Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Generic Trojan / LuxuryLink Popups and redirects

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Generic Trojan / LuxuryLink Popups and redirects

Unread postby Nichole » December 17th, 2009, 5:56 pm

Hi everyone,

My antivirus (AVG) is continually quarantining what appears to be the same trojan. The name of the trojan varies every few reboots, usually switching the number '7' to '15'. Currently, it looks like this:

"Infection";"Trojan horse PSW.Generic7.RAZ";"C:\Windows\System32\mscuncerp.dll";"";"17/12/2009, 5:32:59 PM"

I'm also receiving random redirects, usually to the 'LuxuryLink' network, and I've ran Spybot & AdAware with no success.

Here's the requested info:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:41:21 PM, on 17/12/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Users\Nichole\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Users\Nichole\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Nichole\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ript - {91D9091B-2046-42f7-903E-1215A29E21EA} - C:\Program Files\Ript\mscoree.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Nichole\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [application] C:\Program Files\AKProg\AKProg.exe hs
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [RegistryMonitor1] "C:\Windows\TEMP\mphr.tmp\svchost.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [RegistryMonitor1] "C:\Windows\TEMP\mphr.tmp\svchost.exe" (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: trydvykmzywlpg - Sver - c:\windows\system32\APGNQC~1.EXE

--
End of file - 6510 bytes

Uninstall List:
Ad-Aware
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.0
Adobe Shockwave Player
Apple Software Update
AudibleManager
AVG Free 9.0
Conexant HD Audio
Creative MediaSource 5
Creative MuVo V100
Creative System Information
CyberLink YouCam
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DVD Suite
EPSON Scan
ESU for Microsoft Vista
FileZilla Client 3.3.0.1
Google Gmail Notifier
Google Talk Plugin
GTK+ Runtime 2.12.8 rev a (remove only)
HDAUDIO Soft Data Fax Modem with SmartCP
Hewlett-Packard Active Check
Hewlett-Packard Asset Agent for Health Check
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Doc Viewer
HP DVD Play 3.6
HP User Guides 0092
HP Wireless Assistant
HPNetworkAssistant
Intel(R) Graphics Media Accelerator Driver
Intel(R) Matrix Storage Manager
Intel(R) TV Wizard
Java(TM) 6 Update 2
Java(TM) 6 Update 4
Java(TM) 6 Update 7
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007 Trial
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
mIRC
Mozilla Firefox (3.0.16)
MSCU for Microsoft Vista
MSVCRT
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
neroxml
NetWaiting
OpenOffice.org 2.4
Picasa 3
QuickTime
RealPlayer
Realtek 8139 and 8139C+ Ethernet Network Card Driver for Windows Vista
Realtek USB 2.0 Card Reader
SecureW2 EAP Suite 2.0.4 for Windows
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Skype™ 4.1
Spybot - Search & Destroy
TBS WMP Plug-in
Touch Pad Driver
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office InfoPath 2007 (KB976416)
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WeatherBug Gadget
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Player Firefox Plugin
WinRAR archiver
Yahoo! Messenger



Thanks in advance for helping out - I'm so glad I found this forum (although it was almost impossible to navigate to!)

Nichole
Nichole
Active Member
 
Posts: 6
Joined: December 17th, 2009, 5:47 pm
Advertisement
Register to Remove

Re: Generic Trojan / LuxuryLink Popups and redirects

Unread postby Axephilic » December 21st, 2009, 12:59 am

Hello and sorry about the delay,

Welcome to the Malware Removal Forums! My name is Adam and I will be assisting you with getting the malware off of your computer. Please observe the following points before we start:
  1. If at any point you don't understand something, please let me know and I will be glad to expain or go more into depth for you. :)
  2. Please remember, I am a volunteer and I have a personal life. I go to school full time, have a part time job, and I do sports. A lot of this takes a lot of time.
  3. Please keep all of your replys in this topic/thread and do not make a new topic/thread, thanks!
  4. Please stick with this, don't stop responding because the symptoms are gone, the infection could still be there. Keep replying to my posts until I give you the All Clean message. ;)
  5. If you don't reply within three days after my last instructions this topic will be closed. If you will not be able to reply within three days please tell me so the topic will not be closed.
  6. Please do not run other tools to remove the malware unless I ask you to until I give you the all clean. They will just mess up my fixes and make things more complicated, not fix the problem.

If you still need help, please do the following:

Windows Vista Intructions
Since you are running Windows Vista, please make sure that all of the tools that I ask you to run are run by right clicking and selecting Run as administrator. This will ensure the correct functionality of the tools with Windows Vista compatibility.

Disable TeaTimer
You need to disable teatimer while we clean your system. Teatimer will interfere with the tools we use and may prevent some fixes from working.
  • Start Spybot, click Mode and select Advanced Mode.
  • Select Tools (bottom left) and click the Resident button.
  • Now in the right window pane, uncheck Resident "TeaTimer".

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Upload a file to VirusTotal

Please visit Virustotal
  • Click the Browse.. button
  • Navigate to the file C:\Windows\TEMP\mphr.tmp\svchost.exe
  • Click the Open button
  • Click the Send button
  • Copy and paste the results into a new reply in this thread please.

Did you purposely install a keylogger on your computer?

In your next reply, please include:
  1. ComboFix log
  2. VirusTotal results
  3. A new HijackThis log

Regards,
Adam
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Generic Trojan / LuxuryLink Popups and redirects

Unread postby Nichole » December 21st, 2009, 6:48 am

Good morning, Adam!

I did not *personally* intentionally install a keylogger. That's not to say one was not manually installed, though.
Here's what I have.

