AntiVirus 2010

Question

neiljo 0 Newbie Poster

14 Years Ago

Ok, so i recently got one of the variants of AntiVirus 2010, I think it was called Vista Security 2010. I ran the exe fix and then MBAM and it found 2 files which were removed and i havnt had the fake anti virus pop up since, my only problem now is my browsers are still being redirected which means there is still something lurking on my machine and i was hoping someone could help me find it, usually google searches about how to fix the problem. AVG also picks up the occasional trojan attempt which are probably from these sites i'm being redirected too. Any help is much appreciated.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 16:57:25, on 25/04/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\LG Soft India\forteManager\bin\Monitor.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox 3.5 Beta 4\firefox.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [cbssreg] C:\Windows\TEMP\fyud.tmp\svchost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [cbssreg] C:\Windows\TEMP\fyud.tmp\svchost.exe (User 'Default user')
O4 - Global Startup: forteManager.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9d4c33cae87c6) (gupdate1c9d4c33cae87c6) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

--
End of file - 3992 bytes

windows-virus

2 Contributors
19 Replies
118 Views
3 Days Discussion Span
Latest Post 13 Years Ago Latest Post by jholland1964

All 19 Replies

jholland1964 650 Posting Expert

14 Years Ago

ran the exe fix

What fix is that and where did you find it?

Post the MBA-M log so we can see what was removed. Your HJT log does show there are more infected files on there.

Also that version of HijackThis is not the most current version. Uninstall it. Use the newest version which is this one:
http://go.trendmicro.com/free-tools/hijackthis/HiJackThis.exe

Edited 14 Years Ago by jholland1964 because: n/a

jholland1964 650 Posting Expert

14 Years Ago

That scan was run on February 21st. The logs are listed by date with the most recent one at the bottom.
If this was the last scan you ran then it really is immaterial. You will have to begin the process again because nearly two months has passed and it is obvious your computer is still grossly infected. You need to update MBA-M as it has an entirely new version now. Do the full system scan again, remove all items found, reboot and do a new HJT scan with the new version of that program, not the one you used earlier. Post that log also and then we will go from there.

jholland1964 650 Posting Expert

14 Years Ago

Yeah that wasnt the last scan i did, didnt check the dates just clicked top one and assumed wrong. Updated HJT & MB & will post the logs once they've finished, sorry about this.

Not a problem. Post the scan results and I will take a look.

jholland1964 650 Posting Expert

14 Years Ago

Now please do the following:
Please Run the ESET Online Scanner and attach the ScanLog with your post for assistance.

* You will need to use Internet Explorer to to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.
Reboot the computer and do another HJT scan. Post the ESET log and the new HJT log.

jholland1964 650 Posting Expert

14 Years Ago

Please go to this site and upload the file noted below for scanning. Report back with the results

http://virusscan.jotti.org/en

C:\Windows\TEMP\fyud.tmp\svchost.exe

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

neiljo 0 Newbie Poster · Answer 1 · 2010-04-26T00:47:12+00:00

Edit: I think it was called Rkill, meant to stop certain processes that are running before i ran MBAM. Dont actually know why i said exefix, think i read about that somewhere else.

Think this is the right one.

Malwarebytes' Anti-Malware 1.44
Database version: 3769
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

21/02/2010 14:31:38
mbam-log-2010-02-21 (14-31-38).txt

Scan type: Full Scan (C:\|)
Objects scanned: 249121
Time elapsed: 45 minute(s), 49 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\Users\Neil\AppData\Local\av.exe (Rogue.MultipleAV) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Neil\AppData\Local\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
C:\Users\Neil\Local Settings\Application Data\av.exe (ROGUE.Win7Antispyware2010) -> Quarantined and deleted successfully.

neiljo 0 Newbie Poster · Answer 2 · 2010-04-26T02:02:31+00:00

Yeah that wasnt the last scan i did, didnt check the dates just clicked top one and assumed wrong. Updated HJT & MB & will post the logs once they've finished, sorry about this.

