Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93104 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Closed] A nasty one.............


  • This topic is locked This topic is locked
5 replies to this topic

#1 jreamy4

jreamy4

    New Member

  • New Member
  • Pip
  • 3 posts

Posted 20 December 2007 - 09:56 AM

hey everyone

this is driving me crazy....any help would be be appreciated.....at least one of the problems is the bho divx entry, but i can't kill it or delete it.


Logfile of HijackThis v1.99.1
Scan saved at 10:20:28 AM, on 12/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Lexmark 8300 Series\lxcjmon.exe
C:\Program Files\Lexmark 8300 Series\ezprint.exe
C:\Program Files\QuickTime\qttask.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\lxcjcoms.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office10\MSACCESS.EXE
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: (no name) - {6D7E614A-74B3-4FF0-9E8E-3711F38BAEF2} - c:\windows\system32\divx_xx0ci.dll
O2 - BHO: (no name) - {8C4482B3-B67C-43B8-99D4-42A2A2406EAE} - C:\WINDOWS\system32\acledith.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [lxcjmon.exe] "C:\Program Files\Lexmark 8300 Series\lxcjmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 8300 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\sprt_ads.dll" DllStart
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.xdrive.co...stall/setup.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol....83/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol....,20/McGDMgr.cab
O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} (Lexmark eDiagnostics Class) - https://ediagnostics....com/serval.cab
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.co...NetOpPlugin.ocx
O20 - Winlogon Notify: jaokgihg - C:\WINDOWS\SYSTEM32\divx_xx0ci.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: lxcj_device - - C:\WINDOWS\system32\lxcjcoms.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    Advertisements

Register to Remove


#2 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 21 December 2007 - 04:34 PM

Hi jreamy4 and welcome to the forums.

My name is Dave. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can sometimes take a while to research so please be patient and I'd be grateful if you would note the following:
  • I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Please download ComboFix by sUBs from HERE or HERE
  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi


#3 jreamy4

jreamy4

    New Member

  • New Member
  • Pip
  • 3 posts

Posted 22 December 2007 - 10:54 AM

Hi,, Thanks for your help:

Combo fix Log:

ComboFix 07-12-21.4 - Administrator 2007-12-22 11:35:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.313 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\acledith.dll
C:\WINDOWS\system32\divx_xx0ci.dll
C:\WINDOWS\system32\drivers\qgktgafk.dat
C:\WINDOWS\system32\nsh1F3.dll
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\regscan.exe
C:\WINDOWS\system32\sprt_ads.dll
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_MRXICCRP
-------\LEGACY_POOF
-------\LEGACY_ZPQZSVPY
-------\mrxiccrp
-------\zpqzsvpy


((((((((((((((((((((((((( Files Created from 2007-11-22 to 2007-12-22 )))))))))))))))))))))))))))))))
.

