? Did you update it? There are 2 versions, SunkFilt6 and SunkFilt62, and they are questioned in ComboFix.
    ==========================================
    ComboFix removed c:\winxp\system32\AutoRun.inf. This worm spreads through removable storage devices, email attachments, infected files and chat programs. If you have been using a flash drive, we will need to disinfect that.

    Other than that, the system is clean and no other changes need to be made.
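Disinfecting a flash drive starts with reading the autorun.inf at its root, because that file is what makes Windows XP run the dropped program when the drive is plugged in. The Python script below is an added example, not part of this thread: it parses an autorun.inf and reports every directive that would launch a program, then applies two checks that separate the worm pattern from a vendor CD. Both sample files are constructed for this example (the folder name, SID-like string and file name are made up); the verdict strings and folder list are assumptions of the example.

```python
import configparser
from typing import Dict, List, Tuple

# Constructed sample, not taken from the thread's logs: the shape of the
# autorun.inf that USB-borne worms of the XP era put on a flash drive root.
# The SID-like folder name and the file name are invented.
WORM_STYLE_AUTORUN = r"""
[AutoRun]
open=RECYCLER\S-1-5-21-0000000000-0000000000-0000000000-1000\update.exe
shell\open\Command=RECYCLER\S-1-5-21-0000000000-0000000000-0000000000-1000\update.exe
shell\explore\Command=RECYCLER\S-1-5-21-0000000000-0000000000-0000000000-1000\update.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
"""

# Constructed sample of what a vendor driver CD typically carries.
VENDOR_CD_AUTORUN = r"""
[autorun]
open=setup.exe
icon=setup.ico
label=Driver CD
"""

LAUNCH_KEYS = ("open", "shellexecute")
# Folders Explorer hides by default; a launch target under one of them is the
# classic worm pattern, because the user never sees the dropped file.
HIDDEN_SYSTEM_DIRS = ("recycler", "recycled", "$recycle.bin", "system volume information")
# Text that imitates the genuine AutoPlay choice so the user picks the worm.
FAKE_EXPLORER_TEXT = "open folder to view files"

VERDICT_NONE = "no program launch directive"
VERDICT_VERIFY = "launches a program: verify the target before trusting the drive"
VERDICT_SUSPICIOUS = "suspicious: launches from a hidden folder and/or mimics the Explorer AutoPlay choice"


def _parse(inf_text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(
        interpolation=None,   # '%SystemRoot%' would otherwise trip interpolation
        delimiters=("=",),    # INF files only use '='
        strict=False,         # tolerate repeated keys
        allow_no_value=True,  # tolerate the junk padding lines worms add
    )
    cp.read_string(inf_text)
    return cp


def _is_launch_key(key: str) -> bool:
    # configparser lower-cases option names, so "shell\open\Command" arrives as
    # "shell\open\command".
    return key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))


def launch_directives(inf_text: str) -> List[Tuple[str, str]]:
    """Return (key, target) for every directive that would run a program."""
    cp = _parse(inf_text)
    found = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):
            if value and _is_launch_key(key):
                found.append((key, value.strip()))
    return found


def assess(inf_text: str) -> Dict[str, object]:
    """Classify an autorun.inf: no launch, launch to verify, or suspicious."""
    cp = _parse(inf_text)
    directives = launch_directives(inf_text)
    reasons: List[str] = []
    for _, target in directives:
        top_folder = target.lower().lstrip("\\").split("\\")[0]
        if top_folder in HIDDEN_SYSTEM_DIRS:
            reasons.append(f"launch target under hidden folder: {target}")
    for section in cp.sections():
        if section.lower() == "autorun":
            action = (cp.get(section, "action", fallback="") or "").lower()
            if FAKE_EXPLORER_TEXT in action:
                reasons.append("'action' text imitates the standard Explorer AutoPlay entry")
    if not directives:
        verdict = VERDICT_NONE
    elif reasons:
        verdict = VERDICT_SUSPICIOUS
    else:
        verdict = VERDICT_VERIFY
    return {"directives": directives, "reasons": reasons, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("worm-style", WORM_STYLE_AUTORUN), ("vendor CD", VENDOR_CD_AUTORUN)):
        print(label, assess(sample))
```

On a real drive the file and the folder it points into usually carry the hidden and system attributes, so list the root with `dir /a` to see them before feeding the file to this check, and treat the drive as untrusted until the launch target has been examined.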
     
  7. PottymouthNZ

    PottymouthNZ TS Rookie Topic Starter

    SunkFilt62 from Alcor Micro Corp: no idea what this is.

    I do use a flash drive but haven't used it for some time.

    Many thanks for your assistance.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome- glad to help.

    Let's just remove the oldest of the 2: Please run this Custom CFScript:

      [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\winxp\System32\Drivers\sunkfilt6.sys
    Driver::
    SunkFilt6;Alcor Micro Corp - 6360;\??\ --> c:\winxp\System32\Drivers\sunkfilt6.sys [?]
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
    ====================
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
      [​IMG]
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disc Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    Let me know if you have any more questions.
     
  9. PottymouthNZ

    PottymouthNZ TS Rookie Topic Starter

    File removal ComboFix log

    Bobbye, here is the latest log file.

    ComboFix 10-11-24.01 - Peter 25/11/2010 9:33.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.64.1033.18.2038.1297 [GMT 13:00]
    Running from: c:\documents and settings\Peter\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Peter\Desktop\CFScript.txt
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}

    FILE ::
    "c:\winxp\System32\Drivers\sunkfilt6.sys"
    .

    ((((((((((((((((((((((((( Files Created from 2010-10-24 to 2010-11-24 )))))))))))))))))))))))))))))))
    .

    2010-11-20 01:14 . 2010-09-07 13:52 165584 ----a-w- c:\winxp\system32\drivers\aswSP.sys
    2010-11-20 01:14 . 2010-09-07 13:47 17744 ----a-w- c:\winxp\system32\drivers\aswFsBlk.sys
    2010-11-20 01:14 . 2010-09-07 13:47 23376 ----a-w- c:\winxp\system32\drivers\aswRdr.sys
    2010-11-20 01:14 . 2010-09-07 13:52 46672 ----a-w- c:\winxp\system32\drivers\aswTdi.sys
    2010-11-20 01:14 . 2010-09-07 13:47 100176 ----a-w- c:\winxp\system32\drivers\aswmon2.sys
    2010-11-20 01:14 . 2010-09-07 13:47 94544 ----a-w- c:\winxp\system32\drivers\aswmon.sys
    2010-11-20 01:14 . 2010-09-07 13:46 28880 ----a-w- c:\winxp\system32\drivers\aavmker4.sys
    2010-11-20 01:14 . 2010-09-07 14:12 38848 ----a-w- c:\winxp\avastSS.scr
    2010-11-20 01:14 . 2010-09-07 14:11 167592 ----a-w- c:\winxp\system32\aswBoot.exe
    2010-11-20 01:14 . 2010-11-20 01:14 -------- d-----w- c:\program files\Alwil Software
    2010-11-20 01:14 . 2010-11-20 01:14 -------- d-----w- c:\documents and settings\All Users.WINXP\Application Data\Alwil Software
    2010-11-20 00:20 . 2010-11-20 00:20 388096 ----a-r- c:\documents and settings\Peter\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-11-20 00:20 . 2010-11-20 00:20 -------- d-----w- c:\program files\Trend Micro
    2010-11-19 09:16 . 2010-11-19 09:16 -------- d-----w- c:\documents and settings\Peter\Application Data\AVG10
    2010-11-19 09:14 . 2010-11-19 09:14 -------- d--h--w- c:\documents and settings\All Users.WINXP\Application Data\Common Files
    2010-11-19 09:13 . 2010-11-19 23:39 -------- d-----w- c:\documents and settings\All Users.WINXP\Application Data\AVG10
    2010-11-19 08:42 . 2010-11-19 09:02 -------- d-----w- c:\documents and settings\All Users.WINXP\Application Data\MFAData
    2010-11-18 08:29 . 2010-11-18 08:29 -------- d-----w- c:\documents and settings\Peter\Application Data\opencpn
    2010-11-16 09:02 . 2010-11-16 09:02 -------- d-----w- c:\documents and settings\Peter\Application Data\Malwarebytes
    2010-11-16 09:01 . 2010-04-29 02:39 38224 ----a-w- c:\winxp\system32\drivers\mbamswissarmy.sys
    2010-11-16 09:01 . 2010-11-16 09:01 -------- d-----w- c:\documents and settings\All Users.WINXP\Application Data\Malwarebytes
    2010-11-16 09:01 . 2010-11-16 09:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-16 09:01 . 2010-04-29 02:39 20952 ----a-w- c:\winxp\system32\drivers\mbam.sys
    2010-11-16 08:34 . 2010-11-16 08:34 142592 ----a-w- c:\winxp\system32\drivers\sp_rsdrv2.sys
    2010-11-16 08:34 . 2010-11-24 08:13 -------- d-----w- c:\documents and settings\Peter\Application Data\Spyware Terminator
    2010-11-16 08:34 . 2010-11-24 12:52 -------- d-----w- c:\documents and settings\All Users.WINXP\Application Data\Spyware Terminator
    2010-11-16 08:34 . 2010-11-18 06:54 -------- d-----w- c:\program files\Spyware Terminator
    2010-11-15 14:26 . 2010-11-15 14:26 -------- d-----w- c:\program files\ESET
    2010-11-05 22:37 . 2010-11-05 22:37 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2010-11-05 22:37 . 2010-11-05 22:37 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    2010-10-28 03:27 . 2010-07-16 12:05 1288192 -c----w- c:\winxp\system32\dllcache\ole32.dll
    2010-10-26 20:20 . 2010-09-18 06:53 953856 -c----w- c:\winxp\system32\dllcache\mfc40u.dll
    2010-10-26 20:20 . 2010-09-18 06:53 974848 -c----w- c:\winxp\system32\dllcache\mfc42.dll
    2010-10-26 20:17 . 2010-08-23 16:12 617472 -c----w- c:\winxp\system32\dllcache\comctl32.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-18 06:53 . 2006-02-28 12:00 974848 ----a-w- c:\winxp\system32\mfc42.dll
    2010-09-18 06:53 . 2006-02-28 12:00 954368 ----a-w- c:\winxp\system32\mfc40.dll
    2010-09-18 06:53 . 2006-02-28 12:00 953856 ----a-w- c:\winxp\system32\mfc40u.dll
    2010-09-17 23:23 . 2006-02-28 12:00 974848 ----a-w- c:\winxp\system32\mfc42u.dll
    2010-09-14 15:50 . 2010-06-07 09:31 472808 ----a-w- c:\winxp\system32\deployJava1.dll
    2010-09-14 13:29 . 2010-03-31 21:14 73728 ----a-w- c:\winxp\system32\javacpl.cpl
    2010-09-07 22:17 . 2010-09-07 22:17 94208 ----a-w- c:\winxp\system32\QuickTimeVR.qtx
    2010-09-07 22:17 . 2010-09-07 22:17 69632 ----a-w- c:\winxp\system32\QuickTime.qts
    2010-09-01 11:51 . 2006-02-28 12:00 285824 ----a-w- c:\winxp\system32\atmfd.dll
    2010-08-31 13:42 . 2006-02-28 12:00 1852800 ----a-w- c:\winxp\system32\win32k.sys
    2010-08-27 08:02 . 2006-02-28 12:00 119808 ----a-w- c:\winxp\system32\t2embed.dll
    2010-08-27 05:57 . 2006-02-28 12:00 99840 ----a-w- c:\winxp\system32\srvsvc.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-11-20_00.11.51 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-11-23 18:41 . 2010-11-23 18:41 16384 c:\winxp\Temp\Perflib_Perfdata_7ec.dat
    + 2010-11-23 18:41 . 2010-11-23 18:41 16384 c:\winxp\Temp\Perflib_Perfdata_4dc.dat
    + 2010-11-20 00:20 . 2010-11-20 00:20 1094656 c:\winxp\Installer\108ded.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2005-08-08 1109504]
    "Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-09-02 13351304]
    "SpywareTerminatorUpdate"="c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe" [2010-11-16 3037696]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
    "igfxtray"="c:\winxp\system32\igfxtray.exe" [2005-10-14 94208]
    "igfxhkcmd"="c:\winxp\system32\hkcmd.exe" [2005-10-14 77824]
    "igfxpers"="c:\winxp\system32\igfxpers.exe" [2005-10-14 114688]
    "MaxtorOneTouch"="c:\progra~1\Maxtor\OneTouch\Utils\OneTouch.exe" [2004-12-21 823296]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
    "MXOBG"="c:\winxp\MXOALDR.EXE" [2006-10-28 94208]
    "Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-09-03 139264]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-03 185896]
    "RegKillElbyCheck"="c:\program files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" [2002-11-02 45056]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-28 76304]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-13 248552]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-07 421888]
    "iTunesHelper"="c:\program files\iTunes1\iTunesHelper.exe" [2010-09-23 421160]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
    "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\winxp\system32\CTFMON.EXE" [2008-04-13 15360]

    c:\documents and settings\All Users.WINXP\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-4-1 568176]
    Cordless DUALphone Startup.lnk - c:\program files\Cordless USB Phone\Cordless DUALphone Suite.exe [2006-7-24 625000]
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-8-17 805392]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    2008-05-01 14:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\LightMaster\\Radar Training Simulator Mk2\\LMMessages.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Nokia\\Nokia Ovi Suite\\NokiaOviSuite.exe"=
    "c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
    "c:\\Program Files\\Participatory Culture Foundation\\Miro\\Miro_Downloader.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\iTunes1\\iTunes.exe"=
    "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
    "c:\\Program Files\\Spyware Terminator\\SpywareTerminatorUpdate.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R0 stmtpm;STM TPM Service;c:\winxp\system32\drivers\stm_tpm.sys [8/06/2008 6:34 p.m. 21504]
    R1 aswSP;aswSP;c:\winxp\system32\drivers\aswSP.sys [20/11/2010 2:14 p.m. 165584]
    R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\winxp\system32\drivers\sp_rsdrv2.sys [16/11/2010 9:34 p.m. 142592]
    R2 aswFsBlk;aswFsBlk;c:\winxp\system32\drivers\aswFsBlk.sys [20/11/2010 2:14 p.m. 17744]
    R2 sentemul;sentemul;c:\winxp\system32\drivers\SentEmul.sys [16/05/2010 3:56 p.m. 11812]
    R3 RegKill;RegKill;c:\winxp\system32\drivers\RegKill.sys [28/11/2002 10:46 a.m. 6400]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/07/2009 3:27 a.m. 133104]
    S3 ADM8511;%ADM8511.Service.DispName%;c:\winxp\system32\drivers\ADM8511.SYS [17/08/2001 1:11 p.m. 20160]
    S3 SunkFilt6;Alcor Micro Corp - 6360;\??\c:\winxp\System32\Drivers\sunkfilt6.sys --> c:\winxp\System32\Drivers\sunkfilt6.sys [?]
    S3 SunkFilt62;Alcor Micro Corp - 6362;c:\winxp\system32\drivers\sunkfilt62.sys [23/07/2004 3:55 p.m. 46536]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-06 c:\winxp\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 00:34]

    2010-11-24 c:\winxp\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-06 14:27]

    2010-11-24 c:\winxp\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-06 14:27]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://news.google.co.nz/nwshp?ie=UTF-8&hl=en&tab=wn
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    TCP: {697C63E7-B68E-467B-8AD7-3F5C58A13340} = 202.27.158.40,202.27.156.72
    FF - ProfilePath - c:\documents and settings\Peter\Application Data\Mozilla\Firefox\Profiles\4e134232.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://news.google.co.nz/nwshp?hl=en&tab=wn|http://metservice.com/marine/index|....nz/|https://mail.coastguard.org.nz/exchange/
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\iTunes1\Mozilla Plugins\npitunes.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\winxp\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-25 09:38
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(792)
    c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
    c:\program files\common files\logitech\bluetooth\LBTServ.dll
    c:\winxp\system32\igfxdev.dll

    - - - - - - - > 'explorer.exe'(4128)
    c:\program files\Logitech\SetPoint\GameHook.dll
    c:\program files\Logitech\SetPoint\lgscroll.dll
    c:\winxp\system32\btmmhook.dll
    c:\winxp\system32\WPDShServiceObj.dll
    c:\winxp\system32\PortableDeviceTypes.dll
    c:\winxp\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-11-25 09:40:03
    ComboFix-quarantined-files.txt 2010-11-24 20:40
    ComboFix2.txt 2010-11-20 00:14

    Pre-Run: 7,544,975,360 bytes free
    Post-Run: 7,606,915,072 bytes free

    - - End Of File - - 45D347D0D69240A056D582DCB0ED0B8E
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Before you do the following script, please resolve this:
    AV: avast! Antivirus
    FW: AVG Firewall


    Your log shows AVG 10 running. It also still shows 2010-11-20 c:\program files\Alwil Software and has data files for both programs. You can have one AV program and one Firewall. If these are the free versions, I don't think either of them has both an AV and a FW. Please remove one:

    Reboot the computer when through.

    Please tell me which one you removed or which you're keeping. I will add any remaining entries for the one removed to the script below. Don't run the script yet. Wait until you tell me which one goes.
    ==========================================
    Hold on script below

    Short Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    c:\winxp\System32\Drivers\sunkfilt6.sys
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sunkist2k"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    Driver::
    SunkFilt6
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
    ====================
     
  11. PottymouthNZ

    PottymouthNZ TS Rookie Topic Starter

    Hi there decided to keep AVG and ditch Avast
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Did you run the Avast Removal Tool? Please do that, then run a new Combofix scan. Right now, it is full of Avast entries. Then I will redo the script to add any left over entries.

    When done, Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
     
  13. PottymouthNZ

    PottymouthNZ TS Rookie Topic Starter

    Avg !!

    I did run the Avast! removal tool, and I have reinstalled ComboFix for the scan. The problem is it will not run with AVG, even with all settings disabled/stopped.

    Message reads
    Combofix cannot run when AVG is installed.
    This is due to AVG's targeting of Combofix's files/processes. it would be dangerous to continue.

    Please uninstall AVG or use another tool

    Is there anything else we could use?
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    AVG just isn't making any sense to me! You ran Combofix already! It really doesn't need to be run again. I've already ended this thread when I gave you the cleaning tools removal. Just between the two of us, I wish you had kept Avast instead of AVG!

    Please do the HijackThis scan. Don't attempt to rerun any of the other programs again please.
     
  15. PottymouthNZ

    PottymouthNZ TS Rookie Topic Starter

    Hijackthis Log

    Bobbye
    I decided to keep AVG because it found the trojan, so I know it works well.

    Here is the log file

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 7:51:08 a.m., on 1/12/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINXP\System32\smss.exe
    C:\WINXP\system32\winlogon.exe
    C:\WINXP\system32\services.exe
    C:\WINXP\system32\lsass.exe
    C:\WINXP\system32\svchost.exe
    C:\WINXP\System32\svchost.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINXP\system32\svchost.exe
    C:\WINXP\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\WINXP\system32\crypserv.exe
    C:\Program Files\Wave Systems Corp\Common\DataServer.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\WINXP\system32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINXP\System32\svchost.exe
    C:\WINXP\System32\svchost.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\WINXP\system32\svchost.exe
    C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe
    C:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
    C:\WINXP\system32\wwSecure.exe
    C:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
    C:\WINXP\System32\svchost.exe
    C:\WINXP\Explorer.EXE
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINXP\system32\hkcmd.exe
    C:\WINXP\system32\igfxpers.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINXP\MXOALDR.EXE
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iTunes1\iTunesHelper.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Program Files\AVG\AVG10\avgemcx.exe
    C:\Program Files\AVG\AVG10\avgfws.exe
    C:\Program Files\AVG\AVG10\avgnsx.exe
    C:\Program Files\AVG\AVG10\avgchsvx.exe
    C:\Program Files\AVG\AVG10\avgrsx.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\Program Files\AVG\AVG10\avgam.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
    C:\Office 2003\OFFICE11\OUTLOOK.EXE
    C:\Office 2003\OFFICE11\WINWORD.EXE
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\DOCUME~1\Peter\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.co.nz/nwshp?ie=UTF-8&hl=en&tab=wn
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINXP\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINXP\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINXP\system32\igfxpers.exe
    O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [MXOBG] C:\WINXP\MXOALDR.EXE
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes1\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Cordless DUALphone Startup.lnk = C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\OFFICE~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINXP\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINXP\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{697C63E7-B68E-467B-8AD7-3F5C58A13340}: NameServer = 202.27.158.40,202.27.156.72
    O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
    O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINXP\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINXP\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
    O23 - Service: AVG Firewall (avgfws) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgfws.exe
    O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINXP\SYSTEM32\crypserv.exe
    O23 - Service: DataSvr - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
    O23 - Service: NTRU Hybrid TSS v1.05 TCSD (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe
    O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
    O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINXP\system32\wwSecure.exe

    --
    End of file - 11612 bytes
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Quoting: "I decided to keep AVG because it found the trojan, so I know it works well."

    Ah, but do you know what it might have missed?!

    I missed this earlier: Your log shows running processes like this:

    C:\WINXP\System32\smss.exe
    C:\WINXP\system32\winlogon.exe
    C:\WINXP\system32\services.exe
    C:\WINXP\system32\lsass.exe
    C:\WINXP\system32\svchost.exe


    Running processes: They would normally display like this:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe

    Just a few examples.

    The only connection to the WINXP is in the Service for Webroot which has:
    O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINXP\system32\wwSecure.exe

    Another example:
    This > C:\WINXP\system32\wwSecure.exe would normally display as C:\WINDOWS\system32\wwSecure.exe

    Do you have any idea why the Directory is WINXP and not WINDOWS?
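    Bobbye's reading of the HijackThis log above (which Windows directory the core processes run from, "(file missing)" entries, O23 services with no owner, O4 entries that are bare image names) as an added Python example; this is not code from the thread, from HijackThis or from ComboFix, the excerpt is trimmed from the log posted above, and the finding names are my own.

```python
import re
from collections import Counter

# Sample input: an excerpt of the HijackThis log posted in this thread,
# constructed by trimming it to a few representative lines.
HJT_EXCERPT = r"""Logfile of Trend Micro HijackThis v2.0.4
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe

O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINXP\system32\wwSecure.exe
"""

# HJT entry lines look like "O23 - Service: ..."; the code is the section type.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
QUOTED_PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"')
DRIVE_PATH_RE = re.compile(r"[A-Za-z]:\\.*")
# Processes that always live under the Windows directory; their paths reveal it.
CORE_PROCESSES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe"}


def parse_hjt(text):
    """Split a HijackThis log into the platform line, running processes and entries."""
    platform, processes, entries = None, [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # a blank line ends the process list
            continue
        if line.startswith("Platform:"):
            platform = line.split(":", 1)[1].strip()
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append({"code": m.group("code"), "body": m.group("body")})
    return {"platform": platform, "processes": processes, "entries": entries}


def entry_path(body):
    """Return the drive path an entry names, or None for a bare image name."""
    q = QUOTED_PATH_RE.search(body)
    if q:
        return q.group(1)             # quoted path followed by arguments
    m = DRIVE_PATH_RE.search(body)
    if not m:
        return None
    # HJT appends notes such as "(file missing)" or "(User 'SYSTEM')".
    return re.sub(r"\s*\((file missing|User '[^']*')\)\s*$", "", m.group(0))


def system_root(processes):
    """Infer the Windows directory (e.g. C:\\WINXP) from the core process paths."""
    roots = Counter()
    for proc in processes:
        parts = proc.split("\\")
        if len(parts) >= 3 and parts[-1].lower() in CORE_PROCESSES:
            roots["\\".join(parts[:2])] += 1
    return roots.most_common(1)[0][0] if roots else None


def review_log(text):
    """Collect the observations the helper made by eye when reading the log."""
    log = parse_hjt(text)
    root = system_root(log["processes"])
    findings = {
        "platform": log["platform"],
        "system_root": root,
        # A Windows directory other than C:\WINDOWS is legitimate (chosen at
        # setup time) but uncommon: a question for the user, not proof of infection.
        "nonstandard_system_root": root is not None and root.upper() != r"C:\WINDOWS",
        "file_missing": [],            # entries pointing at files no longer present
        "unknown_owner_services": [],  # O23 services with no vendor name
        "unresolved_image_names": [],  # O4 entries that rely on the search path
    }
    for entry in log["entries"]:
        body, code = entry["body"], entry["code"]
        if body.endswith("(file missing)"):
            findings["file_missing"].append(f"{code} - {body}")
        if code == "O23" and "- Unknown owner -" in body:
            findings["unknown_owner_services"].append(entry_path(body))
        if code == "O4" and entry_path(body) is None:
            findings["unresolved_image_names"].append(body)
    return findings


if __name__ == "__main__":
    for key, value in review_log(HJT_EXCERPT).items():
        print(f"{key}: {value}")
```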
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Closed due to inactivity. If the problem persists and you need the thread reopened, please send me a PM. Threads are closed after 5 days of inactivity.
     
Topic Status:
Not open for further replies.