ComboFix log {note: I received a blue screen and forced reboot the first time I ran this, as it was generating the log file.}

ComboFix 09-12-20.04 - Nichole 21/12/2009 6:03.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.2.1033.18.2037.1018 [GMT -4:00]
Running from: c:\users\Nichole\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\program files\Mozilla Firefox\searchplugins\search.xml
c:\windows\run.log
c:\windows\system32\KBL.LOG
c:\windows\system32\msql32sys.dll
c:\windows\system32\qtplugin.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_RDPWD
-------\Service_TDTCP


((((((((((((((((((((((((( Files Created from 2009-11-21 to 2009-12-21 )))))))))))))))))))))))))))))))
.

2009-12-21 10:14 . 2009-12-21 10:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-21 05:16 . 2009-12-21 05:16 118784 ----a-w- c:\windows\system32\mscuncerp.dll
2009-12-21 02:08 . 2009-12-21 02:08 -------- d-----w- c:\users\Nichole\AppData\Local\Adobe
2009-12-20 21:36 . 2009-12-20 21:36 862040 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-12-20 21:36 . 2009-12-20 21:36 206944 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-12-20 21:36 . 2009-12-20 21:36 390288 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-12-20 21:36 . 2009-12-20 21:36 537576 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-12-20 21:36 . 2009-12-20 21:36 370744 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-12-20 21:36 . 2009-12-20 21:36 194104 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2009-12-20 21:35 . 2009-12-20 21:35 6296864 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Resources.dll
2009-12-20 21:35 . 2009-12-20 21:35 933120 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-12-20 21:35 . 2009-12-20 21:35 816272 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-12-20 21:35 . 2009-12-20 21:35 822904 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-12-20 21:35 . 2009-12-20 21:35 1643272 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-12-20 21:35 . 2009-12-20 21:35 788880 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-12-20 21:35 . 2009-12-20 21:35 1181328 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-12-18 13:51 . 2009-12-11 13:06 294680 ----a-w- c:\programdata\avg9\update\backup\avglngx.dll
2009-12-18 12:07 . 2009-12-18 12:07 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-12-18 12:07 . 2009-12-20 14:24 -------- d-----w- c:\users\Nichole\AppData\Roaming\SUPERAntiSpyware.com
2009-12-18 12:07 . 2009-12-20 14:24 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-17 21:18 . 2009-12-17 21:18 -------- d-----w- c:\users\Nichole\AppData\Roaming\Malwarebytes
2009-12-17 21:18 . 2009-12-03 20:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-17 21:18 . 2009-12-17 21:18 -------- d-----w- c:\programdata\Malwarebytes
2009-12-17 21:18 . 2009-12-17 21:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-17 21:18 . 2009-12-03 20:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-17 21:16 . 2008-11-06 06:03 -------- d-----w- C:\SDFix
2009-12-17 18:54 . 2009-12-21 04:05 0 ----a-w- c:\users\Nichole\AppData\Local\prvlcl.dat
2009-12-17 18:47 . 2009-12-17 18:47 -------- d-----w- C:\VundoFix Backups
2009-12-16 14:13 . 2009-12-16 14:13 -------- d-----w- c:\users\Nichole\AppData\Roaming\AVG9
2009-12-16 00:54 . 2009-12-16 00:57 -------- d-----w- c:\users\Nichole\AppData\Roaming\QuickScan
2009-12-16 00:54 . 2009-11-26 21:39 678912 ----a-w- c:\users\Nichole\AppData\Roaming\Mozilla\Firefox\Profiles\37flfpuk.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
2009-12-16 00:54 . 2009-11-26 21:37 768512 ----a-w- c:\users\Nichole\AppData\Roaming\Mozilla\Firefox\Profiles\37flfpuk.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2009-12-15 15:57 . 2009-12-15 19:13 -------- d-----w- c:\users\Nichole\AppData\Roaming\FileZilla
2009-12-15 15:56 . 2009-12-15 15:56 -------- d-----w- c:\program files\FileZilla FTP Client
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-13 22:46 . 2009-12-02 13:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-13 21:35 . 2009-12-13 21:35 -------- dc----w- c:\windows\system32\DRVSTORE
2009-12-13 21:35 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-13 21:34 . 2009-12-13 21:34 -------- dc-h--w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-13 21:34 . 2009-12-07 14:10 2953352 -c--a-w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2009-12-13 21:33 . 2009-12-13 21:33 -------- d-----w- c:\program files\Lavasoft
2009-12-12 07:00 . 2009-11-09 13:34 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-12 07:00 . 2009-11-09 13:30 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-12-12 07:00 . 2009-11-09 11:17 396800 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-12 06:46 . 2009-12-11 13:07 1082648 ----a-w- c:\programdata\avg9\update\backup\avgxpl.dll
2009-12-12 06:46 . 2009-12-11 13:07 1074456 ----a-w- c:\programdata\avg9\update\backup\avgcmgr.exe
2009-12-12 06:46 . 2009-12-11 13:06 1336600 ----a-w- c:\programdata\avg9\update\backup\avgssff.dll
2009-12-12 06:46 . 2009-12-11 13:06 1494088 ----a-w- c:\programdata\avg9\update\backup\avgwd.dll
2009-12-12 06:46 . 2009-12-11 13:06 744728 ----a-w- c:\programdata\avg9\update\backup\avgscanx.exe
2009-12-12 06:46 . 2009-12-11 13:06 562456 ----a-w- c:\programdata\avg9\update\backup\avgsrmx.dll
2009-12-12 06:46 . 2009-12-11 13:06 361752 ----a-w- c:\programdata\avg9\update\backup\avgsrmax.exe
2009-12-12 06:46 . 2009-12-12 06:45 2352920 ----a-w- c:\programdata\avg9\update\backup\avgresf.dll
2009-12-12 06:46 . 2009-12-11 13:07 1946392 ----a-w- c:\programdata\avg9\update\backup\avgapix.dll
2009-12-12 06:46 . 2009-12-11 13:07 615704 ----a-w- c:\programdata\avg9\update\backup\avgcertx.dll
2009-12-12 06:46 . 2009-12-11 13:07 502040 ----a-w- c:\programdata\avg9\update\backup\avgrsx.exe
2009-12-12 06:45 . 2009-12-11 13:07 798488 ----a-w- c:\programdata\avg9\update\backup\avginet.dll
2009-12-11 13:21 . 2009-12-11 13:20 3963160 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2009-12-11 13:21 . 2009-12-11 13:07 497944 ----a-w- c:\programdata\avg9\update\backup\avgchjwx.dll
2009-12-11 13:20 . 2009-12-11 13:20 844056 ----a-w- c:\programdata\avg9\update\backup\avgupd.exe
2009-12-11 13:20 . 2009-12-11 13:20 1658136 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2009-12-11 13:09 . 2009-12-11 13:12 -------- d-----w- C:\$AVG
2009-12-11 13:06 . 2009-12-20 22:09 -------- d-----w- c:\programdata\avg9
2009-12-11 12:18 . 2009-12-11 12:18 -------- d-----w- c:\programdata\e9e676d
2009-12-09 23:34 . 2009-10-07 12:47 232960 ----a-w- c:\windows\system32\rastls.dll
2009-12-09 23:34 . 2009-10-07 12:47 274432 ----a-w- c:\windows\system32\raschap.dll
2009-12-04 14:03 . 2009-12-04 14:03 251376 ----a-w- c:\users\Nichole\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2009-12-04 06:08 . 2009-12-04 06:08 764168 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-11-29 02:54 . 2009-12-20 09:42 439816 ----a-w- c:\users\Nichole\AppData\Roaming\Real\Update\setup3.09\setup.exe
2009-11-27 09:18 . 2009-10-29 07:59 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-25 13:10 . 2009-11-25 13:10 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-11-25 13:10 . 2009-11-25 13:10 286720 ------w- c:\windows\Setup1.exe
2009-11-25 08:14 . 2009-08-10 13:05 2048 ----a-w- c:\windows\system32\msxml6r.dll
2009-11-25 08:14 . 2009-08-10 13:05 1406464 ----a-w- c:\windows\system32\msxml6.dll
2009-11-25 08:14 . 2009-08-10 13:05 2048 ----a-w- c:\windows\system32\msxml3r.dll
2009-11-25 08:14 . 2009-08-10 13:05 1260032 ----a-w- c:\windows\system32\msxml3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-20 18:01 . 2008-06-26 21:21 1356 ----a-w- c:\users\Nichole\AppData\Local\d3d9caps.dat