2007-12-22 10:14 . 2007-12-22 11:24 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2007-12-22 09:48 . 2007-09-17 14:31 1,126,072 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2007-12-22 09:48 . 2007-03-07 22:19 288,848 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-12-22 09:48 . 2007-09-17 14:40 202,768 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-12-22 09:48 . 2007-03-07 22:19 111,888 --a------ C:\WINDOWS\system32\drivers\tm_mbd_c.sys
2007-12-22 09:48 . 2007-03-07 22:19 75,088 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2007-12-22 09:48 . 2007-09-17 14:40 35,856 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-12-22 09:47 . 2007-12-22 09:47 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-22 09:47 . 2007-12-22 09:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
2007-12-20 15:58 . 2007-12-20 16:02 <DIR> d-------- C:\Program Files\Trojan Guarder
2007-12-20 12:57 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-20 11:31 . 2007-12-20 11:31 <DIR> d-------- C:\Program Files\Opera
2007-12-18 09:54 . 2007-12-18 09:54 319,488 --a------ C:\WINDOWS\system32\dcads_sidebar.dll
2007-12-15 10:04 . 2007-12-20 10:49 77,360 --a------ C:\WINDOWS\system32\dcads_sidebar_uninstall.exe
2007-12-15 10:03 . 2007-12-17 21:39 80,097 --a------ C:\WINDOWS\system32\dcads-remove.exe
2007-12-15 10:03 . 2007-12-20 09:40 40,734 --a------ C:\WINDOWS\system32\superiorads-uninst.exe
2007-12-11 12:04 . 2007-12-11 12:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-12-11 12:04 . 2007-12-11 12:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Grisoft
2007-12-11 12:04 . 2007-12-11 12:04 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Grisoft
2007-12-11 12:04 . 2007-12-11 12:04 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Grisoft
2007-12-11 12:04 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-08 14:01 . 2007-12-08 14:01 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2007-12-08 14:01 . 2007-12-08 14:01 741,632 --a------ C:\WINDOWS\system32\aqtjlfli.dat
2007-12-08 14:01 . 2007-12-08 14:01 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2007-12-08 14:01 . 2007-12-18 14:42 42,240 --a------ C:\WINDOWS\system32\aadavihm.dat
2007-12-08 14:01 . 2007-12-14 14:32 36,096 --a------ C:\WINDOWS\system32\tmblslmp.dat
2007-12-08 14:01 . 2007-12-08 14:01 35,072 --a------ C:\WINDOWS\system32\pvsmzwhx.dat
2007-12-07 13:56 . 2007-12-21 14:51 120,576 --a------ C:\WINDOWS\system32\agevybov.dat
2007-12-07 13:49 . 2007-12-07 15:44 <DIR> d-------- C:\WINDOWS\system32\AppCert
2007-12-07 13:49 . 2007-12-12 14:21 83,968 --a------ C:\WINDOWS\system32\dxtzyg.bak
2007-12-07 13:48 . 2007-12-07 13:48 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-07 13:48 . 2007-12-07 13:48 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-01 12:32 . 2007-12-03 15:35 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-11-27 10:03 . 2007-12-15 10:03 <DIR> d-------- C:\Incomplete
2007-11-27 10:03 . 2007-12-20 11:20 <DIR> d-------- C:\download
2007-11-27 10:02 . 2007-11-27 10:02 <DIR> d-------- C:\Program Files\LimeWire
2007-11-27 10:02 . 2007-11-27 10:02 <DIR> d-------- C:\Documents and Settings\Administrator\Incomplete
2007-11-27 10:02 . 2007-12-15 09:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2007-11-27 10:02 . 2007-12-15 09:36 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\LimeWire
2007-11-27 10:02 . 2007-12-15 09:36 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\LimeWire
2007-11-26 11:59 . 2007-11-26 11:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Kazaa Lite
2007-11-26 11:59 . 2007-11-26 11:59 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Kazaa Lite
2007-11-26 11:59 . 2007-11-26 11:59 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Kazaa Lite

