Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Another HiJackThis first-time user

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Another HiJackThis first-time user

Unread postby PGavistone » August 29th, 2007, 6:52 am

I'm guessing this is common, but I'm getting pop-ups often while using the browser. A friend of mine told me about HiJackThis. Here's the log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:45:30 AM, on 8/30/2007
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\taskmgr.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Conquer 2.0\Conquer.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Warcraft III\Maps\Download\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F3 - REG:win.ini: load=C:\WINDOWS\taskmgr.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: - {0fbb27f0-4b5a-41c3-850f-32270c157bdb} - C:\WINDOWS\System32\qgxfdw.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu11.exe 61A847B5BBF72813338B2B27128065E9C084320161C4661227A755E9C2933154389A284662E902BC9ED7286138F75F2F0C8D6E84A1EF604776CA6C1637F810FD97CB77
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\VIP\Application Data\WinTouch\WinTouch.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://www.winantispyware.com/download/ ... 34&affid=3
O16 - DPF: {F977E961-BC9E-4B91-ACF8-468E1CC224DD} (FixUpdate Class) - http://69.59.149.193:82/enzf/TqUpdate_Release.CAB
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4738 bytes
PGavistone
Active Member
 
Posts: 6
Joined: August 29th, 2007, 6:47 am
Advertisement
Register to Remove

Unread postby Navigator » August 29th, 2007, 5:55 pm

Hello PGavistone...welcome to Malware Removal! You have quite a bit of malware on your system...I will try and help you to clean it.

Please do this:

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post the ComboFix log and a new HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall
User avatar
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby PGavistone » August 29th, 2007, 11:41 pm

Dear Navigator,

I appreicate your assistance on my dilemma. I appologize if my responses aren't very quick, I work long hours and come home long enough to get some rest. As for your request, see below:

ComboFix 07-08-30.2 - "VIP" 2007-08-30 23:30:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.222 [GMT -4:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\VIP\APPLIC~1\asks~1
C:\DOCUME~1\VIP\APPLIC~1\WinTouch
C:\DOCUME~1\VIP\STARTM~1\Programs\Startup.\TA_Start.lnk
C:\DOCUME~1\VIP\STARTM~1\Programs\Startup\ta_start.lnk
C:\DOCUME~1\VIP\STARTM~1\Programs\Startup\think-adz.lnk
C:\Program Files\Common Files\ystem~1
C:\Temp\fse
C:\WINDOWS\b104.exe
C:\WINDOWS\b136.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\mcroso~1.net
C:\WINDOWS\notedad.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\dwdsrngt.exe
C:\windows\system32\explorer.exe
C:\WINDOWS\system32\explorer.exe
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\mp43.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\pwinqmdt.exe
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\taskmgr.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\core


((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-31 )))))))))))))))))))))))))))))))


2007-08-30 23:29 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-30 07:28 <DIR> d-------- C:\Temp
2007-08-28 23:15 <DIR> d-------- C:\Program Files\Ventrilo
2007-08-28 23:15 <DIR> d-------- C:\DOCUME~1\VIP\APPLIC~1\Ventrilo
2007-08-28 00:24 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-28 00:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-28 00:23 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-02 23:55 126 --a------ C:\WINDOWS\system32\tpug.bat
2007-08-02 23:55 117 --a------ C:\WINDOWS\system32\znsgxuh.bat
2007-07-17 13:55 <DIR> d--hs---- C:\WINDOWS\VklQ
2007-07-17 13:55 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
2007-07-11 22:55 <DIR> d-------- C:\Program Files\CDBurnerXP Pro 3
2007-07-08 15:59 <DIR> d-------- C:\Program Files\Winamp
2007-07-06 00:05 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-07-06 00:02 682,232 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-07-05 22:04 76,039 --a------ C:\WINDOWS\War3Unin.dat
2007-07-05 22:04 2,829 --a------ C:\WINDOWS\War3Unin.pif
2007-07-05 22:04 139,264 --a------ C:\WINDOWS\War3Unin.exe
2007-07-05 21:59 <DIR> d-------- C:\Program Files\Warcraft III
2007-07-04 17:42 <DIR> d-------- C:\DOCUME~1\VIP\APPLIC~1\AdobeUM