2009-12-19 03:19 . 2009-07-19 04:06 -------- d-----w- c:\users\Nichole\AppData\Roaming\Skype
2009-12-18 20:04 . 2009-07-19 04:08 -------- d-----w- c:\users\Nichole\AppData\Roaming\skypePM
2009-12-18 11:04 . 2008-03-04 04:56 107336 ----a-w- c:\users\Nichole\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-18 04:37 . 2007-12-04 06:53 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-16 13:14 . 2008-02-14 00:02 308248 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-12-15 19:55 . 2008-10-21 11:17 -------- d-sh--w- c:\program files\AKProg
2009-12-15 19:21 . 2008-10-26 19:40 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-15 19:17 . 2008-10-26 19:40 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-12-13 21:33 . 2008-05-27 03:54 -------- d-----w- c:\programdata\Lavasoft
2009-12-11 13:09 . 2008-10-26 19:42 -------- d-----w- c:\programdata\avg8
2009-12-11 13:09 . 2009-04-01 02:02 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-11 13:09 . 2008-10-26 19:42 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-11 13:09 . 2008-10-26 19:42 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-11 13:09 . 2008-10-26 19:42 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-12-11 13:06 . 2008-10-26 19:42 -------- d-----w- c:\program files\AVG
2009-12-11 00:39 . 2008-03-28 15:53 -------- d-----w- c:\users\Nichole\AppData\Roaming\LimeWire
2009-12-10 07:04 . 2008-03-07 01:45 -------- d-----w- c:\programdata\Microsoft Help
2009-12-05 01:33 . 2008-06-21 01:54 1 ----a-w- c:\users\Nichole\AppData\Roaming\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-12-05 01:33 . 2008-06-21 01:53 -------- d-----w- c:\users\Nichole\AppData\Roaming\OpenOffice.org2
2009-12-01 20:39 . 2009-08-08 01:14 -------- d-----w- c:\program files\Google
2009-11-10 04:29 . 2009-11-10 04:29 -------- d-----w- c:\program files\Microsoft
2009-11-03 00:42 . 2009-10-04 13:20 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-02 02:53 . 2008-12-22 17:54 -------- d-----w- c:\program files\Audible
2009-11-01 15:46 . 2008-03-04 04:48 -------- d-----w- c:\program files\Microsoft Works
2009-10-27 15:05 . 2009-12-09 23:35 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-27 15:01 . 2009-12-09 23:35 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-10-27 15:01 . 2009-12-09 23:35 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-27 15:01 . 2009-12-09 23:35 52736 ----a-w- c:\windows\AppPatch\iebrshim.dll
2009-10-27 14:59 . 2009-12-09 23:35 72704 ----a-w- c:\windows\system32\admparse.dll
2009-10-27 12:27 . 2009-12-09 23:35 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-10-27 10:56 . 2009-12-09 23:35 48128 ----a-w- c:\windows\system32\mshtmler.dll
2007-08-25 02:52 . 2008-03-20 10:16 300400 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\Nichole\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-23 133104]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-02 185896]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-12 2033432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Nichole^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Get 2 FREE Audiobooks.lnk]
path=c:\users\Nichole\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Get 2 FREE Audiobooks.lnk
backup=c:\windows\pss\Get 2 FREE Audiobooks.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Nichole^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\users\Nichole\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 08:06 40048 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-10-25 08:44 212992 ----a-w- c:\program files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2006-11-02 12:35 125440 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-09-23 23:13 133104 ----atw- c:\users\Nichole\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\users\Nichole\AppData\Roaming\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-01-02 21:06 166424 ----a-w- c:\windows\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2007-10-03 23:15 480560 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-10-03 23:44 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-01-02 21:07 141848 ----a-w- c:\windows\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-02-20 17:22 4363504 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 20:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-01-02 21:07 133656 ----a-w- c:\windows\System32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2007-10-01 03:34 181544 ----a-w- c:\program files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-02-01 03:13 385024 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2008-03-05 11:46 1232896 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 07:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-04-02 23:53 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
2007-09-14 00:32 222504 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2007-12-04 07:15 1006264 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-11-02 12:36 201728 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2009-02-20 17:22 4363504 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{0228e555-4f9c-4e35-a3ec-b109a192b4c2}]
2005-07-15 21:48 479232 ----a-w- c:\program files\Google\Gmail Notifier\gnotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [13/12/2009 5:35 PM 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [26/10/2008 3:42 PM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [31/03/2009 10:02 PM 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [11/12/2009 9:07 AM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/12/2009 9:06 AM 285392]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [02/12/2009 9:19 AM 1181328]
R2 trydvykmzywlpg;trydvykmzywlpg;c:\windows\System32\APGNQC~1.EXE [16/03/2007 5:01 PM 82006]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\System32\drivers\mbamswissarmy.sys [17/12/2009 5:18 PM 38224]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Nichole\AppData\Roaming\Mozilla\Firefox\Profiles\37flfpuk.default\
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\users\Nichole\AppData\Roaming\Mozilla\Firefox\Profiles\37flfpuk.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\users\Nichole\AppData\Local\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\users\Nichole\AppData\Roaming\Mozilla\Firefox\Profiles\37flfpuk.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\users\Nichole\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Explorer_Run-application - c:\program files\AKProg\AKProg.exe
MSConfigStartUp-ares - c:\program files\Ares\Ares.exe
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-DSS - c:\windows\BBSTORE\DSS\DSSAGENT.EXE
MSConfigStartUp-Free Key Logger - c:\program files\Math Help\FreeKeyLogger.exe
MSConfigStartUp-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
MSConfigStartUp-HPAdvisor - c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
MSConfigStartUp-IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
MSConfigStartUp-isCfgWiz - c:\program files\Common Files\Symantec Shared\OPC\{C86EA115-FACD-4aa8-BFA2-398C677D0936}\SYMCUW.exe
MSConfigStartUp-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
MSConfigStartUp-sys32dll - c:\program files\Active Key Logger\Active Key Logger.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-21 06:14
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\mscuncerp.dll 118784 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4828)
c:\windows\System32\mscuncerp.dll
.
Completion time: 2009-12-21 06:17:47
ComboFix-quarantined-files.txt 2009-12-21 10:17