neiljo 0 Newbie Poster · Answer 3 · 2010-04-26T03:05:36+00:00

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

25/04/2010 21:57:40
mbam-log-2010-04-25 (21-57-40).txt

Scan type: Full scan (C:\|)
Objects scanned: 235026
Time elapsed: 58 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Windows\system32\config\systemprofile\AppData\Local\ave.exe" /START "C:\Program Files\Mozilla Firefox 3.5 Beta 4\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Windows\system32\config\systemprofile\AppData\Local\ave.exe" /START "C:\Program Files\Mozilla Firefox 3.5 Beta 4\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Neil\AppData\Local\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Neil\Downloads\Sony Vegas PRO 9.0 Build 562 32-64bit\Keygen.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
C:\Users\Neil\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
C:\Users\Neil\AppData\Local\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

and

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 22:05:26, on 25/04/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\LG Soft India\forteManager\bin\Monitor.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\Neil\Downloads\HiJackThis.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Mozilla Firefox 3.5 Beta 4\firefox.exe
C:\Windows\system32\NOTEPAD.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [cbssreg] C:\Windows\TEMP\fyud.tmp\svchost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [cbssreg] C:\Windows\TEMP\fyud.tmp\svchost.exe (User 'Default user')
O4 - Global Startup: forteManager.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9d4c33cae87c6) (gupdate1c9d4c33cae87c6) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

--
End of file - 3871 bytes

neiljo 0 Newbie Poster · Answer 4 · 2010-04-26T06:03:44+00:00

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=b764566dea43ee498ca86670b300a964
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-04-25 11:58:12
# local_time=2010-04-26 12:58:12 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 5543173 5543173 0 0
# compatibility_mode=5892 16776574 100 95 28776395 109767975 0 0
# compatibility_mode=8192 67108863 100 0 310 310 0 0
# scanned=140774
# found=1
# cleaned=1
# scan_time=4771
C:\Users\Neil\Incomplete\T-5113075-02 peter bjorn & john amsterdam.au a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C

and

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 01:04:44, on 26/04/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\LG Soft India\forteManager\bin\Monitor.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\Neil\Downloads\HiJackThis.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
C:\Program Files\Mozilla Firefox 3.5 Beta 4\firefox.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [cbssreg] C:\Windows\TEMP\fyud.tmp\svchost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [cbssreg] C:\Windows\TEMP\fyud.tmp\svchost.exe (User 'Default user')
O4 - Global Startup: forteManager.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9d4c33cae87c6) (gupdate1c9d4c33cae87c6) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

--
End of file - 3549 bytes

neiljo 0 Newbie Poster · Answer 5 · 2010-04-26T18:19:18+00:00

The file you told me to upload doesnt exist at that location. Searched for it manually and via search.

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 6 · 2010-04-26T19:48:27+00:00

Good. Then do the following;
Run HiJackThis again and this time place check marks next to the following entries if they still show:
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKUS\S-1-5-18\..\Run: [cbssreg] C:\Windows\TEMP\fyud.tmp\svchost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [cbssreg] C:\Windows\TEMP\fyud.tmp\svchost.exe (User 'Default user')
After you have placed those check marks click the Fix Checked button and then Exit HJT.
Reboot the system and run one more HJT scan and post that new log back here.

neiljo 0 Newbie Poster · Answer 7 · 2010-04-26T20:50:18+00:00

I did what you said and rebooted and it appears they're back, Trojan Remover is a program someone recommended to try and get rid of the problem but didnt.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 15:48:41, on 26/04/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\LG Soft India\forteManager\bin\Monitor.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox 3.5 Beta 4\firefox.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Users\Neil\Downloads\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [cbssreg] C:\Windows\TEMP\fyud.tmp\svchost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [cbssreg] C:\Windows\TEMP\fyud.tmp\svchost.exe (User 'Default user')
O4 - Global Startup: forteManager.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9d4c33cae87c6) (gupdate1c9d4c33cae87c6) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

--
End of file - 3533 bytes

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 8 · 2010-04-26T20:54:58+00:00

