boss's Computer

The Icrontic Spyware & Virus Removal forum is PERMANENTLY CLOSED.

Here's an explanation and our final word on spyware removal.

A hearty THANK YOU to everyone who helped here over the years. Cheers!

Reply to Discussion

Options

Bob39

Icrontic Technician

79 Posts

7 Oct 2008, 3:57pm

Hi again. Im sorry for bothering you so fast, but it seems as if my boss's computer has a virus. He has asked me to post the problem to you guys, and so here I am. He has important information on his computer, so its important that he deletes the virus ASAP. I already ran a scan with AVG, and it found 2 infections, and a bunch of tracking cookies. I've posted the AVG scan, and the Hijack this scan below.

AVG Scan

Scan "Scan whole computer" was finished.Infections found:;"2"Infected objects removed or healed:;"0"Not removed or healed:;"2"Spyware found:;"0"Spyware removed:;"0"Not removed:;"0"Warnings count:;"93"Information count:;"0"Scan started:;"Wednesday, October 08, 2008, 11:25:50 AM"Scan finished:;"Wednesday, October 08, 2008, 11:43:48 AM (17 minute(s) 57 second(s))"Total object scanned:;"912025"User who launched the scan:;"CGNA"InfectionsFile;"Infection";"Result"D:\CGNA-PC\Backup Set 2008-05-09 133007\Backup Files 2008-07-25 082847\Backup files 1.zip;"Trojan horse Generic_c.OYJ";"Infected"D:\CGNA-PC\Backup Set 2008-05-09 133007\Backup Files 2008-07-25 082847\Backup files 1.zip:\C\Users\CGNA\AppData\Local\VirtualStore\Windows\System32\phccucj0ecdj.bmp;"Trojan horse Generic_c.OYJ";"Infected"WarningsFile;"Infection";"Result"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@2o7[2].txt;"Found Tracking cookie.2o7";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@2o7[2].txt:\2o7.net.92b4d8ae;"Found Tracking cookie.2o7";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@ad.yieldmanager[1].txt;"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@ad.yieldmanager[1].txt:\ad.yieldmanager.com.539b0606;"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@ad.yieldmanager[1].txt:\ad.yieldmanager.com.557bf2b0;"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@ad.yieldmanager[1].txt:\ad.yieldmanager.com.b68f2b7b;"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@ad.yieldmanager[1].txt:\ad.yieldmanager.com.e762f029;"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@adbrite[1].txt;"Found Tracking cookie.Adbrite";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@adbrite[1].txt:\adbrite.com.44f92a69;"Found Tracking cookie.Adbrite";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@adbrite[1].txt:\adbrite.com.557c9f74;"Found Tracking cookie.Adbrite";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@adbrite[1].txt:\adbrite.com.71beeff9;"Found Tracking cookie.Adbrite";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@adbrite[1].txt:\adbrite.com.d5e309c2;"Found Tracking cookie.Adbrite";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@advertising[2].txt;"Found Tracking cookie.Advertising";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@advertising[2].txt:\advertising.com.525a5fb9;"Found Tracking cookie.Advertising";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@atdmt[2].txt;"Found Tracking cookie.Atdmt";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@atdmt[2].txt:\atdmt.com.b3e33b5f;"Found Tracking cookie.Atdmt";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@bluestreak[1].txt;"Found Tracking cookie.Bluestreak";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@bluestreak[1].txt:\bluestreak.com.bf396750;"Found Tracking cookie.Bluestreak";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@casalemedia[2].txt;"Found Tracking cookie.Casalemedia";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@casalemedia[2].txt:\casalemedia.com.1773afc;"Found Tracking cookie.Casalemedia";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@casalemedia[2].txt:\casalemedia.com.5e43734d;"Found Tracking cookie.Casalemedia";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@casalemedia[2].txt:\casalemedia.com.6a12b080;"Found Tracking cookie.Casalemedia";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@casalemedia[2].txt:\casalemedia.com.80ad4799;"Found Tracking cookie.Casalemedia";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@casalemedia[2].txt:\casalemedia.com.837115b5;"Found Tracking cookie.Casalemedia";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@casalemedia[2].txt:\casalemedia.com.987e6b46;"Found Tracking cookie.Casalemedia";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@hotlog[1].txt;"Found Tracking cookie.Hotlog";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@hotlog[1].txt:\hotlog.ru.11d3633a;"Found Tracking cookie.Hotlog";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@mediaplex[1].txt;"Found Tracking cookie.Mediaplex";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@mediaplex[1].txt:\mediaplex.com.f652b123;"Found Tracking cookie.Mediaplex";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@msnportal.112.2o7[1].txt;"Found Tracking cookie.2o7";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@msnportal.112.2o7[1].txt:\msnportal.112.2o7.net.7225be6f;"Found Tracking cookie.2o7";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@realmedia[1].txt;"Found Tracking cookie.Realmedia";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@realmedia[1].txt:\realmedia.com.68087763;"Found Tracking cookie.Realmedia";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@revsci[1].txt;"Found Tracking cookie.Revsci";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@revsci[1].txt:\revsci.net.2df99d79;"Found Tracking cookie.Revsci";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@revsci[1].txt:\revsci.net.44927ec;"Found Tracking cookie.Revsci";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@revsci[1].txt:\revsci.net.e9dbeb91;"Found Tracking cookie.Revsci";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@statcounter[1].txt;"Found Tracking cookie.Statcounter";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@statcounter[1].txt:\statcounter.com.42c75926;"Found Tracking cookie.Statcounter";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@trafficmp[1].txt;"Found Tracking cookie.Trafficmp";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@trafficmp[1].txt:\trafficmp.com.a00e30b4;"Found Tracking cookie.Trafficmp";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@zedo[1].txt;"Found Tracking cookie.Zedo";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@zedo[1].txt:\zedo.com.14a38114;"Found Tracking cookie.Zedo";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@zedo[1].txt:\zedo.com.71246a0b;"Found Tracking cookie.Zedo";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@zedo[1].txt:\zedo.com.775ee79c;"Found Tracking cookie.Zedo";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@zedo[1].txt:\zedo.com.a5b6a132;"Found Tracking cookie.Zedo";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@zedo[1].txt:\zedo.com.c1dd09f2;"Found Tracking cookie.Zedo";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@zedo[1].txt:\zedo.com.cef1c7af;"Found Tracking cookie.Zedo";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\cgna@zedo[1].txt:\zedo.com.dd15d628;"Found Tracking cookie.Zedo";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@ad.yieldmanager[2].txt;"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@247realmedia[1].txt;"Found Tracking cookie.247realmedia";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@247realmedia[1].txt:\247realmedia.com.855b46d;"Found Tracking cookie.247realmedia";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@ad.yieldmanager[2].txt:\ad.yieldmanager.com.539b0606;"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@ad.yieldmanager[2].txt:\ad.yieldmanager.com.557bf2b0;"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@adrevolver[2].txt;"Found Tracking cookie.Adrevolver";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@adrevolver[2].txt:\adrevolver.com.9b9d670a;"Found Tracking cookie.Adrevolver";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@adrevolver[2].txt:\adrevolver.com.f6cfcad4;"Found Tracking cookie.Adrevolver";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@advertising[1].txt;"Found Tracking cookie.Advertising";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@advertising[1].txt:\advertising.com.1820df7a;"Found Tracking cookie.Advertising";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@advertising[1].txt:\advertising.com.203aa218;"Found Tracking cookie.Advertising";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@advertising[1].txt:\advertising.com.525a5fb9;"Found Tracking cookie.Advertising";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@advertising[1].txt:\advertising.com.b624fa46;"Found Tracking cookie.Advertising";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@advertising[1].txt:\advertising.com.f62113d5;"Found Tracking cookie.Advertising";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@atdmt[1].txt;"Found Tracking cookie.Atdmt";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@atdmt[1].txt:\atdmt.com.b3e33b5f;"Found Tracking cookie.Atdmt";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@burstnet[2].txt;"Found Tracking cookie.Burstnet";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@burstnet[2].txt:\burstnet.com.a3218a37;"Found Tracking cookie.Burstnet";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@casalemedia[2].txt;"Found Tracking cookie.Casalemedia";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@fastclick[2].txt:\fastclick.net.9b41aa53;"Found Tracking cookie.Fastclick";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@casalemedia[2].txt:\casalemedia.com.1773afc;"Found Tracking cookie.Casalemedia";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@casalemedia[2].txt:\casalemedia.com.80ad4799;"Found Tracking cookie.Casalemedia";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@casalemedia[2].txt:\casalemedia.com.837115b5;"Found Tracking cookie.Casalemedia";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@casalemedia[2].txt:\casalemedia.com.987e6b46;"Found Tracking cookie.Casalemedia";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@fastclick[2].txt;"Found Tracking cookie.Fastclick";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@fastclick[2].txt:\fastclick.net.bb8bcae;"Found Tracking cookie.Fastclick";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@m.webtrends[1].txt;"Found Tracking cookie.Webtrends";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@m.webtrends[1].txt:\m.webtrends.com.b4ca7df0;"Found Tracking cookie.Webtrends";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@media.adrevolver[1].txt;"Found Tracking cookie.Adrevolver";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@media.adrevolver[1].txt:\media.adrevolver.com.5fed601d;"Found Tracking cookie.Adrevolver";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@msnportal.112.2o7[1].txt;"Found Tracking cookie.2o7";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@msnportal.112.2o7[1].txt:\msnportal.112.2o7.net.7225be6f;"Found Tracking cookie.2o7";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@realmedia[1].txt;"Found Tracking cookie.Realmedia";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@realmedia[1].txt:\realmedia.com.125a868c;"Found Tracking cookie.Realmedia";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@realmedia[1].txt:\realmedia.com.68087763;"Found Tracking cookie.Realmedia";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@realmedia[1].txt:\realmedia.com.ef906bac;"Found Tracking cookie.Realmedia";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@tacoda[2].txt;"Found Tracking cookie.Tacoda";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@tacoda[2].txt:\tacoda.net.a3218a37;"Found Tracking cookie.Tacoda";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@tacoda[2].txt:\tacoda.net.c4fe2ebb;"Found Tracking cookie.Tacoda";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@tribalfusion[1].txt;"Found Tracking cookie.Tribalfusion";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@tribalfusion[1].txt:\tribalfusion.com.dcc03271;"Found Tracking cookie.Tribalfusion";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@zedo[2].txt;"Found Tracking cookie.Zedo";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@zedo[2].txt:\zedo.com.775ee79c;"Found Tracking cookie.Zedo";"Potentially dangerous object"C:\Users\CGNA\AppData\Roaming\Microsoft\Windows\Cookies\Low\cgna@zedo[2].txt:\zedo.com.ff8ec9c0;"Found Tracking cookie.Zedo";"Potentially dangerous object"