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-22 14:41 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-12-22 14:37 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee.com
2007-12-20 17:57 --------- d-----w C:\Program Files\Java
2007-12-18 17:27 --------- d-----w C:\Documents and Settings\Administrator\Application Data\eFax Messenger
2007-12-18 17:27 --------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\eFax Messenger
2007-12-18 17:27 --------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\eFax Messenger
2007-12-04 15:05 --------- d-----w C:\Documents and Settings\Administrator\Application Data\UseNeXT
2007-12-04 15:05 --------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\UseNeXT
2007-12-04 15:05 --------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\UseNeXT
2007-11-27 14:50 --------- d-----w C:\Program Files\Lx_cats
2007-11-27 14:49 --------- d-----w C:\Program Files\Morpheus
2007-11-15 19:21 --------- d-----w C:\Program Files\The Logo Creator v4
2007-11-02 05:51 --------- d-----w C:\Documents and Settings\Administrator\Application Data\BitTorrent
2007-11-02 05:51 --------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\BitTorrent
2007-11-02 05:51 --------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\BitTorrent
2007-10-29 16:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-29 16:43 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\BVRP Software
2007-10-29 16:00 --------- d-----w C:\Program Files\The Logo Creator v5
2007-09-13 19:42 16,752 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-09-13 19:42 16,752 ----a-w C:\DOCUME~1\ADMINI~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-09-13 19:42 16,752 ----a-w C:\DOCUME~1\ADMINI~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-08-23 13:59 92,064 ----a-w C:\Documents and Settings\Administrator\mqdmmdm.sys
2007-08-23 13:59 9,232 ----a-w C:\Documents and Settings\Administrator\mqdmmdfl.sys
2007-08-23 13:59 79,328 ----a-w C:\Documents and Settings\Administrator\mqdmserd.sys
2007-08-23 13:59 66,656 ----a-w C:\Documents and Settings\Administrator\mqdmbus.sys
2007-08-23 13:59 6,208 ----a-w C:\Documents and Settings\Administrator\mqdmcmnt.sys
2007-08-23 13:59 5,936 ----a-w C:\Documents and Settings\Administrator\mqdmwhnt.sys
2007-08-23 13:59 4,048 ----a-w C:\Documents and Settings\Administrator\mqdmcr.sys
2007-08-23 13:59 25,600 ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2007-08-23 13:59 22,768 ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
2006-03-28 14:54 826 --sh--r C:\WINDOWS\system32\Wnccdhlp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-03 14:56 C:\WINDOWS\system32\rundll32.exe]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 14:56]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2006-09-21 16:36]
"AOL Fast Start"="C:\Program Files\America Online 9.0\AOL.exe" [2005-07-12 00:17]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 14:56 C:\WINDOWS\system32\rundll32.exe]
"lxcjmon.exe"="C:\Program Files\Lexmark 8300 Series\lxcjmon.exe" [2005-09-30 10:49]
"EzPrint"="C:\Program Files\Lexmark 8300 Series\ezprint.exe" [2006-04-19 09:57]
"LXCJCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll" [2006-02-24 17:07]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-02-16 15:23]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-03-07 22:19]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" [2005-08-24 15:11]
"addon_ql"="C:\WINDOWS\system32\dgfix.exe" [2005-12-07 18:36]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="cmd.exe" [2004-08-03 14:56 C:\WINDOWS\system32\cmd.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-03 12:59]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Trojan Guarder.lnk - C:\Program Files\Trojan Guarder\Trojan Guarder.exe [2007-12-01 19:12:02]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"= 1 (0x1)
"NoRecentDocsMenu"= 1 (0x1)
"NoRecentDocsHistory"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"= 1 (0x1)
"NoRecentDocsMenu"= 1 (0x1)
"NoRecentDocsHistory"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
C:\Program Files\America Online 9.0\AOL.EXE -b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2004-10-20 08:40 34904 -ra------ C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 14:40 155648 --a------ C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StarzTray]
C:\Program Files\Vongo\VongoTray.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AOL Fast Start"="C:\Program Files\America Online 9.0\AOL.EXE" -b
"TaskSwitchXP"=C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
"AOLDialer"=C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
"SoundMan"=SOUNDMAN.EXE
"RealTray"=C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
"DataLayer"=C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
"PCSuiteTrayApplication"=C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
"AnyDVD"=C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe -k netsvcs []
S3 lgatbus;LG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\lgatbus.sys [2005-06-14 07:22]
S3 lgatmdm;LG CDMA USB Modem Drivers;C:\WINDOWS\system32\DRIVERS\lgatmdm.sys [2005-06-14 07:22]
S3 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);C:\WINDOWS\system32\DRIVERS\lgatserd.sys [2005-06-14 07:22]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2006-12-14 09:27]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-02-27 13:31]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8bb23ea-d3b5-11da-a29f-00038a000015}]
\Shell\AutoRun\command - H:\JDSecure\Windows\JDSecure31.exe

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-22 11:49:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\WindowsShell.Manifest 749 bytes
C:\WINDOWS\WindowsUpdate.log 2038189 bytes
C:\WINDOWS\winhelp.exe 256192 bytes
C:\WINDOWS\winhlp32.exe 283648 bytes executable
C:\WINDOWS\winnt.bmp 48680 bytes
C:\WINDOWS\winnt256.bmp 48680 bytes
C:\WINDOWS\WinSxS
C:\WINDOWS\WMFDist11.log 30649 bytes
C:\WINDOWS\wmp11.log 19859 bytes
C:\WINDOWS\wmsetup.log 29679 bytes
C:\WINDOWS\wmsetup10.log 2545 bytes
C:\WINDOWS\WMSysPr9.prx 316640 bytes
C:\WINDOWS\Wudf01000Inst.log 8882 bytes
C:\WINDOWS\xpsp1hfm.log 542 bytes
C:\WINDOWS\yacs.log 19230 bytes
C:\WINDOWS\Zapotec.bmp 9522 bytes
C:\WINDOWS\_default.pif 707 bytes

scan completed successfully
hidden files: 17

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2649]
-> C:\WINDOWS\system32\AppCert\prx93f.dll
.
Completion time: 2007-12-22 11:51:02 - machine was rebooted [Administrator]

