JimBeam69

Win32 Patched EM - Help Required

4 posts in this topic

I appear to have the above malware in my computer and I'm not sure how to remove it. Any help will be much appreciated!

 

Malwarebytes' Anti-Malware 1.44

Database version: 3628

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

 

24/01/2010 19:25:30

mbam-log-2010-01-24 (19-25-30).txt

 

Scan type: Quick Scan

Objects scanned: 116638

Time elapsed: 16 minute(s), 6 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 6

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

 

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

(No malicious items detected)

 

 

 

 

BitDefender QuickScan Beta 32-bit v0.9.9.0

------------------------------------------

 

Scan date: Sun Jan 24 19:26:45 2010

Machine ID: CF7F51D

 

 

 

Found 1 infected file!

------------------------

C:\WINDOWS\system32\ws2_32.dll - Trojan.Patched.EM

 

 

Processes

---------

<unsigned> Canon Camera Access Library 8 3584 C:\Program Files\Canon\CAL\CALMAIN.exe

<unsigned> Spybot - Search & Destroy 2976 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

 

<verified> .NET Framework 3.5 11452 C:\WINDOWS\SoftwareDistribution\Download\Install\dotnetfx35_x86.exe

<verified> Ad-Aware Service Application 1068 C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

<verified> Apache HTTP Server 3588 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

<verified> Apache HTTP Server 832 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

<verified> app_filter Module 232 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

<verified> AVG Internet Security 1328 C:\Program Files\AVG\AVG9\avgchsvx.exe

<verified> AVG Internet Security 492 C:\Program Files\AVG\AVG9\avgcsrvx.exe

<verified> AVG Internet Security 1436 C:\Program Files\AVG\AVG9\avgcsrvx.exe

<verified> AVG Internet Security 3616 C:\Program Files\AVG\AVG9\avgemc.exe

<verified> AVG Internet Security 656 C:\Program Files\AVG\AVG9\avgnsx.exe

<verified> AVG Internet Security 1336 C:\Program Files\AVG\AVG9\avgrsx.exe

<verified> AVG Internet Security 2696 C:\Program Files\AVG\AVG9\avgtray.exe

<verified> AVG Internet Security 324 C:\Program Files\AVG\AVG9\avgwdsvc.exe

<verified> B's Recorder GOLD8 384 C:\WINDOWS\system32\bgsvcgen.exe

<verified> DNA 2852 C:\Program Files\DNA\btdna.exe

<verified> FinePixViewer 3260 C:\Program Files\FinePixViewer\QuickDCF2.exe

<verified> Firefox 4948 C:\Program Files\Mozilla Firefox\firefox.exe

<verified> Java Platform SE 6 U11 2172 C:\Program Files\Java\jre6\bin\jqs.exe

<verified> Java Platform SE 6 U11 2192 C:\Program Files\Java\jre6\bin\jusched.exe

<verified> Microsoft® Windows® Operating System 1568 C:\WINDOWS\Explorer.EXE

<verified> Microsoft® Windows® Operating System 5756 C:\WINDOWS\System32\alg.exe

<verified> Microsoft® Windows® Operating System 852 C:\WINDOWS\system32\csrss.exe

<verified> Microsoft® Windows® Operating System 2808 C:\WINDOWS\system32\ctfmon.exe

<verified> Microsoft® Windows® Operating System 948 C:\WINDOWS\system32\lsass.exe

<verified> Microsoft® Windows® Operating System 7492 C:\WINDOWS\system32\ntvdm.exe

<verified> Microsoft® Windows® Operating System 10224 C:\WINDOWS\system32\ntvdm.exe

<verified> Microsoft® Windows® Operating System 2512 C:\WINDOWS\system32\rundll32.exe

<verified> Microsoft® Windows® Operating System 1976 C:\WINDOWS\system32\RunDLL32.exe

<verified> Microsoft® Windows® Operating System 936 C:\WINDOWS\system32\services.exe

<verified> Microsoft® Windows® Operating System 156 C:\WINDOWS\system32\spoolsv.exe

<verified> Microsoft® Windows® Operating System 1200 C:\WINDOWS\System32\svchost.exe

<verified> Microsoft® Windows® Operating System 1156 C:\WINDOWS\system32\svchost.exe

<verified> Microsoft® Windows® Operating System 1100 C:\WINDOWS\system32\svchost.exe

<verified> Microsoft® Windows® Operating System 3412 C:\WINDOWS\system32\svchost.exe

<verified> Microsoft® Windows® Operating System 460 C:\WINDOWS\system32\svchost.exe

<verified> Microsoft® Windows® Operating System 3688 C:\WINDOWS\System32\svchost.exe

<verified> Microsoft® Windows® Operating System 288 C:\WINDOWS\system32\svchost.exe

<verified> Microsoft® Windows® Operating System 1284 C:\WINDOWS\system32\svchost.exe

<verified> Microsoft® Windows® Operating System 1256 C:\WINDOWS\system32\svchost.exe

<verified> Microsoft® Windows® Operating System 4484 C:\WINDOWS\system32\wbem\unsecapp.exe

<verified> Microsoft® Windows® Operating System 500 C:\WINDOWS\system32\wbem\wmiprvse.exe

<verified> Microsoft® Windows® Operating System 892 C:\WINDOWS\system32\winlogon.exe

<verified> Microsoft® Windows® Operating System 11848 C:\WINDOWS\system32\wuauclt.exe

<verified> NVIDIA Driver Helper Service, Version 91.31 3204 C:\WINDOWS\system32\nvsvc32.exe

<verified> NVIDIA nSvcIp 2896 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

<verified> NVIDIA nSvcLog 3060 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

<verified> PowerDVD 2160 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

<verified> PRISM Wireless LAN 2180 C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\PRISMSVR.EXE

<verified> Realtek Sound Manager 2124 C:\WINDOWS\SOUNDMAN.EXE

<verified> Wireless Monitor 3316 C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\st121g.exe

 

 

Network activity

----------------

Process firefox.exe (4948) connected on port 80 (HTTP) - ey-in-f100.1e100.net

Process firefox.exe (4948) connected on port 80 (HTTP) - a88-221-40-20.deploy.akamaitechnologies.com

Process firefox.exe (4948) connected on port 80 (HTTP) - ds160.xs4all.nl

Process firefox.exe (4948) connected on port 80 (HTTP) - *.122.2o7.net

 

Process apache.exe (832) listens on ports: 3476

Process svchost.exe (1100) listens on ports: 12485

Process svchost.exe (1156) listens on ports: 135 (RPC)

Process svchost.exe (1284) listens on ports: 2869 (SSDP event notification, UPNP)

Process btdna.exe (2852) listens on ports: 19554

 

 

Autoruns and critical files

---------------------------

<unsigned> ae.tmp c:\windows\system32\ae.tmp

<unsigned> Spybot - Search & Destroy C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

 

<verified> Ad-Aware Admin Application C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe

<verified> Adobe Acrobat C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

<verified> Adobe Systems, Inc. Adobe Gamma Loader C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

<verified> AdobeCollabSync.exe C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

<verified> Ahead Software Gmbh NeroCheck C:\WINDOWS\system32\NeroCheck.exe

<verified> Apple Software Update C:\Program Files\Apple Software Update\SoftwareUpdate.exe

<verified> AVG Internet Security C:\Program Files\AVG\AVG9\avgtray.exe

<verified> AVG Internet Security C:\WINDOWS\system32\avgrsstx.dll

<verified> DNA C:\Program Files\DNA\btdna.exe

<verified> Google Update C:\Program Files\Google\Update\GoogleUpdate.exe

<verified> Google Updater C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

<verified> Java Platform SE 6 U11 C:\Program Files\Java\jre6\bin\jusched.exe

<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\browseui.dll

<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\bthprops.cpl

<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\crypt32.dll

<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\cryptnet.dll

<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\cscdll.dll

<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\ctfmon.exe

<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\dimsntfy.dll

<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\logonui.exe

<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\sclgntfy.dll

<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\shell32.dll

<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\stobject.dll

<verified> Microsoft® Windows® Operating System c:\windows\system32\userinit.exe

<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\wlnotify.dll

<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\WPDShServiceObj.dll

<verified> Nero BackItUp Scheduler C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

<verified> NVIDIA Compatible Windows 2000 Display driver, Ver C:\WINDOWS\system32\NvCpl.dll

<verified> NVIDIA Firewall. C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe

<verified> NVIDIA Media Center Library C:\WINDOWS\system32\nvmctray.dll

<verified> nwiz.exe C:\WINDOWS\system32\nwiz.exe

<verified> PowerDVD C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

<verified> PRISM Wireless LAN C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\PRISMSVR.EXE

<verified> QuickTime C:\Program Files\QuickTime\qttask.exe

<verified> Realtek Sound Manager C:\WINDOWS\SOUNDMAN.EXE

<verified> Registry Shaver C:\Program Files\REGSHAVE\REGSHAVE.EXE

<verified> Windows® Internet Explorer C:\WINDOWS\system32\webcheck.dll

<verified> Wireless Monitor C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\st121g.exe

 

 

Browser plugins

---------------

<unsigned> Google Earth Plugin C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll

 

<verified> AcroIEHelper Library c:\program files\common files\adobe\acrobat\activex\acroiehelper.dll

<verified> Adobe Acrobat C:\Program Files\Internet Explorer\plugins\nppdf32.dll

<verified> Adobe Acrobat C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll

<verified> Ask.com Toolbar c:\program files\askbardis\bar\bin\askbar.dll

<verified> AVG Internet Security c:\program files\avg\avg9\avgssie.dll

<verified> BitDefender QuickScan C:\Documents and Settings\Stewart\Application Data\Mozilla\Firefox\Profiles/f5zgb0n9.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll

<verified> BitDefender QuickScan C:\Documents and Settings\Stewart\Application Data\Mozilla\Firefox\Profiles/f5zgb0n9.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

<verified> DNA Plug-in C:\Program Files\DNA\plugins\npbtdna.dll

<verified> Google Update C:\Program Files\Google\Update\1.2.183.13\npGoogleOneClick8.dll

<verified> Google Updater C:\Program Files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

<verified> GoogleToolbarNotifier c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

<verified> InstallShield Update Service C:\WINDOWS\Downloaded Program Files\dwusplay.dll

<verified> InstallShield Update Service C:\WINDOWS\Downloaded Program Files\dwusplay.exe

<verified> InstallShield Update Service C:\WINDOWS\Downloaded Program Files\isusweb.dll

<verified> Java Platform SE 6 U11 c:\program files\java\jre6\bin\ssv.dll

<verified> Java Platform SE 6 U11 C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll

<verified> Microsoft® Windows Live Login Helper c:\program files\common files\microsoft shared\windows live\windowslivelogin.dll

<verified> Microsoft® Windows® Operating System C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\mswsock.dll

<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\rsvpsp.dll

<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\winrnr.dll

<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\wshbth.dll

<verified> Mozilla Default Plug-in C:\Program Files\Mozilla Firefox\plugins\npnul32.dll

<verified> MSN Photo Upload Control C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll

<verified> MSN Photo Upload Control C:\WINDOWS\Downloaded Program Files\puren-gb.dll

<verified> MSN Photo Upload Control C:\WINDOWS\Downloaded Program Files\PURen-us.dll

<verified> NPSWF32.dll C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll

<verified> NVIDIA Application Filter C:\WINDOWS\system32\nvappfilter.dll

<verified> Picasa C:\Program Files\Picasa2\npPicasa2.dll

<verified> Picasa C:\Program Files\Picasa2\npPicasa3.dll

<verified> Playnet Inc. Presenter C:\Program Files\Internet Explorer\plugins\NPplaynet.dll

<verified> Playnet Inc. Presenter C:\Program Files\Mozilla Firefox\plugins\NPplaynet.dll

<verified> QuickTime Plug-in 7.1.3 C:\Program Files\Internet Explorer\plugins\npqtplugin.dll

<verified> QuickTime Plug-in 7.1.3 C:\Program Files\Internet Explorer\plugins\npqtplugin2.dll

<verified> QuickTime Plug-in 7.1.3 C:\Program Files\Internet Explorer\plugins\npqtplugin3.dll

<verified> QuickTime Plug-in 7.1.3 C:\Program Files\Internet Explorer\plugins\npqtplugin4.dll

<verified> QuickTime Plug-in 7.1.3 C:\Program Files\Internet Explorer\plugins\npqtplugin5.dll

<verified> QuickTime Plug-in 7.1.3 C:\Program Files\Internet Explorer\plugins\npqtplugin6.dll

<verified> QuickTime Plug-in 7.1.3 C:\Program Files\Internet Explorer\plugins\npqtplugin7.dll

<verified> QuickTime Plug-in 7.1.3 C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll

<verified> QuickTime Plug-in 7.1.3 C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll

<verified> QuickTime Plug-in 7.1.3 C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll

<verified> QuickTime Plug-in 7.1.3 C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll

<verified> QuickTime Plug-in 7.1.3 C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll

<verified> QuickTime Plug-in 7.1.3 C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll

<verified> QuickTime Plug-in 7.1.3 C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll

<verified> Spybot - Search & Destroy c:\program files\spybot - search & destroy\sdhelper.dll

<verified> VideoEgg Publisher C:\Program Files\Mozilla Firefox\plugins\npvideoegg-loader.dll

<verified> Windows® Internet Explorer C:\WINDOWS\system32\ieframe.dll

<verified> Yahoo! Toolbar c:\program files\yahoo!\companion\installs\cpn\yt.dll

 

 

Missing files

-------------

File not found: C:\Program Files\Blubster\Blubster.exe SILENT

referenced in: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"Blubster"

 

File not found: c:\windows\system32\opnmnfvl.dll

referenced in: HKCR\CLSID\{6D243481-F26F-4126-995E-A4FB12E84C7E}\InprocServer32\(default)

 

File not found: c:\windows\system32\pmnnkcrr.dll

referenced in: HKCR\CLSID\{0DD8BEC0-E869-49BE-A8B1-C98827E0AA51}\InprocServer32\(default)

 

File not found: cbXPfCVp.dll

referenced in: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbXPfCVp\"DllName"

 

File not found: tbjrfz.dll

referenced in: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs"

 

File not found: tfbvjo.dll

referenced in: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs"

 

 

Scan

----

 

No file uploaded.

 

Scan finished - communication took 2 sec

Total traffic - 0.02 MB sent, 1.03 KB recvd

Scanned 762 files and modules - 500 seconds

 

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:46:39, on 24/01/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\WINDOWS\system32\bgsvcgen.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

C:\WINDOWS\system32\RunDLL32.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\PRISMSVR.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DNA\btdna.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\FinePixViewer\QuickDCF2.exe

C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\st121g.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

C:\Program Files\AVG\AVG9\avgemc.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\ntvdm.exe

C:\WINDOWS\system32\ntvdm.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Stewart\Desktop\HijackThis.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\AE.tmp,

O1 - Hosts: ::1 localhost

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {0DD8BEC0-E869-49BE-A8B1-C98827E0AA51} - C:\WINDOWS\system32\pmnnKCrr.dll (file missing)

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: (no name) - {6D243481-F26F-4126-995E-A4FB12E84C7E} - C:\WINDOWS\system32\opnmNFVL.dll (file missing)

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: (no name) - {E1808F9F-484D-4B75-A011-0359FF92E9C8} - (no file)

O2 - BHO: (no name) - {E906991E-1DA1-4ACA-9E39-5F3AD2D11DC5} - (no file)

O2 - BHO: (no name) - {F8C2A486-AABD-453D-9F26-9FEF10D6ED89} - (no file)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\PRISMSVR.EXE" /APPLY

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [blubster] C:\Program Files\Blubster\Blubster.exe SILENT

O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: Exif Launcher 2.lnk = ?

O4 - Global Startup: SpeedTouch 121g Wireless USB Monitor.lnk = C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\st121g.exe

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://radgepelt.spaces.live.com//PhotoUpload/MsnPUpld.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll

O20 - AppInit_DLLs: tfbvjo.dll,tbjrfz.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O20 - Winlogon Notify: cbXPfCVp - cbXPfCVp.dll (file missing)

O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

O23 - Service: Google Update Service (gupdate1c9f83b1e0c603a) (gupdate1c9f83b1e0c603a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

 

--

End of file - 10054 bytes


Welcome to SWI. We apologize for the delay; our helpers have been very busy.

 

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

 

[this is an automated reply]


Hi,

I'm nasdaq and will be helping you.

 

Print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.

 

Please change the location of HijackThis.exe.

Create a new folder in your C: Drive

Name it C:\HJT or HijackThis and move the HijackThis.exe file in it.

It's best for this tool NOT TO be located in your Desktop or in a TEMP folder.

This way you can undo any changes if something goes wrong and will prevent the tool placing shortcuts on your Desktop and creating temporary files in your C:\ drive.

===

 

The Hosts file was altered, so please for your added security install this one.

 

Download HostsXpert

 

Tutorial, go here:

http://i28.photobucket.com/albums/c227/tetonbob/emoticons/HostsXpert4.jpg

  • Unzip HostsXpert to its own folder.
  • Run HostsXpert.exe
  • Click: Make Writable? in the upper left corner.
  • Click: Download
  • Click: MVPs Hosts
  • Click: Replace
  • Click: OK
  • Click: Make ReadOnly
  • Close HostsXpert.

Note: If a custom Hosts file was in place, also edit those entries back in.


I suggest that you update the new version of the Hosts file every 6 weeks. I do.

 

All you need to know about the hosts file.

http://www.mvps.org/winhelp2002/hosts.htm

===

 

You have Ask Toolbar installed.

 

I strongly recommend you remove it from your computer via the Add/Remove Programs list, because:

  • It promotes its toolbars on sites targeted at kids.
  • It promotes its toolbars through ads that appear to be part of other companies' sites.
  • It promotes its toolbars through other companies' spyware.
  • It is installed without any disclosure whatsoever and without any consent from the user whatsoever.
  • It solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.
  • It makes confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.
  • Or you can download and run this uninstaller.
    http://autoclean.computersitter.com/documentation/li/ask-toolbar-remover

 

If you uninstalled the Ask Toolbar as recommended, using Windows Explorer delete the following folders if found:

C:\Program Files\AskBarDis

C:\Program Files\AskSearch

C:\Program Files\AskSBar

C:\Program Files\AskTBar

C:\Program Files\Ask.com

===

 

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:

  • Run Spybot-S&D
  • Go to the Mode menu, and make sure "Advanced Mode" is selected
  • On the left hand side, choose Tools -> Resident
  • Uncheck "Resident TeaTimer" and OK any prompts
  • Restart your computer.

When everything is done and your log is clean again, you can enable it again.

If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

 

Please don't forget this step to disable TeaTimer.

 

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

 

 

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\AE.tmp,

O1 - Hosts: ::1 localhost

O2 - BHO: (no name) - {0DD8BEC0-E869-49BE-A8B1-C98827E0AA51} - C:\WINDOWS\system32\pmnnKCrr.dll (file missing)

O2 - BHO: (no name) - {6D243481-F26F-4126-995E-A4FB12E84C7E} - C:\WINDOWS\system32\opnmNFVL.dll (file missing)

O2 - BHO: (no name) - {E1808F9F-484D-4B75-A011-0359FF92E9C8} - (no file)

O2 - BHO: (no name) - {E906991E-1DA1-4ACA-9E39-5F3AD2D11DC5} - (no file)

O2 - BHO: (no name) - {F8C2A486-AABD-453D-9F26-9FEF10D6ED89} - (no file)

O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll <- optional fix only if you have deleted the Ask Bar. See my note.

O20 - AppInit_DLLs: tfbvjo.dll,tbjrfz.dll

O20 - Winlogon Notify: cbXPfCVp - cbXPfCVp.dll (file missing)

 

Click on Fix Checked when finished and exit HijackThis.

 

Delete these files in bold.

C:\WINDOWS\system32\AE.tmp

C:\WINDOWS\system32\tfbvjo.dll

C:\WINDOWS\system32\tbjrfz.dll

 

Restart the computer normally.

===

 

Please run this security check for my review.

 

Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

Submit a fresh HijackThis log.

 

Let me know what problem persists.

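A defender's triage of the HijackThis lines fixed in the post above, as an added example that is not part of the thread and not the HijackThis tool's own logic: it parses the F2 UserInit, O2 BHO and O20 AppInit_DLLs / Winlogon Notify lines and flags the same kinds of entries nasdaq asked to fix (an extra loader appended to UserInit, BHO and Notify registrations whose file is missing, a populated AppInit_DLLs value). The sample lines are copied from the posted log plus a few constructed benign controls; the heuristics and the expected UserInit value are assumptions.

```python
"""Triage a HijackThis v2 log for the autostart entries a helper reviews."""
import re
from typing import Dict, List

# Assumption: on Windows XP the shell loader value should name only userinit.exe.
# Anything appended after it is executed at every interactive logon.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")

# Constructed sample: the flagged lines are copied from the log posted in this thread,
# the Adobe BHO, soundMan and avgrsstarter lines are benign controls.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\AE.tmp,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0DD8BEC0-E869-49BE-A8B1-C98827E0AA51} - C:\WINDOWS\system32\pmnnKCrr.dll (file missing)
O2 - BHO: (no name) - {E1808F9F-484D-4B75-A011-0359FF92E9C8} - (no file)
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O20 - AppInit_DLLs: tfbvjo.dll,tbjrfz.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: cbXPfCVp - cbXPfCVp.dll (file missing)
"""


def triage_line(line: str) -> List[Dict[str, str]]:
    """Return zero or more findings for one HijackThis log line."""
    line = line.strip()
    findings: List[Dict[str, str]] = []

    if line.startswith("F2 - REG:system.ini: UserInit="):
        # The value is a comma-separated list; every entry besides userinit.exe is a loader.
        value = line.split("UserInit=", 1)[1]
        for entry in value.split(","):
            entry = entry.strip()
            if entry and entry.lower() != EXPECTED_USERINIT:
                findings.append({"section": "F2", "reason": "extra UserInit entry", "target": entry})

    elif line.startswith("O2 - BHO:"):
        # A CLSID still registered as a BHO but pointing at no file is an orphaned registration.
        m = BHO_RE.match(line)
        if m and ("(file missing)" in m.group("path") or m.group("path") == "(no file)"):
            findings.append({"section": "O2", "reason": "BHO registration with no backing file",
                             "target": m.group("clsid")})

    elif line.startswith("O20 - AppInit_DLLs:"):
        # AppInit_DLLs is loaded into every process that links user32.dll; it is normally empty.
        for dll in line.split(":", 1)[1].split(","):
            dll = dll.strip()
            if dll:
                findings.append({"section": "O20", "reason": "AppInit_DLLs is populated", "target": dll})

    elif line.startswith("O20 - Winlogon Notify:"):
        # A Notify package key whose DLL is gone is leftover persistence that should be removed.
        m = NOTIFY_RE.match(line)
        if m and "(file missing)" in m.group("path"):
            findings.append({"section": "O20", "reason": "Winlogon Notify package with no backing DLL",
                             "target": m.group("key")})

    return findings


def triage_log(text: str) -> List[Dict[str, str]]:
    """Run triage_line over every non-blank line of a log and collect the findings."""
    out: List[Dict[str, str]] = []
    for raw in text.splitlines():
        if raw.strip():
            out.extend(triage_line(raw))
    return out


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}: {f['target']}")
```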

Due to the lack of feedback this Topic is closed.

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

 

Everyone else please begin a New Topic.

This topic is now closed to further replies.