Hijack this

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:03 AM, on 10/8/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Business-in-a-Box\BIBLauncher.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\wilcom\es2006\bin\es.exe
C:\PROGRA~1\Brother\Brmfl04g\FAXRX.EXE
C:\Windows\system32\wuauclt.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [BIBLauncher] C:\Program Files\Business-in-a-Box\BIBLauncher.exe
O4 - HKCU\..\Run: [userinit] C:\Users\CGNA\AppData\Roaming\oembios.exe
O4 - HKCU\..\Run: [braviax] C:\Windows\system32\braviax.exe
O4 - HKCU\..\Run: [lphccucj0ecdj] C:\Windows\system32\lphccucj0ecdj.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/...ws-i586-jc.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://wilcom.webex.com/client/T25L...g/ieatgpc1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1EB64BC-AA11-4D09-82D7-0A8DF9C1240C}: NameServer = 192.168.2.1
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: WebEx Service Host for Support Center (atashost) - WebEx Communications, Inc. - C:\Windows\system32\atashost.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\Windows\system32\hasplms.exe
--
End of file - 6781 bytes

Thanks again for all your help. Keep up the great work. Hopefully this will be the last post for the year! You guys rock!

Bob

Katana

MRU Expert

1,682 Posts

7 Oct 2008, 7:05pm

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------

I'm afraid I have unpleasant news for you. You have evidence of a Very Dangerous infection on this machine.
It is a TSPY_ZBOT.WL See HERE for more details

It allows outsiders COMPLETE access to every keystroke, account, and password you use while on this machine, and complete access to any other data present...
IF this computer has been used for any kind of important data, my best recommendation is to Disconnect from Internet, Re-Format the entire drive and re-install your Operating system and Applications.

We can likely clean the infected files off the computer, and if you wish we will attempt to do so, but we cannot be sure that the infection didn't do something to your system to reduce the system security. In that instance, even after removal of the infection, you could be subject to another attack or takeover as soon as you re-connect to the Internet.

The Decision Whether to ReFormat or Not should be based on:

The use of the computer - this is the primary factor in the decision whether to re-format and re-install, or just disinfect.
The variety of malware - this influences the decision on whether to re-format and re-install, or just disinfect. IN THIS CASE we have the worst kind.

If the Computer has been used for any important data, you are strongly advised to do the following, immediately:

Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
Back up all important data on the machine. Do not back up any Applications (programs). Those should be re-installed from the original source CDs or websites.
If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
Take any other steps you think appropriate for an attempted identity theft.

While you are deciding whether to ReFormat and Re-Install, a useful link is here: http://www.dslreports.com/faq/10063
Please let me know what you decide.

I am sorry to be the bearer of bad news, but it is best that you know the full impact of this infection

Bob39

Icrontic Technician

79 Posts

8 Oct 2008, 10:51pm

Hi Katana

Well thanks for letting me now what i'm dealing with here. Even if it wasn't good to hear.

After talking with my boss, he thought that disinfecting the computer would be the best thing to do. However, he hasn't disabled his internet connection, because other computers are using a printer hooked onto his comp. I'm not sure if this will affect the cleansing of our system, but i thought that it might be important for you to know.

THanks
Bob

Katana

MRU Expert

1,682 Posts

9 Oct 2008, 10:19am

Quoting Bob39

~ my boss, he thought that disinfecting the computer would be the best thing to do.

Your boss and I obviously differ on the definition of "the best thing to do"

But, it's his choice

Step 1

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
- Update Malwarebytes' Anti-Malware
- and Launch Malwarebytes' Anti-Malware
then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
- If you accidently close it, the log file is saved here and will be named like this:
- C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

----------------------------------------------------------- -----------------------------------------------------------
Step 2

Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

----------------------------------------------------------- -----------------------------------------------------------
Step 3

Installed Programs

Please could you give me a list of the programs that are installed.

Start HijackThis
Click on the Misc Tools button
Click on the Open Uninstall Manager button.

You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.

----------------------------------------------------------- -----------------------------------------------------------
Step 4

Logs/Information to Post in Reply
Please post the following logs/Information in your reply

MalwareBytes Log
ComboFix Log
Installed Programs List

Bob39

Icrontic Technician

79 Posts

9 Oct 2008, 9:41pm

Hi Katana

I've seemed to have had a problem after I ran ComboFix. Malwarebytes' Anti-malware worked perfectly, and i thought that ComboFix did as well. However, my internet connection stopped working after ComboFix was done. I restarted the computer, and clicked repair, and it said that "Local Area Connection does not have a valid IP." Also, Window mail said that pop.bell had some problem with it. I was running Vista in case you needed to know.

Thanks
Bob

Katana

MRU Expert

1,682 Posts

9 Oct 2008, 9:49pm

Double click on C:\WINDOWS\ERDNT\subs\erdnt.exe

If that doesn't fix the problem .....

Double click on C:\WINDOWS\ERDNT\Hiv-backup\erdnt.exe

Bob39

Icrontic Technician

79 Posts

10 Oct 2008, 9:11pm

I tried double clicking C:\WINDOWS\ERDNT\subs\erdnt.exe
like you told me, but it wasn't located there. the subs folder didn't come up, even after I went to tools>folder options>view>show hidden files and folders. I tried double clicking C:\WINDOWS\ERDNT\Hiv-backup\erdnt.exe and it said "With this program, you can restore a registry backup of your windows NT/2000/XP system. However, I was running Vista. I started it anyways without changing the sttings, and it gave me 14 messages stating:

"Unable to create a backup of the current registry file C:\Windows\System32\config\security!

Continue restoration of this file?"

I had 14 of these messages, with the bolded part changing each time, and I pressed YES for each.

Then I got 3 or 4 messages saying:

"Error restoring C:\windows\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT to C:\User\CGNa\NTUSER.DAT!

Continue with the next file?
[Reg CreateKeyEx: 5- Access is denied]"

I got 3 or 4 of these messages, with the bolded part changing eash time, and I pressed YES for each again. However, at the end, my Internet was still not working.

