
Win32 Patched EM - Help Required


  • This topic is locked
3 replies to this topic

#1 JimBeam69

    Member

  • Full Member
  • 2 posts

Posted 24 January 2010 - 02:56 PM

I appear to have the above malware in my computer and I'm not sure how to remove it. Any help will be much appreciated!

Malwarebytes' Anti-Malware 1.44
Database version: 3628
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

24/01/2010 19:25:30
mbam-log-2010-01-24 (19-25-30).txt

Scan type: Quick Scan
Objects scanned: 116638
Time elapsed: 16 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




BitDefender QuickScan Beta 32-bit v0.9.9.0
------------------------------------------

Scan date: Sun Jan 24 19:26:45 2010
Machine ID: CF7F51D



Found 1 infected file!
------------------------
C:\WINDOWS\system32\ws2_32.dll - Trojan.Patched.EM


Processes
---------
<unsigned> Canon Camera Access Library 8 3584 C:\Program Files\Canon\CAL\CALMAIN.exe
<unsigned> Spybot - Search & Destroy 2976 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

<verified> .NET Framework 3.5 11452 C:\WINDOWS\SoftwareDistribution\Download\Install\dotnetfx35_x86.exe
<verified> Ad-Aware Service Application 1068 C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
<verified> Apache HTTP Server 3588 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
<verified> Apache HTTP Server 832 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
<verified> app_filter Module 232 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
<verified> AVG Internet Security 1328 C:\Program Files\AVG\AVG9\avgchsvx.exe
<verified> AVG Internet Security 492 C:\Program Files\AVG\AVG9\avgcsrvx.exe
<verified> AVG Internet Security 1436 C:\Program Files\AVG\AVG9\avgcsrvx.exe
<verified> AVG Internet Security 3616 C:\Program Files\AVG\AVG9\avgemc.exe
<verified> AVG Internet Security 656 C:\Program Files\AVG\AVG9\avgnsx.exe
<verified> AVG Internet Security 1336 C:\Program Files\AVG\AVG9\avgrsx.exe
<verified> AVG Internet Security 2696 C:\Program Files\AVG\AVG9\avgtray.exe
<verified> AVG Internet Security 324 C:\Program Files\AVG\AVG9\avgwdsvc.exe
<verified> B's Recorder GOLD8 384 C:\WINDOWS\system32\bgsvcgen.exe
<verified> DNA 2852 C:\Program Files\DNA\btdna.exe
<verified> FinePixViewer 3260 C:\Program Files\FinePixViewer\QuickDCF2.exe
<verified> Firefox 4948 C:\Program Files\Mozilla Firefox\firefox.exe
<verified> Java™ Platform SE 6 U11 2172 C:\Program Files\Java\jre6\bin\jqs.exe
<verified> Java™ Platform SE 6 U11 2192 C:\Program Files\Java\jre6\bin\jusched.exe
<verified> Microsoft® Windows® Operating System 1568 C:\WINDOWS\Explorer.EXE
<verified> Microsoft® Windows® Operating System 5756 C:\WINDOWS\System32\alg.exe
<verified> Microsoft® Windows® Operating System 852 C:\WINDOWS\system32\csrss.exe
<verified> Microsoft® Windows® Operating System 2808 C:\WINDOWS\system32\ctfmon.exe
<verified> Microsoft® Windows® Operating System 948 C:\WINDOWS\system32\lsass.exe
<verified> Microsoft® Windows® Operating System 7492 C:\WINDOWS\system32\ntvdm.exe
<verified> Microsoft® Windows® Operating System 10224 C:\WINDOWS\system32\ntvdm.exe
<verified> Microsoft® Windows® Operating System 2512 C:\WINDOWS\system32\rundll32.exe
<verified> Microsoft® Windows® Operating System 1976 C:\WINDOWS\system32\RunDLL32.exe
<verified> Microsoft® Windows® Operating System 936 C:\WINDOWS\system32\services.exe
<verified> Microsoft® Windows® Operating System 156 C:\WINDOWS\system32\spoolsv.exe
<verified> Microsoft® Windows® Operating System 1200 C:\WINDOWS\System32\svchost.exe
<verified> Microsoft® Windows® Operating System 1156 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1100 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 3412 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 460 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 3688 C:\WINDOWS\System32\svchost.exe
<verified> Microsoft® Windows® Operating System 288 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1284 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1256 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 4484 C:\WINDOWS\system32\wbem\unsecapp.exe
<verified> Microsoft® Windows® Operating System 500 C:\WINDOWS\system32\wbem\wmiprvse.exe
<verified> Microsoft® Windows® Operating System 892 C:\WINDOWS\system32\winlogon.exe
<verified> Microsoft® Windows® Operating System 11848 C:\WINDOWS\system32\wuauclt.exe
<verified> NVIDIA Driver Helper Service, Version 91.31 3204 C:\WINDOWS\system32\nvsvc32.exe
<verified> NVIDIA nSvcIp 2896 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
<verified> NVIDIA nSvcLog 3060 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
<verified> PowerDVD 2160 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
<verified> PRISM Wireless LAN 2180 C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\PRISMSVR.EXE
<verified> Realtek Sound Manager 2124 C:\WINDOWS\SOUNDMAN.EXE
<verified> Wireless Monitor 3316 C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\st121g.exe


Network activity
----------------
Process firefox.exe (4948) connected on port 80 (HTTP) - ey-in-f100.1e100.net
Process firefox.exe (4948) connected on port 80 (HTTP) - a88-221-40-20.deploy.akamaitechnologies.com
Process firefox.exe (4948) connected on port 80 (HTTP) - ds160.xs4all.nl
Process firefox.exe (4948) connected on port 80 (HTTP) - *.122.2o7.net

Process apache.exe (832) listens on ports: 3476
Process svchost.exe (1100) listens on ports: 12485
Process svchost.exe (1156) listens on ports: 135 (RPC)
Process svchost.exe (1284) listens on ports: 2869 (SSDP event notification, UPNP)
Process btdna.exe (2852) listens on ports: 19554


Autoruns and critical files
---------------------------
<unsigned> ae.tmp c:\windows\system32\ae.tmp
<unsigned> Spybot - Search & Destroy C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

<verified> Ad-Aware Admin Application C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
<verified> Adobe Acrobat C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
<verified> Adobe Systems, Inc. Adobe Gamma Loader C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
<verified> AdobeCollabSync.exe C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
<verified> Ahead Software Gmbh NeroCheck C:\WINDOWS\system32\NeroCheck.exe
<verified> Apple Software Update C:\Program Files\Apple Software Update\SoftwareUpdate.exe
<verified> AVG Internet Security C:\Program Files\AVG\AVG9\avgtray.exe
<verified> AVG Internet Security C:\WINDOWS\system32\avgrsstx.dll
<verified> DNA C:\Program Files\DNA\btdna.exe
<verified> Google Update C:\Program Files\Google\Update\GoogleUpdate.exe
<verified> Google Updater C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
<verified> Java™ Platform SE 6 U11 C:\Program Files\Java\jre6\bin\jusched.exe
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\browseui.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\bthprops.cpl
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\crypt32.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\cryptnet.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\cscdll.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\ctfmon.exe
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\dimsntfy.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\logonui.exe
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\sclgntfy.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\shell32.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\stobject.dll
<verified> Microsoft® Windows® Operating System c:\windows\system32\userinit.exe
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\wlnotify.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\WPDShServiceObj.dll
<verified> Nero BackItUp Scheduler C:\Program Files\Ahead\Nero BackItUp\NBJ.exe
<verified> NVIDIA Compatible Windows 2000 Display driver, Ver C:\WINDOWS\system32\NvCpl.dll
<verified> NVIDIA Firewall. C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
<verified> NVIDIA Media Center Library C:\WINDOWS\system32\nvmctray.dll
<verified> nwiz.exe C:\WINDOWS\system32\nwiz.exe
<verified> PowerDVD C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
<verified> PRISM Wireless LAN C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\PRISMSVR.EXE
<verified> QuickTime C:\Program Files\QuickTime\qttask.exe
<verified> Realtek Sound Manager C:\WINDOWS\SOUNDMAN.EXE
<verified> Registry Shaver C:\Program Files\REGSHAVE\REGSHAVE.EXE
<verified> Windows® Internet Explorer C:\WINDOWS\system32\webcheck.dll
<verified> Wireless Monitor C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\st121g.exe


Browser plugins
---------------
<unsigned> Google Earth Plugin C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll

<verified> AcroIEHelper Library c:\program files\common files\adobe\acrobat\activex\acroiehelper.dll
<verified> Adobe Acrobat C:\Program Files\Internet Explorer\plugins\nppdf32.dll
<verified> Adobe Acrobat C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
<verified> Ask.com Toolbar c:\program files\askbardis\bar\bin\askbar.dll
<verified> AVG Internet Security c:\program files\avg\avg9\avgssie.dll
<verified> BitDefender QuickScan C:\Documents and Settings\Stewart\Application Data\Mozilla\Firefox\Profiles/f5zgb0n9.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
<verified> BitDefender QuickScan C:\Documents and Settings\Stewart\Application Data\Mozilla\Firefox\Profiles/f5zgb0n9.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
<verified> DNA Plug-in C:\Program Files\DNA\plugins\npbtdna.dll
<verified> Google Update C:\Program Files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
<verified> Google Updater C:\Program Files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
<verified> GoogleToolbarNotifier c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
<verified> InstallShield Update Service C:\WINDOWS\Downloaded Program Files\dwusplay.dll
<verified> InstallShield Update Service C:\WINDOWS\Downloaded Program Files\dwusplay.exe
<verified> InstallShield Update Service C:\WINDOWS\Downloaded Program Files\isusweb.dll
<verified> Java™ Platform SE 6 U11 c:\program files\java\jre6\bin\ssv.dll
<verified> Java™ Platform SE 6 U11 C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
<verified> Microsoft® Windows Live Login Helper c:\program files\common files\microsoft shared\windows live\windowslivelogin.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\mswsock.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\rsvpsp.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\winrnr.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\wshbth.dll
<verified> Mozilla Default Plug-in C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
<verified> MSN Photo Upload Control C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
<verified> MSN Photo Upload Control C:\WINDOWS\Downloaded Program Files\puren-gb.dll
<verified> MSN Photo Upload Control C:\WINDOWS\Downloaded Program Files\PURen-us.dll
<verified> NPSWF32.dll C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
<verified> NVIDIA Application Filter C:\WINDOWS\system32\nvappfilter.dll
<verified> Picasa C:\Program Files\Picasa2\npPicasa2.dll
<verified> Picasa C:\Program Files\Picasa2\npPicasa3.dll
<verified> Playnet Inc. Presenter C:\Program Files\Internet Explorer\plugins\NPplaynet.dll
<verified> Playnet Inc. Presenter C:\Program Files\Mozilla Firefox\plugins\NPplaynet.dll
<verified> QuickTime Plug-in 7.1.3 C:\Program Files\Internet Explorer\plugins\npqtplugin.dll
<verified> QuickTime Plug-in 7.1.3 C:\Program Files\Internet Explorer\plugins\npqtplugin2.dll
<verified> QuickTime Plug-in 7.1.3 C:\Program Files\Internet Explorer\plugins\npqtplugin3.dll
<verified> QuickTime Plug-in 7.1.3 C:\Program Files\Internet Explorer\plugins\npqtplugin4.dll
<verified> QuickTime Plug-in 7.1.3 C:\Program Files\Internet Explorer\plugins\npqtplugin5.dll
<verified> QuickTime Plug-in 7.1.3 C:\Program Files\Internet Explorer\plugins\npqtplugin6.dll
<verified> QuickTime Plug-in 7.1.3 C:\Program Files\Internet Explorer\plugins\npqtplugin7.dll
<verified> QuickTime Plug-in 7.1.3 C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
<verified> QuickTime Plug-in 7.1.3 C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
<verified> QuickTime Plug-in 7.1.3 C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
<verified> QuickTime Plug-in 7.1.3 C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
<verified> QuickTime Plug-in 7.1.3 C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
<verified> QuickTime Plug-in 7.1.3 C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
<verified> QuickTime Plug-in 7.1.3 C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
<verified> Spybot - Search & Destroy c:\program files\spybot - search & destroy\sdhelper.dll
<verified> VideoEgg Publisher C:\Program Files\Mozilla Firefox\plugins\npvideoegg-loader.dll
<verified> Windows® Internet Explorer C:\WINDOWS\system32\ieframe.dll
<verified> Yahoo! Toolbar c:\program files\yahoo!\companion\installs\cpn\yt.dll


Missing files
-------------
File not found: C:\Program Files\Blubster\Blubster.exe SILENT
referenced in: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"Blubster"

File not found: c:\windows\system32\opnmnfvl.dll
referenced in: HKCR\CLSID\{6D243481-F26F-4126-995E-A4FB12E84C7E}\InprocServer32\(default)

File not found: c:\windows\system32\pmnnkcrr.dll
referenced in: HKCR\CLSID\{0DD8BEC0-E869-49BE-A8B1-C98827E0AA51}\InprocServer32\(default)

File not found: cbXPfCVp.dll
referenced in: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbXPfCVp\"DllName"

File not found: tbjrfz.dll
referenced in: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs"

File not found: tfbvjo.dll
referenced in: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs"


Scan
----

No file uploaded.

Scan finished - communication took 2 sec
Total traffic - 0.02 MB sent, 1.03 KB recvd
Scanned 762 files and modules - 500 seconds



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:46:39, on 24/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\PRISMSVR.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\st121g.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Stewart\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\AE.tmp,
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0DD8BEC0-E869-49BE-A8B1-C98827E0AA51} - C:\WINDOWS\system32\pmnnKCrr.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {6D243481-F26F-4126-995E-A4FB12E84C7E} - C:\WINDOWS\system32\opnmNFVL.dll (file missing)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: (no name) - {E1808F9F-484D-4B75-A011-0359FF92E9C8} - (no file)
O2 - BHO: (no name) - {E906991E-1DA1-4ACA-9E39-5F3AD2D11DC5} - (no file)
O2 - BHO: (no name) - {F8C2A486-AABD-453D-9F26-9FEF10D6ED89} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Exif Launcher 2.lnk = ?
O4 - Global Startup: SpeedTouch 121g Wireless USB Monitor.lnk = C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\st121g.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://radgepelt.spa...ad/MsnPUpld.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: tfbvjo.dll,tbjrfz.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: cbXPfCVp - cbXPfCVp.dll (file missing)
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Update Service (gupdate1c9f83b1e0c603a) (gupdate1c9f83b1e0c603a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 10054 bytes

#2 SWI Support Robot

    Helper robot

  • SWI Bot
  • 23,523 posts

Posted 27 January 2010 - 08:31 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.


[this is an automated reply]
This is an automated message. It does not count as help.

#3 nasdaq

    Forum Deity

  • Global Moderator
  • 49,091 posts

Posted 28 January 2010 - 09:42 AM

Hi,
I'm nasdaq and will be helping you.

Print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.

Please change the location of HijackThis.exe.
Create a new folder in your C: drive.
Name it C:\HJT or HijackThis and move the HijackThis.exe file into it.
It's best for this tool NOT TO be located on your Desktop or in a TEMP folder.
This way you can undo any changes if something goes wrong, and it will prevent the tool placing shortcuts on your Desktop and creating temporary files in your C:\ drive.
===

The Hosts file was altered, so for your added security please install this one.

Download HostsXpert

Tutorial, go here:
http://i28.photobuck...HostsXpert4.jpg
  • Unzip HostsXpert to its own folder.
  • Run HostsXpert.exe
  • Click: Make Writable? in the upper left corner.
  • Click: Download
  • Click: MVPs Hosts
  • Click: Replace
  • Click: OK
  • Click: Make ReadOnly
  • Close HostsXpert.
Note: If a custom Hosts file was in place, also edit those entries back in.
I suggest that you update to the new version of the Hosts file every 6 weeks. I do.

All you need to know about the hosts file.
http://www.mvps.org/...p2002/hosts.htm
===

You have Ask Toolbar installed.

I strongly recommend you remove it from your computer via the Add/Remove Programs list, because:
  • It promotes its toolbars on sites targeted at kids.
  • It promotes its toolbars through ads that appear to be part of other companies' sites.
  • It promotes its toolbars through other companies' spyware.
  • It is installed without any disclosure whatsoever and without any consent from the user whatsoever.
  • It solicits installations via "deceptive door openers" that do not accurately describe the offer, fails to affirmatively show a license agreement, and links to a EULA via an off-screen link.
  • It makes confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.
  • Or you can download and run this uninstaller.
    http://autoclean.com...toolbar-remover

If you uninstalled the Ask Toolbar as recommended, use Windows Explorer to delete the following folders if found:
C:\Program Files\AskBarDis
C:\Program Files\AskSearch
C:\Program Files\AskSBar
C:\Program Files\AskTBar
C:\Program Files\Ask.com
===

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
  • Run Spybot-S&D
  • Go to the Mode menu, and make sure "Advanced Mode" is selected
  • On the left hand side, choose Tools -> Resident
  • Uncheck "Resident TeaTimer" and OK any prompts
  • Restart your computer.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

Please don't forget this step to disable TeaTimer.

Close all programs, leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:


F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\AE.tmp,
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {0DD8BEC0-E869-49BE-A8B1-C98827E0AA51} - C:\WINDOWS\system32\pmnnKCrr.dll (file missing)
O2 - BHO: (no name) - {6D243481-F26F-4126-995E-A4FB12E84C7E} - C:\WINDOWS\system32\opnmNFVL.dll (file missing)
O2 - BHO: (no name) - {E1808F9F-484D-4B75-A011-0359FF92E9C8} - (no file)
O2 - BHO: (no name) - {E906991E-1DA1-4ACA-9E39-5F3AD2D11DC5} - (no file)
O2 - BHO: (no name) - {F8C2A486-AABD-453D-9F26-9FEF10D6ED89} - (no file)
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
<- optional fix only if you have deleted the Ask Bar. See my note.
O20 - AppInit_DLLs: tfbvjo.dll,tbjrfz.dll
O20 - Winlogon Notify: cbXPfCVp - cbXPfCVp.dll (file missing)


Click on Fix Checked when finished and exit HijackThis.

Delete these files (in bold):
C:\WINDOWS\system32\AE.tmp
C:\WINDOWS\system32\tfbvjo.dll
C:\WINDOWS\system32\tbjrfz.dll

Restart the computer normally.
===

Please run this security check for my review.

Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Submit a fresh HijackThis log.

Let me know what problem persists.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760
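Added example, not code from this thread or from HijackThis: a small Python triage pass that applies the criteria nasdaq used above (extra UserInit loaders, a modified Hosts file, BHO and Winlogon Notify entries whose file is missing, anything listed in AppInit_DLLs) to HijackThis log lines. The sample input is constructed from lines in the log posted in this thread, and the severity labels are my own.

```python
import re
from typing import List, Tuple

# Constructed sample: HijackThis lines copied from the log posted in this thread,
# mixing the entries nasdaq asked to be fixed with benign ones from the same log.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\AE.tmp,
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0DD8BEC0-E869-49BE-A8B1-C98827E0AA51} - C:\WINDOWS\system32\pmnnKCrr.dll (file missing)
O2 - BHO: (no name) - {E1808F9F-484D-4B75-A011-0359FF92E9C8} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O20 - AppInit_DLLs: tfbvjo.dll,tbjrfz.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: cbXPfCVp - cbXPfCVp.dll (file missing)
"""

# (severity, original HijackThis line, reason). The severity labels are my own.
Finding = Tuple[str, str, str]

_F2_USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$")
_O1_HOSTS = re.compile(r"^O1 - Hosts: (.*)$")
_O2_BHO = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
_O20_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (.*)$")
_O20_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")


def _orphaned(target: str) -> bool:
    """HijackThis marks entries whose referenced file no longer exists like this."""
    t = target.strip().lower()
    return t.endswith("(file missing)") or t == "(no file)"


def _file_name(path: str) -> str:
    return path.strip().lower().rsplit("\\", 1)[-1]


def triage_hjt_log(text: str) -> List[Finding]:
    """Flag the HijackThis line types nasdaq worked through, using his criteria."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = _F2_USERINIT.match(line)
        if m:
            # Winlogon runs every comma-separated entry at logon; a clean XP
            # install has exactly one, userinit.exe. Anything else is a loader.
            entries = [e for e in m.group(1).split(",") if e.strip()]
            extra = [e.strip() for e in entries if _file_name(e) != "userinit.exe"]
            if extra:
                findings.append(("high", line, "extra UserInit loader(s): " + ", ".join(extra)))
            continue

        m = _O1_HOSTS.match(line)
        if m:
            # Any O1 line means hosts differs from the default; review, then restore.
            findings.append(("review", line, "hosts file entry present: " + m.group(1)))
            continue

        m = _O2_BHO.match(line)
        if m:
            name, clsid, target = m.groups()
            if _orphaned(target):
                findings.append(("medium", line, f"BHO {clsid} ({name}) points at a missing file"))
            continue

        m = _O20_APPINIT.match(line)
        if m and m.group(1).strip():
            # Every DLL named here is loaded into every process that links user32.dll.
            dlls = [d.strip() for d in m.group(1).split(",") if d.strip()]
            findings.append(("high", line, "AppInit_DLLs loads into every user32 process: " + ", ".join(dlls)))
            continue

        m = _O20_NOTIFY.match(line)
        if m and _orphaned(m.group(2)):
            findings.append(("medium", line, f"Winlogon Notify package {m.group(1)} points at a missing file"))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage_hjt_log(SAMPLE_HJT_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Run against the sample it reports exactly the lines nasdaq listed for "Fix Checked" (except the optional Ask Toolbar O3 entry) and passes over the Adobe BHO, the AVG Winlogon Notify entry and the O4 Run items.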

#4 nasdaq

    Forum Deity

  • Global Moderator
  • 49,091 posts

Posted 11 February 2010 - 10:16 AM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
nasdaq