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-30 06:18 --------- d-------- C:\Program Files\BroadJump
2007-08-28 00:29 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-28 00:29 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-16 20:58 --------- d-------- C:\Program Files\Conquer 2.0
2005-07-29 20:24:26 472 --sha-r C:\WINDOWS\VklQ\p45k.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0fbb27f0-4b5a-41c3-850f-32270c157bdb}]
C:\WINDOWS\System32\qgxfdw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-29 17:50]
"nwiz"="nwiz.exe" [2004-10-29 17:50 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-10-29 17:50]
"PD0620 STISvc"="P0620Pin.dll" [2005-05-10 13:03 C:\WINDOWS\system32\P0620Pin.dll]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-16 08:19]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 18:22]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-17 08:32]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-30 05:59]
"{98-80-01-1B-ZN}"="c:\windows\system32\dwdsrngt.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative WebCam Tray"="C:\Program Files\Creative\Shared Files\CamTray.exe" [2005-03-29 02:13]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-07-29 19:34]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 18:29]

R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\System32\DRIVERS\RimSerial.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-30 23:34:52
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-30 23:35:32 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-30 23:35

--- E O F ---

And the new HijackThis:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:37:54 PM, on 8/30/2007
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Warcraft III\Maps\Download\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: - {0fbb27f0-4b5a-41c3-850f-32270c157bdb} - C:\WINDOWS\System32\qgxfdw.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [{98-80-01-1B-ZN}] c:\windows\system32\dwdsrngt.exe CHD003
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://www.winantispyware.com/download/ ... 34&affid=3
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {F977E961-BC9E-4B91-ACF8-468E1CC224DD} (FixUpdate Class) - http://69.59.149.193:82/enzf/TqUpdate_Release.CAB
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4478 bytes
PGavistone
Active Member
 
Posts: 6
Joined: August 29th, 2007, 6:47 am

Unread postby Navigator » August 30th, 2007, 5:25 pm

You are welcome...

Before we get started, you might want to print out the instructions below as I will have you go into safe mode, and this webpage will be unavailable to you. We also need to ensure your system is set to show 'hidden files' by doing this:

Reveal Hidden Files

  • Click Start.
  • Open My Computer.
  • SelectTools menu
  • Click Folder Options.
  • Select the View Tab.
  • Check Show hidden files and foldersin the Hidden files and folders section.
  • Uncheck Hide protected operating system files (recommended) option.
  • Uncheck the Hide file extensions for known file types option.
  • Click Yes.
  • Click OK.


1. First download AVG anti-spyware (previously Ewido) from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need run AVG and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG anti-spyware, Do Not run a scan just yet, we will shortly.


    2. Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only

    Save it to your desktop, we will use it later.

    3. Please re-open HiJackThis and choose scan only. Check the boxes next to all the entries listed below.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
    O4 - HKLM\..\Run: [{98-80-01-1B-ZN}] c:\windows\system32\dwdsrngt.exe CHD003
    O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://www.winantispyware.com/download/ ... 34&affid=3
    O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
    O16 - DPF: {F977E961-BC9E-4B91-ACF8-468E1CC224DD} (FixUpdate Class) - http://69.59.149.193:82/enzf/TqUpdate_Release.CAB


    Now close all windows other than HiJackThis, then click Fix Checked.

    Reboot into safe mode by restarting your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    4.Please delete these files using Windows Explorer(if present):
    • Click Start>>All Programs>>Accessories>>Windows Explorer
    • Navigate to the listed files, then right-click to select them and click delete:


    C:\WINDOWS\system32\P0620Pin.dll


    5. Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
      Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
      Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.