I'm sorry for the slow replies, but my boss only lets me work right before I go home, and a little bit at my lunch.

THanks
Bob

Katana

MRU Expert

1,682 Posts

10 Oct 2008, 9:30pm

ComboFix created a fresh system restore point before it started, please restore to that point.

One point I should mention, the tools we use are designed to be run on home computers.
Office machines have different network and internet settings that can be "fixed" by these tools.

Do you have an IT department or person ?

Bob39

Icrontic Technician

79 Posts

13 Oct 2008, 2:48am

We did have an IT person set up our internet connection, but he usually takes very long to respond to our calls. On top of this, we need to frequently check our e-mail for our business, so I need to make windows mail and the internet work ASAP.

Can you tell me where the system restore point is located?

Thanks
Bob39

Katana

MRU Expert

1,682 Posts

13 Oct 2008, 2:26pm

Click Start (Vista Orb) type "system restore" then click Enter

Bob39

Icrontic Technician

79 Posts

14 Oct 2008, 4:01pm

Thanks a lot!!!!

. Our internet works now. I've posted the logs here.

Mbam

Malwarebytes' Anti-Malware 1.28
Database version: 1248
Windows 6.0.6000
10/10/2008 1:50:59 PM
mbam-log-2008-10-10 (13-50-59).txt
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 124908
Time elapsed: 45 minute(s), 9 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 6
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphccucj0ecdj (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Users\CGNA\AppData\Roaming\sysproc64 (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\Users\CGNA\AppData\Local\Temp\.ttD611.tmp (Adware.XPAntivirus) -> Quarantined and deleted successfully.
C:\Users\CGNA\AppData\Local\Temp\.tt883.tmp (Adware.XPAntivirus) -> Quarantined and deleted successfully.
C:\Users\CGNA\AppData\Local\Temp\.ttB16A.tmp (Adware.XPAntivirus) -> Quarantined and deleted successfully.
C:\Users\CGNA\AppData\Local\Temp\.tt3074.tmp (Adware.XPAntivirus) -> Quarantined and deleted successfully.
C:\Users\CGNA\AppData\Roaming\sysproc64\sysproc32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\CGNA\AppData\Roaming\sysproc64\sysproc86.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Installed programs

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
ATI AVIVO Codecs
AVG Free 8.0
Brother MFL-Pro Suite
Business-in-a-Box
CDDRV_Installer
CorelDRAW Graphics Suite X3
CorelDRAW Graphics Suite X3
EN
FontNav
Freez Screen Video Capture v1.2
GDR 3068 for SQL Server Database Services 2005 ENU (KB948109)
GDR 3068 for SQL Server Tools and Workstation Components 2005 ENU (KB948109)
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 2.0.2
HP Product Detection
ImageConverter Plus 7.1
Java(TM) 6 Update 5
KhalInstallWrapper
Logitech Communications Manager
Logitech SetPoint
Malwarebytes' Anti-Malware
Microsoft Office XP Professional with FrontPage
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (2.0.0.14)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
Spybot - Search & Destroy
Update Manager
VBA
Wilcom ES and Design Workflow 2006
WinRAR archiver
Yahoo! Install Manager
Yahoo! Search Protection
Yahoo! Toolbar

Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59, on 2008-10-15
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Business-in-a-Box\BIBLauncher.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Windows\system32\wuauclt.exe
c:\program files\wilcom\es2006\bin\es.exe
C:\PROGRA~1\Brother\Brmfl04g\FAXRX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [BIBLauncher] C:\Program Files\Business-in-a-Box\BIBLauncher.exe
O4 - HKCU\..\Run: [userinit] C:\Users\CGNA\AppData\Roaming\oembios.exe
O4 - HKCU\..\Run: [braviax] C:\Windows\system32\braviax.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/...ws-i586-jc.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://wilcom.webex.com/client/T25L...g/ieatgpc1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1EB64BC-AA11-4D09-82D7-0A8DF9C1240C}: NameServer = 192.168.2.1
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: WebEx Service Host for Support Center (atashost) - WebEx Communications, Inc. - C:\Windows\system32\atashost.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\Windows\system32\hasplms.exe
--
End of file - 6708 bytes

Sorry for the slow reply, but it was a long weekend here due to thanksgiving. Thanks again for helping me out. Keep up the good work

Katana

MRU Expert

1,682 Posts

14 Oct 2008, 7:13pm

Ok, let's see what we can do without ComboFix

Information

AVG Free 8.0
"we need to frequently check our e-mail for our business"

Errm ... I'm not trying to sound picky here, but "AVG Anti-Virus Free Edition is only available for single computer use for home and non commercial use."
http://free.avg.com/download-avg-ant...s-free-edition
Just so you know.

----------------------------------------------------------- -----------------------------------------------------------
Step 1

Please note:- Due to the restrictions on Vista, all tools should be started by Right-Click >>> Run As Administrator
Fix With HJT

Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines IF still present

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O4 - HKCU\..\Run: [userinit] C:\Users\CGNA\AppData\Roaming\oembios.exe
O4 - HKCU\..\Run: [braviax] C:\Windows\system32\braviax.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/...ws-i586-jc.cab

- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis

----------------------------------------------------------- -----------------------------------------------------------
Step 2

Please note:- Due to the restrictions on Vista, all tools should be started by Right-Click >>> Run As Administrator

OTMoveIt
Please download OTMoveIt3 by OldTimer and save it to your desktop

Double-click OTMoveIt3.exe to run it.
Copy the lines in the codebox below.

Code:

C:\Users\CGNA\AppData\Roaming\oembios.exe
C:\Windows\system32\braviax.exe

Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt3

Please download Random's System Information Tool by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:
- log.txt will be opened maximized.
- info.txt will be opened minimized.
Please post the contents of both log.txt and info.txt.

----------------------------------------------------------- -----------------------------------------------------------
Step 4
Logs/Information to Post in Reply
Please post the following logs/Information in your reply

OTMoveIt Log
RSIT Logs
C:\Combofix.txt

----------------------------------------------------------- -----------------------------------------------------------

Additional Notes

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

Double-click on JavaRa.exe to start the program.
From the drop-down menu, choose English and click on Select.
JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
A logfile will pop up. Please save it to a convenient location.

Now download and install Java Runtime Environment (JRE) 6 Update 7.

Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Adobe Reader is a large program and if you prefer a smaller program you can get Foxit 2.0 from http://www.foxitsoftware.com/pdf/rd_intro.php << Recommended

There is a newer version of Adobe Acrobat Reader available.

Please go to this link Adobe Acrobat Reader Download Link
Click Download
On the right Untick Adobe Phototshop Album Starter Edition if you do not wish to include this in the installation.
Click the Continue button
Click Run, and click Run again
Next click the Install Now button and follow the on screen prompts

When the installation is complete go to Add/Remove Programs and uninstall all previous versions.

Adobe Reader 8.1.2

Bob39

Icrontic Technician

79 Posts

15 Oct 2008, 3:49pm

HI Katana

I have all the scans you told me to run. However, I'm still going to update Java, and Adobe Acrobat Reader. I'm aware that I'm not supposed to be using AVG Anti-Virus Free Edition for my work computer, but the truth is that we didn't have any anti-virus installed. After we started to notice that our computer wasn't performing like usual, we installed AVG to check if it had a virus, and we left it on our computer.

Also, I think, that you meant for me to post the Hijack This log instead of the ComboFix log. However, i posted both.

OTMoveIt3

Error: Unable to interpret <C:\Users\CGNA\AppData\Roaming\oembios.exe> in the current context!
Error: Unable to interpret <C:\Windows\system32\braviax.exe> in the current context!

