Author Topic: I have a trojan  (Read 1513 times)
The Bubba
Topic Starter
Hopeful



Thanked: 1
Posts: 295

Experience: Familiar
OS: Windows XP

BIG BLUE HEAVEN
« on: April 23, 2011, 04:01:48 PM »

It's trojan agent_r.XJ and I can't get rid of it with AVG. Thanks in advance.

Allan
Moderator
Genius



Thanked: 856
Posts: 14,482

Experience: Guru
OS: Windows 7



Forum Administrator
« Reply #1 on: April 23, 2011, 04:13:40 PM »

Please follow the instructions in the following link and post your logs:
http://www.computerhope.com/forum/index.php/topic,46313.0.html
Expert-At-AnyThing
Greenhorn



Posts: 5

Experience: Beginner
OS: Unknown

« Reply #2 on: April 24, 2011, 10:31:38 AM »

Your comment has been removed. Please do not post malware advice, or post here in the malware forum, unless you need help. Second Warning! Once more and you will be banned. Dave
« Last Edit: April 24, 2011, 01:24:27 PM by SuperDave »
Allan
Moderator
Genius



Thanked: 856
Posts: 14,482

Experience: Guru
OS: Windows 7



Forum Administrator
« Reply #3 on: April 24, 2011, 11:39:24 AM »

Ignore the above post
The Bubba
Topic Starter
Hopeful



Thanked: 1
Posts: 295

Experience: Familiar
OS: Windows XP

BIG BLUE HEAVEN
« Reply #4 on: April 24, 2011, 07:45:44 PM »

OK, I think I have everything. Here goes.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/24/2011 at 07:19 PM

Application Version : 4.51.1000

Core Rules Database Version : 6911
Trace Rules Database Version: 4723

Scan type       : Complete Scan
Total Scan Time : 01:25:13

Memory items scanned      : 421
Memory threats detected   : 0
Registry items scanned    : 6913
Registry threats detected : 2
File items scanned        : 58167
File threats detected     : 104

Adware.Gamevance
   HKU\S-1-5-21-1960408961-1532298954-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0ED403E8-470A-4A8A-85A4-D7688CFE39A3}
   HKCR\CLSID\{0ED403E8-470A-4A8A-85A4-D7688CFE39A3}

Rogue.AntiMalwareDoctor
   C:\Documents and Settings\John\Application Data\49635A3E2A995D37D5F86BBA45632884

Adware.Tracking Cookie


Malwarebytes' Anti-Malware 1.32
Database version: 1638
Windows 5.1.2600 Service Pack 3

4/24/2011 8:53:12 PM
mbam-log-2011-04-24 (20-53-12).txt

Scan type: Quick Scan
Objects scanned: 57801
Time elapsed: 5 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:43:23 PM, on 4/24/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Comodo\CBOClean\BOC426.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\sniper.exe\hijackthis\hijackthis.exe\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigblueheaven.proboards.com/index.cgi/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: FCToolbarURLSearchHook Class - {8c49a3d1-585b-4eab-985d-6ad480b4f23d} - C:\Program Files\Kentucky Wildcats Toolbar\Helper.dll
R3 - URLSearchHook: (no name) -  - (no file)
R3 - URLSearchHook: Funchester Toolbar - {6fe46bf4-267f-4d8c-89b9-6c7947823145} - C:\Program Files\Funchester\prxtbFun2.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: FCTBPos00Pos - {2A118156-5307-4BFB-9548-B423FDF368A8} - C:\Program Files\Kentucky Wildcats Toolbar\Toolbar.dll
O2 - BHO: Conduit Engine  - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: Funchester - {6fe46bf4-267f-4d8c-89b9-6c7947823145} - C:\Program Files\Funchester\prxtbFun2.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: DCA - {B49699FC-1665-4414-A1CB-C4A2A4A13EEC} - C:\Program Files\Common Files\FreeCause\DCA\dca-bho.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O3 - Toolbar: Kentucky Wildcats Toolbar - {7EF32AD9-C8AC-44E3-A39F-913E777ADEEE} - C:\Program Files\Kentucky Wildcats Toolbar\Toolbar.dll
O3 - Toolbar: Funchester Toolbar - {6fe46bf4-267f-4d8c-89b9-6c7947823145} - C:\Program Files\Funchester\prxtbFun2.dll
O3 - Toolbar: Conduit Engine  - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [BOC-426] C:\PROGRA~1\Comodo\CBOClean\BOC426.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Text%20Twist/Images/stg_drm.ocx
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Text%20Twist/Images/armhelper.ocx
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\HmelyoffLabs\VHToolkit\Skype4COM.dll
O20 - AppInit_DLLs: 
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: TPSvc - TPSvc.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - Unknown owner - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: NST ToolTipFixer (TTFixerService) - NeoSmart Technologies - C:\Program Files\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe

--
End of file - 8925 bytes
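To show how a helper reads a HijackThis log like the one above, here is an added example (not code from the thread, from Computer Hope or from Trend Micro): a parser for the `Oxx - Kind: name - {CLSID} - path` line format and a triage pass that flags the entry classes a reviewer looks at first: entries whose target file is gone, O23 services with an unknown owner, and one CLSID registered under more than one section. The sample lines are copied from the posted log; the rule names and the `Entry` structure are this example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Sample input: lines copied from the HijackThis v2.0.4 log posted in the thread,
# embedded here so the example runs offline.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigblueheaven.proboards.com/index.cgi/
R3 - URLSearchHook: FCToolbarURLSearchHook Class - {8c49a3d1-585b-4eab-985d-6ad480b4f23d} - C:\Program Files\Kentucky Wildcats Toolbar\Helper.dll
R3 - URLSearchHook: (no name) -  - (no file)
O2 - BHO: Funchester - {6fe46bf4-267f-4d8c-89b9-6c7947823145} - C:\Program Files\Funchester\prxtbFun2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Funchester Toolbar - {6fe46bf4-267f-4d8c-89b9-6c7947823145} - C:\Program Files\Funchester\prxtbFun2.dll
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O20 - Winlogon Notify: TPSvc - TPSvc.dll (file missing)
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    section: str          # HijackThis section, e.g. "O2"
    kind: str             # e.g. "BHO", "Toolbar", "Winlogon Notify", "Service"
    name: str             # display name; "(no name)" when HijackThis found none
    clsid: Optional[str]  # COM CLSID when the entry carries one
    target: str           # file path, or "(no file)" / "... (file missing)"
    fields: list          # every " - " separated field after the kind
    raw: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis log line; returns None for lines that are not entries."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section in ("R0", "R1"):
        # R0/R1 are "registry value = data" lines (IE start and search pages)
        key, _, value = body.partition(" = ")
        return Entry(section, "IE setting", key, None, value, [key, value], line)
    kind, _, rest = body.partition(": ")
    fields = [f.strip() for f in rest.split(" - ")]
    clsid = next((f for f in fields if CLSID_RE.fullmatch(f)), None)
    return Entry(section, kind, fields[0], clsid, fields[-1], fields, line)


def parse_log(text: str) -> list:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def triage(entries) -> list:
    """Return (rule, raw_line) findings that merit a closer look."""
    findings = []
    by_clsid = defaultdict(list)
    for e in entries:
        # A hook, BHO or notify DLL whose file is gone is a dangling registration.
        if "(no file)" in e.target or "(file missing)" in e.target:
            findings.append(("orphaned entry (no file on disk)", e.raw))
        # O23 lines carry the publisher in the second field; verify unknown ones.
        if e.section == "O23" and len(e.fields) >= 2 and e.fields[1] == "Unknown owner":
            findings.append(("service with unknown owner", e.raw))
        if e.clsid:
            by_clsid[e.clsid.lower()].append(e)
    # One component registered as both a BHO (O2) and a toolbar (O3) is a bundle.
    for clsid, group in by_clsid.items():
        sections = sorted({e.section for e in group})
        if len(sections) > 1:
            findings.append((f"CLSID {clsid} registered in {'/'.join(sections)}", group[0].raw))
    return findings


if __name__ == "__main__":
    for rule, raw in triage(parse_log(SAMPLE_LOG)):
        print(f"{rule}: {raw}")
```

An orphaned entry is only a dangling registry reference; as the helper's reply later in the thread says, removal belongs to a tool such as MBAM rather than hand edits of the registry.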

The Bubba
Topic Starter
Hopeful



Thanked: 1
Posts: 295

Experience: Familiar
OS: Windows XP

BIG BLUE HEAVEN
« Reply #5 on: April 25, 2011, 07:35:25 AM »

This morning the computer wouldn't let me on the internet or even call up anything on my desktop. I booted in safe mode and it still wouldn't tie on. I eventually did a system restore to Friday and, from the looks of it, it undid everything I had done yesterday.

The Bubba
Topic Starter
Hopeful



Thanked: 1
Posts: 295

Experience: Familiar
OS: Windows XP

BIG BLUE HEAVEN
« Reply #6 on: April 26, 2011, 05:37:44 AM »

I'm really desperate for help. I know a lot of folks on here do and am not trying to be pushy. I know you guys are volunteers but it's been almost two days now and this Trojan is driving me nuts.

The Bubba
Topic Starter
Hopeful



Thanked: 1
Posts: 295

Experience: Familiar
OS: Windows XP

BIG BLUE HEAVEN
« Reply #7 on: April 26, 2011, 09:38:37 AM »

I think I may have stumbled on why: after quarantining the threats found in SUPERAntiSpyware, two of the threats listed as adware are in the registry. After deleting them, I can't open anything on the desktop or get on the internet. I can't even get on the internet in safe mode.

SuperDave
Malware Removal Specialist
Moderator
Prodigy



Thanked: 617
Posts: 6,998

Certifications: List
Experience: Experienced
OS: Windows XP



« Reply #8 on: April 26, 2011, 12:53:43 PM »

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*********************************************************
Quote
threats listed as adware are in the registry. After deleting them, I can't open anything on the desktop or get on the internet. I can't even get on the internet in safe mode.
Sorry for the delay. By removing those two entries in the Registry you may have rendered your computer unfixable. Please stay away from the Registry. Even the experts don't like going there.
Let's try this. Please download MBAM on another computer and transfer it to the infected computer using the above method.
Boot in Safe Mode and try to run the MBAM scan. Now boot in Normal and try running it again. Let me know what happens.


Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

AMD Athlon XP 1900+ 1.47 GHz  3 GB Ram Windows XP  Home with SP3, MicroSoft Security Essentials, Spybot S&D. SuperAntiSpyware  and Threatfire with Comodo Firewall & Windows Defender
The Bubba
Topic Starter
Hopeful



Thanked: 1
Posts: 295

Experience: Familiar
OS: Windows XP

BIG BLUE HEAVEN
« Reply #9 on: April 26, 2011, 05:07:02 PM »

I'm able to access the internet now so I may not need the advice offered. Please continue your instructions.

SuperDave
Malware Removal Specialist
Moderator
Prodigy



Thanked: 617
Posts: 6,998

Certifications: List
Experience: Experienced
OS: Windows XP



« Reply #10 on: April 27, 2011, 10:45:03 AM »

Ok. Please run MBAM as well as these other scans and post the logs.

SUPERAntiSpyware

If you already have SUPERAntiSpyware be sure to check for updates before scanning!


Download SuperAntispyware Free Edition (SAS)
* Double-click the icon on your desktop to run the installer.
* When asked to Update the program definitions, click Yes
* If you encounter any problems while downloading the updates, manually download and unzip them from here
* Next click the Preferences button.

•Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
* Click the Scanning Control tab.
* Under Scanner Options make sure only the following are checked:

•Close browsers before scanning
•Scan for tracking cookies
•Terminate memory threats before quarantining
Please leave the others unchecked

•Click the Close button to leave the control center screen.

* On the main screen click Scan your computer
* On the left check the box for the drive you are scanning.
* On the right choose Perform Complete Scan
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK
* Make sure everything in the white box has a check next to it, then click Next
* It will quarantine what it found and if it asks if you want to reboot, click Yes

•To retrieve the removal information please do the following:
•After reboot, double-click the SUPERAntiSpyware icon on your desktop.
•Click Preferences. Click the Statistics/Logs tab.

•Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

•It will open in your default text editor (preferably Notepad).
•Save the notepad file to your desktop by clicking (in notepad) File > Save As...

* Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
* Copy and paste the log in your post.
**********************************************
Download DDS from HERE or HERE and save it to your desktop.

Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.

1) DDS.txt
2) Attach.txt

* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs in your next reply.

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copy and pasting it into the reply.

The Bubba
Topic Starter
Hopeful



Thanked: 1
Posts: 295

Experience: Familiar
OS: Windows XP

BIG BLUE HEAVEN
« Reply #11 on: April 27, 2011, 09:45:59 PM »

I ran Malwarebytes and SUPERAntiSpyware but had trouble with the first link on the DDS program. When trying to open it, it wanted to open as a screen saver. I tried the second link and when opening it all I got was an empty black prompt page?

The Bubba
Topic Starter
Hopeful



Thanked: 1
Posts: 295

Experience: Familiar
OS: Windows XP

BIG BLUE HEAVEN
« Reply #12 on: April 27, 2011, 11:01:34 PM »

OK, I couldn't get DDS to work so I ran all of the files that Allan suggested (Patio's guidelines) and here are the files.

Malwarebytes' Anti-Malware 1.32
Database version: 1638
Windows 5.1.2600 Service Pack 3

4/27/2011 2:49:35 PM
mbam-log-2011-04-27 (14-49-35).txt

Scan type: Quick Scan
Objects scanned: 61704
Time elapsed: 7 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/27/2011 at 08:09 PM

Application Version : 4.51.1000

Core Rules Database Version : 6911
Trace Rules Database Version: 4723

Scan type       : Complete Scan
Total Scan Time : 02:41:20

Memory items scanned      : 414
Memory threats detected   : 0
Registry items scanned    : 6945
Registry threats detected : 2
File items scanned        : 66645
File threats detected     : 75

Adware.Gamevance
   HKU\S-1-5-21-1960408961-1532298954-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0ED403E8-470A-4A8A-85A4-D7688CFE39A3}
   HKCR\CLSID\{0ED403E8-470A-4A8A-85A4-D7688CFE39A3}

Adware.Tracking Cookie
   media.expedia.com [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   media.king5.com [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   media.kyte.tv [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   media.mtvnservices.com [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   media.oprah.com [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   media.resulthost.org [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   media.scanscout.com [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   media.tattomedia.com [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   media1.break.com [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   media10.washingtonpost.com [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   msnbcmedia.msn.com [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   multimedia.msn.com [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   naiadsystems.com [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   objects.tremormedia.com [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   oddcast.com [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   *censored*.dreammovies.com [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   rmd.atdmt.com [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   s0.2mdn.net [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   secure-us.imrworldwide.com [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   serving-sys.com [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   spe.atdmt.com [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   speed.pointroll.com [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   static.2mdn.net [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   static.cdn.360.sorensonmedia.com [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   static.discoverymedia.com [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   udn.specificclick.net [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   video.pornorama.com [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   video.redorbit.com [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   vidii.hardsextube.com [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   vidii2.hardsextube.com [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   www.crackle.com [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   www.hentaimedia.com [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   www.naiadsystems.com [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   www.oddcast.com [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   www.pornhub.com [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   www.webhostrevenue.com [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   www2.jumpstartmediavault.com [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   wwwstatic.megaporn.com [ C:\Documents and Settings\John\Application Data\Macromedia\Flash Player\#SharedObjects\LL2GRT6H ]
   interclick.com [ C:\Documents and Settings\Kathy\Application Data\Macromedia\Flash Player\#SharedObjects\JULVMYMC ]
   C:\Documents and Settings\NetworkService\Cookies\system@atdmt[2].txt
   C:\Documents and Settings\NetworkService\Cookies\system@tracking.waterfrontmedia[1].txt

Malware.Trace
   C:\WINDOWS\TASKS\{22116563-108C-42c0-A7CE-60161B75E508}.job


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:52:53 AM, on 4/28/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Online Armor\OAcat.exe
C:\Program Files\Online Armor\oasrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Comodo\CBOClean\BOC426.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Online Armor\OAui.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\Program Files\Online Armor\OAhlp.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\sniper.exe\sniper.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigblueheaven.proboards.com/index.cgi
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: FCToolbarURLSearchHook Class - {8c49a3d1-585b-4eab-985d-6ad480b4f23d} - C:\Program Files\Kentucky Wildcats Toolbar\Helper.dll
R3 - URLSearchHook: (no name) -  - (no file)
R3 - URLSearchHook: Funchester Toolbar - {6fe46bf4-267f-4d8c-89b9-6c7947823145} - C:\Program Files\Funchester\prxtbFun2.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: FCTBPos00Pos - {2A118156-5307-4BFB-9548-B423FDF368A8} - C:\Program Files\Kentucky Wildcats Toolbar\Toolbar.dll
O2 - BHO: Conduit Engine  - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Funchester - {6fe46bf4-267f-4d8c-89b9-6c7947823145} - C:\Program Files\Funchester\prxtbFun2.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: DCA - {B49699FC-1665-4414-A1CB-C4A2A4A13EEC} - C:\Program Files\Common Files\FreeCause\DCA\dca-bho.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O3 - Toolbar: Kentucky Wildcats Toolbar - {7EF32AD9-C8AC-44E3-A39F-913E777ADEEE} - C:\Program Files\Kentucky Wildcats Toolbar\Toolbar.dll
O3 - Toolbar: Funchester Toolbar - {6fe46bf4-267f-4d8c-89b9-6c7947823145} - C:\Program Files\Funchester\prxtbFun2.dll
O3 - Toolbar: Conduit Engine  - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [BOC-426] C:\PROGRA~1\Comodo\CBOClean\BOC426.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Online Armor\OAui.exe"
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Text%20Twist/Images/stg_drm.ocx
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Text%20Twist/Images/armhelper.ocx
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\HmelyoffLabs\VHToolkit\Skype4COM.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Online Armor Helper Service (OAcat) - Unknown owner - C:\Program Files\Online Armor\OAcat.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsSvc.exe (file missing)
O23 - Service: Online Armor (SvcOnlineArmor) - Unknown owner - C:\Program Files\Online Armor\oasrv.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
O23 - Service: NST ToolTipFixer (TTFixerService) - NeoSmart Technologies - C:\Program Files\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe

--
End of file - 10352 bytes


I hope this is OK.
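The HijackThis log in the post above is the kind of thing a helper triages by eye, line by line. As an added example, not part of the original post and not code from HijackThis, DDS or any other tool named in the thread, here is a small Python triage script that parses HijackThis-style lines and flags the patterns a malware helper looks at first: entries whose target file is missing or unnamed, O23 services with no publisher string, O16 ActiveX (DPF) controls registered from a local file, fetched over plaintext http://, or with no codebase URL at all, and BHO, toolbar and URLSearchHook entries that match a short adware-family hint list. The hint list (ADWARE_HINTS), the reason strings and the function names are this example's own assumptions, not anything stated in the thread; the sample lines are excerpted from the log posted above.

```python
import re
from collections import Counter
from dataclasses import dataclass

# One HijackThis entry: a section code ("R3", "O2", "O23", ...) then " - " and the body.
HJT_LINE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Assumption of this example: substrings of vendor/product names commonly bundled
# as adware toolbars or BHOs. Extend or replace with your own list.
ADWARE_HINTS = ("conduit", "funchester", "ask.com", "freecause",
                "wildcats toolbar", "gamevance")


@dataclass
class Finding:
    kind: str    # HijackThis section code, e.g. "O16"
    reason: str  # why the line was flagged
    line: str    # the original log line


def parse_hjt(text):
    """Return (kind, body, line) for every line that looks like a HijackThis entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body"), line))
    return entries


def triage(text):
    """Apply first-pass heuristics to a HijackThis log and return the flagged entries."""
    findings = []
    for kind, body, line in parse_hjt(text):
        low = body.lower()
        # A registry hook whose target no longer exists: harmless leftover or a
        # half-removed infection, either way it should be cleaned up.
        if "(file missing)" in low or "(no file)" in low:
            findings.append(Finding(kind, "dangling entry: target file missing", line))
            continue
        if kind == "O23" and "unknown owner" in low:
            findings.append(Finding(kind, "service with no publisher string", line))
        if kind == "O16":
            # Downloaded Program Files: ActiveX controls IE will load on request.
            if "file:///" in low:
                findings.append(Finding(kind, "ActiveX (DPF) registered from local file", line))
            elif " - http://" in low:
                findings.append(Finding(kind, "ActiveX (DPF) from plaintext http:// source", line))
            elif body.rstrip().endswith("-"):
                findings.append(Finding(kind, "ActiveX (DPF) with no codebase URL", line))
        if kind in ("O2", "O3", "R3") and any(h in low for h in ADWARE_HINTS):
            findings.append(Finding(kind, "matches adware/toolbar family hint", line))
    return findings


def summarize(findings):
    """Count findings per reason, for a quick overview before reading the lines."""
    return dict(Counter(f.reason for f in findings))


# Sample input: lines excerpted from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
R3 - URLSearchHook: FCToolbarURLSearchHook Class - {8c49a3d1-585b-4eab-985d-6ad480b4f23d} - C:\Program Files\Kentucky Wildcats Toolbar\Helper.dll
R3 - URLSearchHook: (no name) -  - (no file)
R3 - URLSearchHook: Funchester Toolbar - {6fe46bf4-267f-4d8c-89b9-6c7947823145} - C:\Program Files\Funchester\prxtbFun2.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Conduit Engine  - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll
O2 - BHO: DCA - {B49699FC-1665-4414-A1CB-C4A2A4A13EEC} - C:\Program Files\Common Files\FreeCause\DCA\dca-bho.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Text%20Twist/Images/stg_drm.ocx
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Online Armor Helper Service (OAcat) - Unknown owner - C:\Program Files\Online Armor\OAcat.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for reason, n in sorted(summarize(found).items()):
        print(f"{n:2d}  {reason}")
    print()
    for f in found:
        print(f"[{f.kind}] {f.reason}\n      {f.line}")
```

A hit from this script is a reason to look, not a verdict: legitimate software (the AVG toolbar, Online Armor's "Unknown owner" service above) trips the same string checks as adware, and the hint list is a starting point rather than a signature database. Use it to order the lines you read, then confirm each one by path, publisher and hash.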

The Bubba
Topic Starter
Hopeful
« Reply #13 on: April 28, 2011, 08:19:10 AM »

I finally got DDS to run; here are the files.


.
DDS (Ver_11-03-05.01) - NTFSx86 
Run by John at 10:10:30.03 on Thu 04/28/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1023.480 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Online Armor Firewall *Disabled*
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Online Armor\OAcat.exe
C:\Program Files\Online Armor\oasrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\PROGRA~1\Comodo\CBOClean\BOC426.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Online Armor\OAui.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\Program Files\Online Armor\OAhlp.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Documents and Settings\John\Desktop\dds.pif
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://bigblueheaven.proboards.com/index.cgi
uURLSearchHooks: FCToolbarURLSearchHook Class: {8c49a3d1-585b-4eab-985d-6ad480b4f23d} - c:\program files\kentucky wildcats toolbar\Helper.dll
uURLSearchHooks: H - No File
uURLSearchHooks: Funchester Toolbar: {6fe46bf4-267f-4d8c-89b9-6c7947823145} - c:\program files\funchester\prxtbFun2.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Kentucky Wildcats Toolbar BHO: {2a118156-5307-4bfb-9548-b423fdf368a8} - c:\program files\kentucky wildcats toolbar\Toolbar.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Funchester Toolbar: {6fe46bf4-267f-4d8c-89b9-6c7947823145} - c:\program files\funchester\prxtbFun2.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: DCA BHO: {b49699fc-1665-4414-a1cb-c4a2a4a13eec} - c:\program files\common files\freecause\dca\dca-bho.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
TB: Kentucky Wildcats Toolbar: {7ef32ad9-c8ac-44e3-a39f-913e777adeee} - c:\program files\kentucky wildcats toolbar\Toolbar.dll
TB: Funchester Toolbar: {6fe46bf4-267f-4d8c-89b9-6c7947823145} - c:\program files\funchester\prxtbFun2.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [IE New Window Maximizer] c:\program files\ie new window maximizer\iemaximizer.exe
mRun: [BOC-426] c:\progra~1\comodo\cboclean\BOC426.exe
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [@OnlineArmor GUI] "c:\program files\online armor\OAui.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Text%20Twist/Images/stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Text%20Twist/Images/armhelper.ocx
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\hmelyofflabs\vhtoolkit\Skype4COM.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\online~2\oaevent.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32464]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-4-26 207280]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 296400]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2011-4-26 205864]
R1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [2011-4-26 39048]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2011-4-26 25192]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2011-4-26 29464]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2011-4-26 233136]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-2-15 7421280]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 BOCore;BOCore;c:\program files\comodo\cboclean\BOCore.exe [2008-10-21 73464]
R2 OAcat;Online Armor Helper Service;c:\program files\online armor\oacat.exe [2011-4-26 381512]
R2 SvcOnlineArmor;Online Armor;c:\program files\online armor\oasrv.exe [2011-4-26 4326472]
R2 TTFixerService;NST ToolTipFixer;c:\program files\neosmart technologies\tooltipfixer\ToolTipFixer.exe [2007-6-27 10240]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-8 135664]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsauxs.exe --> c:\program files\spyware doctor\pctsAuxs.exe [?]
S2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctssvc.exe --> c:\program files\spyware doctor\pctsSvc.exe [?]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-4-26 947528]
S3 DigiCellDriver;DigiCellDriver;\??\c:\program files\msi\dualcorecenter\ntglm7x.sys --> c:\program files\msi\dualcorecenter\NTGLM7X.sys [?]
S3 MsibiosDevice;MsibiosDevice;c:\program files\msi\live update 4\lu4\msibios.sys [2009-9-14 18432]
S3 PCAlertDriver;PCAlertDriver;\??\c:\program files\msi\pc alert 4\ntglm7x.sys --> c:\program files\msi\pc alert 4\NTGLM7X.sys [?]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2011-4-26 70408]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]
.
=============== File Associations ===============
.
regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2011-04-28 03:56:11   388096   ----a-r-   c:\docume~1\john\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-04-26 17:33:25   --------   d-----w-   c:\docume~1\john\applic~1\OnlineArmor
2011-04-26 17:33:25   --------   d-----w-   c:\docume~1\alluse~1\applic~1\OnlineArmor
2011-04-26 17:32:10   39048   ----a-w-   c:\windows\system32\drivers\oahlp32.sys
2011-04-26 17:32:10   29464   ----a-w-   c:\windows\system32\drivers\OAnet.sys
2011-04-26 17:32:10   25192   ----a-w-   c:\windows\system32\drivers\OAmon.sys
2011-04-26 17:32:08   205864   ----a-w-   c:\windows\system32\drivers\OADriver.sys
2011-04-26 17:32:01   --------   d-----w-   c:\program files\Online Armor
2011-04-26 15:44:59   233136   ----a-w-   c:\windows\system32\drivers\pctgntdi.sys
2011-04-26 15:44:33   87784   ----a-w-   c:\windows\system32\drivers\PCTAppEvent.sys
2011-04-26 15:44:33   207280   ----a-w-   c:\windows\system32\drivers\PCTCore.sys
2011-04-26 15:44:20   70408   ----a-w-   c:\windows\system32\drivers\pctplsg.sys
2011-04-26 15:44:10   --------   d-----w-   c:\program files\Spyware Doctor
2011-04-26 15:44:10   --------   d-----w-   c:\docume~1\john\applic~1\PC Tools
2011-04-26 15:44:10   --------   d-----w-   c:\docume~1\alluse~1\applic~1\PC Tools
2011-04-26 15:42:41   --------   d-----w-   c:\docume~1\john\applic~1\GetRightToGo
2011-04-26 15:20:31   --------   d-----w-   c:\windows\system32\wbem\repository\FS
2011-04-26 15:20:31   --------   d-----w-   c:\windows\system32\wbem\Repository
2011-04-26 15:07:27   --------   d-----w-   c:\program files\Xvid
2011-04-26 14:46:01   --------   d-----w-   c:\program files\PC Tools Firewall Plus(4)
2011-04-26 12:11:32   --------   d-----w-   c:\program files\PC Tools Firewall Plus(3)
2011-04-25 20:22:36   --------   d-----w-   c:\program files\PC Tools Firewall Plus(2)
2011-04-25 01:05:41   --------   d-----w-   c:\program files\Java(2)
2011-04-25 00:40:23   --------   d-----w-   c:\docume~1\john\applic~1\PCToolsFirewallPlus
2011-04-25 00:38:59   --------   d-----w-   c:\program files\common files\PC Tools
2011-04-24 21:44:00   --------   d-----w-   c:\program files\SUPERAntiSpyware
2011-04-23 20:32:03   --------   d-----w-   c:\program files\Enigma Software Group
2011-04-23 19:30:57   --------   d-----w-   c:\docume~1\alluse~1\applic~1\STOPzilla!
2011-04-23 01:42:10   --------   d-----w-   c:\docume~1\alluse~1\applic~1\DivX
.
==================== Find3M  ====================
.
2011-03-19 13:21:41   0   ----a-w-   c:\windows\system32\ConduitEngine.tmp
2011-03-07 05:33:50   692736   ----a-w-   c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06   420864   ----a-w-   c:\windows\system32\vbscript.dll
2011-03-03 13:21:11   1857920   ----a-w-   c:\windows\system32\win32k.sys
2011-02-22 23:06:29   916480   ----a-w-   c:\windows\system32\wininet.dll
2011-02-22 23:06:29   43520   ----a-w-   c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29   1469440   ------w-   c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59   385024   ----a-w-   c:\windows\system32\html.iec
2011-02-17 12:32:12   5120   ----a-w-   c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39   290432   ----a-w-   c:\windows\system32\atmfd.dll
2011-02-09 13:53:52   270848   ----a-w-   c:\windows\system32\sbe.dll
2011-02-09 13:53:52   186880   ----a-w-   c:\windows\system32\encdec.dll
2011-02-08 13:33:55   978944   ----a-w-   c:\windows\system32\mfc42.dll
2011-02-08 13:33:55   974848   ----a-w-   c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35   2067456   ----a-w-   c:\windows\system32\mstscax.dll
.
=================== ROOTKIT  ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1200JB-00GVA0 rev.08.02D08 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll >>UNKNOWN [0x872E1730]<<
c:\windows\system32\drivers\PCTCore.sys PC Tools Kernel Driver Suite
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x872e7a10]; MOV EAX, [0x872e7a8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX;  }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x87381AB8]
3 CLASSPNP[0xF77EFFD7] -> nt!IofCallDriver[0x804E37D5] -> [0x87323920]
5 PCTCore[0xF76BB88F] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000064[0x87383F18]
7 ACPI[0xF7746620] -> nt!IofCallDriver[0x804E37D5] -> [0x87326D98]
\Driver\atapi[0x87377A10] -> IRP_MJ_CREATE -> 0x872E1730
error: Read  A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a;  }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x872E157B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 10:12:47.81 ===============
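Added example, not part of the thread or of GMER itself: a small Python triage script for the ROOTKIT section of the log above. It pulls out the four things a responder reads in that block (the `>>UNKNOWN [addr]<<` entry in the disk call chain, the `\Driver\atapi ... IRP_MJ_CREATE -> addr` dispatch redirect, the `DriverStartIo` hook under `detected hooks:`, and GMER's own `Warning:` line) and adds one heuristic of my own: whether all of those addresses fall in the same 4 KiB page, which is what you expect when a single injected code blob has taken over the miniport rather than several unrelated drivers. The sample input is reconstructed from the log posted in this thread; the function and class names are mine.

```python
"""Triage the ROOTKIT section of a ComboFix/GMER MBR-check log.

Added example, not code from the thread or from GMER. Sample input below is
reconstructed from the log posted in this thread.
"""
import re
from dataclasses import dataclass, field

# Regexes for the three line shapes GMER's MBR detector prints (assumed
# from the posted log; other GMER versions may format these differently).
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
DISPATCH_RE = re.compile(r"^\\Driver\\(\w+)\[0x[0-9A-Fa-f]+\] -> (IRP_MJ_\w+) -> (0x[0-9A-Fa-f]+)")
HOOK_RE = re.compile(r"^\\Driver\\(\w+) (\w+) -> (0x[0-9A-Fa-f]+)")

# Constructed sample: the ROOTKIT block from the log above, verbatim.
SAMPLE_LOG = r"""
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll >>UNKNOWN [0x872E1730]<<
c:\windows\system32\drivers\PCTCore.sys PC Tools Kernel Driver Suite
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x87381AB8]
3 CLASSPNP[0xF77EFFD7] -> nt!IofCallDriver[0x804E37D5] -> [0x87323920]
5 PCTCore[0xF76BB88F] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000064[0x87383F18]
7 ACPI[0xF7746620] -> nt!IofCallDriver[0x804E37D5] -> [0x87326D98]
\Driver\atapi[0x87377A10] -> IRP_MJ_CREATE -> 0x872E1730
error: Read  A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x872E157B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""


@dataclass
class RootkitTriage:
    known_modules: list = field(default_factory=list)       # attributed modules in the disk stack
    unknown_addrs: list = field(default_factory=list)       # code GMER could not map to a driver
    dispatch_redirects: list = field(default_factory=list)  # (driver, IRP_MJ_*, target addr)
    hooks: list = field(default_factory=list)               # (driver, entry point, target addr)
    read_errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    mbr_ok: bool = False

    def suspicious(self) -> bool:
        """Any unattributed code, hook or redirect in the disk path is a finding."""
        return bool(self.unknown_addrs or self.hooks or self.dispatch_redirects or self.warnings)

    def same_page(self) -> bool:
        """Heuristic (mine, not GMER's): if every flagged address shares one
        4 KiB page, the UNKNOWN module, the IRP redirect and the hook are very
        likely one injected blob rather than unrelated legitimate drivers."""
        pages = {int(a, 16) >> 12 for a in self.unknown_addrs}
        pages |= {int(a, 16) >> 12 for _, _, a in self.dispatch_redirects}
        pages |= {int(a, 16) >> 12 for _, _, a in self.hooks}
        return len(pages) == 1


def parse_rootkit_section(text: str) -> RootkitTriage:
    t = RootkitTriage()
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("called modules:"):
            m = UNKNOWN_RE.search(line)
            if m:
                t.unknown_addrs.append(m.group(1))
            t.known_modules = UNKNOWN_RE.sub("", line[len("called modules:"):]).split()
            continue
        if line.startswith("detected hooks:"):
            in_hooks = True
            continue
        if in_hooks:
            m = HOOK_RE.match(line)
            if m:
                t.hooks.append(m.groups())
                continue
            in_hooks = False  # first non-hook line ends the section
        m = DISPATCH_RE.match(line)
        if m:
            t.dispatch_redirects.append(m.groups())
        elif line.startswith("error:"):
            t.read_errors.append(line[len("error:"):].strip())
        elif line.startswith("Warning:"):
            t.warnings.append(line[len("Warning:"):].strip())
        elif line == "user & kernel MBR OK":
            t.mbr_ok = True
    return t


def report(t: RootkitTriage) -> str:
    lines = [f"unknown code in disk stack: {t.unknown_addrs or 'none'}"]
    for drv, irp, addr in t.dispatch_redirects:
        lines.append(f"{drv} {irp} dispatch redirected to {addr}")
    for drv, entry, addr in t.hooks:
        lines.append(f"{drv} {entry} hooked -> {addr}")
    lines.append(f"MBR sectors themselves: {'OK' if t.mbr_ok else 'NOT verified'}")
    if t.suspicious():
        lines.append("VERDICT: disk I/O path is hooked; MBR OK does not clear the box")
        if t.same_page():
            lines.append("flagged addresses share one page: single injected blob likely")
    else:
        lines.append("VERDICT: no hooks or unknown modules in the disk path")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_rootkit_section(SAMPLE_LOG)))
```

The point this makes explicit is the one in the log that is easy to misread: "user & kernel MBR OK" only says the MBR bytes GMER read back were sane, while the hook on atapi's DriverStartIo and the unattributed code that IRP_MJ_CREATE now lands in mean the kernel's view of the disk is being filtered, which is exactly how the TDL3 family hides.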

SuperDave
Malware Removal Specialist
Moderator
Prodigy
« Reply #14 on: April 28, 2011, 11:22:58 AM »

Quote
When trying to open it, it wanted to open as a screen saver. I tried the second link and when opening it all I got was an empty black prompt page?
Must be just a hiccup. I tried them and they both work. The main thing is that you were able to run the scan and it showed a rootkit, which could be causing this.

I strongly recommend that you remove Ask from your computer because it:

• Promotes its toolbars on sites targeted to kids.
• Promotes its toolbars through ads that appear to be part of other companies' sites.
• Promotes its toolbars through other companies' spyware.
• Installs without any disclosure whatsoever and without any consent whatsoever.
• Solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.
• Makes confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.

See Here for more info.

If you choose to follow my recommendation then please go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

AskBarDis or anything related to Ask

Then please find and delete this folder in bold (if present):
C:\Program Files\AskBarDis, or anything related to Ask.
*******************************************************
You may have problems running this tool entirely. If that happens, please let me know. I will know what's causing it.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply
Note: It will also create a log in the C:\ directory.

AMD Athlon XP 1900+ 1.47 GHz  3 GB Ram Windows XP  Home with SP3, MicroSoft Security Essentials, Spybot S&D. SuperAntiSpyware  and Threatfire with Comodo Firewall & Windows Defender
Copyright © 2010 Computer Hope ® All rights reserved.