Logfile of HijackThis v1.99.1
Scan saved at 11:53, on 12/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark 8300 Series\lxcjmon.exe
C:\Program Files\Lexmark 8300 Series\ezprint.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\WINDOWS\system32\lxcjcoms.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [lxcjmon.exe] "C:\Program Files\Lexmark 8300 Series\lxcjmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 8300 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Global Startup: Trojan Guarder.lnk = C:\Program Files\Trojan Guarder\Trojan Guarder.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.xdrive.co...stall/setup.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol....83/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol....,20/McGDMgr.cab
O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} (Lexmark eDiagnostics Class) - https://ediagnostics....com/serval.cab
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.co...NetOpPlugin.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: lxcj_device - - C:\WINDOWS\system32\lxcjcoms.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


New Hijackthis log:

#4 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 22 December 2007 - 12:13 PM

Looking better, how's it running?

Use Windows Explorer to delete these files if present:

C:\WINDOWS\system32\dcads_sidebar.dll
C:\WINDOWS\system32\dcads_sidebar_uninstall.exe
C:\WINDOWS\system32\dcads-remove.exe
C:\WINDOWS\system32\superiorads-uninst.exe

Time for some scans I think. One thing I want to note is these infections appear to have come right after you started using some P2P/Torrent software. This is the #1 cause of Malware infections from what I see in these forums and you may want to reconsider using it.

Download the trial version of AVG Anti-Spyware from here and install it. When the program has been installed, and you click the Finish button, AVG Anti-Spyware will open.

If the program does not automatically update itself during installation, or you are unsure whether it has done so, please do the following:
  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
  • It is essential that you get the update - keep trying until successful. (Note: If you have problems getting the update, you can download an installer for the full database from here (save it on your desktop). Once you have downloaded the installer, make sure that AVG Anti-Spyware is closed and then double-click on avgas-signatures-full-current.exe to install the database).
Please set up the program as follows:
  • Click the Shield icon at the top and under Resident shield is... click active. This should now
    change to inactive.
  • Click the Update icon and untick the automatic update option.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
  • Under How to act? - make sure that Quarantine is selected.
  • Under How to scan? - All checkboxes should be ticked.
  • Under Possibly unwanted software - All checkboxes should be ticked.
  • Under Reports - Select Do not automatically generate reports.
  • Under What to scan? - Select Scan every file.
Close all open windows.



Please download ATF Cleaner here by Atribune. This program is for XP and Windows 2000 only.
It does not require any installation and uses minimal system resources. It is set up to clean IE, FireFox and Opera, and detects the browsers you have and grays out the other(s).
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Recommend UNCHECKING COOKIES if you rely on system remembered passwords.
  • Click the Empty Selected button.

    If you use Firefox browser
  • Click Firefox at the top and choose: Select All EXCEPT FIREFOX SAVED PASSWORDS
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser
  • Click Opera at the top and choose: Select All EXCEPT COOKIES AND SAVED PASSWORDS
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your cookies and saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


We Now Need To Boot Into Safemode Now

Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine,
amount of memory, hard drives installed etc (BOOT SCREEEN).
At this point you should gently tap the F8 key repeatedly until you are presented with a Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.


Run AVG


  • Click on Scanner on the toolbar.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
    • Make sure that Set all elements to: shows Quarantine
    • Important: Click on the Apply all Actions button This must done before saving the report
    • When the program has finished, it will display the message All actions have been applied.
    • Then click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
      Posted Image
  • Right-click the AVG Tray Icon and select Exit.
  • Now copy the report back to this topic.


Restart into normal mode and post the AVG Log and a new HJT Log. Also how are things now
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi


#5 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 28 December 2007 - 03:42 PM

Hi, Do you still need help here? Please let us know. Thanks, Dave
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi


#6 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 03 January 2008 - 08:15 PM

Due to inactivity this topic will be closed. If you need help please start a new thread and post a new HJT log
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users