OTMoveIt3 by OldTimer - Version 1.0.5.0 log created on 10162008_113611

RSITLogs

info.txt:

info.txt logfile of random's system information tool 1.04 2008-10-16 11:37:46
======Uninstall list======
-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
ATI AVIVO Codecs-->MsiExec.exe /I{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}
AVG Free 8.0-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Brother MFL-Pro Suite-->"C:\Program Files\InstallShield Installation Information\{D83BD5E2-5AF4-49F6-B5C1-484A9760E73D}\Setup.exe" -runfromtemp -l0x0009 Brunin03.dll -removeonly
Business-in-a-Box-->C:\Program Files\Business-in-a-Box\Installer.exe /u
CDDRV_Installer-->MsiExec.exe /I{8CC990CD-87C8-475C-AC32-8A7984E2FCFA}
CorelDRAW Graphics Suite X3-->C:\Program Files\Corel\CorelDRAW Graphics Suite 13\Programs\MSILauncher {7C5123A9-30A8-4C44-89CA-A8C87A1FCC91} C:\Users\CGNA\AppData\Local\Temp\CGSX3.log
CorelDRAW Graphics Suite X3-->MsiExec.exe /I{7C5123A9-30A8-4C44-89CA-A8C87A1FCC91}
EN-->MsiExec.exe /I{32A72502-BC2C-4C39-ACEA-BC3D463F0697}
FontNav-->MsiExec.exe /I{4E98F23B-1328-4322-A6EC-2EDC8FC3A4FE}
Freez Screen Video Capture v1.2-->"C:\Program Files\Smallvideosoft\Freez Screen Video Capture\unins000.exe"
GDR 3068 for SQL Server Database Services 2005 ENU (KB948109)-->C:\Windows\SQL9_KB948109_ENU\Hotfix.exe /Uninstall
GDR 3068 for SQL Server Tools and Workstation Components 2005 ENU (KB948109)-->C:\Windows\SQLTools9_KB948109_ENU\Hotfix.exe /Uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Product Detection-->MsiExec.exe /X{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}
ImageConverter Plus 7.1-->"C:\Program Files\ImageConverter Plus\unins000.exe"
Java(TM) 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
KhalInstallWrapper-->MsiExec.exe /I{56918C0C-0D87-4CA6-92BF-4975A43AC719}
Logitech Communications Manager-->MsiExec.exe /I{BD202930-5F70-4B35-B875-1E28604F328D}
Logitech SetPoint-->C:\Program Files\InstallShield Installation Information\{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}\setup.exe -runfromtemp -l0x0009 -removeonly
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft SQL Server 2005 Express Edition-->MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
Microsoft SQL Server 2005 Tools Express Edition-->MsiExec.exe /I{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}
Microsoft SQL Server 2005-->"C:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server Native Client-->MsiExec.exe /I{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}
Microsoft SQL Server Setup Support Files (English)-->MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer-->MsiExec.exe /I{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.14)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Update Manager-->MsiExec.exe /I{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}
VBA-->MsiExec.exe /I{C94E45B0-6AA6-4FB9-9AAE-22085F631880}
Wilcom ES and Design Workflow 2006-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6D025DA9-C5C9-44D5-9B6E-83D42648F453}\setup.exe" -l0x9 -removeonly
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Yahoo! Install Manager-->C:\Windows\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~2.DLL
Yahoo! Search Protection-->C:\PROGRA~1\Yahoo!\SEARCH~1\UNINST~1.EXE
Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
=====HijackThis Backups=====
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [lphccucj0ecdj] C:\Windows\system32\lphccucj0ecdj.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKCU\..\Run: [braviax] C:\Windows\system32\braviax.exe
O4 - HKCU\..\Run: [userinit] C:\Users\CGNA\AppData\Roaming\oembios.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/...ws-i586-jc.cab
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
======Security center information======
AV: AVG Anti-Virus Free (disabled)
AS: AVG Anti-Virus Free (disabled)
AS: Windows Defender
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\ImageConverter Plus;
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=16
"PROCESSOR_IDENTIFIER"=x86 Family 16 Model 2 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=0202
"NUMBER_OF_PROCESSORS"=4
-----------------EOF-----------------

Log.txt

Logfile of random's system information tool 1.04 (written by random/random)
Run by CGNA at 2008-10-16 11:37:44
Microsoft® Windows Vista™ Business
System drive C: has 184 GB (77%) free of 238 GB
Total RAM: 2047 MB (49% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:37, on 2008-10-16
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Business-in-a-Box\BIBLauncher.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\wuauclt.exe
C:\PROGRA~1\Brother\Brmfl04g\FAXRX.EXE
C:\Windows\System32\mobsync.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Users\CGNA\Desktop\OTMoveIt3.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\CGNA\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\CGNA.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [BIBLauncher] C:\Program Files\Business-in-a-Box\BIBLauncher.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://wilcom.webex.com/client/T25L...g/ieatgpc1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1EB64BC-AA11-4D09-82D7-0A8DF9C1240C}: NameServer = 192.168.2.1
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: WebEx Service Host for Support Center (atashost) - WebEx Communications, Inc. - C:\Windows\system32\atashost.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\Windows\system32\hasplms.exe
--
End of file - 6124 bytes
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-04-01 880368]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2008-05-08 2403392]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-04-01 880368]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2008-05-08 2403392]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-05-09 1006264]
"Kernel and Hardware Abstraction Layer"=C:\Windows\KHALMNPR.EXE [2007-04-11 56080]
"LogitechCommunicationsManager"=C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe [2007-01-12 488984]
"LVCOMSX"=C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe [2007-01-12 244512]
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2006-11-10 90112]
"ControlCenter3"=C:\Program Files\Brother\ControlCenter3\brctrcen.exe [2006-07-19 65536]
"YSearchProtection"=C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe [2008-01-10 223984]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-10-01 1234712]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2008-05-09 1232896]
"YSearchProtection"=C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe [2008-01-10 223984]
"BIBLauncher"=C:\Program Files\Business-in-a-Box\BIBLauncher.exe [2008-05-12 431320]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\atashost]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PSEXESVC]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dabf3536-3930-11dd-8e7b-001d92afdce6}]
shell\AutoRun\command - notepad readme.txt