Ok, do the following:
Please download ComboFix by sUBs from HERE or HERE
· You must download it to and run it from your Desktop
· Physically disconnect from the internet.
· Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
· Double click combofix.exe & follow the prompts.
· When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
· Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

neiljo 0 Newbie Poster · Answer 9 · 2010-04-26T21:53:41+00:00

ComboFix 10-04-21.01 - Neil 26/04/2010 16:42:25.1.4 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.44.1033.18.3582.2666 [GMT 1:00]
Running from: c:\users\Neil\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-51003140-4199384537-3980697693-500
c:\users\Neil\AppData\Local\{2A7FF3AC-6B99-467B-B857-403D96EEB8DA}
c:\users\Neil\AppData\Local\{2A7FF3AC-6B99-467B-B857-403D96EEB8DA}\chrome\content\overlay.xul
c:\users\Neil\AppData\Local\{2A7FF3AC-6B99-467B-B857-403D96EEB8DA}\install.rdf

.
((((((((((((((((((((((((( Files Created from 2010-03-26 to 2010-04-26 )))))))))))))))))))))))))))))))
.

2010-04-26 15:49 . 2010-04-26 15:49 -------- d-----w- c:\users\Neil\AppData\Local\temp
2010-04-26 15:49 . 2010-04-26 15:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-25 22:33 . 2010-04-25 22:33 -------- d-----w- c:\program files\ESET
2010-04-25 15:03 . 2006-06-19 11:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-04-25 15:03 . 2006-05-25 13:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-04-25 15:03 . 2005-08-25 23:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-04-25 15:03 . 2003-02-02 18:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-04-25 15:03 . 2002-03-05 23:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-04-25 15:03 . 2010-04-25 15:03 -------- d-----w- c:\program files\Trojan Remover
2010-04-25 15:03 . 2010-04-25 15:03 -------- d-----w- c:\users\Neil\AppData\Roaming\Simply Super Software
2010-04-25 15:03 . 2010-04-25 15:03 -------- d-----w- c:\programdata\Simply Super Software
2010-04-24 05:55 . 2010-04-24 05:55 -------- d-----w- C:\$AVG
2010-04-23 10:42 . 2010-04-23 10:42 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-23 10:42 . 2010-04-23 10:42 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-23 10:42 . 2010-04-23 10:42 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-23 10:42 . 2010-04-26 12:16 -------- d-----w- c:\windows\system32\drivers\Avg
2010-04-23 10:42 . 2010-04-23 10:42 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-23 10:40 . 2010-04-24 06:13 -------- d-----w- c:\programdata\avg9
2010-04-23 01:28 . 2010-04-23 01:28 -------- d-----w- c:\users\Neil\AppData\Local\Apple
2010-04-22 23:48 . 2010-04-22 23:48 -------- d-----w- c:\users\Neil\AppData\Local\Apple Computer
2010-04-22 00:33 . 2010-04-12 16:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-22 00:22 . 2010-04-22 00:22 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-04-16 19:07 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-16 19:07 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-16 19:07 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-16 19:04 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-16 19:04 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-16 19:04 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-16 19:03 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-16 19:03 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-16 19:03 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-16 18:59 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-16 18:59 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-06 17:59 . 2010-04-22 00:55 -------- d-----w- c:\users\Neil\AppData\Roaming\DivX
2010-04-06 17:56 . 2010-04-06 17:57 986904 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-04-06 17:56 . 2010-04-25 22:20 -------- d-----w- c:\program files\DivX
