[Resolved] Need help again, nasty attacks


  • This topic is locked
85 replies to this topic

#1 coastalbuck

    Authentic Member
    68 posts

Posted 05 October 2009 - 04:28 PM

I've gotten help here before and it's much appreciated. This time I can barely use the machine for all the attacks and browser starts. I have run Malwarebytes numerous times, it always finds some stuff and removes it but the attacks continue. AVG likewise finds Trojans and heur viruses and says it removes them but nothing stops. When using Firefox, several IE explorer windows will pop up and try to load ad sites. Sometimes, Firefox itself will try to load a new tab. The sites are betting, virus, google related. I always stop them asap but sometimes the machine just locks up. I'd appreciate any help. Thanks in advance. Hijack this log follows.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:19:04 PM, on 10/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\bwgo00067ded.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.buckeyeplanet.com/forum/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [A00F2120B6.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\_A00F2120B6.exe
O4 - HKCU\..\Run: [A00F1556A96.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\_A00F1556A96.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://wavenet.administrative.hgtc.edu
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...t/PCPitStop.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1165073630062
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\eapsvc32.dll
O20 - Winlogon Notify: 6c44b700684 - C:\WINDOWS\System32\eapsvc32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: __c0021B88 - C:\WINDOWS\system32\__c0021B88.dat
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
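A first triage pass over a log in this HijackThis format, as an added example that is not part of the original post and not HijackThis code: it encodes the checks a helper applies by eye to the R/O sections (autoruns started from a Temp folder, Winlogon Notify and AppInit_DLLs entries with machine-generated names, nameless BHOs) and runs them over a constructed subset of the lines above. The regexes, the `looks_random` heuristic and the sample selection are this example's own assumptions.

```python
"""Triage helper for HijackThis-style log lines (added example; not part of
the original post and not HijackThis code). A hit means "look at this entry",
not "this is malware": it is a review aid, not a verdict."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the lines from the posted log.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [A00F2120B6.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\_A00F2120B6.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\eapsvc32.dll
O20 - Winlogon Notify: 6c44b700684 - C:\WINDOWS\System32\eapsvc32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: __c0021B88 - C:\WINDOWS\system32\__c0021B88.dat
"""

ENTRY_RE = re.compile(r"^(?P<sec>[OR]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<path>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
# Executables started from a user's Temp folder (8.3 or long path form).
TEMP_RE = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
# Machine-generated-looking names: optional underscores, optional "c",
# then a run of hex digits (A00F2120B6, 6c44b700684, __c0021B88).
RANDOM_RE = re.compile(r"^_*c?[0-9A-Fa-f]{7,}$")


@dataclass
class Finding:
    section: str              # HJT section tag, e.g. "O4" or "O20"
    line: str                 # the original log line
    reasons: list[str] = field(default_factory=list)


def looks_random(name: str) -> bool:
    """True for names such as A00F2120B6.exe or __c0021B88, False for
    ordinary vendor names such as avgrsstarter."""
    stem = name.rsplit(".", 1)[0] if "." in name else name
    return RANDOM_RE.match(stem) is not None


def check_entry(sec: str, body: str) -> list[str]:
    """Return the reasons (possibly none) why one log entry deserves a look."""
    reasons: list[str] = []
    if sec == "O4" and (run := RUN_RE.match(body)):
        if TEMP_RE.search(run.group("cmd")):
            reasons.append("autorun starts from a Temp folder")
        if looks_random(run.group("name")):
            reasons.append("autorun value name looks machine-generated")
    elif sec == "O20":
        if (app := APPINIT_RE.match(body)) and app.group("path").strip():
            reasons.append("AppInit_DLLs is set; the DLL is loaded into every user32 process")
        elif notify := NOTIFY_RE.match(body):
            if looks_random(notify.group("name")):
                reasons.append("Winlogon Notify package name looks machine-generated")
            if notify.group("path").lower().endswith(".dat"):
                reasons.append("Winlogon Notify loads a .dat rather than a .dll")
    elif sec == "O2" and (bho := BHO_RE.match(body)):
        # A nameless BHO is only a prompt to verify the DLL: the mnyside.dll
        # entry in the sample belongs to Microsoft Money, which is installed.
        if bho.group("name") == "(no name)":
            reasons.append("BHO registered without a name; verify the DLL's publisher")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Run check_entry over every R/O line and collect the hits."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = ENTRY_RE.match(line)
        if not entry:
            continue
        reasons = check_entry(entry.group("sec"), entry.group("body"))
        if reasons:
            findings.append(Finding(entry.group("sec"), line, reasons))
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit.section}: {hit.line}")
        for reason in hit.reasons:
            print(f"    - {reason}")
```

On the sample it flags five entries (the Temp autorun, the AppInit_DLLs line, the two odd Winlogon Notify packages and the nameless BHO) and leaves the AVG and Adobe entries alone.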



#2 Noviciate

    Retired WTT Teacher
    Visiting Fellow
    2,907 posts

Posted 07 October 2009 - 03:28 PM

Due, in part, to the large numbers of HJT logs being posted, there are four things that you need to be aware of.

1) If you have already posted this log at another forum, you need to post here that you have done so and this topic will be closed.
Multiple posting not only ties up valuable resources, but could also result in some unpleasant side-effects for your system if you follow two sets of instructions at the same time.
If, during research, an identical log is identified at another forum, this thread will be closed.

2) If you don't post a meaningful reply to any of my posts within five days, this thread will be closed. Due to limited free time I can only have so many open threads at any one time and if yours isn't active, somebody else's will be.
If, by omission, the thread hasn't been closed after five days and you post, it will just serve as a reminder to me to close it.
Please note that "I just dropped in to say Hi!" isn't a meaningful reply!

3) Malware removal is a tricky business, and malware writers don't tend to worry about the damage their creations do, so it is advisable to back-up all important files BEFORE we start. Although most cases have a successful conclusion, on occasion things don't go according to plan and it is better to be prepared for the worst.

4) Back-ups can get lost or damaged, so make two if the files are that important to you!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pay a visit to the Kaspersky Online Scanner 7 - I.E. is preferred for this scan.
  • Read the Information panel and then click Accept.
  • Allow the ActiveX download if necessary.
  • Both the anti-virus engine and database will need to be downloaded, which may take a little time.
  • Once this has been completed, select My Computer from the Scan section on the left hand side.
  • Put the kettle on!
  • Although it is recommended by Kaspersky that you should disable your anti-virus scanner before starting this scan, it should work OK with it still active - it does on my PC.
    Although you may find the scan speed increases if you carry out this step, I never like to disable my resident scanner while online, so I don't.
  • When the scan has completed, click View scan report at the bottom.
  • Click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save and pick a location for the file - the Desktop is always handy.
Copy and paste the report into your next reply along with a fresh HJT log, run in Normal Mode, and a description of how your PC is behaving.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download Sec-Info2.zip from here and save it to your Desktop. You will need to extract the file.

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


You should now see a folder with a file in it - double click Sec-info2.vbs to run it.
Once you have been informed that the script has completed, a text file called Sec-Info.txt should be created in the same folder - you may need to wait a couple of seconds for it to appear.
Please copy and paste the contents of the text file into your next reply and then you can delete both of the folders and their contents.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Run HJT and click on Open the Misc Tools section.
  • Click Open Uninstall Manager...
  • Click Save list... and save it to your Desktop.
  • Copy and paste the file uninstall_list.txt into your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download RootRepeal from one of the locations below and save it to your Desktop:
Location 1
Location 2
Location 3
  • Double click RootRepeal.exe to fire up the tool and OK any Windows confirmation if necessary.
  • Ensure that the Report Tab is selected at the bottom.
  • Click the Scan button, check ALL the boxes in the window that appears and then click OK.
  • Check the box next to your main hard drive - usually C: and click OK
  • Put the kettle on and perhaps open a packet of biscuits - the scan will take some time.
  • Once the scan has completed a Notepad window will open with the results in.
  • These results will also be saved to the root of your main drive as \RootRepeal report date time.txt
Let me have a copy of the contents in your next reply.
Death to the salad eaters!

#3 coastalbuck

    Authentic Member
    68 posts

Posted 11 October 2009 - 06:58 AM

After trying all week I cannot get IE to run the Kaspersky scan. If I follow the link provided, it says the key is expired and will not do the download. If I try to go to Kaspersky's site it won't even let me open the page, it redirects, opens new windows, or just says cannot connect after trying to restore the tabs a few times. How should I proceed? I was able to put the other tools on my desktop by downloading them to a flash drive on another computer and putting them on this one. Sorry it's taken so long, it's been a struggle. I removed 41 items with Malwarebytes yesterday morning just to get this far.

#4 Noviciate

    Retired WTT Teacher
    Visiting Fellow
    2,907 posts

Posted 11 October 2009 - 12:24 PM

Ignore that part and replace it with the following:

Pay a visit to the ESET Online Scanner - IE is preferred for this.
  • Click the ESET Online Scanner button, read the info in the new window, check the appropriate box and click Start.
  • Accept the ActiveX download, and allow it to install.
  • Once this has been completed, you will see the Computer Scan settings page - ensure that you uncheck the "Remove found threats" box and then click Start.
  • The virus signature database will now need to be downloaded, so don't forget to instruct your firewall to permit it if it asks.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.
Don't forget to post the rest of the information I asked for too. Also, I'd like the MBAM log that lists what was deleted:
Run MBAM and select the Logs Tab.
Each log has the time and date attached to it - let me have the one that identified whatever it was that you are referring to.
Death to the salad eaters!

#5 coastalbuck

    Authentic Member
    68 posts

Posted 12 October 2009 - 02:47 PM

OK, I've been able to do everything except the root repeal. It will not run, just gets stuck initializing, i've downloaded it twice from different locations and still cannot run it. Everything else follows, let me know what else I can do. Thanks. Uninstall list from HJT. ACDSee for PENTAX Ace Utilities Adobe AIR Adobe Flash Player 10 Plugin Adobe Media Player Adobe Media Player Adobe Reader 8.1.6 Adobe Shockwave Player 11.5 AGEIA PhysX v2.4.4 Apple Software Update AVG 8.5 Blackhawk Striker from Hewlett-Packard Desktops (remove only) Blasterball 2 from Hewlett-Packard Desktops (remove only) Blasterball 2 Remix from Hewlett-Packard Desktops (remove only) Bounce from Hewlett-Packard Desktops (remove only) Cannonballs from Hewlett-Packard Desktops (remove only) Championship Bass Critical Update for Windows Media Player 11 (KB959772) Crystal Maze from Hewlett-Packard Desktops (remove only) DivX DivX Content Uploader DivX Player DivX Web Player D-Link DMP-110 2.01.004 EA Network Play System Enhanced Multimedia Keyboard Solution ESET Online Scanner v3 Excavation from Hewlett-Packard Desktops (remove only) Five Card Frenzy from Hewlett-Packard Desktops (remove only) GdiplusUpgrade GemMaster 3 from Hewlett-Packard Desktops (remove only) GoldWave v4.26 Google Earth Google Gmail Notifier Google Video Player GSpot Codec Information Appliance HijackThis 2.0.2 Honeycombs from Hewlett-Packard Desktops (remove only) Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595) Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484) Hotfix for Windows Internet Explorer 7 (KB947864) Hotfix for Windows Media Format 11 SDK (KB929399) Hotfix for Windows Media Player 11 (KB939683) Hotfix for Windows XP (KB952287) Hotfix for Windows XP (KB961118) Hotfix for Windows XP (KB970653-v3) HP Deskjet Preloaded Printer Drivers hp instant support HP Organize HP Photo & Imaging 3.0 HP Photo and Imaging 2.0 - All-in-One HP Photo and Imaging 2.0 - All-in-One Drivers HP Photo and Imaging 2.0 - hp psc 1200 
series HP Photo and Imaging 2.0 - hp psc 2200 series HP Photo and Imaging 2.0 - Photosmart Cameras hp psc 1200 series hp psc 2200 series HP Update HPImageZone Impossible Golf Indeo« software InfraRecorder Intel® Extreme Graphics Driver IntelliMover Data Transfer Demo Java DB 10.3.1.4 Java™ 6 Update 14 Java™ 6 Update 6 Java™ 6 Update 7 Java™ SE Development Kit 6 Update 6 JFK Reloaded 1.1 LimeWire 5.1.2 Liv Tyler LiveReg (Symantec Corporation) LiveUpdate 1.80 (Symantec Corporation) Malwarebytes' Anti-Malware Mars Rover from Hewlett-Packard Desktops (remove only) Marx Brothers Screen Saver Media Manager for WALKMAN 1.2 Memories Disc Creator 2.0 Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Hotfix (KB928366) Microsoft .NET Framework 2.0 Service Pack 2 Microsoft .NET Framework 3.0 Service Pack 2 Microsoft .NET Framework 3.5 SP1 Microsoft .NET Framework 3.5 SP1 Microsoft Compression Client Pack 1.0 for Windows XP Microsoft Data Access Components KB870669 Microsoft Internationalized Domain Names Mitigation APIs Microsoft Money 2003 Microsoft Money 2003 System Pack Microsoft National Language Support Downlevel APIs Microsoft Office 2000 SR-1 Premium Microsoft Plus! 
Digital Media Edition Microsoft Silverlight Microsoft User-Mode Driver Framework Feature Pack 1.0 Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 Microsoft Visual C++ 2005 Redistributable Microsoft Visual J# .NET Redistributable Package 1.1 Microsoft Works 7.0 Monty Python Screen Saver Mozilla Firefox (3.5.3) MSN Music Assistant MSXML 4.0 SP2 (KB927978) MSXML 4.0 SP2 (KB936181) MSXML 4.0 SP2 (KB954430) Multimedia Card Reader MyDSC NASCAR Racing 1999 Edition NVIDIA Gart Driver NVIDIA Windows 2000/XP Display Drivers OmniPass OptiPix Pro Orbital from Hewlett-Packard Desktops (remove only) osu-fiesta-screensaver Otto from Hewlett-Packard Desktops (remove only) PC-Doctor for Windows Phoenix Assault from Hewlett-Packard Desktops (remove only) Photosmart 140,240,7200,7600,7700,7900 Series Pinball Master Polar Bowler from Hewlett-Packard Desktops (remove only) PS2 Python 2.2 combined Win32 extensions Python 2.2.1 Quicken 2003 New User Edition QuickTime RecordNow! S3Display S3Gamma2 S3Info2 S3Overlay Sarah Michelle Gellar Security Update for CAPICOM (KB931906) Security Update for CAPICOM (KB931906) Security Update for Step By Step Interactive Training (KB898458) Security Update for Step By Step Interactive Training (KB923723) Security Update for Windows Internet Explorer 7 (KB928090) Security Update for Windows Internet Explorer 7 (KB929969) Security Update for Windows Internet Explorer 7 (KB931768) Security Update for Windows Internet Explorer 7 (KB933566) Security Update for Windows Internet Explorer 7 (KB937143) Security Update for Windows Internet Explorer 7 (KB938127) Security Update for Windows Internet Explorer 7 (KB939653) Security Update for Windows Internet Explorer 7 (KB942615) Security Update for Windows Internet Explorer 7 (KB944533) Security Update for Windows Internet Explorer 7 (KB950759) Security Update for Windows Internet Explorer 7 (KB953838) Security Update for Windows Internet Explorer 7 (KB956390) Security Update for Windows 
Internet Explorer 7 (KB958215) Security Update for Windows Internet Explorer 7 (KB960714) Security Update for Windows Internet Explorer 7 (KB961260) Security Update for Windows Internet Explorer 7 (KB963027) Security Update for Windows Internet Explorer 8 (KB969897) Security Update for Windows Internet Explorer 8 (KB971961) Security Update for Windows Internet Explorer 8 (KB972260) Security Update for Windows Media Player (KB952069) Security Update for Windows Media Player (KB968816) Security Update for Windows Media Player (KB973540) Security Update for Windows Media Player 10 (KB911565) Security Update for Windows Media Player 10 (KB917734) Security Update for Windows Media Player 11 (KB936782) Security Update for Windows Media Player 11 (KB954154) Security Update for Windows XP (KB923561) Security Update for Windows XP (KB938464) Security Update for Windows XP (KB938464-v2) Security Update for Windows XP (KB941569) Security Update for Windows XP (KB946648) Security Update for Windows XP (KB950760) Security Update for Windows XP (KB950762) Security Update for Windows XP (KB950974) Security Update for Windows XP (KB951066) Security Update for Windows XP (KB951376) Security Update for Windows XP (KB951376-v2) Security Update for Windows XP (KB951698) Security Update for Windows XP (KB951748) Security Update for Windows XP (KB952004) Security Update for Windows XP (KB952954) Security Update for Windows XP (KB953839) Security Update for Windows XP (KB954211) Security Update for Windows XP (KB954459) Security Update for Windows XP (KB954600) Security Update for Windows XP (KB955069) Security Update for Windows XP (KB956391) Security Update for Windows XP (KB956572) Security Update for Windows XP (KB956744) Security Update for Windows XP (KB956802) Security Update for Windows XP (KB956803) Security Update for Windows XP (KB956841) Security Update for Windows XP (KB956844) Security Update for Windows XP (KB957095) Security Update for Windows XP (KB957097) Security 
Update for Windows XP (KB958644) Security Update for Windows XP (KB958687) Security Update for Windows XP (KB958690) Security Update for Windows XP (KB959426) Security Update for Windows XP (KB960225) Security Update for Windows XP (KB960715) Security Update for Windows XP (KB960803) Security Update for Windows XP (KB960859) Security Update for Windows XP (KB961371) Security Update for Windows XP (KB961373) Security Update for Windows XP (KB961501) Security Update for Windows XP (KB968537) Security Update for Windows XP (KB969898) Security Update for Windows XP (KB970238) Security Update for Windows XP (KB971557) Security Update for Windows XP (KB971633) Security Update for Windows XP (KB971657) Security Update for Windows XP (KB973346) Security Update for Windows XP (KB973354) Security Update for Windows XP (KB973507) Security Update for Windows XP (KB973869) Sierra Utilities Slyder from Hewlett-Packard Desktops (remove only) SMG 01 SopCast 1.1.2 STX from Hewlett-Packard Desktops (remove only) Super Granny from Hewlett-Packard Desktops (remove only) TaxCut Deluxe 2005 toolkit TurboTax Deluxe 2004 Unity Web Player Update for Microsoft .NET Framework 3.5 SP1 (KB963707) Update for Windows Internet Explorer 8 (KB971180) Update for Windows XP (KB951072-v2) Update for Windows XP (KB951978) Update for Windows XP (KB955839) Update for Windows XP (KB967715) Update for Windows XP (KB968389) Update for Windows XP (KB973815) Updates from HP Virtual Warfare from Hewlett-Packard Desktops (remove only) VLC media player 1.0.1 Weblink WexTech AnswerWorks WildTangent GameChannel (remove only) WildTangent Web Driver Windows Genuine Advantage v1.3.0254.0 Windows Internet Explorer 8 Windows Media Format 11 runtime Windows Media Format 11 runtime Windows Media Player 11 Windows Media Player 11 Windows Media Player Firefox Plugin Windows XP Service Pack 3 WinRAR archiver XviD MPEG-4 Video Codec Sec-info txt. 
~~~~~~~~~~~~~~~~~~~~~~~~ Company Name: AVG Technologies AV Name: AVG Anti-Virus Free Version Number: 8.5 On-Access Scanning Enabled: Yes Product up-to-date: Yes ~~~~~~~~~~~~~~~~~~~~~~~~ The Windows Firewall is enabled. ~~~~~~~~~~~~~~~~~~~~~~~~ The Security Center Anti-Virus Alerts are enabled. The Security Center Firewall Alerts are enabled. ~~~~~~~~~~~~~~~~~~~~~~~~ Number of Restore Points found: 54 ESET info C:\Documents and Settings\Owner\Desktop\good songs\bruce hornsby levitate live.au a variant of WMA/TrojanDownloader.GetCodec.gen trojan C:\Documents and Settings\Owner\Local Settings\Temp\10.tmp a variant of Win32/Kryptik.AJU trojan C:\Documents and Settings\Owner\Local Settings\Temp\11.tmp a variant of Win32/Kryptik.AJU trojan C:\Documents and Settings\Owner\Local Settings\Temp\12.tmp a variant of Win32/Kryptik.AJU trojan C:\Documents and Settings\Owner\Local Settings\Temp\16.tmp a variant of Win32/Kryptik.AJU trojan C:\Documents and Settings\Owner\Local Settings\Temp\19.tmp a variant of Win32/Kryptik.AJU trojan C:\Documents and Settings\Owner\Local Settings\Temp\1B.tmp a variant of Win32/Kryptik.AJU trojan C:\Documents and Settings\Owner\Local Settings\Temp\1C.tmp a variant of Win32/Kryptik.AJU trojan C:\Documents and Settings\Owner\Local Settings\Temp\2.tmp a variant of Win32/Kryptik.AJU trojan C:\Documents and Settings\Owner\Local Settings\Temp\20.tmp a variant of Win32/Kryptik.AJU trojan C:\Documents and Settings\Owner\Local Settings\Temp\23.tmp a variant of Win32/Kryptik.AJU trojan C:\Documents and Settings\Owner\Local Settings\Temp\24.tmp a variant of Win32/Kryptik.AJU trojan C:\Documents and Settings\Owner\Local Settings\Temp\3.tmp a variant of Win32/Kryptik.AJU trojan C:\Documents and Settings\Owner\Local Settings\Temp\4.tmp a variant of Win32/Kryptik.AJU trojan C:\Documents and Settings\Owner\Local Settings\Temp\5.tmp a variant of Win32/Kryptik.AJU trojan C:\Documents and Settings\Owner\Local Settings\Temp\6.tmp a variant of Win32/Kryptik.AJU trojan 
C:\Documents and Settings\Owner\Local Settings\Temp\8.tmp a variant of Win32/Kryptik.AJU trojan
C:\Documents and Settings\Owner\Local Settings\Temp\83.tmp a variant of Win32/Kryptik.AJU trojan
C:\Documents and Settings\Owner\Local Settings\Temp\94.tmp a variant of Win32/Kryptik.AJU trojan
C:\Documents and Settings\Owner\Local Settings\Temp\A.tmp a variant of Win32/Kryptik.AJU trojan
C:\Documents and Settings\Owner\Local Settings\Temp\B.tmp a variant of Win32/Kryptik.AJU trojan
C:\Documents and Settings\Owner\Local Settings\Temp\E.tmp a variant of Win32/Kryptik.AJU trojan
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe probably a variant of Win32/Agent trojan
C:\WINDOWS\system32\D4kKj.vbs VBS/Disabler.NAB trojan
C:\WINDOWS\system32\EyycGY2.vbs VBS/Disabler.NAB trojan
C:\WINDOWS\system32\goSaKxXdr3iqsLw.vbs VBS/Disabler.NAB trojan
C:\WINDOWS\system32\H8LFhA0.vbs VBS/Disabler.NAB trojan
C:\WINDOWS\system32\HH9IqE9Wd6SlR.vbs VBS/Disabler.NAB trojan
C:\WINDOWS\system32\JtZk9.vbs VBS/Disabler.NAB trojan
C:\WINDOWS\system32\kMDyFhc1ZoUeo.vbs VBS/Disabler.NAB trojan
C:\WINDOWS\system32\KOBZThQin5PQzJO.vbs VBS/Disabler.NAB trojan
C:\WINDOWS\system32\kRg4Frs.vbs VBS/Disabler.NAB trojan
C:\WINDOWS\system32\OTXs0EKjfs8pa22.vbs VBS/Disabler.NAB trojan
C:\WINDOWS\system32\qcBh4u4BVKBA8oV.vbs VBS/Disabler.NAB trojan
C:\WINDOWS\system32\QlfWtvfcd6rAA.vbs VBS/Disabler.NAB trojan
C:\WINDOWS\system32\QNM0Q.vbs VBS/Disabler.NAB trojan
C:\WINDOWS\system32\RGgg6EA.vbs VBS/Disabler.NAB trojan
C:\WINDOWS\system32\rXM46.vbs VBS/Disabler.NAB trojan
C:\WINDOWS\system32\vMaIVQ0P9FoOa.vbs VBS/Disabler.NAB trojan
C:\WINDOWS\system32\zt3Gsgyb7nef9Wz.vbs VBS/Disabler.NAB trojan
C:\WINDOWS\system32\__c009DCD2.dat a variant of Win32/Kryptik.AKJ trojan
C:\WINDOWS\system32\__c00B77DC.dat a variant of Win32/Kryptik.AKJ trojan
C:\WINDOWS\system32\LocalService\317.music.au a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\WINDOWS\system32\LocalService\318.music2.au a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\WINDOWS\system32\LocalService\319.music3.au a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\WINDOWS\system32\LocalService\320.music4.au a variant of WMA/TrojanDownloader.GetCodec.gen trojan

Mbam log 10-10

Malwarebytes' Anti-Malware 1.38
Database version: 2318
Windows 5.1.2600 Service Pack 3

10/10/2009 7:36:07 AM
mbam-log-2009-10-10 (07-36-07).txt

Scan type: Quick Scan
Objects scanned: 93379
Time elapsed: 23 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 3
Registry Values Infected: 11
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 25

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\__c0021B88.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c0079CB2.dat (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{03dc87ec-20c4-4b2d-a172-c5db8d522792} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{03dc87ec-20c4-4b2d-a172-c5db8d522792} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0021b88 (Trojan.Vundo) -> Delete on reboot.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00fb267e.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00fbc02d.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f1556a96.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f1733e64.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f10a23b6.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f2120b6.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f1bab11.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f1ac9d9.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00fb7bed1.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00fb2275c.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f15f94e.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ekfpixguid32.dll (Trojan.BHO.H) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\14.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\16.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\18.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\1E.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\E.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\F.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\_A00FBC02D.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\_A00F15F94E.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\_A00F1AC9D9.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\_A00FB2275C.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\_A00FB7BED1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dmocx32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dsound32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c0021B88.dat (Trojan.Vundo) -> Delete on reboot.
c:\WINDOWS\system32\__c0018D09.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\__c002C642.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\__c0035DE8.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\__c003B79C.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\__c0041E38.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\__c005EDF0.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\__c0079CB2.dat (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\__c00EAFB1.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\__c00F1E86.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\__c00F42C2.dat (Trojan.Agent) -> Quarantined and deleted successfully.

Thanks again
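An added example, not part of this thread and not Malwarebytes' own code: a small Python parser for detection lines of the shape shown in the MBAM log above (`<item> (<family>) -> <action>.`). It groups findings by family, lists what is still pending a reboot, and links each Winlogon\Notify entry to the detected module with the same stem, which is the pairing that keeps this kind of infection resident. The sample log below is constructed from entries in the posted log; the function names and the heuristics are the example's own assumptions.

```python
"""Summarise Malwarebytes' Anti-Malware 1.x detection lines (added example)."""
import re
from collections import Counter

# One detection line of a classic MBAM log:  <item> (<family>) -> <action>.
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
# Section headers such as "Files Infected:" (the summary counts carry a number and do not match).
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):\s*$")

# Constructed sample, shaped after the log posted in this thread.
SAMPLE_LOG = """\
Memory Modules Infected:
C:\\WINDOWS\\system32\\__c0021B88.dat (Trojan.Agent) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\__c0021b88 (Trojan.Vundo) -> Delete on reboot.
Registry Values Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\a00fb267e.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\a00f2120b6.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
Files Infected:
C:\\WINDOWS\\system32\\ekfpixguid32.dll (Trojan.BHO.H) -> Quarantined and deleted successfully.
c:\\WINDOWS\\system32\\__c0021B88.dat (Trojan.Vundo) -> Delete on reboot.
c:\\WINDOWS\\system32\\__c0018D09.dat (Trojan.Agent) -> Quarantined and deleted successfully.
"""


def parse_mbam(text):
    """Return one dict per detection: section, item, family, action."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious items detected)"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            findings.append({"section": section, **m.groupdict()})
    return findings


def summarise(findings):
    """Counts per family, items still pending reboot, and Run-key autostarts."""
    families = Counter(f["family"] for f in findings)
    # "Delete on reboot" means removal is not confirmed until the machine restarts.
    pending = sorted({f["item"].lower() for f in findings
                      if f["action"].startswith("Delete on reboot")})
    run_values = [f for f in findings if "\\CurrentVersion\\Run\\" in f["item"]]
    return {"families": families, "pending_reboot": pending, "run_values": run_values}


def winlogon_notify_links(findings):
    """Pair Winlogon\\Notify subkeys with detected modules of the same stem.

    A Notify entry named like a detected DLL/.dat is the loading point that
    keeps that module in memory; if either half survives, the pair returns.
    """
    stems = {}
    for f in findings:
        if f["section"] in ("Files Infected", "Memory Modules Infected"):
            stem = f["item"].rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
            stems.setdefault(stem, f["item"])
    links = []
    for f in findings:
        if "\\Winlogon\\Notify\\" in f["item"]:
            name = f["item"].rsplit("\\", 1)[-1].lower()
            if name in stems:
                links.append((f["item"], stems[name]))
    return links


if __name__ == "__main__":
    found = parse_mbam(SAMPLE_LOG)
    report = summarise(found)
    print("families:", dict(report["families"]))
    print("pending reboot:", report["pending_reboot"])
    print("notify <-> module:", winlogon_notify_links(found))
```

Running it on the constructed sample shows the same `__c0021B88.dat` turning up as a loaded module, as a file, and as the target of a Winlogon\Notify key, all marked "Delete on reboot", which is why a log full of "Quarantined and deleted successfully" lines is not by itself evidence that the machine is clean.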

#6 Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • 2,907 posts

Posted 12 October 2009 - 03:38 PM

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingc...to-use-combofix *
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Post a fresh HJT log as well.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!
Death to the salad eaters!

#7 coastalbuck

    Authentic Member

  • Authentic Member
  • 68 posts

Posted 14 October 2009 - 05:16 PM

OK. Finished the Combofix. Machine is still loggy and slow. AVG after I reactivated it is still catching things while online with firefox. No redirects as yet and no startups of IE like before. The Combofix log and a new HJT follow.

ComboFix 09-10-13.04 - Owner 10/14/2009 12:28.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.248.93 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\02000000b552e132684C.manifest
c:\documents and settings\Owner\Application Data\02000000b552e132684O.manifest
c:\documents and settings\Owner\Application Data\02000000b552e132684P.manifest
c:\documents and settings\Owner\Application Data\02000000b552e132684S.manifest
c:\windows\GnuHashes.ini
c:\windows\inf\dm.inf
c:\windows\inf\dm.PNF
c:\windows\Installer\115bc5.msi
c:\windows\Installer\128cb.msi
c:\windows\Installer\1dde406.msp
c:\windows\Installer\325d5f.msp
c:\windows\Installer\42acfe.msi
c:\windows\Installer\a1952c.msi
c:\windows\system32\__c009DCD2.dat
c:\windows\system32\__c00A0EF2.dat
c:\windows\system32\__c00B2AF6.dat
c:\windows\system32\__c00B77DC.dat
c:\windows\system32\__c00BB252.dat
c:\windows\system32\D4kKj.vbs
c:\windows\system32\DSPRPRES32.DLL
c:\windows\system32\EyycGY2.vbs
c:\windows\system32\goSaKxXdr3iqsLw.vbs
c:\windows\system32\GroupPolicy000.dat
c:\windows\system32\H8LFhA0.vbs
c:\windows\system32\HH9IqE9Wd6SlR.vbs
c:\windows\system32\iAlmcoin.dll
c:\windows\system32\JtZk9.vbs
c:\windows\system32\kMDyFhc1ZoUeo.vbs
c:\windows\system32\KOBZThQin5PQzJO.vbs
c:\windows\system32\kRg4Frs.vbs
c:\windows\system32\LocalService\313.crack.zip
c:\windows\system32\LocalService\313.crack.zip.kwd
c:\windows\system32\LocalService\314.keygen.zip
c:\windows\system32\LocalService\314.keygen.zip.kwd
c:\windows\system32\LocalService\315.serial.zip
c:\windows\system32\LocalService\315.serial.zip.kwd
c:\windows\system32\LocalService\316.setup.zip
c:\windows\system32\LocalService\316.setup.zip.kwd
c:\windows\system32\LocalService\317.music.au
c:\windows\system32\LocalService\317.music.au.kwd
c:\windows\system32\LocalService\318.music2.au
c:\windows\system32\LocalService\318.music2.au.kwd
c:\windows\system32\LocalService\319.music3.au
c:\windows\system32\LocalService\319.music3.au.kwd
c:\windows\system32\LocalService\320.music4.au
c:\windows\system32\LocalService\320.music4.au.kwd
c:\windows\system32\M2BIUTZ.vbs
c:\windows\system32\OTXs0EKjfs8pa22.vbs
c:\windows\system32\pOKMR.vbs
c:\windows\system32\ps2.bat
c:\windows\system32\qcBh4u4BVKBA8oV.vbs
c:\windows\system32\qdUVJ7TY1wBRzcv.vbs
c:\windows\system32\QlfWtvfcd6rAA.vbs
c:\windows\system32\QNM0Q.vbs
c:\windows\system32\RGgg6EA.vbs
c:\windows\system32\rXM46.vbs
c:\windows\system32\uninstall.exe
c:\windows\system32\vMaIVQ0P9FoOa.vbs
c:\windows\system32\zt3Gsgyb7nef9Wz.vbs
c:\windows\viassary-hp.reg
C:\xcrashdump.dat
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-09-14 to 2009-10-14 )))))))))))))))))))))))))))))))
.

2009-10-13 20:06 . 2009-10-13 20:06 116736 ----a-w- c:\windows\system32\dmcompos32.dll
2009-10-12 20:33 . 2009-10-12 20:33 116736 ----a-w- c:\windows\system32\csrsrv32.dll
2009-10-11 19:14 . 2009-10-11 19:14 -------- d-----w- c:\program files\ESET
2009-10-11 12:22 . 2009-10-11 12:22 116736 ----a-w- c:\windows\system32\d3dxof32.dll
2009-10-10 11:51 . 2009-10-10 11:51 116736 ----a-w- c:\windows\system32\extmgr32.dll
2009-10-09 23:45 . 2009-10-09 23:45 116736 ----a-w- c:\windows\system32\EXSEC3232.dll
2009-10-07 16:09 . 2009-10-14 16:47 -------- d-sh--w- c:\windows\system32\LocalService
2009-10-03 10:09 . 2009-10-03 10:09 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-14 15:41 . 2009-04-18 11:16 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-08 20:52 . 2009-07-01 17:25 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-10-04 23:09 . 2009-08-30 13:21 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2009-09-10 14:20 . 2009-03-21 02:47 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-23 13:52 . 2009-04-18 11:17 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-23 13:52 . 2009-04-18 11:17 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-23 13:52 . 2009-04-18 11:17 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-22 10:31 . 2003-08-23 14:12 33512 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-22 00:33 . 2009-08-22 00:33 -------- d-----w- c:\program files\MSBuild
2009-08-22 00:33 . 2009-08-22 00:33 -------- d-----w- c:\program files\Reference Assemblies
2009-08-06 23:24 . 2004-08-16 22:46 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2004-08-16 22:46 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2005-05-26 08:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2004-08-16 22:46 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2003-08-08 15:35 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2003-08-08 16:18 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2004-08-16 22:46 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2006-12-03 11:58 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2005-05-26 09:19 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2003-08-08 15:35 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2002-12-12 14:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2003-08-08 16:18 58880 ----a-w- c:\windows\system32\atl.dll
2006-05-06 16:42 . 2006-10-21 11:59 7260160 ----a-w- c:\program files\mozilla firefox\plugins\libvlc.dll
2004-02-15 18:11 . 2004-02-15 18:11 0 -csha-w- c:\windows\SMINST\HPCD.sys
2004-02-07 15:11 . 2004-02-07 15:03 56 --sh--r- c:\windows\system32\7616F2B6AF.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{03DC87EC-20C4-4B2D-A172-C5DB8D522792}]
2009-10-13 20:06 116736 ----a-w- c:\windows\system32\dmcompos32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-02 15:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"="c:\program files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe" [2003-06-22 24576]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"NVIEW"="nview.dll" - c:\windows\system32\nview.dll [2003-05-03 835654]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe" [2002-10-07 90112]
"HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-23 49152]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-23 483328]
"AutoTKit"="c:\hp\bin\AUTOTKIT.EXE" [2003-06-19 53248]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-05-03 4640768]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2003-08-09 139264]
"WT GameChannel"="c:\program files\WildTangent\Apps\GameChannel.exe" [2003-04-30 184784]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-05 2023704]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-05-03 323584]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2003-6-13 233472]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2002-12-2 147456]
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-12-2 323646]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2002-12-2 40960]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2002-9-20 53248]
Updates from HP.lnk - c:\program files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-8-23 16384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2003-02-21 10:50 40960 ----a-w- c:\program files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-23 13:52 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\wjview.exe"=
"c:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Sony\\Media Manager for WALKMAN\\MediaManager.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/18/2009 7:17 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/18/2009 7:17 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/18/2009 7:16 AM 297752]
S2 BULKUSB;D-Link DMP-110 NtJCMp3.Sys MP3 USB driver;c:\windows\system32\drivers\NtJCMp3.sys [11/9/2003 11:44 AM 16848]
S2 mrtRate;mrtRate; [x]
S3 papycpu;papycpu; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2004-06-17 c:\windows\Tasks\FRU Task 2002-12-03 04:38ewlett-Packard2002-12-03 04:38p psc 1200 series84887B468ABA3F57D76752217D5938688025EB21067084607.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-12-03 00:38]

2003-10-26 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-08-29 23:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.buckeyeplanet.com/forum/
uDefault_Search_URL = hxxp://ie.search.msn.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar =
uInternet Connection Wizard,ShellNext = hxxp://us9.hpwis.com/
uInternet Settings,ProxyOverride = localhost
Trusted Zone: hgtc.edu\wavenet.administrative
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\2fptymhg.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.buckeyeplanet.com/forum/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\2fptymhg.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Notify-6c44b700684 - c:\windows\System32\eapsvc32.dll
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard
AddRemove-HP Photo & Imaging - c:\program files\HP\Digital Imaging\uninstall\hpzscr01.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-14 12:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4288398171-590725597-836796748-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(524)
c:\program files\Softex\OmniPass\opxpgina.dll

- - - - - - - > 'explorer.exe'(2552)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe
c:\docume~1\Owner\LOCALS~1\Temp\bwgo0007149f.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
.
**************************************************************************
.
Completion time: 2009-10-14 13:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-14 17:11

Pre-Run: 18,412,363,776 bytes free
Post-Run: 18,714,972,160 bytes free

278 --- E O F --- 2009-10-01 23:35

and the HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:39:39 PM, on 10/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\bwgo0007149f.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.buckeyeplanet.com/forum/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: (no name) - {03DC87EC-20C4-4B2D-A172-C5DB8D522792} - C:\WINDOWS\System32\dmcompos32.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://wavenet.administrative.hgtc.edu
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...t/PCPitStop.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1165073630062
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset...lineScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 8231 bytes

As always, thanks for the assistance.
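An added example, not part of this thread and not ComboFix's own code: a Python triage helper for the "Files Created" section of a ComboFix log like the one above. It parses each `created . modified size attrs path` line and applies two heuristics that the posted log illustrates: several freshly created DLLs of identical size under system32 on consecutive days (the rotating dropper pattern, here five files of 116736 bytes), and directories created with both the hidden and system attributes. The sample lines are constructed from the posted log; the heuristics, thresholds and function names are the example's own assumptions and are hints for review, not signatures.

```python
"""Triage the 'Files Created' section of a ComboFix log (added example)."""
import re
from collections import defaultdict

# created . modified size attrs path   (size is "--------" for directories)
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$"
)

# Constructed sample, shaped after the log posted in this thread.
SAMPLE = """\
2009-10-13 20:06 . 2009-10-13 20:06 116736 ----a-w- c:\\windows\\system32\\dmcompos32.dll
2009-10-12 20:33 . 2009-10-12 20:33 116736 ----a-w- c:\\windows\\system32\\csrsrv32.dll
2009-10-11 19:14 . 2009-10-11 19:14 -------- d-----w- c:\\program files\\ESET
2009-10-11 12:22 . 2009-10-11 12:22 116736 ----a-w- c:\\windows\\system32\\d3dxof32.dll
2009-10-10 11:51 . 2009-10-10 11:51 116736 ----a-w- c:\\windows\\system32\\extmgr32.dll
2009-10-09 23:45 . 2009-10-09 23:45 116736 ----a-w- c:\\windows\\system32\\EXSEC3232.dll
2009-10-07 16:09 . 2009-10-14 16:47 -------- d-sh--w- c:\\windows\\system32\\LocalService
2009-10-03 10:09 . 2009-10-03 10:09 -------- d-sh--w- c:\\documents and settings\\Owner\\IECompatCache
"""


def parse_files_created(text):
    """Return one dict per parsable line with typed size and attribute flags."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["is_dir"] = e["attrs"].startswith("d")
        e["size"] = int(e["size"]) if e["size"].isdigit() else None
        # attribute string letters: d=dir, c, s=system, h=hidden, a=archive, r, w
        e["hidden_system"] = "s" in e["attrs"] and "h" in e["attrs"]
        entries.append(e)
    return entries


def same_size_clusters(entries, folder="\\windows\\system32\\", min_count=3):
    """Group files under `folder` by byte size; keep clusters of min_count or more.

    Identical-size binaries dropped on different days, each named after a real
    Windows component with '32' appended, is worth a second look even though
    every individual file name looks plausible.
    """
    by_size = defaultdict(list)
    for e in entries:
        if e["is_dir"] or e["size"] is None:
            continue
        if folder in e["path"].lower():
            by_size[e["size"]].append(e["path"])
    return {size: paths for size, paths in by_size.items() if len(paths) >= min_count}


def hidden_system_dirs(entries):
    """Directories created with both the hidden and system attributes set.

    A hint only: IECompatCache is a legitimate IE8 folder, while a hidden
    'LocalService' folder under system32 full of .zip and .au files is not.
    """
    return [e["path"] for e in entries if e["is_dir"] and e["hidden_system"]]


if __name__ == "__main__":
    rows = parse_files_created(SAMPLE)
    for size, paths in same_size_clusters(rows).items():
        print(f"{len(paths)} files of {size} bytes:")
        for p in paths:
            print("   ", p)
    print("hidden+system directories:", hidden_system_dirs(rows))
```

The same-size check is deliberately naive (it ignores the date spread and does not hash anything); its value is in pulling the five look-alike DLLs out of a list where each name on its own reads as a normal system component, so that they can be checked against the BHO entry in the Reg Loading Points section, which in the log above points at one of them.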

#8 Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • 2,907 posts

Posted 15 October 2009 - 02:10 PM

AVG after I reactivated it is still catching things while online with firefox.

Can you tell me exactly what is being detected?
Death to the salad eaters!

#9 coastalbuck

    Authentic Member

  • Authentic Member
  • 68 posts

Posted 15 October 2009 - 05:29 PM

No I can't, unless it creates a logfile I don't know where to find. Hasn't happened today though, and the machine has been online for a couple of hours. I'll try to keep it online some more tomorrow and see if anything pops up, I think I could copy and paste them if they do.

#10 Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • 2,907 posts

Posted 16 October 2009 - 01:40 PM

It's possible that AVG is just picking up the detritus that accumulates from surfing the internet. Let me know tomorrow whether it picks anything up and what, and also how the PC is generally behaving, and we'll take it from there.
Death to the salad eaters!

#11 coastalbuck

    Authentic Member

  • Authentic Member
  • 68 posts

Posted 17 October 2009 - 04:26 AM

Will do and thanks. It's Sat. so I can leave the machine up and online most of the day to see what shakes out; that can't be done during the week. I was able to determine what AVG is picking up on over and over again. Something called "Packed.DelfCrypt" and it's usually located in C:\WINDOWS\System32\eapsvc32.dll but not always. AVG has rung it up to the vault 60 plus times since Tuesday. One other thing I just discovered that you might find interesting. When doing a normal search on Google in the firefox toolbar everything seems normal, even the little green AVG icon after most sites that says they're safe. However, when you click on a link, it redirects to something off the wall. For example, I just searched for "Liberty ski slope" and received a list of results, one of which was the snowflex center in which I was interested. When I clicked it, it sent me to a site talking about insomnia????? I repeated the search with the same parameters on the AVG toolbar in Yahoo, mostly same results, and upon clicking, was sent to my intended target location with no problems. AVG resident came up with nothing during this process. Go figure....

Edited by coastalbuck, 17 October 2009 - 05:15 AM.


#12 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 18 October 2009 - 12:47 PM

Okey dokey. Navigate to C:\WINDOWS\System32\eapsvc32.dll, right click it and select Properties from the context menu - what information can you find out about the file that might point to what it is and who originally created it?
Death to the salad eaters!

#13 coastalbuck

coastalbuck

    Authentic Member

  • Authentic Member
  • PipPip
  • 68 posts

Posted 18 October 2009 - 03:26 PM

Looks like a Microsoft thing from 2008.

#14 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 18 October 2009 - 04:04 PM

I'd say it's a false-positive, but we'll take a peek anyway. Please go to Jotti's and click on the Browse... button at the top and navigate to the following file and then click on Submit:

C:\WINDOWS\System32\eapsvc32.dll

When all the scans have been completed, please copy and paste the results into your next reply.

If this site is busy, try VirusTotal: Click the Browse ... button, navigate to the file and double click it and then click the Send button.
Death to the salad eaters!

#15 coastalbuck

coastalbuck

    Authentic Member

  • Authentic Member
  • PipPip
  • 68 posts

Posted 18 October 2009 - 04:31 PM

Here's the scan for eapsvc.dll

[ArcaVir] 2009-10-18 Found nothing
[G DATA] 2009-10-18 Found nothing
[A-Squared] 2009-10-19 Found nothing
[Ikarus] 2009-10-18 Found nothing
[Avast! antivirus] 2009-10-18 Found nothing
[Kaspersky Anti-Virus] 2009-10-18 Found nothing
[Grisoft AVG Anti-Virus] 2009-10-18 Found nothing
[ESET NOD32] 2009-10-18 Found nothing
[Avira AntiVir] 2009-10-18 Found nothing
[Norman Virus Control] 2009-10-17 Found nothing
[Softwin BitDefender] 2009-10-18 Found nothing
[Panda Antivirus] 2009-10-18 Found nothing
[ClamAV] 2009-10-17 Found nothing
[Quick Heal] 2009-10-16 Found nothing
[CPsecure] 2009-10-18 Found nothing
[Sophos] 2009-10-18 Found nothing
[Dr.Web] 2009-10-18 Found nothing
[VirusBlokAda VBA32] 2009-10-18 Found nothing
[Frisk F-Prot Antivirus] 2009-10-18 Found nothing
[VirusBuster] 2009-10-18 Found nothing
[F-Secure Anti-Virus] 2009-10-18 Found nothing

I could not locate an eapsvc32.dll.
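A defender-side companion to the file check and multi-engine scan steps in the two posts above, as an added example that is not part of this thread and not code from Jotti's or VirusTotal: a small Python script that records the MD5/SHA-1/SHA-256 of the file actually submitted (so the eapsvc.dll versus eapsvc32.dll question in the post above can be settled by hash rather than by filename) and parses a pasted report into a per-engine summary. The first report text is the one pasted in the post above, with the trailing sentence left off; the second report, its engine names and its detection string are constructed for illustration, and the file path in the usage section is a placeholder.

```python
import hashlib
import re
from pathlib import Path

# One entry of a pasted multi-engine report looks like "[Engine] YYYY-MM-DD verdict".
# The verdict runs until the next "[Engine]" bracket or the end of the text.
ENTRY_RE = re.compile(
    r"\[(?P<engine>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<verdict>.+?)(?=\s*\[|\s*$)",
    re.S,
)

# Verdict string the report uses for a clean result (compared case-insensitively).
CLEAN_VERDICT = "found nothing"


def parse_report(text):
    """Split a flattened report into (engine, date, verdict) tuples."""
    return [
        (m["engine"].strip(), m["date"], m["verdict"].strip())
        for m in ENTRY_RE.finditer(text)
    ]


def summarize(entries):
    """Count clean engines and collect the engines that raised a detection."""
    flagged = {
        engine: verdict
        for engine, _, verdict in entries
        if verdict.lower() != CLEAN_VERDICT
    }
    return {
        "engines": len(entries),
        "clean": len(entries) - len(flagged),
        "flagged": flagged,
    }


def hashes_of(data):
    """MD5, SHA-1 and SHA-256 of the bytes; keep these with the scan result so
    everyone agrees on which file was actually submitted."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def hashes_of_file(path):
    """Same as hashes_of, reading the file at `path` (a placeholder in the usage below)."""
    return hashes_of(Path(path).read_bytes())


# Report pasted in post #15 of the thread (trailing prose sentence omitted).
REPORT_FROM_THREAD = (
    "[ArcaVir] 2009-10-18 Found nothing [G DATA] 2009-10-18 Found nothing "
    "[A-Squared] 2009-10-19 Found nothing [Ikarus] 2009-10-18 Found nothing "
    "[Avast! antivirus] 2009-10-18 Found nothing [Kaspersky Anti-Virus] 2009-10-18 Found nothing "
    "[Grisoft AVG Anti-Virus] 2009-10-18 Found nothing [ESET NOD32] 2009-10-18 Found nothing "
    "[Avira AntiVir] 2009-10-18 Found nothing [Norman Virus Control] 2009-10-17 Found nothing "
    "[Softwin BitDefender] 2009-10-18 Found nothing [Panda Antivirus] 2009-10-18 Found nothing "
    "[ClamAV] 2009-10-17 Found nothing [Quick Heal] 2009-10-16 Found nothing "
    "[CPsecure] 2009-10-18 Found nothing [Sophos] 2009-10-18 Found nothing "
    "[Dr.Web] 2009-10-18 Found nothing [VirusBlokAda VBA32] 2009-10-18 Found nothing "
    "[Frisk F-Prot Antivirus] 2009-10-18 Found nothing [VirusBuster] 2009-10-18 Found nothing "
    "[F-Secure Anti-Virus] 2009-10-18 Found nothing"
)

# Constructed report in the same layout, with one engine raising a detection.
# Engine names and the detection string are placeholders, not real results.
CONSTRUCTED_REPORT = (
    "[EngineA] 2009-10-18 Found nothing "
    "[EngineB] 2009-10-18 Found Example.Placeholder "
    "[EngineC] 2009-10-18 Found nothing"
)

if __name__ == "__main__":
    for label, report in (("thread", REPORT_FROM_THREAD), ("constructed", CONSTRUCTED_REPORT)):
        print(label, summarize(parse_report(report)))
    # Placeholder path: substitute the file that was actually uploaded.
    # print(hashes_of_file(r"C:\path\to\submitted\file.dll"))
```

Recording the hashes alongside the pasted report is the check a helper would want here: the post above says the file scanned was eapsvc.dll while the one AVG kept flagging was eapsvc32.dll, and a hash of the submitted file makes that distinction unambiguous whatever the filename says.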