======List of files/folders created in the last 1 months======
2008-10-16 11:37:44 ----D---- C:\rsit
2008-10-16 11:33:09 ----D---- C:\_OTMoveIt
2008-10-10 14:32:20 ----A---- C:\ComboFix.txt
2008-10-10 14:27:41 ----D---- C:\QooBox
2008-10-10 14:27:40 ----A---- C:\Windows\zip.exe
2008-10-10 14:27:40 ----A---- C:\Windows\VFIND.exe
2008-10-10 14:27:40 ----A---- C:\Windows\SWXCACLS.exe
2008-10-10 14:27:40 ----A---- C:\Windows\SWSC.exe
2008-10-10 14:27:40 ----A---- C:\Windows\SWREG.exe
2008-10-10 14:27:40 ----A---- C:\Windows\sed.exe
2008-10-10 14:27:40 ----A---- C:\Windows\NIRCMD.exe
2008-10-10 14:27:40 ----A---- C:\Windows\grep.exe
2008-10-10 14:27:40 ----A---- C:\Windows\fdsv.exe
2008-10-10 14:27:32 ----D---- C:\ComboFix
2008-10-10 14:27:31 ----A---- C:\Windows\system32\CF12528.exe
2008-10-10 14:27:03 ----A---- C:\Windows\system32\swsc.exe
2008-10-10 14:27:03 ----A---- C:\Windows\system32\CF12421.exe
2008-10-10 12:55:35 ----D---- C:\Users\CGNA\AppData\Roaming\Malwarebytes
2008-10-10 12:55:32 ----D---- C:\ProgramData\Malwarebytes
2008-10-10 12:55:32 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-02 20:49:01 ----D---- C:\SampleDatabase
2008-10-02 20:48:01 ----D---- C:\Clipart
2008-10-02 20:27:24 ----A---- C:\Windows\system32\atsckernel.exe
2008-10-02 20:27:23 ----A---- C:\Windows\system32\atashost.exe
2008-09-24 08:40:39 ----A---- C:\Windows\system32\wups2.dll
2008-09-24 08:40:39 ----A---- C:\Windows\system32\wucltux.dll
2008-09-24 08:40:39 ----A---- C:\Windows\system32\wuaueng.dll
2008-09-24 08:40:39 ----A---- C:\Windows\system32\wuauclt.exe
2008-09-24 08:40:19 ----A---- C:\Windows\system32\wups.dll
2008-09-24 08:40:19 ----A---- C:\Windows\system32\wudriver.dll
2008-09-24 08:40:19 ----A---- C:\Windows\system32\wuapi.dll
2008-09-24 08:40:10 ----A---- C:\Windows\system32\wuwebv.dll
2008-09-24 08:40:10 ----A---- C:\Windows\system32\wuapp.exe
======List of files/folders modified in the last 1 months======
2008-10-16 11:37:45 ----D---- C:\Windows\Prefetch
2008-10-16 11:37:42 ----D---- C:\Windows\Temp
2008-10-16 09:49:52 ----D---- C:\CGDesign
2008-10-16 09:40:18 ----A---- C:\Windows\Brfaxrx.ini
2008-10-16 08:16:29 ----SHD---- C:\System Volume Information
2008-10-16 07:58:36 ----SD---- C:\Windows\Downloaded Program Files
2008-10-15 08:32:33 ----D---- C:\Windows\System32
2008-10-15 08:32:33 ----D---- C:\Windows\inf
2008-10-15 08:32:33 ----A---- C:\Windows\system32\PerfStringBackup.INI
2008-10-14 10:44:56 ----D---- C:\Windows\system32\wbem
2008-10-14 10:44:56 ----D---- C:\Windows
2008-10-14 10:43:47 ----D---- C:\Windows\system32\config
2008-10-14 10:43:39 ----D---- C:\Windows\Tasks
2008-10-14 10:43:39 ----D---- C:\Windows\system32\spool
2008-10-14 10:43:39 ----D---- C:\Windows\system32\catroot2
2008-10-14 10:43:38 ----D---- C:\ProgramData\Spybot - Search & Destroy
2008-10-14 10:43:37 ----D---- C:\Windows\registration
2008-10-14 10:42:28 ----D---- C:\Windows\system32\WDI
2008-10-10 14:29:49 ----D---- C:\Windows\system32\drivers
2008-10-10 14:29:49 ----D---- C:\Windows\AppPatch
2008-10-10 14:29:49 ----D---- C:\Program Files\Common Files
2008-10-10 14:27:31 ----D---- C:\Windows\system32\en-US
2008-10-10 12:55:32 ----RD---- C:\Program Files
2008-10-10 12:55:32 ----HD---- C:\ProgramData
2008-10-04 18:41:03 ----HD---- C:\$AVG8.VAULT$
2008-10-02 20:55:43 ----D---- C:\ProgramData\WebEx
2008-10-02 20:51:03 ----D---- C:\Design
2008-10-02 20:49:26 ----RSD---- C:\Windows\Fonts
2008-10-02 20:48:38 ----D---- C:\Program Files\Wilcom
2008-10-02 20:45:56 ----HD---- C:\Program Files\InstallShield Installation Information
2008-10-02 20:38:36 ----D---- C:\Windows\winsxs
2008-09-27 14:19:02 ----SHD---- C:\Windows\Installer
2008-09-24 08:41:28 ----D---- C:\Windows\PolicyDefinitions
2008-09-24 08:41:03 ----D---- C:\Windows\system32\catroot
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\Windows\System32\Drivers\avgldx86.sys [2008-08-30 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\Windows\System32\Drivers\avgmfx86.sys [2008-08-27 26824]
R1 CSC;Offline Files Driver; C:\Windows\system32\drivers\csc.sys [2008-05-10 320000]
R2 aksfridge;HASP Fridge; C:\Windows\system32\DRIVERS\aksfridge.sys [2007-03-12 351744]
R2 Hardlock;Hardlock; C:\Windows\system32\drivers\hardlock.sys [2007-03-06 694272]
R2 wntpport;wntpport; C:\Windows\system32\drivers\wntpport.sys [2001-01-19 28416]
R3 akshasp;Aladdin HASP Key; C:\Windows\system32\DRIVERS\akshasp.sys [2007-03-06 329856]
R3 akshhl;Aladdin HASP HL Key; C:\Windows\system32\DRIVERS\akshhl.sys [2007-03-06 135424]
R3 aksusb;Aladdin USB Key; C:\Windows\system32\DRIVERS\aksusb.sys [2007-03-06 99712]
R3 atikmdag;atikmdag; C:\Windows\system32\DRIVERS\atikmdag.sys [2007-12-20 3478528]
R3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
R3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver; C:\Windows\system32\DRIVERS\LHidFilt.Sys [2007-04-11 34832]
R3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver; C:\Windows\system32\DRIVERS\LMouFilt.Sys [2007-04-11 36112]
R3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh86.sys [2006-11-02 44544]
R3 SydexFDD;Sydex Diskette Driver; \??\C:\Windows\system32\Drivers\sydexfdd.sys [2003-08-01 13359]
R3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2006-11-02 35328]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-05-09 11264]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2006-11-02 82560]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2006-11-02 5632]
S3 L8042Kbd;Logitech SetPoint Keyboard Driver; C:\Windows\system32\DRIVERS\L8042Kbd.sys [2007-01-23 20496]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2006-11-02 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2006-11-02 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2006-11-02 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2006-11-02 6016]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 atashost;WebEx Service Host for Support Center; C:\Windows\system32\atashost.exe [2008-10-02 20376]
R2 Ati External Event Utility;Ati External Event Utility; C:\Windows\system32\Ati2evxx.exe [2007-12-20 643072]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 231704]
R2 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2006-11-02 22016]
R2 hasplms;HASP License Manager; C:\Windows\system32\hasplms.exe [2007-03-15 535807]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2003-06-19 322120]
R2 MSSQLSERVER;SQL Server (MSSQLSERVER); c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
R2 SQLWriter;SQL Server VSS Writer; c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2007-02-10 89968]
S3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2006-11-02 22016]
S3 Fax;@%systemroot%\system32\fxsresm.dll,-118; C:\Windows\system32\fxssvc.exe [2006-11-02 521216]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-08 138168]
S3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2006-11-02 22016]
S3 wbengine;@%systemroot%\system32\wbengine.exe,-104; C:\Windows\system32\wbengine.exe [2006-11-02 562176]
S4 MSSQLServerADHelper;SQL Server Active Directory Helper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2005-10-14 45272]
S4 SQLBrowser;SQL Server Browser; c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2007-02-10 242544]
-----------------EOF-----------------