2010-04-06 17:55 . 2010-04-22 00:21 -------- d-----w- c:\programdata\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-26 15:40 . 2009-08-19 16:21 32784 ----a-w- c:\programdata\nvModes.dat
2010-04-26 15:40 . 2009-04-16 17:09 -------- d-----w- c:\programdata\NVIDIA
2010-04-26 15:00 . 2010-02-15 19:09 -------- d-----w- c:\users\Neil\AppData\Roaming\Skype
2010-04-26 15:00 . 2010-02-15 19:12 -------- d-----w- c:\users\Neil\AppData\Roaming\skypePM
2010-04-25 22:20 . 2009-07-18 07:44 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-04-25 19:53 . 2010-02-21 13:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-25 19:50 . 2010-02-21 13:44 5918776 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-25 14:05 . 2009-05-03 20:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-24 06:12 . 2010-02-26 02:33 -------- d-----w- c:\program files\iTunes
2010-04-24 06:03 . 2009-12-26 19:03 -------- d-----w- c:\program files\QuickTime
2010-04-24 05:54 . 2010-04-23 14:12 112 ----a-w- c:\programdata\LS33v0k.dat
2010-04-23 14:36 . 2009-05-03 20:27 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-04-23 01:32 . 2009-04-17 12:30 -------- d-----w- c:\program files\Java
2010-04-23 01:32 . 2009-04-17 12:30 -------- d-----w- c:\program files\Common Files\Java
2010-04-22 00:41 . 2009-04-21 02:08 -------- d-----w- c:\program files\CCleaner
2010-04-21 14:52 . 2009-04-29 01:06 -------- d-----w- c:\program files\Mozilla Firefox 3.5 Beta 4
2010-04-19 15:52 . 2010-02-20 19:07 -------- d-----w- c:\program files\Steam
2010-04-18 13:24 . 2009-04-16 17:03 -------- d-----w- c:\users\Neil\AppData\Roaming\uTorrent
2010-04-17 10:08 . 2009-05-14 18:37 -------- d-----w- c:\program files\Google
2010-04-12 19:13 . 2009-04-16 20:39 -------- d-----w- c:\program files\World of Warcraft
2010-03-29 23:46 . 2010-02-21 13:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 23:45 . 2010-02-21 13:43 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-17 20:03 . 2010-03-17 20:03 -------- d-----w- c:\program files\Alcohol Soft
2010-03-17 20:02 . 2009-04-16 17:03 -------- d-----w- c:\program files\uTorrent
2010-03-17 19:59 . 2010-03-17 19:59 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-03-02 13:47 . 2010-03-02 13:47 667648 ----a-w- c:\users\Neil\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv306a-1002180-0-main.dll
2010-03-02 13:47 . 2010-03-02 13:47 319488 ----a-w- c:\users\Neil\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
2010-02-26 02:33 . 2010-02-26 02:33 -------- d-----w- c:\program files\iPod
2010-02-26 02:33 . 2009-12-26 18:57 -------- d-----w- c:\program files\Common Files\Apple
2010-02-26 02:30 . 2010-02-26 02:30 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-26 02:03 . 2010-02-26 02:03 -------- d-----w- c:\program files\TrendMicro
2010-02-23 06:39 . 2010-04-05 15:11 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-04-05 15:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 06:33 . 2010-04-05 15:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 04:55 . 2010-04-05 15:11 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06 . 2010-03-15 21:35 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-15 21:35 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-15 21:35 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-20 20:33 . 2010-02-20 20:33 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-02-20 17:30 . 2010-02-18 15:21 120 ----a-w- c:\users\Neil\AppData\Local\Cjalapupikep.dat
2010-02-20 17:30 . 2010-02-18 15:21 0 ----a-w- c:\users\Neil\AppData\Local\Ehenifukinemerok.bin
2010-02-12 10:32 . 2010-02-25 22:35 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-02-03 13:24 . 2010-01-09 19:21 71960 ----a-w- c:\users\Neil\AppData\Roaming\Mozilla\Plugins\npoctoshape.dll
2010-02-02 14:26 . 2010-02-02 14:26 10134 ----a-r- c:\users\Neil\AppData\Roaming\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
.

