ComputerForum.com
Computer Forum > Computer Software > Computer Security

Old 06-15-2008, 02:23 PM   #1
New Member
Join Date: Jun 2008
Posts: 8
First ever virus

I would be eternally grateful if someone out there could help. I have happily surfed along until now with no problems, but have just been hit with my first virus. I am running XP SP2. I bought the tower second hand and have no installation CD. Tell you what happened....

I was downloading a file, then all of a sudden the wallpaper changed to a warning message, and some "antivirus08" program installed itself and kept popping up demanding that I scan my system. I didn't, but I did do a full scan on AVG and after AVG found 19 items it prompted me to restart, after which I find myself with only "set program access and defaults" and "printers and faxes" on the right hand side of my start menu. No control panel, run command or even my pictures etc. The wallpaper is now blank and I can't change it. HELP!!
andymax76

Old 06-15-2008, 02:44 PM   #2
New Member
Join Date: Jun 2008
Posts: 8

Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:46: VIRUS ALERT!, on 15/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: QXK Olive - {1542806F-9435-4B72-875D-845A86725465} - C:\WINDOWS\kvsdpfeaqnm.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: rtsplgob - {8E1F6C9A-86C0-4811-B45A-278E754B457F} - C:\WINDOWS\rtsplgob.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [fc9ddf71] rundll32.exe "C:\WINDOWS\system32\bfusirlb.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: rnopbfgt - {C19EB260-A18B-4ECB-9EF8-FC2FE252F28C} - C:\WINDOWS\rnopbfgt.dll (file missing)
O21 - SSODL: xkefqtgs - {AA4E4BFE-7A8F-40DF-9615-A3C3E8D67217} - C:\WINDOWS\xkefqtgs.dll (file missing)
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 4480 bytes


Thanks for looking
andymax76

Old 06-15-2008, 05:32 PM   #3
Diamond Member
Join Date: Jan 2007
Location: France
Age: 18
Posts: 4,880

Ok, do not at any time run the anti-virus. It is a rogue A-V that will infect your PC.

Download and Run ComboFix
If you already have ComboFix, please delete this copy and download it again, as it's being updated regularly. Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also what process you had to end.
Punk

Old 06-15-2008, 08:29 PM   #4
New Member
Join Date: Jun 2008
Posts: 8

ComboFix 08-06-12.2 - kevin 2008-06-15 20:14:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.240 [GMT 1:00]
Running from: J:\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.WINDOWS\Application Data\Adsl Software Limited
C:\WINDOWS\system32\bfusirlb.dll
C:\WINDOWS\system32\blrisufb.ini
C:\WINDOWS\system32\opVGNqss.ini
C:\WINDOWS\system32\opVGNqss.ini2

.
((((((((((((((((((((((((( Files Created from 2008-05-15 to 2008-06-15 )))))))))))))))))))))))))))))))
.

2008-06-15 14:46 . 2008-06-15 14:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-15 13:15 . 2008-06-15 13:15 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-15 12:38 . 2008-06-15 12:38 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2008-06-15 12:37 . 2008-06-15 12:37 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-15 12:37 . 2008-06-15 12:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-15 12:37 . 2008-06-15 12:37 <DIR> d-------- C:\Documents and Settings\kevin.HOME\Application Data\SUPERAntiSpyware.com
2008-06-15 12:01 . 2008-06-15 12:26 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-15 11:59 . 2008-06-15 12:03 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-15 11:59 . 2008-06-15 11:59 <DIR> d-------- C:\Program Files\AVG
2008-06-15 11:59 . 2008-06-15 12:01 <DIR> d-------- C:\Documents and Settings\kevin.HOME\Application Data\AVGTOOLBAR
2008-06-15 11:59 . 2008-06-15 11:59 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8
2008-06-15 11:59 . 2008-06-15 11:59 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-15 11:59 . 2008-06-15 11:59 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-15 11:59 . 2008-06-15 11:59 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-15 11:43 . 2008-06-15 12:45 <DIR> d-------- C:\Documents and Settings\kevin.HOME\Application Data\TmpRecentIcons
2008-06-15 09:16 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-06-15 09:16 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-06-15 09:16 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-06-15 09:16 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-06-15 09:13 . 2008-06-15 09:13 <DIR> d-------- C:\Program Files\Trust
2008-06-15 09:12 . 2008-06-15 09:12 <DIR> d-------- C:\Documents and Settings\KEVIN~1HOM\LOCALS~1
2008-06-15 09:12 . 2008-06-15 09:12 <DIR> d-------- C:\Documents and Settings\KEVIN~1HOM
2008-06-15 09:12 . 2008-06-15 09:12 <DIR> d-------- C:\Documents and Settings\kevin.HOME\download
2008-06-15 09:12 . 2008-06-15 09:12 4,352 --a------ C:\WINDOWS\system32\drivers\moufiltr.sys
2008-06-14 21:18 . 2008-06-14 21:18 <DIR> d-------- C:\Documents and Settings\kevin.HOME\Application Data\vlc
2008-06-14 21:18 . 2008-06-14 21:18 <DIR> d-------- C:\Documents and Settings\kevin.HOME\Application Data\dvdcss
2008-06-14 21:17 . 2008-06-14 21:17 <DIR> d-------- C:\Program Files\VideoLAN
2008-06-14 19:35 . 2008-06-15 09:21 <DIR> d-------- C:\Program Files\PokerStars
2008-06-14 14:53 . 2008-06-14 14:53 1,160 --a------ C:\WINDOWS\mozver.dat
2008-06-14 13:21 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-06-14 13:19 . 2008-06-14 13:33 <DIR> d-------- C:\Ladbrokes3DPoker
2008-06-14 13:18 . 2008-06-15 10:20 <DIR> d-------- C:\Documents and Settings\kevin.HOME\Application Data\Ladbrokes
2008-06-14 13:18 . 2008-06-14 13:18 <DIR> d-------- C:\Documents and Settings\kevin.HOME\Application Data\InstallShield
2008-06-14 13:05 . 2008-06-14 13:18 <DIR> d-------- C:\temp_dnld
2008-06-14 13:04 . 2008-06-14 13:04 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-14 12:53 . 2006-08-01 15:02 49,152 --a------ C:\WINDOWS\system32\ChCfg.exe
2008-06-14 12:52 . 2008-06-14 12:52 <DIR> d-------- C:\Program Files\Realtek AC97
2008-06-14 12:52 . 2008-06-14 13:19 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-06-14 12:52 . 2008-06-14 12:52 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-06-14 12:52 . 2006-11-17 05:40 18,804,736 --a------ C:\WINDOWS\system32\alsndmgr.cpl
2008-06-14 12:52 . 2006-12-08 15:20 10,528,768 --a------ C:\WINDOWS\system32\RTLCPL.exe
2008-06-14 12:52 . 2008-01-24 16:36 4,127,488 -ra------ C:\WINDOWS\system32\drivers\alcxwdm.sys
2008-06-14 12:52 . 2007-04-16 15:28 577,536 --a------ C:\WINDOWS\soundman.exe
2008-06-14 12:52 . 2006-07-31 11:19 315,392 --a------ C:\WINDOWS\alcupd.exe
2008-06-14 12:52 . 2006-07-31 11:27 217,088 --a------ C:\WINDOWS\Alcrmv.exe
2008-06-14 12:52 . 2006-10-18 02:53 147,456 --a------ C:\WINDOWS\system32\RtlCPAPI.dll
2008-06-14 12:52 . 2002-02-05 13:54 141,016 --a------ C:\WINDOWS\system32\alsndmgr.wav
2008-06-14 12:42 . 2008-04-23 05:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-14 12:42 . 2007-04-17 10:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-14 12:42 . 2007-03-08 06:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-14 12:42 . 2008-04-23 05:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-14 12:42 . 2008-04-23 05:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-14 12:42 . 2008-04-23 05:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-14 12:42 . 2008-04-23 05:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-14 12:42 . 2008-04-23 05:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-14 12:42 . 2008-04-22 08:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-14 12:40 . 2008-04-14 12:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-14 12:40 . 2008-04-14 12:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-14 08:55 . 2008-06-14 08:55 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-06-14 08:55 . 2008-06-14 08:55 <DIR> d-------- C:\WINDOWS\Profiles
2008-06-14 08:55 . 2008-06-14 08:56 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-06-14 08:55 . 2008-06-14 08:55 <DIR> d-------- C:\Documents and Settings\KEVIN~1~HOM\LOCALS~1
2008-06-14 08:55 . 2008-06-14 08:55 <DIR> d-------- C:\Documents and Settings\KEVIN~1~HOM
2008-06-14 08:55 . 2008-06-14 08:55 <DIR> d-------- C:\Documents and Settings\kevin.HOME\Application Data\InterTrust
2008-06-13 16:54 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-06-13 16:51 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-06-13 16:51 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-05-25 17:05 . 2004-08-03 22:31 20,992 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys
2008-05-25 17:05 . 2004-08-03 22:31 20,992 --a--c--- C:\WINDOWS\system32\dllcache\rtl8139.sys
2008-05-25 14:01 . 2008-05-25 14:01 7,680 --ahs---- C:\WINDOWS\Thumbs.db

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-25 00:01 502,272 ----a-w C:\WINDOWS\system32\winlogon.exe
2008-04-24 23:52 --------- d-----w C:\Program Files\C-Media 3D Audio
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

------- Sigcheck -------

2008-04-25 01:01 502272 6225f14b8ce08ccba8b25ad27843c674 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1542806F-9435-4B72-875D-845A86725465}]
C:\WINDOWS\kvsdpfeaqnm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{8E1F6C9A-86C0-4811-B45A-278E754B457F}"= "C:\WINDOWS\rtsplgob.dll" [ ]

[HKEY_CLASSES_ROOT\clsid\{8e1f6c9a-86c0-4811-b45a-278e754b457f}]
[HKEY_CLASSES_ROOT\rtsplgob.1]
[HKEY_CLASSES_ROOT\TypeLib\{2858B7C6-04ED-47DD-88EA-7B488F260762}]
[HKEY_CLASSES_ROOT\rtsplgob]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 11:15 106496]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-15 11:59 1177368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:56 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"rnopbfgt"= {C19EB260-A18B-4ECB-9EF8-FC2FE252F28C} - C:\WINDOWS\rnopbfgt.dll [ ]
"xkefqtgs"= {AA4E4BFE-7A8F-40DF-9615-A3C3E8D67217} - C:\WINDOWS\xkefqtgs.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MEDIAMOUSE]
--a------ 2008-06-15 09:12 2619904 C:\Program Files\Trust\MI-4900Z Wireless Optical Mouse\lsmouse.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-15 11:59]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-15 11:59]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-15 11:59]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-15 11:59]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5cf701d2-125a-11dd-ba30-f667e3a6ab5a}]
\Shell\AutoRun\command - F:\setup.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-15 20:17:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-06-15 20:19:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-15 19:19:06

Pre-Run: 76,017,422,336 bytes free
Post-Run: 76,487,983,104 bytes free

169 --- E O F --- 2008-06-15 14:20:19


This took about 10 minutes.

As if by magic, everything seems to be back to normal. Control panel back, screensaver back, speed back to normal. Am I out of the woods? I now have up-to-date free AVG 8 running.

Thanks a million for the help...
andymax76

Old 06-15-2008, 08:35 PM   #5
New Member
Join Date: Jun 2008
Posts: 8

PS: I have also removed SUPERAntiSpyware so that AVG is the only a-s running.
andymax76

Old 06-15-2008, 10:17 PM   #6
Diamond Member
Join Date: Jan 2008
Location: Melbourne, Australia
Age: 14
Posts: 8,162

Are you still having the problem?
cohen

Old 06-16-2008, 03:13 PM   #7
New Member
Join Date: Jun 2008
Posts: 8

Not as far as I can see, but is there likely to be anything lurking in the background?
andymax76

Old 06-16-2008, 04:17 PM   #8
New Member
Join Date: Jun 2008
Posts: 8

Here is the HJT log after running ComboFix:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:17, on 16/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: QXK Olive - {1542806F-9435-4B72-875D-845A86725465} - C:\WINDOWS\kvsdpfeaqnm.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: rtsplgob - {8E1F6C9A-86C0-4811-B45A-278E754B457F} - C:\WINDOWS\rtsplgob.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O21 - SSODL: rnopbfgt - {C19EB260-A18B-4ECB-9EF8-FC2FE252F28C} - C:\WINDOWS\rnopbfgt.dll (file missing)
O21 - SSODL: xkefqtgs - {AA4E4BFE-7A8F-40DF-9615-A3C3E8D67217} - C:\WINDOWS\xkefqtgs.dll (file missing)
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

--
End of file - 3826 bytes


Any further steps to take?
andymax76

Old 06-17-2008, 09:09 AM   #9
Diamond Member
Join Date: Dec 2007
Location: Croatia
Age: 16
Posts: 3,935

Hi, Punk asked me if I can replace him on this one as he has exams and won't be helping until Friday.

It seems that he's done a great job here. I think the ComboFix deleted all the nasties, but I still want to try this one:

Download Avenger, and unzip it to your desktop or somewhere you can find it. (Do not run it yet).

Note: This program is for use on Windows XP 32 bit systems only, and must be run from an Administrator account.
  • Open a Notepad file by clicking Start > Run and typing Notepad.exe in the box, click OK.
  • Click Format, and ensure Word Wrap is unchecked.
  • Copy and Paste the text in the box below into Notepad.
  • Now save the file as RemoveFiles.txt in a location where you can find it.

Quote:
Files to delete:
C:\WINDOWS\xkefqtgs.dll
C:\WINDOWS\kvsdpfeaqnm.dll
C:\WINDOWS\rtsplgob.dll
C:\WINDOWS\rnopbfgt.dll
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Start Avenger by double clicking on Avenger.exe.
  • Check Load script from file:
  • Click on the folder symbol below and to the right, and browse to RemoveFiles.txt.
  • Double click it to enter it into Avenger.
  • Click the green traffic light symbol.
  • You will be asked if you want to execute the script, answer Yes.
  • At this point you may get prompts from your protection systems, allow them please.
  • Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
  • Answer Yes, and allow your computer to re-boot.
  • Upon re-boot a command window will briefly appear on screen (this is normal).
  • A Notepad text file will be created C:\avenger.txt.
  • Copy and Paste it into your next post please.

If this is clean, you're probably clean.
GameMaster
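The following triage script is an editorial example added to this thread; it is not code from the thread, from HijackThis, from ComboFix or from Avenger, and its rules (and the function names triage_hjt, orphaned_load_points and avenger_script) are constructed heuristics based on the entries posted above rather than any official rule set. It reads HJT-style lines such as those in andymax76's first log, flags the entries a helper looks at (BHO, toolbar and SSODL load points marked "(file missing)", the hex-named rundll32 Run value, the IE restrictions and DisableRegedit policies that account for the missing Control Panel and Run command, the redirected start page, and the Active Desktop component behind the wallpaper change), and builds an Avenger "Files to delete:" block only for components HJT still sees on disk. The four DLLs listed in the script above are reported as orphaned instead: their files were already gone, which is what Avenger's STATUS_OBJECT_NAME_NOT_FOUND results further down confirm, so for those entries the leftover registry load point, not the file, is what needs removing. The sample log is a constructed subset of the posted entries, embedded inline so the script runs offline.

```python
"""HJT log triage: flag the load points a helper would look at and build an
Avenger-style deletion block for the ones whose file still exists.

Added example, not code from the thread or from HijackThis/ComboFix/Avenger.
The rules below are constructed heuristics based on the entries in this thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of lines from the first HijackThis log in the thread,
# with two benign entries (Adobe BHO, AVG tray) kept so the filter has something to skip.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: QXK Olive - {1542806F-9435-4B72-875D-845A86725465} - C:\WINDOWS\kvsdpfeaqnm.dll (file missing)
O3 - Toolbar: rtsplgob - {8E1F6C9A-86C0-4811-B45A-278E754B457F} - C:\WINDOWS\rtsplgob.dll (file missing)
O4 - HKLM\..\Run: [fc9ddf71] rundll32.exe "C:\WINDOWS\system32\bfusirlb.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O21 - SSODL: rnopbfgt - {C19EB260-A18B-4ECB-9EF8-FC2FE252F28C} - C:\WINDOWS\rnopbfgt.dll (file missing)
O21 - SSODL: xkefqtgs - {AA4E4BFE-7A8F-40DF-9615-A3C3E8D67217} - C:\WINDOWS\xkefqtgs.dll (file missing)
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""


@dataclass
class Finding:
    section: str         # HJT section code, e.g. "O2" or "O21"
    reason: str          # why the entry was flagged
    path: Optional[str]  # file referenced by the entry, if any
    orphaned: bool       # True when HJT reported "(file missing)"


_ENTRY_RE = re.compile(r'^(R\d|O\d+) - (.*)$')
# First Windows path in an entry, up to the first .dll/.exe/.ocx/.cpl extension
_PATH_RE = re.compile(r'[A-Za-z]:\\.*?\.(?:dll|exe|ocx|cpl)\b', re.IGNORECASE)
# Run value whose name is eight hex digits and which loads a DLL through rundll32
_HEX_RUN_RE = re.compile(r'\[[0-9a-f]{8}\] rundll32\.exe', re.IGNORECASE)


def triage_hjt(log_text: str) -> List[Finding]:
    """Return the entries worth a second look, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = _ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        pm = _PATH_RE.search(body)
        path = pm.group(0) if pm else None
        missing = '(file missing)' in body
        if section in ('O2', 'O3', 'O21') and missing:
            findings.append(Finding(section, 'orphaned load point: registry entry remains, file is gone', path, True))
        elif section == 'O4' and _HEX_RUN_RE.search(body):
            findings.append(Finding(section, 'Run value with a random hex name loading a DLL via rundll32', path, False))
        elif section == 'O6':
            findings.append(Finding(section, 'Internet Explorer restrictions policy present', None, False))
        elif section == 'O7' and 'DisableRegedit=1' in body:
            findings.append(Finding(section, 'registry editing disabled by policy', None, False))
        elif section == 'R0' and 'Start Page' in body and 'microsoft.com' not in body.lower():
            findings.append(Finding(section, 'start page points away from the vendor default', None, False))
        elif section == 'O24' and 'file:///' in body:
            local = body.split('file:///', 1)[1].strip()
            findings.append(Finding(section, 'Active Desktop component served from a local HTML file', local, False))
    return findings


def orphaned_load_points(findings: List[Finding]) -> List[str]:
    """Paths whose file is already gone; the leftover registry entry is what needs removing."""
    return sorted({f.path for f in findings if f.orphaned and f.path})


def avenger_script(findings: List[Finding]) -> str:
    """Avenger 'Files to delete:' block for flagged DLL/EXE files HJT still sees on disk.

    Orphaned entries are excluded on purpose: a file-deletion script cannot act on a
    file that no longer exists (Avenger reports STATUS_OBJECT_NAME_NOT_FOUND for those).
    """
    targets = sorted({f.path for f in findings
                      if f.path and not f.orphaned and _PATH_RE.fullmatch(f.path)})
    if not targets:
        return ''
    return 'Files to delete:\n' + '\n'.join(targets) + '\n'


if __name__ == '__main__':
    found = triage_hjt(SAMPLE_HJT_LOG)
    for f in found:
        print(f'{f.section:<4} {f.reason}' + (f'  -> {f.path}' if f.path else ''))
    print('\nOrphaned load points (remove the registry entry, not the file):')
    for p in orphaned_load_points(found):
        print('  ' + p)
    print('\nAvenger script for files still present:\n' + avenger_script(found))
```

Run against the constructed sample, the script lists the four C:\WINDOWS\*.dll entries as orphaned and puts only C:\WINDOWS\system32\bfusirlb.dll (the one component the first log still showed loading via rundll32, and which ComboFix later reported deleting) into the Avenger block. The R0, O6, O7 and O24 findings carry no deletable file at all; they are registry and Active Desktop settings, which is why a deletion script alone never addresses them.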

Old 06-17-2008, 04:45 PM   #10
New Member
Join Date: Jun 2008
Posts: 8

Ok, I had to find Avenger elsewhere, as that link didn't work for some reason.

Here's the log:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\WINDOWS\xkefqtgs.dll" not found!
Deletion of file "C:\WINDOWS\xkefqtgs.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\kvsdpfeaqnm.dll" not found!
Deletion of file "C:\WINDOWS\kvsdpfeaqnm.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\rtsplgob.dll" not found!
Deletion of file "C:\WINDOWS\rtsplgob.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\rnopbfgt.dll" not found!
Deletion of file "C:\WINDOWS\rnopbfgt.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.



And a HJT after that:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:48, on 17/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: QXK Olive - {1542806F-9435-4B72-875D-845A86725465} - C:\WINDOWS\kvsdpfeaqnm.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: rtsplgob - {8E1F6C9A-86C0-4811-B45A-278E754B457F} - C:\WINDOWS\rtsplgob.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O21 - SSODL: rnopbfgt - {C19EB260-A18B-4ECB-9EF8-FC2FE252F28C} - C:\WINDOWS\rnopbfgt.dll (file missing)
O21 - SSODL: xkefqtgs - {AA4E4BFE-7A8F-40DF-9615-A3C3E8D67217} - C:\WINDOWS\xkefqtgs.dll (file missing)
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 4028 bytes


Thanks for your help.
andymax76
All times are GMT +1.