Combofix

ComboFix 08-10-08.05 - CGNA 2008-10-10 14:28:45.1 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6000.0.1252.1.1033.18.1368 [GMT -7:00]
Running from: C:\Users\CGNA\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Windows\Downloaded Program Files\setup.inf
.
((((((((((((((((((((((((( Files Created from 2008-09-10 to 2008-10-10 )))))))))))))))))))))))))))))))
.
2008-10-10 12:55 . 2008-10-10 12:55 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-10-10 12:55 . 2008-10-10 12:55 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-10-10 12:55 . 2008-10-10 12:56 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-10 12:55 . 2008-09-10 00:04 38,528 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-10-10 12:55 . 2008-09-10 00:03 17,200 --a------ C:\Windows\System32\drivers\mbam.sys
2008-10-02 20:49 . 2008-10-02 20:49 <DIR> d-------- C:\SampleDatabase
2008-10-02 20:48 . 2008-10-02 20:48 <DIR> d-------- C:\Clipart
2008-10-02 20:45 . 2000-05-03 17:26 244,232 --a------ C:\Windows\System32\MSFLXGRD.OCX
2008-10-02 20:45 . 1997-01-21 18:16 133,392 --a------ C:\Windows\System32\MSMAPI32.OCX
2008-10-02 20:45 . 2001-01-19 15:21 28,416 --a------ C:\Windows\System32\drivers\WNTPPORT.SYS
2008-10-02 20:45 . 1998-10-29 16:58 20,644 --a------ C:\Windows\System32\EMTRANS.VXD
2008-10-02 20:45 . 2000-02-21 14:00 13,712 --a------ C:\Windows\System32\SYDEXFDD.VXD
2008-10-02 20:45 . 2000-02-29 14:01 13,425 --a------ C:\Windows\System32\W9XPPORT.VXD
2008-10-02 20:45 . 2003-08-01 13:00 13,359 --a------ C:\Windows\System32\drivers\SYDEXFDD.SYS
2008-10-02 20:27 . 2008-10-02 20:27 76,184 --a------ C:\Windows\System32\atsckernel.exe
2008-10-02 20:27 . 2008-10-02 20:27 20,376 --a------ C:\Windows\System32\atashost.exe
2008-09-24 08:40 . 2008-07-18 22:09 1,811,656 --a------ C:\Windows\System32\wuaueng.dll
2008-09-24 08:40 . 2008-07-18 20:44 1,524,736 --a------ C:\Windows\System32\wucltux.dll
2008-09-24 08:40 . 2008-07-18 22:09 563,912 --a------ C:\Windows\System32\wuapi.dll
2008-09-24 08:40 . 2008-07-18 22:08 163,904 --a------ C:\Windows\System32\wuwebv.dll
2008-09-24 08:40 . 2008-07-18 20:44 83,456 --a------ C:\Windows\System32\wudriver.dll
2008-09-24 08:40 . 2008-07-18 22:10 53,448 --a------ C:\Windows\System32\wuauclt.exe
2008-09-24 08:40 . 2008-07-18 22:10 45,768 --a------ C:\Windows\System32\wups2.dll
2008-09-24 08:40 . 2008-07-18 22:10 36,552 --a------ C:\Windows\System32\wups.dll
2008-09-24 08:40 . 2008-07-18 20:44 31,232 --a------ C:\Windows\System32\wuapp.exe
2008-09-15 08:04 . 2008-10-04 18:41 <DIR> d--h----- C:\$AVG8.VAULT$
2008-09-11 08:56 . 2008-07-30 16:47 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-09-11 08:56 . 2008-07-30 20:34 1,686,528 --a------ C:\Windows\System32\gameux.dll
2008-09-11 08:56 . 2008-06-25 20:22 303,616 --a------ C:\Windows\System32\wmpeffects.dll
2008-09-11 08:56 . 2008-07-30 20:34 28,160 --a------ C:\Windows\System32\Apphlpdm.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-03 03:55 --------- d-----w C:\ProgramData\WebEx
2008-10-03 03:48 --------- d-----w C:\Program Files\Wilcom
2008-10-03 03:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-30 15:25 97,928 ----a-w C:\Windows\system32\drivers\avgldx86.sys
2008-08-27 21:15 10,520 ----a-w C:\Windows\System32\avgrsstx.dll
2008-08-27 21:15 --------- d-----w C:\Program Files\AVG
2008-08-27 21:13 --------- d-----w C:\ProgramData\avg8
2008-08-23 18:21 --------- d-----w C:\Program Files\Trend Micro
2008-08-21 19:51 --------- d-----w C:\ProgramData\Kaspersky Lab Setup Files
2008-08-21 19:46 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-08-21 19:37 --------- d-----w C:\ProgramData\TEMP
2008-08-21 16:51 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-15 10:09 --------- d-----w C:\Program Files\Windows Mail
2008-07-31 03:34 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-07-31 03:34 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-07-31 03:34 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-07-31 03:34 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-07-30 23:32 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-07-15 23:48 2,048 ----a-w C:\Windows\System32\tzres.dll
2008-07-10 10:14 174 --sha-w C:\Program Files\desktop.ini
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-05-09 1232896]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-10 223984]
"BIBLauncher"="C:\Program Files\Business-in-a-Box\BIBLauncher.exe" [2008-05-12 431320]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-01-12 488984]
"LVCOMSX"="C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-01-12 244512]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-07-19 65536]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-10 223984]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-10-01 1234712]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 C:\Windows\KHALMNPR.Exe]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-05-10 692224]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{69FDF9B3-7988-4B9E-B6CF-3F599E8420B9}"= UDP:1947:HASP SRM
"{F1CE6BE7-9598-4615-9BD5-72E7C55FB8A9}"= TCP:1947:HASP SRM
"{905C5D92-AD63-475F-BE26-51DDDCAEFAB8}"= C:\Program Files\AVG\AVG8\avgupd.exe:avgupd.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
R0 AtiPcie;ATI PCI Express (3GIO) Filter;C:\Windows\system32\DRIVERS\AtiPcie.sys [2006-10-30 7680]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\Windows\system32\Drivers\avgldx86.sys [2008-08-30 97928]
R2 aksfridge;HASP Fridge;C:\Windows\system32\DRIVERS\aksfridge.sys [2007-03-12 351744]
R2 atashost;WebEx Service Host for Support Center;C:\Windows\system32\atashost.exe [2008-10-02 20376]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 231704]
R2 hasplms;HASP License Manager;C:\Windows\system32\hasplms.exe -run [ ]
R2 wntpport;wntpport;C:\Windows\system32\drivers\wntpport.sys [2001-01-19 28416]
R3 akshhl;Aladdin HASP HL Key;C:\Windows\system32\DRIVERS\akshhl.sys [2007-03-06 135424]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-12-20 3478528]
R3 SydexFDD;Sydex Diskette Driver;C:\Windows\system32\Drivers\sydexfdd.sys [2003-08-01 13359]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dabf3536-3930-11dd-8e7b-001d92afdce6}]
\shell\AutoRun\command - notepad readme.txt
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Users\CGNA\AppData\Roaming\Mozilla\Firefox\Profiles\mae6ojuc.default\
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-10 14:30:48
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-10-10 14:32:19
ComboFix-quarantined-files.txt 2008-10-10 21:32:02
Pre-Run: 190,475,214,848 bytes free
Post-Run: 190,616,338,432 bytes free
129 --- E O F --- 2008-10-09 15:06:53

HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:48, on 2008-10-16
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Business-in-a-Box\BIBLauncher.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\wuauclt.exe
C:\PROGRA~1\Brother\Brmfl04g\FAXRX.EXE
C:\Windows\System32\mobsync.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Users\CGNA\Desktop\OTMoveIt3.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [BIBLauncher] C:\Program Files\Business-in-a-Box\BIBLauncher.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://wilcom.webex.com/client/T25L...g/ieatgpc1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1EB64BC-AA11-4D09-82D7-0A8DF9C1240C}: NameServer = 192.168.2.1
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: WebEx Service Host for Support Center (atashost) - WebEx Communications, Inc. - C:\Windows\system32\atashost.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\Windows\system32\hasplms.exe
--
End of file - 6056 bytes

Thanks for all your help. I'm updating Java and Adobe Acrobat right now.

Bob

Katana

MRU Expert

1,682 Posts

15 Oct 2008, 4:47pm

Information

Also, I think, that you meant for me to post the Hijack This log instead of the ComboFix log

Nope

Combofix creates a log of what it removes, and since we restored to before the ComboFix run, I wanted to see what needed removing

----------------------------------------------------------- -----------------------------------------------------------

Step 1

OTMoveIt

Please note:- Due to the restrictions on Vista, all tools should be started by Right-Click >>> Run As Administrator

Double-click OTMoveIt3.exe to run it.
Copy the lines in the codebox below.

Code:

:files
C:\Users\CGNA\AppData\Roaming\oembios.exe
C:\Windows\system32\braviax.exe
C:\Windows\Downloaded Program Files\setup.inf

Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

----------------------------------------------------------- -----------------------------------------------------------
Step 2

Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Virus Total

Please visit Virustotal
Copy/paste the the following file path into the window
C:\Windows\system32\atsckernel.exe
Click Submit/Send File
Please post back, to let me know the results.

Please do the same for the following file
C:\Windows\Brfaxrx.ini

If Virustotal is too busy please try Jotti

----------------------------------------------------------- -----------------------------------------------------------
Step 3

Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/par...avwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

**Note**

To optimize scanning time and produce a more sensible report for review:

Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

----------------------------------------------------------- -----------------------------------------------------------
Step 4

Logs/Information to Post in Reply
Please post the following logs/Information in your reply

OTMI3 Log
Virus Total Results
Kaspersky Log
How are things running now, any problems still ?

Bob39

Icrontic Technician

79 Posts

21 Oct 2008, 12:37am

I'm very sorry for the late replies. However, I am busy with school right now,

and don't have time to stay longer at work. I will try to reply to you by the day after tomorrow.

Thanks
Bob

Bob39

Icrontic Technician

79 Posts

22 Oct 2008, 4:03pm

Hi katana

I tried to do what you asked, however i had a couple of roblems with some of the tasks. I could not upgrade jave because it gave me an error stating:

This installation package is not supported by this processor type. Contact your product vendor.