    6. IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
    • Lauch AVG-anti-spyware by double-clicking the icon on your desktop.
    • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    • ewido will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    • If you have any infections you will prompted, then select "Apply all actions"
    • Next select the "Reports" icon at the top.
    • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    • Close AVG and reboot your system back into Normal Mode .


7. Post back with the AVG report and a new HJT log for me to review, and let me know what problems you may be having with your system.
User avatar
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby PGavistone » August 31st, 2007, 6:34 am

Thank you for the clear cut instructions. I did everything you said, however I had a problem towards the end. You had mentioned generating a report with the AVG Anti-Spyware. Unfortunately, the option to "save report" was grayed out. I thought I could use a screenshot option to get the info you needed. The shots are below, and the HJT log is below them.

Image

And...

Image

And the HJT log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:19:33 AM, on 9/1/2007
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Warcraft III\Maps\Download\HiJackThis_v2.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: - {0fbb27f0-4b5a-41c3-850f-32270c157bdb} - C:\WINDOWS\System32\qgxfdw.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 3200 bytes
PGavistone
Active Member
 
Posts: 6
Joined: August 29th, 2007, 6:47 am

Unread postby Navigator » August 31st, 2007, 3:49 pm

PGavistone wrote:Thank you for the clear cut instructions. I did everything you said, however I had a problem towards the end. You had mentioned generating a report with the AVG Anti-Spyware. Unfortunately, the option to "save report" was grayed out. I thought I could use a screenshot option to get the info you needed. The shots are below, and the HJT log is below them.


Sorry about the greyed out box in AVG...a lot of people have said that since AVG changed....thanks for the screenshots. Most of what AVG found was either in quarantine from ComboFix or in system restore (which we'll clean out at the end).

The HJT log you posted was taken in safe mode...I really need to see the logs from normal mode.

Please do this:

1. Please re-open HiJackThis and choose scan only. Check the boxes next to all the entries listed below.

O2 - BHO: - {0fbb27f0-4b5a-41c3-850f-32270c157bdb} - C:\WINDOWS\System32\qgxfdw.dll (file missing)


Now close all windows other than HiJackThis, then click Fix Checked.

Reboot your computer.

Let's do an online scan to see what it finds:

2. Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


3. Post back with the Kaspersky scan results, a new HJT log taken in normal windows mode (not safe mode) and tell me how the computer is running. If you are having any particular problems, please let me know what they might be.
User avatar
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby PGavistone » September 2nd, 2007, 4:19 pm

Well the pop-ups have ceased from what I can see (just a few here and there, but it's decreased a great bit).
Please excuse the format that it comes out, since I'm still new to the copy/paste to forums and keeping format idea. The HJT report is after the scan.

KASPERSKY ONLINE SCANNER REPORT
Monday, September 03, 2007 4:10:53 PM
Operating System: Microsoft Windows XP Professional, (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 2/09/2007
Kaspersky Anti-Virus database records: 402615


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects 24691
Number of viruses found 8
Number of infected objects 16
Number of suspicious objects 2
Duration of the scan process 00:21:32

Infected Object Name Virus Name Last Action
C:\5.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped

C:\5.tmp NSIS: infected - 1 skipped

C:\7.tmp/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.ay skipped

C:\7.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.ay skipped

C:\7.tmp NSIS: infected - 2 skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\VIP\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\VIP\Local Settings\Application Data\Microsoft\Messenger\behis@hotmail.com\SharingMetadata\Logs\Dfsr.log Object is locked skipped

C:\Documents and Settings\VIP\Local Settings\Application Data\Microsoft\Messenger\behis@hotmail.com\SharingMetadata\pending.dat Object is locked skipped

C:\Documents and Settings\VIP\Local Settings\Application Data\Microsoft\Messenger\behis@hotmail.com\SharingMetadata\Working\database_56B4_299C_B429_801B\dfsr.db Object is locked skipped

