Computer Hope

Software => Computer viruses and spyware => Topic started by: lectrocrew on April 19, 2008, 07:19:40 AM

Title: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 19, 2008, 07:19:40 AM

I have run NoAdware spyware software for about 5 years along with AVG Internet Security full version for 2 years, and previously with Norton Internet Security. NoAdware has been very effective at finding spyware that AVG and Norton paid no attention to.
New situation = I just upgraded my AVG v7.5 to v8.0 and had some problems with slow surf speed and getting the firewall configured to work with my wireless router but after a re-install and a few hours of headaches the AVG 8.0 is working fine.
My current problem is that after the AVG 8.0 upgrade, NoAdware v5.0 finds a directory file named "AntiVirusGold" in 'C/Program Files/AVG' and gives an option to remove this file from my computer. The NoAdware item description =
"Purports to be anti-spyware software, but has been known to be installed through extremely devious methods.".
So what do I do; Allow NoAdware to remove the file, which will likely affect operation of AVG Internet Security, or add this "AntiVirusGold" file to the NoAdware ignore list? Or what other options do I have?

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: evilfantasy on April 19, 2008, 08:58:32 AM

AntiVirusGold is a rouge program and isn't part of AVG.

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 19, 2008, 12:30:32 PM

Thanks evilfantasy !!!
So I removed AntiVirusGold from the NoAdware 'ignore list', scanned again, and allowed this file to be removed.
I guess NoAdware continues to be worth the $37 per year. It found this file during a scan of 192,168 files on 2 hard drives in less than 4 minutes. The $52.95 per year AVG took over 2 hours to scan 288,277 files on those same drives and did not find the AntiVirusGold file. What am I missing here?

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgra
Post by: evilfantasy on April 19, 2008, 12:38:54 PM

I'm not very familiar with Noadware but it sounds like it is doing a good job.

It wouldn't hurt to post a Hijackthis log so we can see if there isn't anything else hiding.

Download and rename HijackThis (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe) (HJT)

Double-click on HJTInstall.
Click on the Install button.
It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
Upon install, HijackThis should open for you.

Close HijackThis and rename it.
Go to C:\Program Files\Trend Micro\HijackThis.exe
Right click on HijackThis.exe and select Rename.
Type in sniper.exe and press Enter.
Right-click on sniper.exe and select Send To > Desktop (create shortcut)

From the desktop open Hijackthis.
If using Windows Vista, Right-click and Run As Administrator.
Click on the Do a system scan and save a log file button
Hijackthis will scan and then a log will open in notepad.
Copy and then paste the entire contents of the log in your post.
- Do not have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Although we have renamed Hijackthis to sniper, we will still refer to it as Hijackthis or HJT.

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 19, 2008, 03:28:41 PM

Done. Sorry it took so long, I had to get the grass cut before it rains.
I clicked on the remove file from my computer button in NoAdware, but the 'AntiVirusGold' file showed up again after I restarted my computer and scanned again. I turned off system restore for all 3 drives {2 partitions on internal HD and 1 USB external drive}, clicked on remove file again in NoAdware then restarted again. The AntiVirusGold is still there after another scan with NoAdware.
This board will not let me post the HJT log file here. It says it exceeds the maximum character limit of 20000 characters. How should I post the log file results?

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: evilfantasy on April 19, 2008, 03:31:44 PM

Save the Hijackthis log to your desktop then go here > http://savefile.com/

There is no need to sign up, just upload the file and then post the link to it back here.

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 19, 2008, 04:01:36 PM

It won't let me upload my file due to invalid security code'. I typed the code correctly?

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: evilfantasy on April 19, 2008, 04:05:22 PM

OK, take the log and copy and paste it into two different threads.

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 19, 2008, 04:12:57 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:31:36 PM, on 4/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Linksys EasyLink Advisor\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NoAdware5.0\NoAdware5.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Trend Micro\sniper.exe\sniper.exe.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 19, 2008, 04:14:04 PM

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [lxdcmon.exe] "C:\Program Files\Lexmark 1300 Series\lxdcmon.exe"
O4 - HKLM\..\Run: [lxdcamon] "C:\Program Files\Lexmark 1300 Series\lxdcamon.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
O4 - HKLM\..\Run: [Easy Synchronization] C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [Easy Synchronization] C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe --ports
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NoAdware5] "C:\Program Files\NoAdware5.0\NoAdware5.exe" :Min:
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://sports.espn.go.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205953650720
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://linksyssupport.webex.com/client/T26L/support/ieatgpc.cab
O18 - Protocol: bw+0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: offline-8876480 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
O23 - Service: lxdcCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdcserv.exe
O23 - Service: lxdc_device - - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: (no name) - F:\vulcan_1024x768.jpg
O24 - Desktop Component 1: (no name) - F:\Nalu_1920x1440.jpg
O24 - Desktop Component 2: (no name) - F:\Adrianne_1400x1050.jpg
O24 - Desktop Component 3: (no name) - C:\Documents and Settings\Owner\My Documents\My Pictures\black_cat.jpg
O24 - Desktop Component 4: (no name) - C:\Documents and Settings\Owner\My Documents\My Pictures\cat13b.jpg
O24 - Desktop Component 5: (no name) - C:\Documents and Settings\Owner\My Documents\My Pictures\wanimal3t.gif

--
End of file - 22730 bytes

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgra
Post by: evilfantasy on April 19, 2008, 04:24:04 PM

Open Hijackthis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O18 - Protocol: bwz0s <<Place a check next to ALL 77 of these with Logitech in the name

Important: Close all windows except for Hijackthis and then click Fix checked.

Exit Hijackthis.

----------

Please download Malwarebytes' Anti-Malware (MBAM) to your desktop from either of these two links.(It is free, the paid version has real time protection)

Link 1 (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Link 2 (http://www.besttechie.net/tools/mbam-setup.exe)

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware

Click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad.
Please copy and paste the log into your next reply

Note: If you accidentally close the log it can be retrieved at any time from the Malwarebytes' Anti-Malware main screen.

Launch Malwarebytes' Anti-Malware.
Click the Logs tab.
Double-click log-mm.dd.yyyy [xxxxxx].txt

----------

Next post please add
MBAM log

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 19, 2008, 06:44:36 PM

Malwarebytes' Anti-Malware 1.11
Database version: 658

Scan type: Full Scan (C:\|F:\|L:\|)
Objects scanned: 134225
Time elapsed: 48 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
===============
Sorry it took so long. The scan took almost an hour and dinner with the family was ready just before the scan finished.
As you can see, MBAM found nothing.
Then I scaned with NoAdware again and found the AntiVirusGold is still there along with 16 not-critical cookies.
What now?

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 19, 2008, 07:21:41 PM

This AntiVirusGold is in the AVG 8.0 drivers, {C:\Program Files\AVG\AVG8\Drivers}.
Here is my NoAdware log:

Noadware 5.0

---------------------

Removing Spyware Tracking Cookie...

Removing Registry Tracking Cookie...

Removing RegValues Tracking Cookie...

Fixing RegValue dataTracking Cookie...

Removing Cookies Tracking Cookie...

[Deleted Cookie]

C:\Documents and Settings\Owner\Cookies\owner@adbrite[2].txt

[Deleted Cookie]

C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

[Deleted Cookie]

C:\Documents and Settings\Owner\Cookies\owner@clickbank[1].txt

[Deleted Cookie]

C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt

[Deleted Cookie]

C:\Documents and Settings\Owner\Cookies\owner@statcounter[1].txt

[Deleted Cookie]

C:\Documents and Settings\Owner\Cookies\owner@casalemedia[2].txt

[Deleted Cookie]

C:\Documents and Settings\Owner\Cookies\owner@bluestreak[2].txt

[Deleted Cookie]

C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt

[Deleted Cookie]

C:\Documents and Settings\Owner\Cookies\owner@trafficmp[1].txt

[Deleted Cookie]

C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt

Removing Files Tracking Cookie...

Removing Folders Tracking Cookie...

Removing Spyware AntiVirusGold...

Removing Registry AntiVirusGold...

Removing RegValues AntiVirusGold...

Fixing RegValue dataAntiVirusGold...

Removing Cookies AntiVirusGold...

Removing Files AntiVirusGold...

Removing Folders AntiVirusGold...

[Removing Directory...]

C:\Program Files\AVG

Could not delete (C:\Program Files\AVG\AVG8\Drivers) error code = 145

Could not delete (C:\Program Files\AVG) error code = 145

[Directory Removal Failed (Not Empty or already removed)]

C:\Program Files\AVG

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgra
Post by: evilfantasy on April 19, 2008, 08:51:05 PM

Where did you download AVG from?

This scan will only take a few minutes.

Download SmitfraudFix (by S!Ri) (http://siri.urz.free.fr/Fix/SmitfraudFix.zip) to your Desktop.

Extract all the files to your Destop.
A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd

Select option #1 - Search by typing 1 and press Enter
- This program will scan large amounts of files on your computer for known patterns so please be patient while it works.
- When it is done, the results of the scan will be displayed and it will create a log named rapport.txt
  - This is in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.
- Please attach that log in your next reply.

Note: process.exe ( which is used by SmitFraudFIx ) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

http://www.beyondlogic.org/consulting/processutil/processutil.htm (http://www.beyondlogic.org/consulting/processutil/processutil.htm)[/LEFT]

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 20, 2008, 07:25:53 AM

SmitFraudFix v2.315

Scan done at 9:10:45.10, Sun 04/20/2008
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Linksys EasyLink Advisor\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NoAdware5.0\NoAdware5.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="F:\\vulcan_1024x768.jpg"
"SubscribedURL"="F:\\vulcan_1024x768.jpg"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="F:\\Nalu_1920x1440.jpg"
"SubscribedURL"="F:\\Nalu_1920x1440.jpg"
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="F:\\Adrianne_1400x1050.jpg"
"SubscribedURL"="F:\\Adrianne_1400x1050.jpg"
"FriendlyName"=""

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~2\\GOEC62~1.DLL,avgrsstx.dll"
"LoadAppInit_DLLs"=dword:00000001

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Compact Wireless-G USB Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4934C8E4-4A75-4AF3-BA5D-2403C2DCD3BD}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4934C8E4-4A75-4AF3-BA5D-2403C2DCD3BD}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{4934C8E4-4A75-4AF3-BA5D-2403C2DCD3BD}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

-----------------
ALSO,
To answer your question:
I downloaded the AVG 8.0 file as a license upgrade from the Grisoft site here:
http://www.grisoft.com/us.90223

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 20, 2008, 07:35:35 AM

I went to work at 10pm last night till 7am so I probably won't stay awake much longer. I'll check back later to see if you've posted anything further or need more information. Thanks a ton for all your help!!!
Mike

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgra
Post by: evilfantasy on April 20, 2008, 08:40:00 AM

That didn't find it.

More thorough scan....

Please download Combofix by sUBs from one of the below links.
(Try all three if necessary)

Link #1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link #2 (http://subs.geekstogo.com/ComboFix.exe)
Link #3 (http://www.forospyware.com/sUBs/ComboFix.exe)

Important! Combofix.exe MUST be saved to and ran from the Desktop.

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
- Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.
- If yours is not listed and you don't know how to disable it, please ask.
Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
Double click combofix.exe & follow the prompts.
Choose Yes to accept the Disclaimers.[

When finished, it will produce a log for you.
Post that log in your next reply.

Warning: Do not mouseclick combofix's window while it is running. That may cause it to stall

If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.

If needed, see this Combofix tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) with screenshots that will detail the downloading and running of combofix more thoroughly. Still be sure to rename combofix as detailed above.

----------

Next post
Combofix log

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 20, 2008, 01:48:17 PM

Quote

Click this link to see a list of security programs that should be disabled and how to disable them.

If yours is not listed and you don't know how to disable it, please ask.

I have Combofix.exe and Windows XP boot disk downloaded to my desktop and ready to run but:
The instructions given in the link to disable AVG don't work for AVG8. It works for AVG 7.5, I've done that before. I cannot find a way to disable antivirus, antispyware or anti rootkit. All others I have disabled {firewall, e-mail scanner, resident sheild, anti spam, search sheild, active surf sheild ect.}
The AVG website is not much help.
http://www.grisoft.com/ww.faq.num-1209#faq_1209 (http://www.grisoft.com/ww.faq.num-1209#faq_1209)

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgra
Post by: patio on April 20, 2008, 02:15:24 PM

Disable the FireFox / AVG addon and see if this helps...
Restart FireFox after doing so.

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 20, 2008, 02:37:31 PM

I disabled the AVG add-ons but still don't see where to disable the anti virus, spyware, rootkit.
I can terminate processes from the AVG system tools menu, but I'm not sure which process I need to terminate. I tried this route once but the 2nd process I terminated, ended the AVG control panel I was using although it returned after reboot.
I don't know if terminating processes is even an optional way to disable the program, but since I can't find this control anywhere including advanced settings, will it work for what I'm trying to do?
My terminate process options are:
avgam.exe
avgemc.exe

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 20, 2008, 02:39:28 PM

Sorry
I hit the enter button by mistake. I have more terminate process options. Please give me a moment to type them

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 20, 2008, 02:44:13 PM

Additional options =
avgfws8.exe
avgnsx.exe
avgrsx.exe
avgsystx.exe
avgtray.exe
avgui.exe
avgwdsvc.exe

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: evilfantasy on April 20, 2008, 04:40:48 PM

Just try running Combofix. AVG may not block it from running. If it does block it then we will run it a different way.

Combofix uses scripts that some AV's see as malicious.

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgra
Post by: patio on April 20, 2008, 06:32:04 PM

Sorry for jumpin in EF.
I just finished reading AVG 8.0 installs an addon to Firefox and thought it may be the hangup.

patio.

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: evilfantasy on April 20, 2008, 06:52:01 PM

Any time Patio. Useful advice is always welcome.

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 21, 2008, 07:37:05 AM

OK. Sorry for the delay. Another night at work. When I got home this morning I scanned with NoAdware again. Only 1 threat, AntiVirusGold. I then disabled NoAdware and what parts of AVG that I could, then I ran combofix per instructions I printed from the bleeping computer website.
After it ran I saved the combofix logfile and I will try to post it in another reply, or 2 separate replies {it is large}..
Immediately after running combofix, with no re-boot, I enabled NoAdware and scanned in quickscan mode. It found 5 threats as listed below. I did not allow NoAdware to remove any of the threats yet.
---------------------------------
Noadware v5.0 --------------------------

Reference File = C:\Program Files\NoAdware5.0\noadware4_041808.na

---------------------------

Spyware Name = Kazaa

Location = HKEY_CURRENT_USER\software\kazaa

Type = RegKey

Spyware Name = Kazaa

Location = HKEY_CURRENT_USER\Software\Kazaa\LocalContent

Type = RegKey

Spyware Name = Backdoor.Bifrose

Location = HKEY_CURRENT_USER\Software\Wget

Type = RegKey

Spyware Name = Trojan.PWS.Tanspy

Location = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load

Type = RegKey

Spyware Name = AntiVirusGold

Location = C:\Program Files\AVG

Type = Directory

---------------------------------
Next I started a scan with AVG. I'll probably post this reply before it finishes it's scan due to time but so far it has scanned 474xxx objects and found 8 suspect files but list 0 as threats thus far. I'll post that log when it finishes.
------------------------

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 21, 2008, 07:39:26 AM

My combofix log {part 1}:

ComboFix 08-04-20.2 - Owner 2008-04-21 8:29:46.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1548 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\tmp70.tmp
C:\WINDOWS\system32\tmp71.tmp
C:\WINDOWS\system32\tmp72.tmp

.
((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
.

2008-04-20 09:10 . 2008-04-20 09:09   289,144   --a------   C:\WINDOWS\system32\VCCLSID.exe
2008-04-20 09:10 . 2008-04-20 09:09   288,417   --a------   C:\WINDOWS\system32\SrchSTS.exe
2008-04-20 09:10 . 2008-04-20 09:09   86,528   --a------   C:\WINDOWS\system32\VACFix.exe
2008-04-20 09:10 . 2008-04-20 09:09   82,432   --a------   C:\WINDOWS\system32\IEDFix.exe
2008-04-20 09:10 . 2008-04-20 09:09   53,248   --a------   C:\WINDOWS\system32\Process.exe
2008-04-20 09:10 . 2008-04-20 09:09   51,200   --a------   C:\WINDOWS\system32\dumphive.exe
2008-04-20 09:10 . 2008-04-20 09:09   25,600   --a------   C:\WINDOWS\system32\WS2Fix.exe
2008-04-20 09:10 . 2008-04-20 09:10   3,318   --a------   C:\WINDOWS\system32\tmp.reg
2008-04-19 18:40 . 2008-04-19 18:40   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-04-19 18:40 . 2008-04-19 18:40   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-19 18:40 . 2008-04-19 18:40   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-19 15:06 . 2008-04-19 17:09   <DIR>   d--------   C:\Program Files\Trend Micro
2008-04-18 22:36 . 2008-04-18 22:36   <DIR>   dr-h-----   C:\Documents and Settings\Owner\Application Data\SecuROM
2008-04-18 22:36 . 2008-04-18 22:36   107,888   --a------   C:\WINDOWS\system32\CmdLineExt.dll
2008-04-18 22:32 . 2008-04-18 22:32   <DIR>   d--------   C:\WINDOWS\system32\AGEIA
2008-04-18 22:32 . 2008-04-18 22:32   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2008-04-18 22:32 . 2008-04-18 22:32   <DIR>   d--------   C:\Program Files\AGEIA Technologies
2008-04-18 22:32 . 2005-05-26 15:34   2,297,552   --a------   C:\WINDOWS\system32\d3dx9_26.dll
2008-04-18 22:21 . 2008-04-19 01:33   <DIR>   d--------   C:\Program Files\Rail Simulator
2008-04-18 17:58 . 2008-04-20 16:08   <DIR>   d--------   C:\WINDOWS\system32\drivers\Avg
2008-04-18 17:58 . 2008-04-18 17:58   96,520   --a------   C:\WINDOWS\system32\drivers\avgldx86.sys
2008-04-18 17:58 . 2008-04-18 17:58   75,272   --a------   C:\WINDOWS\system32\drivers\avgtdix.sys
2008-04-18 17:58 . 2008-04-18 17:58   12,424   --a------   C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-04-18 17:58 . 2008-04-18 17:58   10,520   --a------   C:\WINDOWS\system32\avgrsstx.dll
2008-04-18 17:38 . 2008-04-18 17:38   45,568   --a------   C:\WINDOWS\system32\avgfwdx.dll
2008-04-18 17:38 . 2008-04-18 17:38   22,528   --a------   C:\WINDOWS\system32\drivers\avgfwdx.sys
2008-04-18 13:17 . 2008-04-20 15:16   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Avg8
2008-04-17 09:11 . 2008-04-17 21:26   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\AVGTOOLBAR
2008-04-17 09:11 . 2008-04-17 09:11   12,424   --a------   C:\WINDOWS\system32\drivers\avgrkx86.sys.install_backup
2008-04-17 09:11 . 2008-04-17 09:11   10,520   --a------   C:\WINDOWS\system32\avgrsstx.dll.install_backup
2008-04-17 09:10 . 2008-04-17 09:10   <DIR>   d--------   C:\Program Files\AVG
2008-04-17 09:09 . 2008-04-17 20:57   <DIR>   d--------   C:\WINDOWS\SxsCaPendDel
2008-04-07 20:02 . 2008-04-07 20:02   <DIR>   d--------   C:\Documents and Settings\Owner\Bluetooth Software
2008-04-07 19:56 . 2008-04-07 19:56   <DIR>   d--------   C:\Documents and Settings\LocalService\Application Data\Logitech
2008-04-07 19:56 . 2008-04-07 19:56   118,784   -r-------   C:\WINDOWS\bwUnin-7.2.0.157-8876480SL.exe
2008-04-07 19:55 . 2008-04-07 20:01   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Logitech
2008-04-07 19:55 . 2008-04-07 19:55   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Logitech
2008-04-07 19:55 . 2005-10-05 12:00   47,104   --a------   C:\WINDOWS\system32\drivers\vserial.sys
2008-04-07 19:55 . 2005-10-05 12:00   18,167   --a------   C:\WINDOWS\system32\drivers\vsb.sys
2008-04-07 19:54 . 2008-04-07 19:56   <DIR>   d--------   C:\Program Files\Logitech
2008-04-07 19:54 . 2008-04-07 19:54   <DIR>   d--------   C:\Program Files\Common Files\Logitech
2008-04-07 19:51 . 2008-04-07 19:51   <DIR>   d--------   C:\Program Files\WIDCOMM
2008-04-07 16:48 . 2008-04-07 16:48   <DIR>   d--------   C:\Program Files\Safari
2008-04-07 16:45 . 2008-04-07 16:45   <DIR>   d--------   C:\Program Files\iTunes
2008-04-07 16:45 . 2008-04-07 16:45   <DIR>   d--------   C:\Program Files\iPod
2008-04-07 16:44 . 2008-04-07 16:44   <DIR>   d--------   C:\Program Files\QuickTime
2008-04-06 16:31 . 2008-04-07 07:49   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Ulead Systems
2008-04-06 16:29 . 2008-04-06 16:29   <DIR>   d--------   C:\Program Files\Ulead Systems
2008-04-06 15:14 . 2005-11-24 19:51   245,248   --a------   C:\WINDOWS\system32\rt73.sys
2008-04-06 15:14 . 2008-04-06 15:14   20,747   --a------   C:\WINDOWS\system32\drivers\AegisP.sys
2008-04-06 15:14 . 2005-12-06 04:24   7,846   --a------   C:\WINDOWS\system32\rt73.cat
2008-04-06 15:14 . 2008-04-06 15:14   1,361   --a------   C:\WINDOWS\system32\WLAN.INI
2008-04-06 13:14 . 2008-04-06 16:29   <DIR>   d--------   C:\Program Files\Common Files\Ulead Systems
2008-04-06 13:14 . 2008-04-06 16:30   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-04-04 12:21 . 2006-12-28 13:12   290,816   --a------   C:\WINDOWS\system32\hcwzblast.dll
2008-04-04 12:21 . 2007-03-28 07:16   90,175   --a------   C:\WINDOWS\system32\hcwblast.ocx
2008-04-04 12:21 . 2007-03-28 07:15   65,603   --a------   C:\WINDOWS\system32\hcwIRblast.dll
2008-04-04 12:21 . 2005-07-28 13:33   40,960   --a------   C:\WINDOWS\system32\GButton.ocx
2008-04-04 12:21 . 2004-10-06 14:03   248   --a------   C:\WINDOWS\HCWBlast_sav.ini
2008-04-04 12:21 . 2004-10-06 14:03   248   --a------   C:\WINDOWS\HCWBlast.ini
2008-04-04 12:20 . 2008-04-04 12:20   <DIR>   d--------   C:\WINDOWS\system32\Hauppauge
2008-04-04 12:20 . 2008-04-04 12:20   <DIR>   d--------   C:\Program Files\nanoPEG for WinTV
2008-04-04 12:20 . 2008-04-04 12:20   <DIR>   d--------   C:\Program Files\Common Files\IviSDK
2008-04-04 12:18 . 2008-04-18 18:51   <DIR>   d--------   C:\Program Files\WinTV
2008-04-04 12:18 . 2008-04-06 07:58   <DIR>   d--------   C:\MyVideos
2008-04-04 12:16 . 2004-08-03 23:10   85,376   --a------   C:\WINDOWS\system32\drivers\NABTSFEC.sys
2008-04-04 12:15 . 2007-05-10 14:43   367,744   -ra------   C:\WINDOWS\system32\drivers\hcw18bda.sys
2008-04-03 20:44 . 2008-04-03 20:44   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\vlc
2008-04-03 20:43 . 2008-04-09 12:40   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\dvdcss
2008-04-03 20:41 . 2008-04-03 20:41   <DIR>   d--------   C:\Program Files\VideoLAN
2008-04-02 16:45 . 2008-04-18 18:06   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2008-04-02 16:45 . 2008-04-02 16:45   1,409   --a------   C:\WINDOWS\QTFont.for
2008-04-02 16:43 . 2008-04-02 16:43   <DIR>   d--------   C:\Program Files\Bonjour
2008-04-02 16:43 . 2008-04-10 13:45   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-04-02 16:42 . 2008-04-18 22:32   <DIR>   d----c---   C:\WINDOWS\system32\DRVSTORE
2008-04-02 16:42 . 2008-04-02 16:42   <DIR>   d--------   C:\Program Files\Apple Software Update
2008-04-02 16:42 . 2008-04-02 16:43   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-02 16:41 . 2008-04-02 16:41   <DIR>   d--------   C:\Program Files\Common Files\Apple
2008-04-02 16:41 . 2008-04-02 16:41   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Apple
2008-04-01 13:01 . 2008-04-01 13:01   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\CyberLink
2008-04-01 12:54 . 2008-04-01 12:54   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\CyberLink
2008-04-01 12:42 . 2008-04-01 12:43   <DIR>   d--------   C:\Program Files\CyberLink
2008-03-31 21:46 . 2008-03-31 21:55   <DIR>   d--------   C:\WINDOWS\NV35842212.TMP
2008-03-31 21:46 . 2007-12-10 14:24   159,458   --a------   C:\WINDOWS\system32\nvapps.nvb
2008-03-31 21:44 . 2008-03-31 21:44   <DIR>   d--------   C:\NVIDIA
2008-03-31 21:36 . 2008-03-31 21:36   <DIR>   d--------   C:\Program Files\SystemRequirementsLab
2008-03-31 17:03 . 2008-03-31 17:03   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Ahead
2008-03-31 17:01 . 2008-03-31 17:01   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Nero
2008-03-31 13:18 . 2008-03-31 13:18   <DIR>   d--------   C:\Program Files\MSXML 4.0
2008-03-31 12:40 . 2008-03-31 12:40   <DIR>   d--------   C:\Program Files\Windows Media Connect 2
2008-03-31 12:40 . 2004-08-12 10:10   221,184   --a------   C:\WINDOWS\system32\wmpns.dll
2008-03-31 12:38 . 2008-03-31 12:38   <DIR>   d--------   C:\WINDOWS\system32\LogFiles
2008-03-31 12:38 . 2008-03-31 12:39   <DIR>   d--------   C:\WINDOWS\system32\drivers\UMDF
2008-03-31 12:08 . 2008-04-15 07:39   69   --a------   C:\WINDOWS\NeroDigital.ini
2008-03-31 10:59 . 2008-03-31 10:59   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Ahead
2008-03-31 10:54 . 2008-03-31 10:54   <DIR>   d--------   C:\Program Files\Nero
2008-03-31 10:54 . 2008-03-31 17:02   <DIR>   d--------   C:\Program Files\Common Files\Ahead
2008-03-28 23:37 . 2008-03-28 23:37   90,112   --a------   C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37   57,344   --a------   C:\WINDOWS\system32\QuickTime.qts
2008-03-25 10:34 . 2006-12-06 00:19   44   --a------   C:\WINDOWS\system32\lxdcrwrd.ini
2008-03-25 10:33 . 2008-03-25 10:35   <DIR>   d--------   C:\Program Files\Lexmark 1300 Series
2008-03-25 10:33 . 2007-05-17 09:54   323,584   --a------   C:\WINDOWS\system32\LXDChcp.dll
2008-03-25 10:33 . 2007-05-17 10:09   286,720   --a------   C:\WINDOWS\system32\LXDCinst.dll
2008-03-25 10:33 . 2008-03-25 10:34   131,959   --a------   C:\WINDOWS\system32\LexFiles.ulf
2008-03-25 10:32 . 2007-03-28 09:16   344,064   -ra------   C:\WINDOWS\system32\lxdccoin.dll
2008-03-25 10:32 . 2007-03-18 21:45   77,906   -ra------   C:\WINDOWS\system32\lxdccfg.dll
2008-03-25 10:32 . 2007-05-25 05:19   1,827   -ra------   C:\WINDOWS\system32\lxdc.loc
2008-03-24 16:13 . 2008-03-25 10:33   <DIR>   d--------   C:\Program Files\Lexmark Toolbar
2008-03-24 16:03 . 2008-02-22 02:33   69,632   --a------   C:\WINDOWS\system32\javacpl.cpl
2008-03-24 04:29 . 2008-03-24 04:29   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Leadertech
2008-03-24 03:02 . 2008-03-24 03:02   <DIR>   d--------   C:\WINDOWS\Sun
2008-03-23 04:38 . 2008-03-23 04:38   <DIR>   d--------   C:\Program Files\Linksys Wireless-G Print Server
2008-03-23 04:38 . 2006-10-18 18:32   37,248   --a------   C:\WINDOWS\system32\lknuhub.sys
2008-03-23 04:38 . 2006-10-18 18:32   11,648   --a------   C:\WINDOWS\system32\lknucmp.sys
2008-03-23 04:38 . 2006-10-18 18:35   1,393   --a------   C:\WINDOWS\system32\lknucmp.inf
2008-03-23 04:38 . 2006-10-18 18:36   1,371   --a------   C:\WINDOWS\system32\lknuhub.inf
2008-03-22 20:00 . 2008-03-22 20:01   16,826   --ah-----   C:\WINDOWS\system32\brdiag.GID
2008-03-21 21:02 . 2008-03-22 14:37   247   --a------   C:\WINDOWS\BRMRCV.INI
2008-03-21 20:53 . 2008-03-21 20:53   <DIR>   d--------   C:\Brother
2008-03-21 18:22 . 2008-03-21 18:22   1,673,180   --a------   C:\Program Files\WRT54GSv7_7.50.5_fw_US_code.bin
2008-03-21 17:52 . 2006-10-18 18:32   37,248   --a------   C:\WINDOWS\system32\drivers\lknuhub.sys
2008-03-21 17:52 . 2006-10-18 18:32   11,136   --a------   C:\WINDOWS\system32\drivers\lknuhst.sys
2008-03-21 17:51 . 2007-02-28 22:58   813   -ra------   C:\setup.iss
2008-03-21 16:56 . 2008-03-23 05:41   <DIR>   d--------   C:\Program Files\Brownie
2008-03-21 16:55 . 2008-03-22 19:58   <DIR>   d--------   C:\Program Files\Brother

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-20 17:43   ---------   d-----w   C:\Program Files\Lx_cats
2008-04-08 00:02   19,372   ----a-w   C:\WINDOWS\system32\drivers\frmupgr.sys
2008-04-07 23:56   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-04-06 19:14   ---------   d-----w   C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor
2008-03-29 10:55   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-03-24 20:03   ---------   d-----w   C:\Program Files\Java
2008-03-23 05:00   ---------   d-s---w   C:\Documents and Settings\All Users\Application Data\Memeo
2008-03-23 00:13   ---------   d--h--w   C:\Documents and Settings\Owner\Application Data\GTek
2008-03-21 20:55   ---------   d-----w   C:\Program Files\Common Files\InstallShield
2008-03-21 20:28   ---------   d-----w   C:\Program Files\Common Files\Adobe
2008-03-21 00:43   ---------   d-----w   C:\Program Files\Enroute Imaging
2008-03-21 00:36   ---------   d-----w   C:\Program Files\OLYMPUS
2008-03-20 21:58   ---------   d-----w   C:\Program Files\Analog Devices
2008-03-20 21:02   ---------   d-----w   C:\Program Files\Picasa2
2008-03-20 00:28   ---------   d-----w   C:\Program Files\Common Files\MySoftware
2008-03-19 23:32   ---------   d-----w   C:\Program Files\Google
2008-03-19 23:31   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\InstallShield
2008-03-19 23:29   ---------   d-----w   C:\Program Files\Western Digital Technologies
2008-03-19 22:23   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-03-19 20:47   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\Corel
2008-03-19 20:45   ---------   d-----w   C:\Program Files\Intel
2008-03-19 20:04   ---------   d-----w   C:\Program Files\WexTech
2008-03-19 20:04   ---------   d-----w   C:\Program Files\Common Files\WexTech Shared
2008-03-19 20:04   ---------   d-----w   C:\Program Files\Common Files\LHSPF
2008-03-19 20:01   ---------   d-----w   C:\Program Files\Corel
2008-03-19 20:01   ---------   d-----w   C:\Program Files\Borland
2008-03-19 19:48   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\Sonic
2008-03-19 19:47   ---------   d-----w   C:\Program Files\Common Files\Sonic
2008-03-19 19:46   ---------   d-----w   C:\Program Files\Sonic
2008-03-19 18:32   ---------   d-----w   C:\Program Files\Linksys EasyLink Advisor
2008-03-19 18:18   499,712   ----a-w   C:\WINDOWS\system32\msvcp71.dll
2008-03-19 18:18   348,160   ----a-w   C:\WINDOWS\system32\msvcr71.dll
2008-03-19 17:16   ---------   d-----w   C:\Program Files\Microsoft IntelliType Pro
2008-03-19 17:16   ---------   d-----w   C:\Program Files\Microsoft IntelliPoint
2008-03-19 14:48   ---------   d--ha-w   C:\Documents and Settings\All Users\Application Data\GTek
2008-03-19 13:47   ---------   d-----w   C:\Program Files\Western Digital
2008-03-19 13:47   ---------   d-----w   C:\Program Files\Common Files\Java
2008-03-19 13:47   ---------   d-----w   C:\Program Files\B's Recorder GOLD5
2008-03-19 13:47   ---------   d-----w   C:\Program Files\ArcSoft
2008-03-19 13:47   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-03-19 09:47   1,845,248   ----a-w   C:\WINDOWS\system32\win32k.sys
2008-03-19 02:55   ---------   d-----w   C:\Program Files\microsoft frontpage
2008-03-01 13:06   826,368   ----a-w   C:\WINDOWS\system32\wininet.dll
2008-02-23 02:38   43,872   ----a-w   C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-02-20 06:51   282,624   ----a-w   C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32   45,568   ----a-w   C:\WINDOWS\system32\dnsrslvr.dll
2008-01-29 16:02   107,368   ----a-w   C:\WINDOWS\system32\GEARAspi.dll
.

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 21, 2008, 07:40:35 AM

combofix {part 2}

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
2008-04-18 17:58 2051328 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-04-18 17:58 2051328]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-04-18 17:58 2051328]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 19:16 454784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 09:56 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 19:03 152872]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2008-04-07 19:56 36864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 02:05 122939]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [ ]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1404928]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"lxdcmon.exe"="C:\Program Files\Lexmark 1300 Series\lxdcmon.exe" [ ]
"lxdcamon"="C:\Program Files\Lexmark 1300 Series\lxdcamon.exe" [2007-04-30 04:19 20480]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-09-05 12:19 94208 C:\WINDOWS\KHALMNPR.Exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-09-05 12:19 94208 C:\WINDOWS\KHALMNPR.Exe]
"Logitech BT Wizard"="LBTWiz.exe" []
"Easy Synchronization"="C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe" [2005-10-05 12:00 53248]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-08-17 23:19:54 622653]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-04-07 19:56:23 196608]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-04-07 19:54:51 671744]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= F:\vulcan_1024x768.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= F:\Nalu_1920x1440.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= F:\Adrianne_1400x1050.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]
Source= C:\Documents and Settings\Owner\My Documents\My Pictures\black_cat.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\4]
Source= C:\Documents and Settings\Owner\My Documents\My Pictures\cat13b.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\5]
Source= C:\Documents and Settings\Owner\My Documents\My Pictures\wanimal3t.gif
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FE24CD78-7C63-465D-8787-4EDF7FC79895}"= C:\Program Files\Logitech\Easy Synchronization\shellexecutehook.dll [2005-10-05 12:00 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2006-10-25 19:01 65536 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWlgn.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"msacm.mpegacm"= mpegacm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoStart IR.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoStart IR.lnk
backup=C:\WINDOWS\pss\AutoStart IR.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Application Director 9.LNK]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Desktop Application Director 9.LNK
backup=C:\WINDOWS\pss\Desktop Application Director 9.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MySoftware InterCom.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MySoftware InterCom.lnk
backup=C:\WINDOWS\pss\MySoftware InterCom.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 11:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2008-04-18 17:58 1177368 C:\PROGRA~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-03-19 19:32 1862144 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2007-02-05 19:52 849280 C:\Program Files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
--a------ 2006-11-21 21:08 813912 C:\Program Files\Microsoft IntelliType Pro\itype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--a------ 2007-01-08 22:17 52256 C:\Program Files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSDiagnosticM]
--a------ 2007-02-27 16:29 315392 C:\Program Files\Linksys Wireless-G Print Server\PSDiagnosticM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2007-01-08 22:26 68640 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead Quick-Drop]
--------- 2006-06-06 11:47 118784 C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 5 SE\Ulead DVD MovieFactory 5\Quick-Drop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2004-01-07 02:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"UleadBurningHelper"=2 (0x2)
"RichVideo"=2 (0x2)
"NBService"=3 (0x3)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"GoogleDesktopManager"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\lxdccoms.exe"=
"C:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"=
"C:\\Program Files\\Lexmark 1300 Series\\app4r.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcpswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcjswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdctime.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-04-18 17:58]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-04-18 17:58]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-04-18 17:57]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-04-18 17:57]
R2 avgfws8;AVG8 Firewall;C:\PROGRA~1\AVG\AVG8\avgfws8.exe [2008-04-18 17:57]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-04-18 17:58]
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-10-25 19:10]
R2 lxdc_device;lxdc_device;C:\WINDOWS\system32\lxdccoms.exe [2007-05-25 05:38]
R3 Avgfwdx;Avgfwdx;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-04-18 17:38]
R3 hcw18bda;Hauppauge WinTV 418 Driver;C:\WINDOWS\system32\drivers\hcw18bda.sys [2007-05-10 14:43]
R3 lknuhst;Linksys Network USB Host Controller;C:\WINDOWS\system32\DRIVERS\lknuhst.sys [2006-10-18 18:32]
R3 LKNUHUB;Linksys Network USB Root Hub;C:\WINDOWS\system32\DRIVERS\lknuhub.sys [2006-10-18 18:32]
S2 lxdcCATSCustConnectService;lxdcCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdcserv.exe [2007-05-25 05:38]
S3 Avgfwfd;AVG network filter service;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-04-18 17:38]
S3 HauppaugeTVServer;HauppaugeTVServer;C:\PROGRA~1\WinTV\HCWTVS~1.EXE [2007-02-20 15:11]
S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\ngrpci.sys [2001-08-17 13:12]

*Newly Created Service* - CATCHME
*Newly Created Service* - GTNDIS5
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-21 08:31:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-04-21 8:34:03
ComboFix-quarantined-files.txt 2008-04-21 12:33:01

Pre-Run: 18,073,759,744 bytes free
Post-Run: 19,050,729,472 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

384 --- E O F --- 2008-04-09 02:06:51

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: evilfantasy on April 21, 2008, 10:03:59 AM

Did Noadware just start reporting this infection when you installed AVG8?

Could this be a false positive?

Use the Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html)

Click Accept.
Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
- - Extended[/COLOR]
  - Scan Options:
  - - Scan Archives[/COLOR]
      - Scan Mail Bases[/COLOR]
    - Click OK & have it scan My Computer
    When the scan is done, in the Scan is complete window (below), any infection is displayed.
    There is no option to clean/disinfect, however, we need to analyze the information on the report.
    
    To obtain the report:
    Click on: Save Report As...
    
    (http://i154.photobucket.com/albums/s258/evilfantasy69/kscancomplete.jpg)
    - Next, in the Save as prompt, Save in area, select: Desktop.
    - In the File name area, use KScan, or something similar.
    - In Save as type: click the drop arrow and select: Text file [*.txt]
    - Then, click: Save
    (http://i154.photobucket.com/albums/s258/evilfantasy69/Kas-Savetxt.gif)
    
    Please copy and paste the Kaspersky Online Scanner Report in your next post.
    
    ---------------
    
    Next post
    Kaspersky log

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 21, 2008, 12:41:50 PM

Quote

Did Noadware just start reporting this infection when you installed AVG8?

Yes, I believe so. My NoAdware autoscans every morning {provided my computer is on, which it usually is}, at 6am while I'm at work, the last scan log for 4-17-2008 completed at 6:05am without the AntiVirusGold in it is here:
=======================
Noadware v5.0 --------------------------

Reference File = C:\Program Files\NoAdware5.0\noadware4_040408.na

---------------------------

Spyware Name = Tracking Cookie

Location = adinterax

Type = Cookie

Spyware Name = Tracking Cookie

Location = adopt.specificclick

Type = Cookie

Spyware Name = Tracking Cookie

Location = specificclick

Type = Cookie

======================

The scan for 4-18-2008 completed at 6:04am is here:
=======================

Noadware v5.0 --------------------------

Reference File = C:\Program Files\NoAdware5.0\noadware4_041608.na

---------------------------

Spyware Name = Tracking Cookie

Location = ad.yieldmanager

Type = Cookie

Spyware Name = Tracking Cookie

Location = bluestreak

Type = Cookie

Spyware Name = Tracking Cookie

Location = media.adrevolver

Type = Cookie

Spyware Name = Tracking Cookie

Location = ssl-hints.netflame

Type = Cookie

Spyware Name = AntiVirusGold

Location = C:\Program Files\AVG

Type = Directory

=======================

Quote

Could this be a false positive?

I guess so, although you make that call. I didn't know there was such a thing as a false positive.

Should I do anything about the files found after the combofix ran or continue to the "Kaspersky Online Scanner" now?

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: evilfantasy on April 21, 2008, 12:48:44 PM

We will clean up the tools we have used when we are done.

Go ahead with the kaspersky scan. It won't remove anything but the log will be very helpful.

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 21, 2008, 02:23:08 PM

Sorry for the delay. That scan took about an hour. Results below:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, April 21, 2008 4:18:40 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/04/2008
Kaspersky Anti-Virus database records: 719150
-------------------------------------------------------------------------------

Scan Settings:
   Scan using the following antivirus database: extended
   Scan Archives: true
   Scan Mail Bases: true

Scan Target - My Computer:
   C:\
   D:\
   E:\
   F:\
   L:\

Scan Statistics:
   Total number of scanned objects: 97346
   Number of viruses found: 1
   Number of infected objects: 3
   Number of suspicious objects: 0
   Duration of the scan process: 00:56:47

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Avg8\Antispam\scoffset.bin.incr   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Avg8\AvgAm\avgam.lck   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Avg8\emc\Log\emc.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Avg8\Log\avgam.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Avg8\Log\avgcore.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Avg8\Log\avgcore.log.1   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Avg8\Log\avgfw8u.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Avg8\Log\avgns.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Avg8\Log\avgrs.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Avg8\Log\avgsched.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Avg8\Log\commonpriv.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Avg8\Log\commonpub.log   Object is locked   skipped
C:\Documents and Settings\LocalService\Cookies\index.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG   Object is locked   skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG   Object is locked   skipped
C:\Documents and Settings\Owner\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\gdql_lsa_LinksysAgent.log   Object is locked   skipped
C:\Documents and Settings\Owner\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\glog.log   Object is locked   skipped
C:\Documents and Settings\Owner\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\LinksysAgent.log   Object is locked   skipped
C:\Documents and Settings\Owner\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\LinksysAgent_GTActions.log   Object is locked   skipped
C:\Documents and Settings\Owner\Cookies\index.dat   Object is locked   skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe   Infected: not-a-virus:RiskTool.Win32.Reboot.f   skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe   Infected: not-a-virus:RiskTool.Win32.Reboot.f   skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.zip   ZIP: infected - 1   skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Ahead\Nero Home\bl.db   Object is locked   skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Ahead\Nero Home\is2.db   Object is locked   skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat   Object is locked   skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008042120080422\index.dat   Object is locked   skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\Owner\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\BWDocMap.pht   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\BWInfopakMap.pht   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\chandir.dat   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\chandir.idx   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\chn.dat   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\chn.idx   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\D0000000.FCS   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\inuse.txt   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\L0000003.FCS   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\main.log   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs.dat   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs.idx   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs_die.dat   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs_die.idx   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs_dnd.dat   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs_dnd.idx   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs_ext.dat   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs_ext.idx   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs_rcv.dat   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs_rcv.idx   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\storydb.dat   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\storydb.idx   Object is locked   skipped
C:\System Volume Information\MountPointManagerRemoteDatabase   Object is locked   skipped
C:\System Volume Information\_restore{C900D7EF-0604-4853-84B0-ADDDB2906470}\RP3\change.log   Object is locked   skipped
C:\WINDOWS\Debug\PASSWD.LOG   Object is locked   skipped
C:\WINDOWS\SchedLgU.Txt   Object is locked   skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log   Object is locked   skipped
C:\WINDOWS\system32\CatRoot2\edb.log   Object is locked   skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb   Object is locked   skipped
C:\WINDOWS\system32\config\AppEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\default   Object is locked   skipped
C:\WINDOWS\system32\config\default.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\Internet.evt   Object is locked   skipped
C:\WINDOWS\system32\config\SAM   Object is locked   skipped
C:\WINDOWS\system32\config\SAM.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\SecEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\SECURITY   Object is locked   skipped
C:\WINDOWS\system32\config\SECURITY.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\software   Object is locked   skipped
C:\WINDOWS\system32\config\software.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\SysEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\system   Object is locked   skipped
C:\WINDOWS\system32\config\system.LOG   Object is locked   skipped
C:\WINDOWS\system32\h323log.txt   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP   Object is locked   skipped
C:\WINDOWS\WindowsUpdate.log   Object is locked   skipped
F:\System Volume Information\MountPointManagerRemoteDatabase   Object is locked   skipped
F:\System Volume Information\_restore{C900D7EF-0604-4853-84B0-ADDDB2906470}\RP3\change.log   Object is locked   skipped
L:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp   Object is locked   skipped
L:\System Volume Information\MountPointManagerRemoteDatabase   Object is locked   skipped
L:\System Volume Information\_restore{C900D7EF-0604-4853-84B0-ADDDB2906470}\RP3\change.log   Object is locked   skipped

Scan process completed.

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgra
Post by: evilfantasy on April 21, 2008, 02:28:09 PM

The log is clean. I am pretty sure that it was a false positive being given by Noadware.

Let's clear out the programs we've been using to clean up your computer, they are not suitable for
general malware removal and could cause damage if launched accidentally. These steps will also help secure the work you have done.
.

Click START then RUN
Now type Combofix /u in the runbox
Make sure there's a space between Combofix and /u
Then hit Enter.

(http://i154.photobucket.com/albums/s258/evilfantasy69/combofixu-1.jpg)

.
The above procedure will:

Delete:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present

Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.

.
Download OTMoveIt2 by OldTimer OTMoveIt2.exe (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) and place it on your desktop. (unless you already have it installed)

1. Double click OTMoveIt2.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete exit out of OTMoveIt2

Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.

Go to Start > Programs > Accessories > System Tools and click System Restore
Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create.
The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
Next go to Start > Run and type Cleanmgr
Click OK
Click the More Options Tab.
Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.

.
Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.

Click Start Now
Check the box next to Enable thorough system inspection.
Click Start
Allow the scan to finish and scroll down to see if any updates are needed.
Update anything listed.

.

Let me know how things are now.

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 21, 2008, 02:41:03 PM

Quote

Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop. (unless you already have it installed)

1. Double click OTMoveIt2.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.

When I click on the 'CleanUp button I get an error box that says:
"OTMoveIt2
I/O error 1784"
I clicked the 'OK' in that box and tried clicking the CleanUp button again and got the same message.
What did I miss?

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: evilfantasy on April 21, 2008, 02:44:00 PM

Did the list load into the box under the yellow bar?

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 21, 2008, 02:51:29 PM

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgra
Post by: evilfantasy on April 21, 2008, 02:53:28 PM

OK, open this attachment and copy then paste the entire list into the window under the yellow bar in OTMoveIt2. Then click the CleanUp button.

[recovering space - attachment deleted by admin]

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 21, 2008, 02:56:30 PM

Done but I get the same error message

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 21, 2008, 03:01:54 PM

Below is a copy - paste of whats in that box.

[nobackups]
[deleteself]
avenger.zip <Avenger by Swandog46>
avenger.exe
Avenger
avenger.txt
bfu.zip <BFU by Merijn>
BFU
combofix.exe <ComboFix by sUBs>
Combo-Fix.sys
ComboFix
erdnt
QooBox
ComboFix*.txt
catchme <delete service>
catchme.exe
fdsv.exe
grep.exe
moveex.exe
nircmd.exe
sed.exe
swreg.exe
Swsc.exe
Swxcacls.exe
VFind.exe
WS2Fix.exe
zip.exe
tmp.reg
dss.exe <Deckard's System Scanner by Deckard>
Deckard
deljob.exe <Author Unknown>
deljob
logit.txt
FindAWF.exe <FindAWF by noahdfear>
AWF.txt
fixwareout.exe <FixWareout by LonnyRJones>
fixwareout
fsbl.exe <F-Secure BlackLight>
fsbl*.log
gmer.exe <GMER by Gmer>
gmer.dll
gmer.ini
gmer.log
gmer_uninstall.cmd
gmer.sys
gmer <delete service>
haxfix.exe <Haxfix by Markie>
haxfix.txt
killbox.exe <Killbox by Option^Explicit>
!Killbox
NoLop.exe <NoLop by ?>
NoLop.txt
NoLopOLD.txt
delete.bat
OTMoveIt.exe <OTMoveIt by OldTimer>
OTMoveIt2.exe
_OTMoveIt
OTScanIt.exe <OTScanIt by OldTimer>
OTScanIt
rustbfix.exe <Rustbfix by Ejvindh>
Rustbfix
sdfix.exe <SDFix by Andy_Manchesta>
SDFix
Silent Runners.vbs <by Andrew ARONOFF>
SmitfraudFix.exe <SmitfraudFix by S!Ri>
SmitfraudFix
rapport.txt
SysInsite <System Insite by Bobbi Flekman>
VundoFix.exe <VundoFix by Atribune>
VundoFix Backups
vundofix.txt
vundofix.vft
win32delfkil.exe <WinDelfKil by Markie>
_backupD
windelf.txt
winpfind.exe <WinPfind by OldTimer>
WinPfind
WinPFind3u.exe <WinPFind3 by OldTimer>
WinPFind3u
WinPFind35u.exe <WinPFind35 by OldTimer>
WinPFind35u
cleanup.txt

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgra
Post by: evilfantasy on April 21, 2008, 03:08:58 PM

Strange.

These are the files we are trying to delete with OTMoveIt2. You may have to go in and manually delete them.

C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\VACFix.exe
C:\WINDOWS\system32\IEDFix.exe
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\WS2Fix.exe
C:\WINDOWS\system32\tmp.reg
C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.zip

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 21, 2008, 03:14:14 PM

Ok. I've deleted 1 so far. Give me a few minutes.

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 21, 2008, 03:27:53 PM

done, and only because I am trying to be cautious, do I now empty my 'Recycle Bin'?

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: evilfantasy on April 21, 2008, 03:29:48 PM

Yep, then do the rest of the instructions.

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 21, 2008, 03:59:30 PM

Quote

Use the Secunia Software Inspector to check for out of date software.

Click Start Now

Check the box next to Enable thorough system inspection.

Click Start

Allow the scan to finish and scroll down to see if any updates are needed.
Update anything listed.

When I clicked the start button in Secunia Software Inspector, it showed a message saying I needed Sun Java from www.java.com for Secunia Software Inspector to run correctly. so I went to java.com and downloaded the latest java file and verified that I have the latest version, but it looks like Secunia still has a problem with a java applet issue. Below is the current status:

Detection Statistics:

0 Applications Detected in Total
0 Insecure Versions Detected
0 Secure Versions Detected

Running For:
0 minutes, 0 seconds

Errors Detected:
0 Errors Detected
Enable thorough system inspection.
Enable the Secunia Software Inspector to search for software installed in non-default locations.

Beta Test! 10 days left of beta period
Beta test the 2nd generation Secunia NSI, the network aware edition of the Software Inspector. Download NSISetup.exe
Status / Currently Processing:

*There might be problems loading the Java Applet in your browser.
-------------------
*I wrapped the last sentence in bold myself.
what now?
BTW, did I mention that I really appreciate your time doing this!!!

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: evilfantasy on April 21, 2008, 04:09:57 PM

You may need to restart the computer if you just downloaded the Java.

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 21, 2008, 04:29:19 PM

I still get the same message. Is this the java download I need?
http://www.java.com/en/

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: evilfantasy on April 21, 2008, 04:31:47 PM

Yes thats it. Are you using Firefox or IE? It will work better in IE, but I just used it earlier today in Firefox so I am not sure what is going on. Try turning off your firewall and see if it works.

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 21, 2008, 04:40:59 PM

I'm running IE7. I tried with my AVG firewall disabled and windows firewall is off as normal. Also in control panel > internet options > security, the value for "sripting of java applets" is 'enable'.

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: evilfantasy on April 21, 2008, 04:47:00 PM

See if you can download and run the SECUNIA PSI Personal Edition - free also.

https://psi.secunia.com/

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 21, 2008, 05:06:11 PM

that worked fine. It shows I have 3 insecure programs and 83 patched:
The 3 insecure are:

Adobe flash player 9.x {active x control}
Safari for windows 3.x
Sun java JRE 1.5x / 5x

I don't see how to copy paste or post a log with this?

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: evilfantasy on April 21, 2008, 05:12:41 PM

Use the Adobe Online Uninstaller (http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_14157) to fully uninstall all old versions of flash player.

Then install the New Version (http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash)

----------

Go to add/remove programs and uninstall any old version of Java, leaving only the newest one 1.6.0.6

----------

Update Safari - Not sure how since I don't use it.

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 21, 2008, 05:30:46 PM

OK. I ran the 'Download Solution for all 3 insecure programs and re-scanned with Secunia PSI.
This scan only shows 1 insecure program; Sun Java JRE 1.5x / 5.x
I'll try uninstalling it and downloading again.

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: evilfantasy on April 21, 2008, 05:32:26 PM

Go to C:\Program Files\Java and delete the 1.5x / 5.x folder.

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 21, 2008, 05:44:46 PM

It won't let me delete it.
I get a message:
"cannot delete jusched.exe. access is denied. Make sure the disk is not full or write protected and that the file is not currently in use".

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgra
Post by: evilfantasy on April 21, 2008, 05:49:05 PM

Hmm, try this.

Download JavaRa.zip (http://prm753.bchea.org/click/click.php?id=9)

Unzip the file and open the JavaRa.exe
Click Remove Older Versions
JavaRa will search for and remove any outdated version of Java and remove any that are found.
Exit JavaRa.

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 21, 2008, 05:58:32 PM

done. Now I still have these folders in C/Program Files/Java/
jre1.5.0_12
jre1.6.0_05

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: evilfantasy on April 21, 2008, 06:03:00 PM

Actually both of those are old lol.

New version can be downloaded and installed HERE (http://www.filehippo.com/download_java_runtime/)

Then go to add/remove programs and uninstall all but the 1.6.0.6 that was just installed. Then go to program files and check for any old folders and delete them. All except for the 1.6.0.6 that was just installed.

Sorry, forgot that it just updated again last week.

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 21, 2008, 06:21:47 PM

Done.

'java 6 update 6' is the only java showing in add / remeve programs

In Program Files it added jre1.6.0_06, and let me delete jre1.6.0_05, but it still won't let me delete jre1.5.0_12

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: evilfantasy on April 21, 2008, 06:27:09 PM

Is the jre1.5.0_12 folder in Program Files, or is it just the entry in add/remove programs that is there?

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 21, 2008, 06:32:25 PM

jre1.5.0_12
is in program files. It does not show up in add / remove programs

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: evilfantasy on April 21, 2008, 06:37:26 PM

Download Unlocker 1.8.6 (http://ccollomb.free.fr/unlocker/) (scroll down the page a little)

Use Unlocker to try and delete the file. You will just right click it and choose Unlocker, then select delete.

If that doesn't work then try to delete it in safe mode.

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 21, 2008, 06:46:39 PM

Unlocker 1.8.6 won't delete it. It ask if I wanted it to perform the delete operation at next start-up and I clicked yes. Should I re-start now to try?

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 21, 2008, 06:48:28 PM

Oh, I'm sorry. how do I delete it in safe mode?

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: evilfantasy on April 21, 2008, 07:05:28 PM

See if it is gone after restarting. If not then restart in safe mode and try to delete it.

Starting your computer in safe mode

If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 21, 2008, 07:38:54 PM

Quote from: evilfantasy on April 21, 2008, 07:05:28 PM

See if it is gone after restarting.

It's gone. Yeah!!!

I'm going to have to leave for work in a few minutes. I'm sure your getting tired anyway. I have an appointment after work in the morning but will log back on afterward. When you get time, I'll need to get instructions on deleting the files in the latest NoAdware scan shown below.
Thanks again for all your help!!!

Noadware v5.0 --------------------------

Reference File = C:\Program Files\NoAdware5.0\noadware4_042108.na

---------------------------

Spyware Name = Kazaa

Location = HKEY_CURRENT_USER\software\kazaa

Type = RegKey

Spyware Name = Kazaa

Location = HKEY_CURRENT_USER\Software\Kazaa\LocalContent

Type = RegKey

Spyware Name = Backdoor.Bifrose

Location = HKEY_CURRENT_USER\Software\Wget

Type = RegKey

Spyware Name = Trojan.PWS.Tanspy

Location = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load

Type = RegKey

Spyware Name = Tracking Cookie

Location = 2o7

Type = Cookie

Spyware Name = Tracking Cookie

Location = ad.yieldmanager

Type = Cookie

Spyware Name = Tracking Cookie

Location = adinterax

Type = Cookie

Spyware Name = Tracking Cookie

Location = adopt.specificclick

Type = Cookie

Spyware Name = Tracking Cookie

Location = ads.pointroll

Type = Cookie

Spyware Name = Tracking Cookie

Location = advertising

Type = Cookie

Spyware Name = Tracking Cookie

Location = atdmt

Type = Cookie

Spyware Name = Tracking Cookie

Location = bluestreak

Type = Cookie

Spyware Name = Tracking Cookie

Location = DoubleClick

Type = Cookie

Spyware Name = Tracking Cookie

Location = media.adrevolver

Type = Cookie

Spyware Name = Tracking Cookie

Location = richmedia.yahoo

Type = Cookie

Spyware Name = Tracking Cookie

Location = specificclick

Type = Cookie

Spyware Name = Tracking Cookie

Location = ssl-hints.netflame

Type = Cookie

Spyware Name = Tracking Cookie

Location = xiti

Type = Cookie

Spyware Name = AntiVirusGold

Location = C:\Program Files\AVG

Type = Directory

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: evilfantasy on April 22, 2008, 06:32:00 AM

Try running Spybot and see if it gets rid of them. I am sort of wondering about Noadware now that I am positive it is seeing AVG as antivirusgold when it is clearly not that.

http://www.filehippo.com/download_spybot_search_destroy/

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgra
Post by: lectrocrew on April 22, 2008, 08:37:39 AM

Good morning evilfantasy.
I'm currently on another computer because mine has become so slow it took over 6 minutes to load this forum page after I clicked on the link in 'My Favorites'.
I tried installing spybot but it's so slow that I got an error box before the file could download. The box says:
"File Download
Error sending request the operation timed out".
My internet speed has been getting progressively slower during the time we have been trying to delete this AntiVirusGold file. Should I try removing some of those programs we have been using that are still on my desktop? There are a couple that run when I start my computer like Secunia and Unlocker assistant. Several icons on my desktop include
OTMoveIt2
Smithfraud
mbam
sniper.exe
hjt
kscan
unlocker1.8.6

Also, my AVG8 does not show any threats in the scan it did overnight, but it does ask if I want to remove 135 potentially dangerous files. Should I let it delete those files yet?

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: evilfantasy on April 22, 2008, 09:10:10 AM

You can uninstall or delete
OTMoveIt2
Smithfraud
sniper.exe
hjt
kscan
unlocker1.8.6

I would keep MBAM as it doesn't run unless you want it to and is great for an occasional scan.

Try working through some of the steps HERE (http://www.techsupportteam.org/forum/computer-maintenance/1181-maintenance-guide.html) including Disk cleanup, disk defrag and Manage autostart items. See if that improves performance.

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 22, 2008, 09:55:46 AM

Okay, I got most everything deleted and uninstalled and she's back running real well. Thanks so much for all your help!!!
I'll go through the list of maintenance items listed in your link later this evening. We've had 2 other mechanics call in sick where I work the last 2 nights and I've been working my *censored* off keeping all the extra machinery running by myself. And without much sleep the last few days, I won't be able to stay awake any longer enough to get all the maintenance steps done, not right anyway lol.
Wow, we've spent a lot of time working on this AntiVirusGold thing which looks like nothing to worry about anyway. It has been a real good learning experience for me.
Thank again!
BTW, is there a link to contribute a donation to this board? It's been very helpfull to me a few times and since it doesn't have a bunch of advertisements bothering everything, I figure I should help out with the operations. :)
later,
Mike

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: evilfantasy on April 22, 2008, 10:02:58 AM

Glad everything is getting back to normal :) Sometimes the simple ones turn into real beasts when the layers begin to get un-peeled!

We don't accept donations and I did ask this question once to the owner Nathan. Here is his response.

Quote from: Computer Hope Admin on April 01, 2008, 06:12:07 PM

Please refer users who're wanting to donate to the below link:

http://www.computerhope.com/issues/ch000586.htm

Although I've accepted donations in the past I originally created Computer Hope to help users and not make millions. The money I make from Google is enough to support me and Computer Hope and keep the site free without the need of donations.

Let me know if there is anything else. I am sort of wondering about Noadware now. I don't think it is bad, but they shouldn't be flagging AVG as malicious. Spybot should get anything that is left over though.

Cheers.

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 26, 2008, 07:40:10 PM

My computer was running fine at the time I last posted, but over the last few days has become really slow again. Web surfing speed is intermittant. One minute it loads the page very quickly, then on the next click it times out and give me a message below:
Internet Explorer cannot display the webpage

Most likely causes:
You are not connected to the Internet.
The website is encountering problems.
There might be a typing error in the address.

What you can try:
Diagnose Connection Problems

More information

-------------------
My wireless connection is "Very Good / 54 Mbps
There are 2 other computers in the house on this DSL connection, {1 wired / 1 wireless} They have normal consistant browsing speed.
Since I installed various new hardware devices back around early March, {250 Gb internal drive, 320 Gb external drive, 1Gb x 2 SDRAM, NVidia graphics card, CD-RW drive, DVD-RW drive, ect.}, my browsing speed has been fast and consistant. It wasn't until I found this AntiVirusGold ect. that I started having slow performance problems. I'm not saying the AntiVirusGold is the culprit, nor any other virus / spyware ect., but possibly something I did during the process of investigating this.

Since I last posted I have
preformed maintenance task listed in your guide,
purchased the MBAM software paid version,
re-installed Spybot,
un-installed AVG8 then re-installed AVG 7.5 with no improvement, then un-installed AVG 7.5 / installed AVG8, {AVG had broken / partial fonts in the scan log results. After re-installing AVG8 this is still happening.} I don't see how to 'copy paste' or 'save as' a scan log for AVG?
un-installed NoAdware,
installed Windows Defender,

I've noticed on my computer is: the image I'm suppose to see on the Java test page does not show up as it is suppose to, but on the 'verify installation page it says,
Verified Java Version

"Congratulations!

You have the recommended Java installed (1.6.0_06)."
-----------------------
ALSO,
Somewhere along the way while investigating that AntiVirusGold I came up with an Ebay icon on my desktop. I did not click on it because I was suspicious and When I scanned with MBAM scan on 4-22-08 it found:
"Files Infected:
C:\Documents and Settings\Owner\Application Data\Desktopicon\eBayShortcuts.exe (Trojan.Agent)"
But even after MBAM was supposed to have removed this Ebay threat, I still had an Ebay shortcut in my quick launch taskbar. I right clicked on it and tried to delete it, but it did not give me a drop-down menu with delete option. Then I dragged it to my desktop and tried to delete it there with the same result. It is still there. How do I get rid of this safely?

MBAM scan log for 4-22-08 below followed by most recent scan log:
=======================
Malwarebytes' Anti-Malware 1.11
Database version: 670

Scan type: Full Scan (C:\|F:\|L:\|)
Objects scanned: 130316
Time elapsed: 48 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Owner\Application Data\Desktopicon\eBayShortcuts.exe (Trojan.Agent) -> Quarantined and deleted successfully.

========================
SUPERAntiSpyware and MBAM log for today attached:

[recovering space - attachment deleted by admin]

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 26, 2008, 07:41:59 PM

SUPERAntiSpyware log attached

[recovering space - attachment deleted by admin]

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgra
Post by: evilfantasy on April 26, 2008, 08:05:45 PM

A few questions.

Is there an entry in add/remove programs that is related to the new eBay icon?
Have you tried to delete it in safe mode?
Are the other computers are running AVG as well.

Download Panda Anti-Rootkit.zip (http://research.pandasoftware.com/blogs/images/AntiRootkit.zip)
Unzip it and run the PAVARK.exe file.
Tick the box that says In depth scan and follow the on screen instructions.
Let me know the results in your reply and also post a new Hijackthis log.

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 27, 2008, 12:24:17 PM

Quote from: evilfantasy on April 26, 2008, 08:05:45 PM

A few questions.

Is there an entry in add/remove programs that is related to the new eBay icon?

No, FYI, I did find another program that I missed earlier that I don't remember installing, "WebEx", so I un-installed it.

Quote

Have you tried to delete it in safe mode?

I had not tried deleting in safe mode yet but did try this morning and the Ebay icon did delete.

Quote

Are the other computers are running AVG as well.

The wired desktop computer is running AVG, the wired / wireless notebook is running Trend Micro.

Quote

Download Panda Anti-Rootkit.zip (http://research.pandasoftware.com/blogs/images/AntiRootkit.zip)
Unzip it and run the PAVARK.exe file.
Tick the box that says In depth scan and follow the on screen instructions.
Let me know the results in your reply and also post a new Hijackthis log.

The first HJT log is from last night before deleting the ebay icon, 2nd HJT log is from today after deleting the Ebay icon. PAVARK is also after deleting Ebay icon.
I have not deleted anything yet with HJT.
-----------------
Panda results = scanned 4785 items / rootkits detected 0
-----------------
BTW, I've surfed several sites after re-starting and performance seems to be doing extremely well so far.

[recovering space - attachment deleted by admin]

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 27, 2008, 01:00:28 PM

Quote from: evilfantasy

]Is there an entry in add/remove programs that is related to the new eBay icon?

Quote from: lectrocrew

No, FYI, I did find another program that I missed earlier that I don't remember installing, "WebEx", so I un-installed it.

Never mind. I googled it and it is software provided by Cisco, which is the parent company of Linksys, the manufacturer of my wireless router, adapter and print server. I evidentally installed it when installing software for one of these devices.

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: evilfantasy on April 27, 2008, 01:21:59 PM

Is there an entry in add/remove for Logitec Desktop Messenger? There is again multiple entries in the HJT log for this and it is un-necessary. Other than that it all looks OK.

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: lectrocrew on April 27, 2008, 01:45:00 PM

Yes, it was available in 'Add Remove Programs' and I removed it. My Logitech Bluetooth wireless keyboard and mouse still work fine after re-start so I guess I don't need Logitech messenger anyway.

I have a few questions about some of the software I'm using so I'll be posting those in the appropriate section sometime soon, if I ever get a night off work {working 7 nights}.
Well, thanks again to this board and for your time an expertise!

Title: Re: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade
Post by: evilfantasy on April 27, 2008, 02:06:22 PM

No problem.