I also had an error with running the Kaspersky online scanner. The error this time said that:

Windows has blocked this software because it cannot verify the publisher.
Name: default/
Publisher: Unknown Publisher

Other than that, everything went well. Here are the results:

OTMI3 Log

========== FILES ==========
File/Folder C:\Users\CGNA\AppData\Roaming\oembios.exe not found.
File/Folder C:\Windows\system32\braviax.exe not found.
C:\Windows\Downloaded Program Files\setup.inf moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.5.0 log created on 10232008_080045

Virus Total for: C:\Windows\system32\atsckernel.exe

File atsckernel.exe received on 10.22.2008 14:02:47 (CET)
Current status: finished
Result: 0/36 (0.00%)

[RIGHT]

Compact
Print results

[/RIGHT]

AntivirusVersionLast UpdateResultAhnLab-V32008.10.22.02008.10.22-AntiVir7.9.0.52008.10.22-Authentium5.1.0.42008.10.22-Avast4.8.1248.02008.10.22-AVG8.0.0.1612008.10.22-BitDefender7.22008.10.22-CAT-QuickHeal9.502008.10.22-ClamAV0.93.12008.10.22-DrWeb4.44.0.091702008.10.22-eSafe7.0.17.02008.10.19-eTrust-Vet31.6.61632008.10.22-Ewido4.02008.10.22-F-Prot4.4.4.562008.10.21-F-Secure8.0.14332.02008.10.22-Fortinet3.113.0.02008.10.22-GData192008.10.22-IkarusT3.1.1.44.02008.10.22-K7AntiVirus7.10.5012008.10.21-Kaspersky7.0.0.1252008.10.22-McAfee54112008.10.22-Microsoft1.40052008.10.22-NOD3235452008.10.22-Norman5.80.022008.10.22-Panda9.0.0.42008.10.22-PCTools4.4.2.02008.10.21-Prevx1V22008.10.22-Rising20.67.22.002008.10.22-SecureWeb-Gateway6.7.62008.10.22-Sophos4.34.02008.10.22-Sunbelt3.1.1742.12008.10.21-Symantec102008.10.22-TheHacker6.3.1.0.1232008.10.22-TrendMicro8.700.0.10042008.10.22-VBA323.12.8.82008.10.22-ViRobot2008.10.22.14322008.10.22-VirusBuster4.5.11.02008.10.21-Additional informationFile size: 76184 bytesMD5...: af4aa8986300f1eb6017774b4c979928SHA1..: c98a0e223c6a2b955d0519172425b27de3381858SHA256: e3fa01e70127e40b47f132d1d6dd26abe49dbd07b6729f6d7ef084ee46705087SHA512: 3fd5b5f2c40e837fd96e2576600f6a321c521634be31a30ada53ee55ac677c1c
3efa3313b9a82e98f8351a16a2b20ac56f9d8b0c829eaf8114655ca544842a77PEiD..: Armadillo v1.71TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (53.1%)
Windows Screen Saver (18.4%)
Win32 Executable Generic (12.0%)
Win32 Dynamic Link Library (generic) (10.6%)
Generic Win/DOS Executable (2.8%)PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x40c610
timedatestamp.....: 0x48b87be3 (Fri Aug 29 22:44:51 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xba0d 0xbc00 6.10 edc14eb78fda2324c4e1a57af68605ae
.rdata 0xd000 0x27c6 0x2800 5.36 544a3a18d6099b0ac40577a3919236be
.data 0x10000 0x92c 0xa00 4.64 2ed7de7012eade53bcbbd067ea18b8d2
.rsrc 0x11000 0x2008 0x2200 4.94 c99cd978ff93472ae30f0eb6e15dd48c

( 9 imports )
> SHLWAPI.dll: PathRemoveFileSpecA
> KERNEL32.dll: FreeLibrary, GetProcAddress, LoadLibraryA, lstrcmpiA, GetModuleHandleA, CreateFileA, ExpandEnvironmentStringsA, Sleep, Thread32Next, Thread32First, CreateToolhelp32Snapshot, GetExitCodeProcess, FreeEnvironmentStringsA, CreateProcessA, GetEnvironmentStrings, SetEnvironmentVariableA, GetEnvironmentVariableA, GetVersionExA, UnmapViewOfFile, WideCharToMultiByte, MapViewOfFile, CreateFileMappingA, GetFileSize, lstrlenA, lstrcpyA, lstrcatA, GlobalDeleteAtom, GlobalGetAtomNameA, GetModuleFileNameA, GlobalFree, SetEvent, ReleaseMutex, CreateEventA, CreateMutexA, LocalFree, LeaveCriticalSection, EnterCriticalSection, GetCommandLineA, InitializeCriticalSection, HeapDestroy, DeleteCriticalSection, lstrcpynA, lstrcpynW, VirtualProtect, FlushInstructionCache, ResumeThread, CreateThread, GetStartupInfoA, WaitForSingleObject, GlobalAlloc, WaitForMultipleObjects, GetCurrentThreadId, GetCurrentProcessId, GetTickCount, MulDiv, GlobalUnlock, GlobalLock, GetLastError, CloseHandle, SetLastError, GetCurrentProcess, GlobalAddAtomA, MultiByteToWideChar
> USER32.dll: ScreenToClient, ChangeDisplaySettingsExA, CallWindowProcA, SetWindowLongA, GetClientRect, SetWindowPos, CreateWindowExA, GetClassInfoExA, LoadCursorA, LoadImageA, RegisterClassExA, LoadStringW, SetFocus, PostQuitMessage, LoadStringA, LoadMenuA, LoadAcceleratorsA, PeekMessageA, TranslateMessage, DestroyWindow, PostThreadMessageA, DefWindowProcA, GetWindowThreadProcessId, GetCursorPos, wsprintfA, MessageBoxA, ChangeDisplaySettingsA, ReplyMessage, GetWindow, IsWindow, GetWindowTextLengthA, GetWindowRect, GetUserObjectInformationA, InvalidateRect, UpdateWindow, WaitForInputIdle, EnumChildWindows, MessageBeep, CharNextA, EnumThreadWindows, GetWindowLongA, IsWindowVisible, GetWindowTextA, GetPropA, IsWindowEnabled, IsIconic, ShowWindow, SetForegroundWindow, BringWindowToTop, GetMessageA, mouse_event, OpenInputDesktop, SendInput, GetThreadDesktop, OpenDesktopA, SetThreadDesktop, CloseDesktop, EmptyClipboard, SetClipboardData, GetClassNameA, MapVirtualKeyA, keybd_event, FindWindowA, PostMessageA, RedrawWindow, ExitWindowsEx, ChangeClipboardChain, SetClipboardViewer, GetClipboardOwner, OpenClipboard, GetClipboardData, CloseClipboard, SendMessageA, GetForegroundWindow, GetSystemMetrics, GetDoubleClickTime, GetDesktopWindow, ChildWindowFromPointEx, DispatchMessageA
> ADVAPI32.dll: AdjustTokenPrivileges, OpenProcessToken, CreateProcessAsUserA, RegCloseKey, RegQueryValueExA, ImpersonateLoggedOnUser, LookupAccountSidA, GetTokenInformation, DuplicateTokenEx, RegOpenKeyExA, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, FreeSid, SetSecurityInfo, SetEntriesInAclA, AllocateAndInitializeSid, GetSecurityInfo, LookupPrivilegeValueA
> SHELL32.dll: SHGetPathFromIDListA, SHAppBarMessage, ShellExecuteExA
> RPCRT4.dll: RpcServerUnregisterIf, RpcBindingFree, RpcStringFreeA, RpcServerUseProtseqEpA, RpcBindingFromStringBindingA, RpcStringBindingComposeA, NdrFreeBuffer, NdrConvert, NdrSendReceive, NdrConformantArrayMarshall, NdrGetBuffer, NdrConformantArrayBufferSize, NdrClientInitializeNew, RpcRaiseException, I_RpcGetBuffer, NdrServerInitializeNew, NdrConformantArrayUnmarshall
> ole32.dll: CoUninitialize, CoCreateInstance, CoInitialize
> MSVCP60.dll: __Tidy@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAEX_N@Z, __0_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@ABV01@@Z, _assign@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@PBDI@Z, __C@_1___Nullstr@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@CAPBDXZ@4DB, __1_Lockit@std@@QAE@XZ, __0_Lockit@std@@QAE@XZ, __Mstd@@YA_NABV_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@0@0@Z, _assign@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z, _npos@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@2IB, __1_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@XZ
> MSVCRT.dll: _mbsicmp, _splitpath, strchr, _mbsnbcpy, strstr, _mbsstr, strcat, strncmp, memcpy, _except_handler3, _strdup, strlen, free, __2@YAPAXI@Z, __CxxFrameHandler, memset, strncpy, _mbsrchr, strcmp, _mbschr, _mbspbrk, _mbsinc, malloc, realloc, memmove, strcpy, _exit, _XcptFilter, exit, _acmdln, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _controlfp, _strcmpi, _strupr, __getmainargs, _strnicmp

( 0 exports )

Virus Total for: C:\Windows\Brfaxrx.ini

File Brfaxrx.ini received on 10.22.2008 17:55:16 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result: 0/36 (0%)

Loading server information...
Your file is queued in position: 2.
Estimated start time is between 45 and 64 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
[RIGHT]

Compact
Print results

[/RIGHT]

Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished. Email:

AntivirusVersionLast UpdateResultAhnLab-V32008.10.22.02008.10.22-AntiVir7.9.0.52008.10.22-Authentium5.1.0.42008.10.22-Avast4.8.1248.02008.10.22-AVG8.0.0.1612008.10.22-BitDefender7.22008.10.22-CAT-QuickHeal9.502008.10.22-ClamAV0.93.12008.10.22-DrWeb4.44.0.091702008.10.22-eSafe7.0.17.02008.10.22-eTrust-Vet31.6.61632008.10.22-Ewido4.02008.10.22-F-Prot4.4.4.562008.10.22-F-Secure8.0.14332.02008.10.22-Fortinet3.113.0.02008.10.22-GData192008.10.22-IkarusT3.1.1.44.02008.10.22-K7AntiVirus7.10.5032008.10.22-Kaspersky7.0.0.1252008.10.22-McAfee54112008.10.22-Microsoft1.40052008.10.22-NOD3235462008.10.22-Norman5.80.022008.10.22-Panda9.0.0.42008.10.22-PCTools4.4.2.02008.10.22-Prevx1V22008.10.22-Rising20.67.22.002008.10.22-SecureWeb-Gateway6.7.62008.10.22-Sophos4.34.02008.10.22-Sunbelt3.1.1742.12008.10.21-Symantec102008.10.22-TheHacker6.3.1.0.1232008.10.22-TrendMicro8.700.0.10042008.10.22-VBA323.12.8.82008.10.22-ViRobot2008.10.22.14322008.10.22-VirusBuster4.5.11.02008.10.22-Additional informationFile size: 192 bytesMD5...: 18c27078b34393015ebfb17e9d3da049SHA1..: c828343c9104b1807aacce4c7812ba68179ea22dSHA256: 88ebadb08f133944844ddb7b6a72b76ecd843213823d8934c77e110048394cdaSHA512: acc92e391b990b5f7dcca567a647e09584420aa25ca19883d2075ca915729747
7b1afdd6bf95004b9069049e23114911698062329fe8385b971737a38f047121PEiD..: -TrID..: File type identification
Generic INI configuration (100.0%)PEInfo: -

How are things Running Now?

The virus wasn't very noticable in the begining. However, I'm glad to say that
the desktop has changed back to normal and that I don't experience the lagging
anymore.

I'm very sorry for the late results. THanks for all your help.

Bob

Katana

MRU Expert

1,682 Posts

22 Oct 2008, 5:44pm

Quoting Bob39

I could not upgrade jave because it gave me an error
I also had an error with running the Kaspersky online scanner.

It may be because the machine is running Vista Business.
I would recommend buying an Antivirus as soon as possible.
NOD32 and Kaspersky are both very good solutions.

Congratulations your logs look clean

Let's see if I can help you keep it that way

First lets tidy up

This will clear your System Volume Information restore points and remove all the infected files that were quarantined
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

You can also delete any logs we have produced, and empty your Recycle bin.

Open OTMoveIt Click Cleanup,
it will now connect to the internet and get a list of files to delete.
When a box pops up click YES.

The following is some info to help you stay safe and clean.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/par...avwebscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details

AntiSpyware

AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have a free (for Home Users ) and paid versions,
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy <<< A must have program
- It includes host protection and registry protection
- A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
MalwareBytes Anti-malware <<< A New and effective program
a-squared Free <<< A good "realtime" or "on demand" scanner
superantispyware <<< A good "realtime" or "on demand" scanner

Prevention

These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one
Winpatrol
- An excellent startup manager and then some !!
- Notifies you if programs are added to startup
- Allows delayed startup
- A must have addition
SpywareBlaster 4.0
- SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
SpywareGuard 2.2
- SpywareGuard provides real-time protection against spyware.
- Not required if you have other "realtime" antispyware or Winpatrol
ZonedOut
- Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS
- This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
- For information on how to download and install, please read this tutorial by WinHelp2002.
- Not required if you are using other host file protections

Internet Browsers

Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.
- Make your Internet Explorer more secure - This can be done by following these simple instructions:
  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click once on the Security tab
  3. Click once on the Internet icon so it becomes highlighted.
  4. Click once on the Custom Level button.
    - Change the Download signed ActiveX controls to Prompt
    - Change the Download unsigned ActiveX controls to Disable
    - Change the Initialise and script ActiveX controls not marked as safe to Disable
    - Change the Installation of desktop items to Prompt
    - Change the Launching programs and files in an IFRAME to Prompt
    - Change the Navigate sub-frames across different domains to Prompt
    - When all these settings have been made, click on the OK button.
    - If it prompts you as to whether or not you want to save the settings, press the Yes button.
  5. Next press the Apply button and then the OK to exit the Internet Properties page.
If you are still using IE6 then either update, or get one of the following.
- FireFox
  - With many addons available that make customization easy this is a very popular choice
  - NoScript and AdBlockPlus addons are essential
- Opera
  - Another popular alternative
- Netscape
  - Another popular alternative
  - Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies

Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.

Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

Both of these can be cleaned manually, but a quicker option is to use a program
ATF Cleaner
- Free and very simple to use
CCleaner
- Free and very flexible, you can chose which cookies to keep

Also PLEASE read this article.....So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again

If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'

Bob39

Icrontic Technician

79 Posts

25 Oct 2008, 5:50pm

Hi katana

I opened run and type in "ComboFix /u" like you told me to, however, the comp said that it couldn't find Combo Fix. I just occurred to me that I moved the file, and that might be why. However, I think that it might also have something to do with the fact that we did a system restore, and that ComboFix wasn't really used. Please correct me if I'm wrong however. I'll try to move ComboFix back to the desktop tomorrow and try again.

My boss is thinking of buying BitDefender Total Security because it was recommended to him by one of his friends. Do you think that he would be better off with Kaspersky? Also, he is thinking of using the Bitdefender Anti Spyware that he will get with it. Should he use the other anti Spyware programs that you suggested? Or is Bitdefender Anti-spyware good enough?

Other than that, everything looks fine. Thanks for all your help. Keep up the good work.

Thanks
Bob

Katana

MRU Expert

1,682 Posts

25 Oct 2008, 7:35pm

Quoting Bob39

I just occurred to me that I moved the file, and that might be why

That is definitely why.

Bitdefender is fine

Bob39

Icrontic Technician

79 Posts

27 Oct 2008, 11:57am

I tried to find ComboFix and move it to the desktop, however, i couldn't locate it. Even after I searched for it using the start search in Vista.

Katana

MRU Expert

1,682 Posts

27 Oct 2008, 2:25pm

Please download an updated copy from one of the links below

ComboFix.exe 1
ComboFix.exe 2
ComboFix.exe 3

Make sure you save it on the desktop.

Next do the following

Click the Windows 'Start' button > Select 'Run' - then copy/paste the following bolded text into the run box & click OK.

"%userprofile%\desktop\combofix.exe" /u

Combofix will uninstall, and you are good to go.

Bob39

Icrontic Technician

79 Posts

27 Oct 2008, 7:43pm

Thanks for all your help. ComboFix did uninstall successfully, and virus is fully deleted from my computer, due to the incredible help and advise you guys gave. You rock.

Thanks again
Bob

Katana

MRU Expert

1,682 Posts

30 Oct 2008, 1:43pm

Glad we could be of assistance! This topic is now closed.

If you wish to reopen your topic, please send a Private Message (PM) to Trogan with a link to your thread.

If you are not the user who started this thread, you must start your own Thread instead

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Some learn computer quickly orther don't	XPhater	Folding@Home	5	24 May 2008 9:18pm
Networking XP Computers, Computer Illiterate here....	sailinstud420	Networking & Security	52	14 Mar 2005 4:13am

		Icrontic Forums > Tech: Software > Spyware & Virus Removal (Closed)
boss's Computer

Jump to

This Thread	Search this Thread
Print Email	Search this Thread: Advanced Search

Username
Password	Forgot?
Remember me