<pre>
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\QuickTime\QTTask  .exe
c:\program files\Skype\Phone\Skype .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2009-04-16 4317184]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2010-02-27 1165192]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
forteManager.lnk - c:\program files\LG Soft India\forteManager\bin\Monitor.exe [2009-4-17 1134592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer4"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-04-17 11:41 196608 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-04-13 05:07 69632 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
c:\program files\iTunes\iTunesHelper.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\QuickTime\QTTask.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rfagent]
c:\program files\RFA\rfagent.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):42,8f,74,33,93,df,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-647166565-5568214-3769490637-1000]
"EnableNotificationsRef"=dword:00000001

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-03-17 691696]
R2 gupdate1c9d4c33cae87c6;Google Update Service (gupdate1c9d4c33cae87c6);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-14 133104]
R3 LGDDCDevice;LGDDCDevice;c:\program files\LG Soft India\forteManager\bin\I2CDriver.sys [2008-08-08 14336]
R3 LGII2CDevice;LGII2CDevice;c:\program files\LG Soft India\forteManager\bin\PII2CDriver.sys [2008-08-08 17408]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2010-04-23 216200]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2010-04-23 242896]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-04-23 916760]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-04-23 308064]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2009-07-14 239648]
S3 CM1083264;C-Media CM108 Like Sound UDAX Interface;c:\windows\system32\drivers\CM108.sys [2007-04-13 1307136]
S3 hidusbf;USB Mouse Rate Adjuster Lower Filter by SweetLow;c:\windows\system32\DRIVERS\hidusbf.sys [2006-11-08 4544]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
2008-04-11 16:23 38400 ----a-w- c:\windows\System32\SoundSchemes.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
2008-08-28 09:50 30720 ----a-w- c:\windows\System32\soundschemes2.exe
.
Contents of the 'Scheduled Tasks' folder

2010-04-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-14 18:38]

2010-04-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-14 18:38]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel
FF - ProfilePath - c:\users\Neil\AppData\Roaming\Mozilla\Firefox\Profiles\685bqdqy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2304157&SearchSource=3&q={searchTerms}
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox 3.5 Beta 4\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\npdeployJava1.dll
FF - plugin: c:\users\Neil\AppData\Roaming\Mozilla\plugins\npoctoshape.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-26 16:49
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-04-26 16:51:18
ComboFix-quarantined-files.txt 2010-04-26 15:51

Pre-Run: 282,982,494,208 bytes free
Post-Run: 283,029,876,736 bytes free

- - End Of File - - A03234892BDFE4DD4AA0B660D9AB79FB

and

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 16:53:22, on 26/04/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\notepad.exe
C:\Windows\explorer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox 3.5 Beta 4\firefox.exe
C:\Users\Neil\Downloads\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: forteManager.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9d4c33cae87c6) (gupdate1c9d4c33cae87c6) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

--
End of file - 3433 bytes

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 10 · 2010-04-27T00:02:44+00:00

Several things I notice are, 1st of all you are using an old version of Firefox and a Beta (test) version at that. The current version of Firefox is version 3.6.3. You need to update to this newest version and most definitely get rid of that old test version.
2nd. You obviously are using P2P on the computer since uTorrent shows in the log. This may very well be WHY you have been infected and have continued to become infected, and this will likely continue to be the case. 3rd. You are using AVG which of late has not gotten very good rankings. I would recommend removing that and using either Avira or Avast. I myself use Avira Free and have had very good success with it. It consistently ranks higher than AVG.
Are you still getting the re-directs?

neiljo 0 Newbie Poster · Answer 11 · 2010-04-27T12:27:54+00:00

I think it's just the Folder that's called the older version, i checked firefox and it says it's 3.6.3 and i'll get Avira now.

I havnt had the redirect problem for a while so looking good, i'll post back later on to confirm.

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 12 · 2010-04-27T19:38:54+00:00

Sounds good. I will wait for you next post however to give you the final steps to complete the cleanup in case another step is needed.

neiljo 0 Newbie Poster · Answer 13 · 2010-04-28T14:19:13+00:00

I havn't been redirected or had any symptoms at all since my last post, hope this is the end of my problem. Your help has been much appreciated.

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 14 · 2010-04-28T20:09:47+00:00

Great. First of all you need to Uninstall Combofix. It is a ONE time only program and should you be TOLD to use it again you would be given a link for the latest version. It must removed in this very specific way:
You also should remove HiJackThis, you don't need it any more.

To remove Combofix please do the following:
* Click START then RUN
* Now type ComboFix /Uninstall in the runbox and click OK. The space between the combofix and the /uninstall, it must be there.
When shown the disclaimer, Select "2"

I strongly recommend that you do go with a different anti-virus program. AVG obviously didn't work on this system. As I said before I recommend Avira but the choice is yours.
Also please read our policy stated here concerning the use of P2P.
It most definitely the most likely reason for your infections. Continue to use these programs and you will be infected again.
You also need to set a new, clean Restore point.
To do this Right Click My computer.
Choose Properties
When System Properties opens choose the System Restore Tab.
Place a check mark in Shut down System Restore.
You will probably get a message telling you it will be shut down, click ok or yes.
Allow it to shut down.
Wait a moment. Then go back in and take that check mark Out so that System Restore will turn back on.
If you have no other questions or concerns you can mark this one solved.

AntiVirus 2010

Recommended Answers Collapse Answers

All 19 Replies

Recommended Answers