C:\Documents and Settings\VIP\Local Settings\Application Data\Microsoft\Messenger\behis@hotmail.com\SharingMetadata\Working\database_56B4_299C_B429_801B\fsr.log Object is locked skipped

C:\Documents and Settings\VIP\Local Settings\Application Data\Microsoft\Messenger\behis@hotmail.com\SharingMetadata\Working\database_56B4_299C_B429_801B\fsrtmp.log Object is locked skipped

C:\Documents and Settings\VIP\Local Settings\Application Data\Microsoft\Messenger\behis@hotmail.com\SharingMetadata\Working\database_56B4_299C_B429_801B\tmp.edb Object is locked skipped

C:\Documents and Settings\VIP\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\VIP\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\VIP\Local Settings\Application Data\Microsoft\Windows Live Contacts\behis@hotmail.com\real\members.stg Object is locked skipped

C:\Documents and Settings\VIP\Local Settings\Application Data\Microsoft\Windows Live Contacts\behis@hotmail.com\shadow\members.stg Object is locked skipped

C:\Documents and Settings\VIP\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\VIP\Local Settings\Temp\~DF2010.tmp Object is locked skipped

C:\Documents and Settings\VIP\Local Settings\Temp\~DF201B.tmp Object is locked skipped

C:\Documents and Settings\VIP\Local Settings\Temp\~DF2B49.tmp Object is locked skipped

C:\Documents and Settings\VIP\Local Settings\Temp\~DF2B54.tmp Object is locked skipped

C:\Documents and Settings\VIP\Local Settings\Temporary Internet Files\Content.IE5\AV6XA3E3\mymsn[1] Object is locked skipped

C:\Documents and Settings\VIP\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\VIP\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\VIP\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Warcraft III\Maps\Download\backups\backup-20070901-003311-879 Suspicious: Exploit.HTML.Mht skipped

C:\Program Files\Warcraft III\Maps\Download\hijackthis2 Suspicious: Exploit.HTML.Mht skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\dwdsrngt.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\pwinqmdt.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.r skipped

C:\System Volume Information\_restore{FBFA1C0B-FAA5-44E0-BD8A-234D5454B4D0}\RP199\A0009992.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped

C:\System Volume Information\_restore{FBFA1C0B-FAA5-44E0-BD8A-234D5454B4D0}\RP204\A0010020.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped

C:\System Volume Information\_restore{FBFA1C0B-FAA5-44E0-BD8A-234D5454B4D0}\RP204\A0010021.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped

C:\System Volume Information\_restore{FBFA1C0B-FAA5-44E0-BD8A-234D5454B4D0}\RP204\A0010022.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped

C:\System Volume Information\_restore{FBFA1C0B-FAA5-44E0-BD8A-234D5454B4D0}\RP207\A0010192.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped

C:\System Volume Information\_restore{FBFA1C0B-FAA5-44E0-BD8A-234D5454B4D0}\RP207\A0010193.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped

C:\System Volume Information\_restore{FBFA1C0B-FAA5-44E0-BD8A-234D5454B4D0}\RP207\A0010201.exe Infected: not-a-virus:AdWare.Win32.Rond.a skipped

C:\System Volume Information\_restore{FBFA1C0B-FAA5-44E0-BD8A-234D5454B4D0}\RP232\A0013697.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.r skipped

C:\System Volume Information\_restore{FBFA1C0B-FAA5-44E0-BD8A-234D5454B4D0}\RP232\A0013704.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped

C:\System Volume Information\_restore{FBFA1C0B-FAA5-44E0-BD8A-234D5454B4D0}\RP234\change.log Object is locked skipped

C:\WINDOWS\Debug\oakley.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

And the HJT report...

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:13:52 PM, on 9/3/2007
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Warcraft III\Maps\Download\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4092 bytes
PGavistone
Active Member
 
Posts: 6
Joined: August 29th, 2007, 6:47 am

Unread postby Navigator » September 2nd, 2007, 5:30 pm

Hello PGavistone....I'm glad the computer is running better....Before we get rid of some of the stuff Kaspersky found, I want to check a few files:

There are some files I'd like to get analyzed:


    C:\WINDOWS\system32\tpug.bat
    C:\WINDOWS\system32\znsgxuh.bat


Just to be safe, go to this site and have it scan them:
Jotti virus scan

Use the Browse button at Jotti, navigate to the file's location on your hard drive and submit them one at a time.

Let me know the results.
User avatar
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby PGavistone » September 2nd, 2007, 8:03 pm

As always, I appreciate the links. Here are the results:

For the tpug.bat file:
Service load: 0% 100%

File: tpug.bat
Status: OK
MD5: 9c7bf8a19d3e209f950d8af59e349ff7
Packers detected: -
Bit9 reports: File not found

Scanner results
Scan taken on 02 Sep 2007 23:56:59 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

And for the znsgxuh.bat file:

Service load: 0% 100%

File: znsgxuh.bat
Status: OK
MD5: f17d025047e7a181b2d391ad92e7dc4e
Packers detected: -
Bit9 reports: File not found

Scanner results
Scan taken on 03 Sep 2007 00:00:35 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
PGavistone
Active Member
 
Posts: 6
Joined: August 29th, 2007, 6:47 am

Unread postby Navigator » September 2nd, 2007, 9:52 pm

OK....now let's do this:

1. Open notepad and copy/paste the text in the quotebox below into it:


File::
C:\5.tmp
C:\7.tmp

Folder::
C:\WINDOWS\VklQ


Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.

If everything checks out and is OK, we can finish up...
User avatar
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby PGavistone » September 3rd, 2007, 10:45 am

Ok, here is the result from ComboFix:

ComboFix 07-08-30.2 - "VIP" 2007-09-04 10:39:24.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.260 [GMT -4:00]
Command switches used :: C:\Program Files\Warcraft III\Maps\Download\CFScript.txt
* Created a new restore point

FILE::
C:\5.tmp
C:\7.tmp


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\5.tmp
C:\7.tmp
C:\WINDOWS\VklQ


((((((((((((((((((((((((( Files Created from 2007-08-04 to 2007-09-04 )))))))))))))))))))))))))))))))


2007-09-03 15:39 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-03 15:39 <DIR> d-------- C:\WINDOWS\LastGood
2007-09-03 15:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-09-01 00:15 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-30 23:29 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-30 07:28 <DIR> d-------- C:\Temp
2007-08-28 23:15 <DIR> d-------- C:\Program Files\Ventrilo
2007-08-28 23:15 <DIR> d-------- C:\DOCUME~1\VIP\APPLIC~1\Ventrilo
2007-08-28 00:24 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-28 00:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-28 00:23 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-04 02:27 --------- d-------- C:\Program Files\Warcraft III
2007-08-30 06:18 --------- d-------- C:\Program Files\BroadJump
2007-08-28 00:29 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-28 00:29 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-16 20:58 --------- d-------- C:\Program Files\Conquer 2.0
2007-08-02 23:55 126 --a------ C:\WINDOWS\system32\tpug.bat
2007-08-02 23:55 117 --a------ C:\WINDOWS\system32\znsgxuh.bat
2007-07-17 13:55 --------- d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
2007-07-11 22:55 --------- d-------- C:\Program Files\CDBurnerXP Pro 3
2007-07-08 18:53 --------- d-------- C:\Program Files\Winamp
2007-07-06 00:05 --------- d-------- C:\Program Files\DAEMON Tools
2007-07-06 00:02 682232 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-07-05 23:57 2829 --a------ C:\WINDOWS\War3Unin.pif
2007-07-05 23:57 139264 --a------ C:\WINDOWS\War3Unin.exe
2007-07-04 17:42 --------- d-------- C:\DOCUME~1\VIP\APPLIC~1\AdobeUM