Pre-Run: 166,115,102,720 bytes free
Post-Run: 166,063,497,216 bytes free

- - End Of File - - D22D466EDF86E3F58003842839E95F34

re: VirusTotal: I have two files in my C:\Windows\temp folder right now, neither of which are executables that match what you requested:
lpksetup-20091221-063556-0.log
and
lpksetup-20091221-063621-0.log

New HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:35:19 AM, on 21/12/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Users\Nichole\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Nichole\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Nichole\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: trydvykmzywlpg - Sver - c:\windows\system32\APGNQC~1.EXE

--
End of file - 4895 bytes

Guess what? The browser redirect problem *seems* to have been fixed. AVG keeps closing itself, though. Hmmm.
Thanks so much, Adam!

Nichole
Nichole
Active Member
 
Posts: 6
Joined: December 17th, 2009, 5:47 pm

Re: Generic Trojan / LuxuryLink Popups and redirects

Unread postby Axephilic » December 21st, 2009, 1:27 pm

Hello,

Run ComboFix

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Code: Select all
File::
c:\windows\System32\APGNQC~1.EXE
Driver::
trydvykmzywlpg


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Fix HijackThis lines

  • Run HijackThis!
  • Click on Do a System Scan only
  • Place a tick next to the following lines:

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
Close all open windows and click on Fix checked and when you get a popup window click on Yes.

Kaspersky Online Scanner
Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

In your next reply, please include:
  1. ComboFix log
  2. Kaspersky report
  3. A new HijackThis log

Regards,
Adam
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Generic Trojan / LuxuryLink Popups and redirects

Unread postby Nichole » December 21st, 2009, 3:44 pm

Hi Adam,

Once again, I received a blue screen followed by a reboot while ComboFix was generating the log report. I want to check with you: should I re-run again from scratch? And if so, should I be dragging the txt file onto the executable to launch the program this time as well?

Thanks so much for your prompt responses - I can't begin to tell you how much it is appreciated! :)

Nichole
Nichole
Active Member
 
Posts: 6
Joined: December 17th, 2009, 5:47 pm

Re: Generic Trojan / LuxuryLink Popups and redirects

Unread postby Axephilic » December 21st, 2009, 5:10 pm

Please just try to follow the instructions again with dragging the text file over to the executable.
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Generic Trojan / LuxuryLink Popups and redirects

Unread postby Nichole » December 23rd, 2009, 2:13 pm

Hi Adam!

Here is the new information.

ComboFix log:

ComboFix 09-12-22.06 - Nichole 23/12/2009 9:23.6.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.2.1033.18.2037.1136 [GMT -4:00]
Running from: c:\users\Nichole\Desktop\ComboFix.exe
Command switches used :: c:\users\Nichole\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\windows\System32\APGNQC~1.EXE"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\System32\APGNQC~1.EXE

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_trydvykmzywlpg


((((((((((((((((((((((((( Files Created from 2009-11-23 to 2009-12-23 )))))))))))))))))))))))))))))))
.

2009-12-23 13:31 . 2009-12-23 13:32 -------- d-----w- c:\users\Nichole\AppData\Local\temp
2009-12-23 13:31 . 2009-12-23 13:31 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-12-23 13:31 . 2009-12-23 13:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-22 16:07 . 2009-12-12 06:46 4043032 ----a-w- c:\programdata\avg9\update\backup\avgui.exe
2009-12-22 16:07 . 2009-12-12 06:45 3776280 ----a-w- c:\programdata\avg9\update\backup\setup.exe
2009-12-22 16:07 . 2009-12-11 13:06 916248 ----a-w- c:\programdata\avg9\update\backup\avgcfgx.dll
2009-12-21 02:08 . 2009-12-21 02:08 -------- d-----w- c:\users\Nichole\AppData\Local\Adobe
2009-12-20 21:36 . 2009-12-20 21:36 862040 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-12-20 21:36 . 2009-12-20 21:36 206944 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-12-20 21:36 . 2009-12-20 21:36 390288 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-12-20 21:36 . 2009-12-20 21:36 537576 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-12-20 21:36 . 2009-12-20 21:36 370744 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-12-20 21:36 . 2009-12-20 21:36 194104 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2009-12-20 21:35 . 2009-12-20 21:35 6296864 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Resources.dll
2009-12-20 21:35 . 2009-12-20 21:35 933120 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-12-20 21:35 . 2009-12-20 21:35 816272 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-12-20 21:35 . 2009-12-20 21:35 822904 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-12-20 21:35 . 2009-12-20 21:35 1643272 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-12-20 21:35 . 2009-12-20 21:35 788880 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-12-20 21:35 . 2009-12-20 21:35 1181328 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-12-18 13:51 . 2009-12-18 13:51 294656 ----a-w- c:\programdata\avg9\update\backup\avglngx.dll
2009-12-18 12:07 . 2009-12-18 12:07 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-12-18 12:07 . 2009-12-20 14:24 -------- d-----w- c:\users\Nichole\AppData\Roaming\SUPERAntiSpyware.com
2009-12-18 12:07 . 2009-12-20 14:24 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-17 21:18 . 2009-12-17 21:18 -------- d-----w- c:\users\Nichole\AppData\Roaming\Malwarebytes
2009-12-17 21:18 . 2009-12-03 20:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-17 21:18 . 2009-12-17 21:18 -------- d-----w- c:\programdata\Malwarebytes
2009-12-17 21:18 . 2009-12-17 21:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-17 21:18 . 2009-12-03 20:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-17 21:16 . 2008-11-06 06:03 -------- d-----w- C:\SDFix
2009-12-17 18:54 . 2009-12-23 13:05 0 ----a-w- c:\users\Nichole\AppData\Local\prvlcl.dat
2009-12-17 18:47 . 2009-12-17 18:47 -------- d-----w- C:\VundoFix Backups
2009-12-16 14:13 . 2009-12-16 14:13 -------- d-----w- c:\users\Nichole\AppData\Roaming\AVG9
2009-12-16 00:54 . 2009-12-22 15:56 -------- d-----w- c:\users\Nichole\AppData\Roaming\QuickScan
2009-12-16 00:54 . 2009-11-26 21:39 678912 ----a-w- c:\users\Nichole\AppData\Roaming\Mozilla\Firefox\Profiles\37flfpuk.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
2009-12-16 00:54 . 2009-11-26 21:37 768512 ----a-w- c:\users\Nichole\AppData\Roaming\Mozilla\Firefox\Profiles\37flfpuk.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2009-12-15 15:57 . 2009-12-15 19:13 -------- d-----w- c:\users\Nichole\AppData\Roaming\FileZilla
2009-12-15 15:56 . 2009-12-15 15:56 -------- d-----w- c:\program files\FileZilla FTP Client
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-13 22:46 . 2009-12-02 13:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-13 21:35 . 2009-12-13 21:35 -------- dc----w- c:\windows\system32\DRVSTORE
2009-12-13 21:35 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-13 21:34 . 2009-12-13 21:34 -------- dc-h--w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-13 21:34 . 2009-12-07 14:10 2953352 -c--a-w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2009-12-13 21:33 . 2009-12-13 21:33 -------- d-----w- c:\program files\Lavasoft
2009-12-12 07:00 . 2009-11-09 13:34 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-12 07:00 . 2009-11-09 13:30 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-12-12 07:00 . 2009-11-09 11:17 396800 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-12 06:46 . 2009-12-11 13:07 1082648 ----a-w- c:\programdata\avg9\update\backup\avgxpl.dll
2009-12-12 06:46 . 2009-12-11 13:07 1074456 ----a-w- c:\programdata\avg9\update\backup\avgcmgr.exe
2009-12-12 06:46 . 2009-12-11 13:06 1336600 ----a-w- c:\programdata\avg9\update\backup\avgssff.dll
2009-12-12 06:46 . 2009-12-11 13:06 1494088 ----a-w- c:\programdata\avg9\update\backup\avgwd.dll
2009-12-12 06:46 . 2009-12-11 13:06 744728 ----a-w- c:\programdata\avg9\update\backup\avgscanx.exe
2009-12-12 06:46 . 2009-12-11 13:06 562456 ----a-w- c:\programdata\avg9\update\backup\avgsrmx.dll
2009-12-12 06:46 . 2009-12-11 13:06 361752 ----a-w- c:\programdata\avg9\update\backup\avgsrmax.exe
2009-12-12 06:46 . 2009-12-12 06:45 2352920 ----a-w- c:\programdata\avg9\update\backup\avgresf.dll
2009-12-12 06:46 . 2009-12-11 13:07 1946392 ----a-w- c:\programdata\avg9\update\backup\avgapix.dll
2009-12-12 06:46 . 2009-12-11 13:07 615704 ----a-w- c:\programdata\avg9\update\backup\avgcertx.dll
2009-12-12 06:46 . 2009-12-11 13:07 502040 ----a-w- c:\programdata\avg9\update\backup\avgrsx.exe
2009-12-12 06:45 . 2009-12-11 13:07 798488 ----a-w- c:\programdata\avg9\update\backup\avginet.dll
2009-12-11 13:21 . 2009-12-12 06:45 3967256 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2009-12-11 13:21 . 2009-12-11 13:07 497944 ----a-w- c:\programdata\avg9\update\backup\avgchjwx.dll
2009-12-11 13:20 . 2009-12-11 13:20 844056 ----a-w- c:\programdata\avg9\update\backup\avgupd.exe
2009-12-11 13:20 . 2009-12-11 13:20 1658136 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2009-12-11 13:09 . 2009-12-11 13:12 -------- d-----w- C:\$AVG
2009-12-11 13:06 . 2009-12-21 17:36 -------- d-----w- c:\programdata\avg9
2009-12-11 12:18 . 2009-12-11 12:18 -------- d-----w- c:\programdata\e9e676d
2009-12-09 23:34 . 2009-10-07 12:47 232960 ----a-w- c:\windows\system32\rastls.dll
2009-12-09 23:34 . 2009-10-07 12:47 274432 ----a-w- c:\windows\system32\raschap.dll
2009-12-04 14:03 . 2009-12-04 14:03 251376 ----a-w- c:\users\Nichole\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2009-12-04 06:08 . 2009-12-04 06:08 764168 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-11-29 02:54 . 2009-12-20 09:42 439816 ----a-w- c:\users\Nichole\AppData\Roaming\Real\Update\setup3.09\setup.exe
2009-11-27 09:18 . 2009-10-29 07:59 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-25 13:10 . 2009-11-25 13:10 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-11-25 13:10 . 2009-11-25 13:10 286720 ------w- c:\windows\Setup1.exe
2009-11-25 08:14 . 2009-08-10 13:05 2048 ----a-w- c:\windows\system32\msxml6r.dll
2009-11-25 08:14 . 2009-08-10 13:05 1406464 ----a-w- c:\windows\system32\msxml6.dll
2009-11-25 08:14 . 2009-08-10 13:05 2048 ----a-w- c:\windows\system32\msxml3r.dll
2009-11-25 08:14 . 2009-08-10 13:05 1260032 ----a-w- c:\windows\system32\msxml3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-23 11:41 . 2008-06-26 21:21 1356 ----a-w- c:\users\Nichole\AppData\Local\d3d9caps.dat
2009-12-19 03:19 . 2009-07-19 04:06 -------- d-----w- c:\users\Nichole\AppData\Roaming\Skype
2009-12-18 20:04 . 2009-07-19 04:08 -------- d-----w- c:\users\Nichole\AppData\Roaming\skypePM
2009-12-18 11:04 . 2008-03-04 04:56 107336 ----a-w- c:\users\Nichole\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-18 04:37 . 2007-12-04 06:53 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-16 13:14 . 2008-02-14 00:02 308248 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-12-15 19:55 . 2008-10-21 11:17 -------- d-sh--w- c:\program files\AKProg
2009-12-15 19:21 . 2008-10-26 19:40 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-15 19:17 . 2008-10-26 19:40 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-12-13 21:33 . 2008-05-27 03:54 -------- d-----w- c:\programdata\Lavasoft
2009-12-11 13:09 . 2008-10-26 19:42 -------- d-----w- c:\programdata\avg8
2009-12-11 13:09 . 2009-04-01 02:02 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-11 13:09 . 2008-10-26 19:42 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-11 13:09 . 2008-10-26 19:42 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-11 13:09 . 2008-10-26 19:42 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-12-11 13:06 . 2008-10-26 19:42 -------- d-----w- c:\program files\AVG
2009-12-11 00:39 . 2008-03-28 15:53 -------- d-----w- c:\users\Nichole\AppData\Roaming\LimeWire
2009-12-10 07:04 . 2008-03-07 01:45 -------- d-----w- c:\programdata\Microsoft Help
2009-12-05 01:33 . 2008-06-21 01:54 1 ----a-w- c:\users\Nichole\AppData\Roaming\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-12-05 01:33 . 2008-06-21 01:53 -------- d-----w- c:\users\Nichole\AppData\Roaming\OpenOffice.org2
2009-12-01 20:39 . 2009-08-08 01:14 -------- d-----w- c:\program files\Google
2009-11-10 04:29 . 2009-11-10 04:29 -------- d-----w- c:\program files\Microsoft
2009-11-03 00:42 . 2009-10-04 13:20 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-02 02:53 . 2008-12-22 17:54 -------- d-----w- c:\program files\Audible
2009-11-01 15:46 . 2008-03-04 04:48 -------- d-----w- c:\program files\Microsoft Works
2009-10-27 15:05 . 2009-12-09 23:35 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-27 15:01 . 2009-12-09 23:35 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-10-27 15:01 . 2009-12-09 23:35 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-27 15:01 . 2009-12-09 23:35 52736 ----a-w- c:\windows\AppPatch\iebrshim.dll
2009-10-27 14:59 . 2009-12-09 23:35 72704 ----a-w- c:\windows\system32\admparse.dll
2009-10-27 12:27 . 2009-12-09 23:35 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-10-27 10:56 . 2009-12-09 23:35 48128 ----a-w- c:\windows\system32\mshtmler.dll
2007-08-25 02:52 . 2008-03-20 10:16 300400 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-12-21_18.20.07 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-26 04:02 . 2009-12-15 20:03 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-11-26 04:02 . 2009-12-22 15:00 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-11-26 04:02 . 2009-12-15 20:03 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-26 04:02 . 2009-12-22 15:00 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-26 04:02 . 2009-12-15 20:03 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-11-26 04:02 . 2009-12-22 15:00 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-12-21 17:39 . 2009-12-21 17:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-12-23 08:25 . 2009-12-23 08:25 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-12-23 08:25 . 2009-12-23 08:25 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-12-21 17:39 . 2009-12-21 17:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Nichole^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Get 2 FREE Audiobooks.lnk]
path=c:\users\Nichole\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Get 2 FREE Audiobooks.lnk
backup=c:\windows\pss\Get 2 FREE Audiobooks.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Nichole^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\users\Nichole\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 08:06 40048 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-10-25 08:44 212992 ----a-w- c:\program files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
2009-12-12 06:45 2033432 ----a-w- c:\progra~1\AVG\AVG9\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2006-11-02 12:35 125440 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-09-23 23:13 133104 ----atw- c:\users\Nichole\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\users\Nichole\AppData\Roaming\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-01-02 21:06 166424 ----a-w- c:\windows\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2007-10-03 23:15 480560 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-10-03 23:44 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-01-02 21:07 141848 ----a-w- c:\windows\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-02-20 17:22 4363504 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 20:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-01-02 21:07 133656 ----a-w- c:\windows\System32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2007-10-01 03:34 181544 ----a-w- c:\program files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-02-01 03:13 385024 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2008-03-05 11:46 1232896 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 07:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-04-02 23:53 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
2007-09-14 00:32 222504 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2007-12-04 07:15 1006264 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-11-02 12:36 201728 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2009-02-20 17:22 4363504 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{0228e555-4f9c-4e35-a3ec-b109a192b4c2}]
2005-07-15 21:48 479232 ----a-w- c:\program files\Google\Gmail Notifier\gnotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [13/12/2009 5:35 PM 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [26/10/2008 3:42 PM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [31/03/2009 10:02 PM 360584]
S3 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [11/12/2009 9:07 AM 906520]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\System32\drivers\mbamswissarmy.sys [17/12/2009 5:18 PM 38224]
S4 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/12/2009 9:06 AM 285392]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [02/12/2009 9:19 AM 1181328]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - LAVASOFT_AD-AWARE_SERVICE
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Nichole\AppData\Roaming\Mozilla\Firefox\Profiles\37flfpuk.default\
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\users\Nichole\AppData\Roaming\Mozilla\Firefox\Profiles\37flfpuk.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\users\Nichole\AppData\Local\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\users\Nichole\AppData\Roaming\Mozilla\Firefox\Profiles\37flfpuk.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\users\Nichole\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-23 09:32
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-12-23 09:35:45
ComboFix-quarantined-files.txt 2009-12-23 13:35
ComboFix2.txt 2009-12-21 18:22
ComboFix3.txt 2009-12-21 10:17

Pre-Run: 165,957,074,944 bytes free
Post-Run: 165,935,640,576 bytes free

- - End Of File - - 612E6D9D0B72C7E54B46B4FF543D4588

Kapersky Report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, December 23, 2009
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit (build 6000)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, December 23, 2009 11:16:14
Records in database: 3402569
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 150714
Threats found: 3
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 03:40:40


File name / Threat / Threats count
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
C:\Qoobox\Quarantine\C\Windows\System32\drivers\iaStor.sys.vir Infected: Rootkit.Win32.TDSS.y 1
C:\Qoobox\Quarantine\C\Windows\System32\qtplugin.exe.vir Infected: Trojan-Downloader.Win32.Piker.sx 1

Selected area has been scanned.

New HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:10:25 PM, on 23/12/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Nichole\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Users\Nichole\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Users\Nichole\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe

--
End of file - 3802 bytes

Thanks again for all of your help, especially considering the holiday that is upon us. I understand if you can't dedicate much time to this right now - I have an uninfected PC that runs on Linux, so it's certainly not an inconvenience to me.

Nichole
Nichole
Active Member
 
Posts: 6
Joined: December 17th, 2009, 5:47 pm

Re: Generic Trojan / LuxuryLink Popups and redirects

Unread postby Axephilic » December 23rd, 2009, 3:17 pm

Hi, I'm online everyday no matter what holiday it is. ;)

Fix HijackThis lines

  • Run HijackThis!
  • Click on Do a System Scan only
  • Place a tick next to the following lines:

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
Close all open windows and click on Fix checked and when you get a popup window click on Yes.

Run JavaRa

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.

Then download and install Java Runtime Environment (JRE) 6 Update 17 following the instructions below:
  • Go to Java Runtime Environment (JRE) 6 Update 17 and click on Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u17-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer

Update your Adobe Reader
Your version of Adobe Reader is old and may contain security leaks. Please first uninstall the older version, then download and install the newest version from here.

Please post a new HijackThis log.

My antivirus (AVG) is continually quarantining what appears to be the same trojan. The name of the trojan varies every few reboots, usually switching the number '7' to '15'. Currently, it looks like this:

"Infection";"Trojan horse PSW.Generic7.RAZ";"C:\Windows\System32\mscuncerp.dll";"";"17/12/2009, 5:32:59 PM"

I'm also receiving random redirects, usually to the 'LuxuryLink' network, and I've ran Spybot & AdAware with no success.


Is any of that still happening?

Regards,
Adam
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Generic Trojan / LuxuryLink Popups and redirects

Unread postby Nichole » December 23rd, 2009, 4:42 pm

Here's the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:37:35 PM, on 23/12/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\NOS\bin\getPlusPlus_Adobe.exe
C:\Windows\system32\DllHost.exe
C:\Users\Nichole\Desktop\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe

--
End of file - 3569 bytes


Did you need me to post the JavaRa log, too? I'll wait until you advise.

AVG is not detecting anything at all, and the browser redirects seem to be eliminated, too - I can even search 'antispyware' without being redirected to a spoof site, so that seems like a good indicator. :)

Nichole
Nichole
Active Member
 
Posts: 6
Joined: December 17th, 2009, 5:47 pm

Re: Generic Trojan / LuxuryLink Popups and redirects

Unread postby Axephilic » December 24th, 2009, 12:14 pm

Did you need me to post the JavaRa log, too? I'll wait until you advise.

No, that's alright. I can see you installed the latest java from your HJT log.

Congratulations, you are now all clean! To help to prevent from becoming reinfected, please follow the instructions below in order. If you have any questions, please feel free to ask them. If after 48 hours you have not responded to this, then I will assume you have no questions and have the topic closed.

First, lets uninstall ComboFix:

  • Click START then RUN
  • Now type Combofix /u in the runbox and click Ok

You may now also delete any logs or tools I had you download.

Flush the system restore points

  1. Right click on My Computer and select Properties.
  2. Select the System Restore tab.
  3. Check (tick) Turn off system restore on all drives box.
  4. Click Apply.
  5. Uncheck (untick) Turn off system restore on all drives box.
  6. Click OK.
  7. Restart your computer.
Note: Do this only ONCE, don't flush it regularly.

Keep your system updated

Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Please ensure that you visit the following websites regularly or do update your system regularly.

Install the updates immediately if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.

Microsoft Update

I also recommend, if it's not already on, to enable Automatic updates. It will notify you whenever there are new updates available. Here's how:

  1. Go to Start > Control Panel > Automatic Updates
  2. Select Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
  3. Select Download updates for me, but let me chose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.
  4. Select Notify me but don't automatically download or install them radio button if you want to be notified of the updates.

Besides Windows that needs regular updating, antivirus, anti-spyware and firewall programs update regularly too.

Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.

Surf safely

Using Firefox with NoScript add-on helps to prevent most exploits from running as NoScript by default disables all scripts on all websites. If you trust the website, you can manually allow it.

Backup regularly

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft article to learn how to backup. Follow this article by Microsoft to restore your backups.

Alternatively, you can use 3rd-party programs to back up your data. One example can be found at Bleeping Computer.

Avoid P2P

P2P may be a great way to get lots of stuffs, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. If you do need to use them, use them sparingly. Check this list of clean and infected P2P programs if you need to use one.

Prevent a re-infection

  1. Winpatrol
    Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  2. Hosts File
    A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

    Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

    Here are some Hosts files:

    MVPS Hosts File
    Bluetack's Hosts File
    Bluetack's Host Manager
    hpHosts

    A tutorial about Hosts File can be found at Malware Removal.

  3. Spybot Search and Destroy
    Spybot Search & Destroy is another program for scanning spywares and adwares. Not only so, it has other preventive options as well. You are strongly encouraged to run a scan at least once per week.

    Spybot Search & Destroy can be downloaded from here.

    If you need help in using Spybot Search & Destroy, you can read Spybot Search and Destroy tutorial at Bleeping Computer.

    Before downloading any anti-spyware programs, always check the Rogue/Suspect list of anti-spyware programs and Malwarebytes RogueNET. This will save you from a lot of trouble. If in doubt, don't ever download it.

  4. SiteHound Toolbar
    SiteHound is a toolbar that warns you if you go to a site that is known to scam people, that has potentially lots of viruses or spywares or has questionable contents. If you know the site, you can enter it; if you don't, it will bring you back to the previous page. Currently, SiteHound works for Internet Explorer and Firefox only.


Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Happy surfing and stay clean!

Regards,
Adam
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Generic Trojan / LuxuryLink Popups and redirects

Unread postby NonSuch » December 27th, 2009, 10:40 pm

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 201 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware