[Active] Trojans somewhere!


aindia
Hi,

I got infected by a trojan or two recently -- thought I had it cleaned but apparently not. I'm getting a lot of pop ups by my AV saying that svchost.exe is trying to connect to a malicious website -- also get occasional websites popping up in a new tab when I am browsing.

I of course tried to fix this before I found your website and your 6 steps, so I probably messed something up 0.o. Malwarebytes (or any of my AVs) aren't showing any infections, but there is something there!

I am currently running the 6 steps -- though I had a problem with gmer, which I had a question on: when I run it, is it supposed to take like 12+ hrs? lol I didn't get a warning or anything about scanning my whole system, but it still took over 12 hrs and then it locked up and didn't finish. Whole computer froze up :(

And if it's any clue -- TFC cleaned out over 6 billion bytes from the temp folder on my administrator account... whew.. so something is there, I just can't find the darn thing.

Redoing malwarebytes quick scan now so I will post that shortly, but it's going to show no infections I'm sure. I can post the old log with the infections if you want as well, just let me know.

Thanks in advance for any assistance!
 
Malwarebytes log --


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4395

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

8/6/2010 9:08:50 AM
mbam-log-2010-08-06 (09-08-50).txt

Scan type: Quick scan
Objects scanned: 146546
Time elapsed: 7 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Will happily do so.. I tried running gmer and it took over 12 hrs and then froze and locked up my computer and never finished. Is that a normal scan time? If so I'll start it again lol.. but if not I want to know what I did wrong 0.o.
 
Gmer log -- it crashed again so ran it in safe mode with no problems.
 

Attachment: gmer.log (2.1 KB)
Please download ComboFix by sUBs from HERE or HERE
  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply.
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!
 
Ok, had problems with combofix -- ran it the first time and it sat there for an hour without doing anything. Rebooted -- ran it again and this time no problem. So that is why it took so long, sorry :(

Posting the log
 

Attachment: combofix.log (21.3 KB)
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
DDS::
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyServer = http=127.0.0.1:5555
TB: WeatherBug Browser Bar - powered by MyWebSearch: {8eab99c9-f9ec-4b64-a4ba-d9bcae8779c2} - c:\program files\mywebsearchwb\bar\1.bin\W6BAR.DLL
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScript.gif]

7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
  • Combofix.txt
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

==============

Let me know how the pc is now.
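A check for the hijack indicators the script above clears, as an added example that is neither the helper's nor ComboFix's code: it runs over DDS-style lines constructed from this thread's logs and flags a proxy bound to loopback, toolbar registrations with no backing file, a toolbar DLL from a known adware family, and search/home URLs pointing at hosts outside an expected list. The expected-host set and the adware name list are assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: the DDS-style lines from this thread's ComboFix output
# (hxxp is the defanged form of http that these logs use).
SAMPLE_DDS = r"""
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyServer = http=127.0.0.1:5555
TB: WeatherBug Browser Bar - powered by MyWebSearch: {8eab99c9-f9ec-4b64-a4ba-d9bcae8779c2} - c:\program files\mywebsearchwb\bar\1.bin\W6BAR.DLL
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>;*.local
"""

# Assumption: hosts the user expects as home/search page destinations.
EXPECTED_HOSTS = {"www.google.com"}
# Assumption: name fragments of toolbar/adware families seen in the thread.
PUP_MARKERS = ("mywebsearch",)
SEARCH_KEYS = re.compile(r"^[um](Default_Search_URL|Search Bar|Start Page)\s*=")


def refang(url):
    """Turn the log's defanged hxxp:// back into http:// so urlparse sees a scheme."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def proxy_is_loopback(value):
    """True if any entry of a ProxyServer value ("http=host:port;..." or "host:port")
    points at localhost. A loopback proxy on a box with no proxying software
    installed means something local is sitting between the browser and the network."""
    for entry in value.split(";"):
        hostport = entry.split("=", 1)[-1].strip()
        host = hostport.rsplit(":", 1)[0].strip("[]")
        if host.lower() == "localhost":
            return True
        try:
            if ipaddress.ip_address(host).is_loopback:
                return True
        except ValueError:  # not an IP literal, e.g. a corporate proxy hostname
            continue
    return False


def check_dds(text):
    """Return (kind, line) findings for the hijack indicators in DDS-style output."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("uInternet Settings,ProxyServer"):
            if proxy_is_loopback(line.split("=", 1)[1]):
                findings.append(("loopback-proxy", line))
        elif line.startswith("TB:"):
            # The path follows the last " - "; "No File" or nothing at all means the
            # registration outlives its DLL (typical leftover of a removed toolbar).
            path = line.rsplit(" - ", 1)[-1].strip()
            if path == "No File" or line.endswith("-"):
                findings.append(("orphan-toolbar", line))
            elif any(marker in path.lower() for marker in PUP_MARKERS):
                findings.append(("pup-toolbar", line))
        elif SEARCH_KEYS.match(line):
            host = urlparse(refang(line.split("=", 1)[1].strip())).hostname or ""
            if host.lower() not in EXPECTED_HOSTS:
                findings.append(("unexpected-search-host", line))
    return findings


if __name__ == "__main__":
    for kind, line in check_dds(SAMPLE_DDS):
        print(f"{kind:24} {line}")
```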
 
Second Combofix log:

ComboFix 10-08-06.03 - HP_Administrator 08/07/2010 10:19:37.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1254 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\HP_Administrator\Local Settings\Temp\IadHide5.dll

.
((((((((((((((((((((((((( Files Created from 2010-07-07 to 2010-08-07 )))))))))))))))))))))))))))))))
.

2010-08-05 18:37 . 2010-08-05 18:37 -------- d-----w- c:\windows\Cache
2010-08-05 18:37 . 2010-08-05 18:37 -------- d-----w- c:\program files\Coupons
2010-08-04 17:15 . 2010-08-04 17:15 -------- d-----w- c:\windows\system32\wbem\Repository
2010-08-04 17:14 . 2010-08-05 21:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-03 15:50 . 2010-08-04 17:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware(2)
2010-07-30 05:41 . 2010-08-04 17:08 -------- d-----w- c:\program files\Turbo Subs
2010-07-29 18:11 . 2010-07-29 18:11 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2010-07-29 18:11 . 2010-07-29 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-29 18:11 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-29 18:10 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-28 22:53 . 2010-08-04 17:08 -------- d-----w- c:\program files\Shopmania
2010-07-25 01:51 . 2010-07-25 01:51 -------- d-----w- c:\program files\Wedding Dash - Ready, Aim, Love
2010-07-25 01:12 . 2010-07-25 01:12 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Sunbelt Software
2010-07-25 01:10 . 2010-07-25 01:10 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-24 18:41 . 2010-07-24 18:41 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple
2010-07-23 17:37 . 2010-08-06 19:45 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-16 22:33 . 2010-07-16 22:33 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Yahoo
2010-07-16 22:33 . 2010-07-16 22:33 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Yahoo!
2010-07-16 13:08 . 2010-07-16 13:08 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 23:50 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-15 23:40 . 2010-07-15 23:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-05 21:32 . 2006-09-13 02:24 -------- d-----w- c:\program files\Common Files\Java
2010-08-05 21:31 . 2006-09-13 02:24 -------- d-----w- c:\program files\Java
2010-08-05 18:39 . 2007-02-22 21:36 -------- d-----w- c:\program files\Lx_cats
2010-08-03 16:03 . 2007-01-15 14:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-03 16:02 . 2009-07-21 13:17 -------- d-----w- c:\program files\Megaplex Madness - Summer Blockbuster
2010-08-02 19:28 . 2009-07-21 13:28 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\MegaplexMadnessSummerBlockbuster
2010-07-30 00:59 . 2009-08-19 16:27 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\HpUpdate
2010-07-26 13:22 . 2006-09-13 02:59 -------- d-----w- c:\program files\DivX
2010-07-26 13:21 . 2008-04-09 05:25 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Move Networks
2010-07-26 13:17 . 2007-01-11 02:53 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\IGN_DLM
2010-07-26 13:17 . 2007-01-11 02:52 -------- d-----w- c:\program files\IGN
2010-07-26 13:16 . 2006-09-13 02:58 -------- d-----w- c:\program files\muvee Technologies
2010-07-26 13:16 . 2006-09-13 02:55 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-26 13:12 . 2008-02-29 21:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-07-26 13:08 . 2009-05-09 00:45 -------- d-----w- c:\program files\PopCap Games
2010-07-26 13:06 . 2006-09-13 03:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-07-26 13:05 . 2009-08-29 20:24 -------- d-----w- c:\program files\Graboid
2010-07-26 13:03 . 2009-09-12 01:21 -------- d-----w- c:\program files\Turbine
2010-07-26 13:02 . 2009-07-29 22:36 -------- d-----w- c:\program files\City of Heroes
2010-07-26 13:02 . 2009-08-24 18:36 -------- d-----w- c:\program files\Cryptic Studios
2010-07-26 13:01 . 2010-03-02 15:46 -------- d-----w- c:\program files\Armadillo Run Demo
2010-07-25 01:12 . 2007-02-25 13:25 -------- d-----w- c:\program files\Google
2010-07-17 09:00 . 2010-04-30 13:30 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-16 14:58 . 2007-03-29 22:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-07-16 13:08 . 2009-09-09 13:28 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-16 13:07 . 2009-09-09 13:28 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-16 07:01 . 2009-09-19 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-12 08:55 . 2010-03-14 14:12 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-12 08:55 . 2010-03-14 15:07 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-21 22:25 . 2010-06-21 22:25 -------- d-----w- c:\documents and settings\All Users\Application Data\MythPeople
2010-06-21 22:24 . 2010-06-21 22:24 -------- d-----w- c:\program files\Miriel's Enchanted Mystery
2010-06-21 19:35 . 2010-06-21 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\SulusGames
2010-06-16 12:44 . 2008-05-13 14:47 -------- d-----w- c:\program files\Airport Mania - First Flight
2010-06-11 23:36 . 2010-06-11 23:36 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Hotdog Hotshot
2010-06-09 10:34 . 2008-10-21 00:50 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Skype
2010-06-09 04:00 . 2008-10-21 00:57 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\skypePM
2010-06-03 13:44 . 2009-09-09 13:28 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2008-02-28 16:24 . 2008-02-28 16:24 0 ----a-w- c:\program files\temp01
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-15 68856]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2009-10-20 1693184]
"Aim"="c:\program files\AIM\aim.exe" [2010-04-19 3972440]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"ftutil2"="ftutil2.dll" [2004-06-07 106496]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 16239616]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 77312]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-13 180269]
"lxccmon.exe"="c:\program files\Lexmark 3300 Series\lxccmon.exe" [2005-02-21 192512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"nwiz"="nwiz.exe" [2009-02-18 1657376]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-16 2065760]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"LXCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-01-10 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-8-23 813584]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-9-12 36903]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-9-12 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-9-12 27136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-16 13:08 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Lexmark 3300 Series\\LXCClpx.exe"=
"c:\\WINDOWS\\ehome\\ehshell.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Lexmark 3300 Series\\lxccaiox.exe"=
"c:\\Program Files\\Lexmark 3300 Series\\pheditor.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/14/2010 10:12 AM 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/9/2009 9:28 AM 216400]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/9/2009 9:28 AM 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/16/2010 9:08 AM 308136]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 4:55 AM 1352832]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [8/23/2009 6:19 PM 10384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/23/2010 10:46 AM 135664]
S3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [9/12/2006 10:40 PM 82048]
S3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\system32\drivers\lne100v5.sys [7/18/2009 7:22 PM 36224]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-08-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 08:55]

2010-07-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2010-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-23 14:46]

2010-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-23 14:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0vc4w2xp.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-07 10:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(536)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(4592)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\ARPWRMSG.EXE
c:\windows\eHome\ehmsas.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\lxcccoms.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\hp\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
**************************************************************************
.
Completion time: 2010-08-07 10:49:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-07 14:48
ComboFix2.txt 2010-08-07 13:53

Pre-Run: 152,833,208,320 bytes free
Post-Run: 152,822,906,880 bytes free

- - End Of File - - 0381D21BC6515439A627A245DCE4DC19
 
And what internet use I've had since combofix was run, it seems to be better. I've not noticed any redirects or had my ad-aware pop up with Svchost.exe problems. But it's only been a couple hours so far :D

Thank you for your help! I know we aren't done yet..but still want to say thanks! :D
 
That's good news :).
Let's do an on-line scan to see if anything else turns up before we do a final clean-up.

Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on the Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases
6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
 
erm.. do I have to turn my AVG completely off? And if so, I honestly have no clue how to do that other than just closing the files in task manager.
 
I can with the Ad-Aware, but not with AVG -- my choices are to open the interface (of which the only item I can turn off is the resident shield), scan, update or help. There is no disable thing that I can find :(

Ok well disabling the resident shield and gonna try that.. if it causes problems I'll just shut it down and try again heh
 
Ok.. Kaspersky report ---

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, August 8, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, August 07, 2010 20:45:05
Records in database: 4131200
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Objects scanned: 262277
Threats found: 8
Infected objects found: 10
Suspicious objects found: 0
Scan duration: 06:01:58


File name / Threat / Threats count
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\Program Files\My Kingdom for the Princess\peacecraft.exe Infected: Trojan-Dropper.Win32.Agent.cgwk 1
C:\Program Files\MyWebSearchWB\bar\1.bin\NPMYSRWB.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.i 1
C:\Program Files\MyWebSearchWB\bar\1.bin\W6PLUGIN.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.l 1
C:\Program Files\MyWebSearchWB\bar\1.bin\W6WBTEMP.DLL Infected: not-a-virus:AdWare.Win32.WeatherBug.f 1
C:\Qoobox\32788R22FWJFW\kbdclass.sys Infected: Rootkit.Win32.TDSS.ap 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\sargdops.ini.vir Infected: Trojan.Win32.Small.ackh 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1208\A0129884.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1240\A0146633.ini Infected: Trojan.Win32.Small.ackh 1
C:\Trickster Online\GameGuard\GameMon.des Infected: Trojan.Win32.Refroso.bajm 1

Selected area has been scanned.
 
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
KillAll::

Folder::
C:\Program Files\MyWebSearchWB
File::
C:\Program Files\mIRC\mirc.exe
C:\Program Files\My Kingdom for the Princess\peacecraft.exe
C:\Trickster Online\GameGuard\GameMon.des

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScript.gif]

7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
  • Combofix.txt
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

==================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:


netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\System32\config\*.sav
CREATERESTOREPOINT


* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
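The triage behind the CFScript above, written as an added example (not the helper's or ComboFix's code): it parses the posted Kaspersky report, sets aside hits inside ComboFix's own quarantine (C:\Qoobox) and the XP restore points, which are copies rather than live files, and turns the rest into File::/Folder:: directives, collapsing a program directory whose hits are all toolbar/adware components into a single Folder:: entry. The program-directory rule and the adware markers are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample: the detection lines of the Kaspersky Online Scanner 7.0
# report posted in this thread (file name / threat / threats count).
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\Program Files\My Kingdom for the Princess\peacecraft.exe Infected: Trojan-Dropper.Win32.Agent.cgwk 1
C:\Program Files\MyWebSearchWB\bar\1.bin\NPMYSRWB.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.i 1
C:\Program Files\MyWebSearchWB\bar\1.bin\W6PLUGIN.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.l 1
C:\Program Files\MyWebSearchWB\bar\1.bin\W6WBTEMP.DLL Infected: not-a-virus:AdWare.Win32.WeatherBug.f 1
C:\Qoobox\32788R22FWJFW\kbdclass.sys Infected: Rootkit.Win32.TDSS.ap 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\sargdops.ini.vir Infected: Trojan.Win32.Small.ackh 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1208\A0129884.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1240\A0146633.ini Infected: Trojan.Win32.Small.ackh 1
C:\Trickster Online\GameGuard\GameMon.des Infected: Trojan.Win32.Refroso.bajm 1

Selected area has been scanned.
"""

LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
# Paths that hold copies, not live files: ComboFix's quarantine/backup folder and
# XP System Restore snapshots (both are purged by the clean-up steps, not by File::).
CONTAINED_PREFIXES = ("c:\\qoobox\\",)
CONTAINED_PARTS = ("\\system volume information\\",)
# Assumption: threat-name fragments that mark toolbar/adware components.
ADWARE_MARKERS = ("webtoolbar", "adware")


def parse_report(text):
    """Extract (path, threat, count) records from the report's detection lines."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append({"path": m["path"], "threat": m["threat"], "count": int(m["count"])})
    return hits


def classify(hit):
    low = hit["path"].lower()
    if low.startswith(CONTAINED_PREFIXES) or any(p in low for p in CONTAINED_PARTS):
        return "contained"
    if hit["threat"].lower().startswith("not-a-virus:"):
        return "riskware"  # Kaspersky's label for legitimate-but-abusable software
    return "malware"


def triage(text):
    """Group the report's hits by how they should be handled."""
    buckets = defaultdict(list)
    for hit in parse_report(text):
        buckets[classify(hit)].append(hit)
    return dict(buckets)


def install_dir(path):
    """Assumption: under the Program Files folder the install directory is the
    next path component; elsewhere use the file's parent directory."""
    parts = path.split("\\")
    if len(parts) > 3 and parts[1].lower() == "program files":
        return "\\".join(parts[:3])
    return "\\".join(parts[:-1])


def build_cfscript(text):
    """Emit ComboFix Folder::/File:: directives for the live (non-contained) hits."""
    actionable = [h for h in parse_report(text) if classify(h) != "contained"]
    by_dir = defaultdict(list)
    for h in actionable:
        by_dir[install_dir(h["path"])].append(h)
    folders, files = [], []
    for h in actionable:
        directory = install_dir(h["path"])
        group = by_dir[directory]
        all_adware = all(any(m in g["threat"].lower() for m in ADWARE_MARKERS) for g in group)
        if len(group) > 1 and all_adware:
            # Several adware components in one install directory: remove the whole thing.
            if directory not in folders:
                folders.append(directory)
        else:
            files.append(h["path"])
    lines = ["KillAll::", ""]
    if folders:
        lines += ["Folder::"] + folders
    if files:
        lines += ["File::"] + files
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_REPORT).items():
        print(kind, [h["path"] for h in hits])
    print(build_cfscript(SAMPLE_REPORT))
```

Run against the posted report it reproduces the helper's script above line for line, which is a useful cross-check before hand-writing a CFScript from a longer report.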
 
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :Files
    C:\Documents and Settings\All Users\Application Data\TEMP
    
    :Commands
    [emptyflash]
    [emptytemp]
    [resethosts]
    [CLEARALLRESTOREPOINTS]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top.
  • Let the program run unhindered, reboot the PC when it is done.
  • Post log from this run.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
 
New OTL report -- Ermm, looking back at this.. you asked for the OTL from the fix run too and I didn't post that one, and I'm not sure where to find it if it's still there :( This is the one from the quick scan after it rebooted.
 

Attachment: OTL.Txt (98.4 KB)
Seems to be running fine. No alerts about svchost and no redirects, also not getting the huge svchost.exe file in task manager either.. yay! :D

Thank you for your help so far! :D
 