((((((((((((((((((((((((((((( snapshot_2007-08-30_233516.43 )))))))))))))))))))))))))))))))))))))))))

----a-w 39,992 2007-08-31 03:36:14 C:\WINDOWS\system32\perfc009.dat
----a-w 311,604 2007-08-31 03:36:14 C:\WINDOWS\system32\perfh009.dat
----a-w 213,048 2005-05-24 15:27:16 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
----a-w 94,208 2007-02-21 21:48:18 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
----a-w 946,176 2007-02-21 21:49:08 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll

----a-w 39,992 2007-08-30 11:17:00 C:\WINDOWS\system32\perfc009.dat
----a-w 311,604 2007-08-30 11:17:00 C:\WINDOWS\system32\perfh009.dat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-29 17:50]
"nwiz"="nwiz.exe" [2004-10-29 17:50 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-10-29 17:50]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-16 08:19]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 18:22]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-17 08:32]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-30 05:59]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative WebCam Tray"="C:\Program Files\Creative\Shared Files\CamTray.exe" [2005-03-29 02:13]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-07-29 19:34]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 18:29]

R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\System32\DRIVERS\RimSerial.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-04 10:40:17
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-04 10:40:54
C:\ComboFix-quarantined-files.txt ... 2007-09-04 10:40
C:\ComboFix2.txt ... 2007-08-30 23:35

--- E O F ---


And the new HiJackThis

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:44:51 AM, on 9/4/2007
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Warcraft III\Maps\Download\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4009 bytes
PGavistone
Active Member
 
Posts: 6
Joined: August 29th, 2007, 6:47 am

Unread postby Navigator » September 3rd, 2007, 12:19 pm

Good job....that looks great! Are you having any particular problems with the system?

You can 'fix' this one HJT entry if you want, but it's not a big deal:

1. Please re-open HiJackThis and choose scan only. Check the boxes next to all the entries listed below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank


Now close all windows other than HiJackThis, then click Fix Checked.

Reboot your computer.

Other than that, if you system is running well, I'd say you are 'clean'!

To finish up, there are a few important steps to do to reset system restore (emptying any infected restore points and establishing a 'clean' new one) and to remove the tools that I had you download and use...you can remove ComboFix from your system, and remove AVG Anti-spyware when the trial is over if you wish. ATF Temp FIle Cleaner is a good little program to keep around if you wish, or feel free to remove it too.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • THIS IS IMPORTANT! - If you are using Windows XP then you should reset system restore to make sure there are no infected files found in a restore point and that you have a clean restore point should you need one!

    Now let's reset your restore points.

    Click Start Menu >> All Programs >> Accessories >> System Tools >> SystemRestore

    Press OK. Choose 'Create a Restore Point' then Next. Name it and press 'Create' then when the confirmation screen shows the restore point has been created click 'Close'.

    Next go to Start Menu >> Run, then type:

    cleanmgr


    click OK, when Disk Cleanup opens go to the 'More Options' tab and press 'Cleanup' on the system restore area which will remove all the restore points except the one we just created. To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy- Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd for Zoned Out - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF Cleaner by Atribune. This program is for XP and Windows 2000 only. ATF is a new, freeware, temporary file cleaner for Windows, IE, Firefox and Opera with a simple, easy-to-use interface. The main screen allows the user to either clean all temporary files, or select files for cleaning. The program also knows if Firefox and or Opera is being used, and gives the option of cleaning the temporary files associated with those applications.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein. These are excellent reads too: I'm not pulling your leg and Malware: Preventing the Infection



Let me know if you have any questions or concerns... :D
User avatar
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby askey127 » September 14th, 2007, 7:09 am

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.
If you are the topic starter, you will need a valid, working link to the closed topic, along with the user name used.
The user name must match the one in the linked thread linked to avoid having the email deleted.

You can help support this site from this link :
Donations For Malware Removal
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 27 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware