
Author Topic: A few suspicious items  (Read 10463 times)


Two-eyes (Topic Starter)
    A few suspicious items
    « on: December 20, 2009, 02:12:41 PM »
    Hi there, guys. I was just doing a scan for the heck of it and put the HijackThis log file in the CH process tool. A few things of interest came up.

    1. I DO have Comodo Firewall installed.
    2. vvsn.exe came back (CH thread from a few months ago).
    3. excel.exe. I DID NOT have Excel running during the scan, so what is this?

    My HijackThis report

    Thanks, guys, you're the best ;D

    I believe the bushes in my yard will BURN before God picks up a PC to send a message


    BC_Programmer
    Re: A few suspicious items
    « Reply #1 on: December 20, 2009, 03:21:29 PM »
    Could you attach the actual log?
    I was trying to dereference Null Pointers before it was cool.

    Two-eyes (Topic Starter)
      Re: A few suspicious items
      « Reply #2 on: December 21, 2009, 03:05:01 AM »
      OMG, I am soooo stupid!!!! VERY SORRY :-[ :-[ :-[ :-[

      But I'm at school. Will attach it when I arrive at home.

      VERY VERY SORRY :-[


      BC_Programmer
      Re: A few suspicious items
      « Reply #3 on: December 21, 2009, 03:12:51 AM »
      Don't worry about it :P

      Anyway, regarding excel.exe in the process list, it could be legitimate. Excel exposes its abilities to other programs by being what's called a "COM server". I won't bore you with the technical details, but suffice it to say that when another program uses Excel features like that (or Word features, or any Office application) the program needs to start. However, since the user might not even know that the program is using Excel features, Excel never actually shows itself.

      The problem is, if the application never tells Excel to quit, it stays open, even after the app you're using quits (or crashes), so Excel remains in the task list.
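The mechanism BC_Programmer describes, shown as an added PowerShell example (this is not code from the thread or from Microsoft; it assumes Microsoft Excel is installed on the machine and Windows PowerShell 3.0 or later). The first half drives Excel exactly the way an automation client does, so a windowless EXCEL.EXE appears; the second half performs the teardown that a client has to do, or the instance is left behind:

```powershell
# Added example (not from the thread). Shows why a windowless EXCEL.EXE turns up in a
# process list when some program drives Excel through COM automation, and the teardown
# that keeps it from being left behind. Assumes Microsoft Excel is installed.

function Get-HiddenExcelProcesses {
    # Excel instances with no visible top-level window. An automation-started instance
    # is typically launched by COM with "/automation -Embedding" on its command line.
    Get-Process -Name EXCEL -ErrorAction SilentlyContinue |
        Where-Object { $_.MainWindowHandle -eq 0 } |
        Select-Object Id, StartTime, @{ n = 'CommandLine'; e = { (Get-CimInstance Win32_Process -Filter "ProcessId = $($_.Id)").CommandLine } }
}

Write-Host "Hidden Excel instances before: $(@(Get-HiddenExcelProcesses).Count)"

# --- What a client does when it uses Excel "as a COM server" ---
$excel = New-Object -ComObject Excel.Application   # starts EXCEL.EXE; Visible defaults to $false
$book  = $excel.Workbooks.Add()
$book.Worksheets.Item(1).Range('A1').Value2 = 'filled in over COM'

Write-Host 'While the client holds the object:'
Get-HiddenExcelProcesses | Format-Table -AutoSize
# If the client stopped here (returned, crashed, or simply forgot), nothing has told the
# server to shut down. The user never saw a window, so there is nothing to close, and the
# orphaned EXCEL.EXE keeps showing up in Task Manager and in HijackThis' process list.

# --- The teardown a well-behaved client performs ---
$book.Close($false)                     # $false: discard changes, so no invisible "Save?" prompt
$excel.Quit()                           # tells the server to exit
[void][Runtime.InteropServices.Marshal]::ReleaseComObject($book)
[void][Runtime.InteropServices.Marshal]::ReleaseComObject($excel)
$book = $excel = $null
[GC]::Collect()                         # drop the RCWs created implicitly (Worksheets, Range, ...)
[GC]::WaitForPendingFinalizers()
Start-Sleep -Seconds 2                  # give the process a moment to exit
Write-Host "Hidden Excel instances after Quit() and release: $(@(Get-HiddenExcelProcesses).Count)"
```

When triaging a box, the `Get-HiddenExcelProcesses` part on its own is the useful check: an EXCEL.EXE with no visible window, started from the real Office directory with `-Embedding` on its command line, is consistent with the explanation above, and ending the process is the crude cleanup. If the image path is not the Office installation directory, that is a different conversation.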

      Two-eyes (Topic Starter)
        Re: A few suspicious items
        « Reply #4 on: December 21, 2009, 05:16:28 AM »
        Quote
        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 21:39:50, on 20/12/2009
        Platform: Windows XP SP3 (WinNT 5.01.2600)
        MSIE: Internet Explorer v7.00 (7.00.6000.16945)
        Boot mode: Normal

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\Ati2evxx.exe
        C:\WINDOWS\system32\svchost.exe
        C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
        C:\WINDOWS\system32\svchost.exe
        C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
        C:\WINDOWS\system32\Ati2evxx.exe
        C:\Program Files\AVG\AVG9\avgchsvx.exe
        C:\Program Files\AVG\AVG9\avgrsx.exe
        C:\Program Files\AVG\AVG9\avgcsrvx.exe
        C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\WINDOWS\Explorer.EXE
        C:\WINDOWS\RTHDCPL.EXE
        C:\PROGRA~1\AVG\AVG9\avgtray.exe
        C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
        C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
        C:\Program Files\Java\jre6\bin\jusched.exe
        C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
        C:\WINDOWS\system32\ctfmon.exe
        C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
        C:\WINDOWS\system32\taskmgr.exe
        C:\Documents and Settings\Steven\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
        C:\WINDOWS\system32\NOTEPAD.EXE
        C:\Program Files\AVG\AVG9\avgwdsvc.exe
        C:\Program Files\Ansys Inc\Shared Files\Licensing\intel\ansyslmd.exe
        C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
        C:\WINDOWS\system32\drivers\CDAC11BA.EXE
        C:\WINDOWS\system32\svchost.exe
        C:\Program Files\Java\jre6\bin\jqs.exe
        C:\WINDOWS\system32\lkcitdl.exe
        C:\WINDOWS\system32\lkads.exe
        C:\Program Files\AVG\AVG9\avgnsx.exe
        C:\WINDOWS\system32\lktsrv.exe
        C:\Program Files\National Instruments\MAX\nimxs.exe
        C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
        C:\WINDOWS\system32\nisvcloc.exe
        C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
        C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
        C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Documents and Settings\Steven\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
        C:\Documents and Settings\Steven\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
        C:\Documents and Settings\Steven\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
        C:\Documents and Settings\Steven\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
        C:\Documents and Settings\Steven\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
        C:\Documents and Settings\Steven\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
        C:\WINDOWS\regedit.exe
        C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
        O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
        O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
        O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
        O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
        O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
        O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
        O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
        O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
        O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
        O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
        O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
        O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
        O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
        O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
        O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
        O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
        O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Steven\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
        O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
        O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
        O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
        O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
        O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
        O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
        O4 - Startup: Shortcut to taskmgr.exe.lnk = C:\WINDOWS\system32\taskmgr.exe
        O4 - Startup: todo.txt
        O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
        O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
        O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
        O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
        O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
        O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O15 - Trusted Zone: http://*.mcafee.com
        O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
        O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
        O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
        O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cab
        O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
        O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} (Java Plug-in 1.6.0_15) -
        O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
        O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - https://secure.storegate.com/User/Files/Cabs/ImageUploader4.cab
        O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
        O20 - AppInit_DLLs:   C:\WINDOWS\system32\guard32.dll
        O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
        O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
        O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
        O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
        O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
        O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
        O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
        O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
        O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
        O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
        O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
        O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
        O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
        O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
        O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments Corporation - C:\WINDOWS\system32\lkads.exe
        O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments Corporation - C:\WINDOWS\system32\lktsrv.exe
        O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
        O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
        O23 - Service: NILM License Manager (NILM License manager) - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
        O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
        O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
        O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\SYSTEM32\OpcEnum.exe
        O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
        O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
        O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

        --
        End of file - 11042 bytes


        ===================================================
        Quote
        I won't bore you with the technical details
        Who are you, and what have you done with BC_Programmer?!?! :P.
        Thanks.

        Again, all, VERY sorry for the blonde moments :-[


        SuperDave (Malware Removal Specialist, Moderator)
        Re: A few suspicious items
        « Reply #5 on: December 23, 2009, 04:30:56 PM »
        Hello Two-eyes and welcome to Computer Hope Forum. My name is Superdave but you can just call me SD. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum, so it may take a bit longer to process your logs.

        1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
        2. The fixes are specific to your problem and should only be used for this issue on this machine.
        3. If you don't know or understand something, please don't hesitate to ask.
        4. Please DO NOT run any other tools or scans while I am helping you.
        5. It is important that you reply to this thread. Do not start a new topic.
        6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
        7. Absence of symptoms does not mean that everything is clear.

        Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

        Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

        Unzip the file on the desktop. Open MessengerDisable.exe, choose the bottom box (Uninstall Windows Messenger) and click Apply.

        Exit out of MessengerDisable then delete the two files that were put on the desktop.

        Add or Remove Programs

        1. Click on the Windows Start button and click on the Control Panel
        2. In the Control Panel window, double-click Add or Remove Programs icon.
        3. When the Add or Remove Programs window has fully populated, check for VVSN and uninstall

        Open HijackThis and select Do a system scan only

        Place a check mark next to the following entries: (if there)

        O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
        O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
        O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


        Important: Close all open windows except for HijackThis and then click Fix checked.

        Once completed, exit HijackThis.

        Please send me another HJT log.
        Windows 8 and Windows 10 dual boot with two SSD's

          Two-eyes (Topic Starter)
          Re: A few suspicious items
          « Reply #6 on: December 24, 2009, 11:53:23 AM »
          Hi there Dave.

          Windows Messenger was removed successfully. I think that's why the O9 entries weren't there.

          I did NOT find anything that has got to do with VVSN or WhenU. Also, I noticed that the O4 entry is still in the new HJT log.

          That btw is right here:
          Quote
          Logfile of Trend Micro HijackThis v2.0.2
          Scan saved at 19:42:30, on 24/12/2009
          Platform: Windows XP SP3 (WinNT 5.01.2600)
          MSIE: Internet Explorer v7.00 (7.00.6000.16945)
          Boot mode: Normal

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\Ati2evxx.exe
          C:\WINDOWS\system32\svchost.exe
          C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\system32\Ati2evxx.exe
          C:\Program Files\AVG\AVG9\avgchsvx.exe
          C:\Program Files\AVG\AVG9\avgrsx.exe
          C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
          C:\Program Files\AVG\AVG9\avgcsrvx.exe
          C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
          C:\WINDOWS\Explorer.EXE
          C:\WINDOWS\system32\spoolsv.exe
          C:\WINDOWS\RTHDCPL.EXE
          C:\PROGRA~1\AVG\AVG9\avgtray.exe
          C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
          C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
          C:\Program Files\Java\jre6\bin\jusched.exe
          C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
          C:\WINDOWS\system32\ctfmon.exe
          C:\Documents and Settings\Steven\Start Menu\Programs\Startup\procexp.exe
          C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
          C:\WINDOWS\system32\NOTEPAD.EXE
          C:\Documents and Settings\Steven\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
          C:\Program Files\AVG\AVG9\avgwdsvc.exe
          C:\Program Files\Ansys Inc\Shared Files\Licensing\intel\ansyslmd.exe
          C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
          C:\WINDOWS\system32\drivers\CDAC11BA.EXE
          C:\WINDOWS\system32\svchost.exe
          C:\Program Files\Java\jre6\bin\jqs.exe
          C:\WINDOWS\system32\lkcitdl.exe
          C:\WINDOWS\system32\lkads.exe
          C:\Program Files\AVG\AVG9\avgnsx.exe
          C:\WINDOWS\system32\lktsrv.exe
          C:\Program Files\National Instruments\MAX\nimxs.exe
          C:\WINDOWS\System32\svchost.exe
          C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
          C:\WINDOWS\system32\nisvcloc.exe
          C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
          C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
          C:\WINDOWS\System32\svchost.exe
          C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
          C:\WINDOWS\system32\svchost.exe
          C:\Program Files\Folding@home\Folding@home-x86\[email protected]
          C:\Documents and Settings\Steven\Application Data\Folding@home-x86\FahCore_78.exe
          C:\Documents and Settings\Steven\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
          C:\Documents and Settings\Steven\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
          C:\Documents and Settings\Steven\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
          C:\Documents and Settings\Steven\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
          C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
          R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
          R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
          O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
          O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
          O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
          O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
          O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
          O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
          O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
          O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
          O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
          O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
          O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
          O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
          O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
          O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
          O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Steven\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
          O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
          O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
          O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
          O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
          O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
          O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
          O4 - Startup: procexp.exe
          O4 - Startup: todo.txt
          O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
          O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
          O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
          O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
          O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O15 - Trusted Zone: http://*.mcafee.com
          O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
          O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
          O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
          O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cab
          O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
          O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} (Java Plug-in 1.6.0_15) -
          O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
          O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - https://secure.storegate.com/User/Files/Cabs/ImageUploader4.cab
          O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
          O20 - AppInit_DLLs:   C:\WINDOWS\system32\guard32.dll
          O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
          O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
          O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
          O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
          O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
          O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
          O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
          O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
          O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
          O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
          O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
          O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
          O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
          O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
          O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments Corporation - C:\WINDOWS\system32\lkads.exe
          O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments Corporation - C:\WINDOWS\system32\lktsrv.exe
          O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
          O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
          O23 - Service: NILM License Manager (NILM License manager) - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
          O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
          O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
          O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\SYSTEM32\OpcEnum.exe
          O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
          O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
          O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

          --
          End of file - 10512 bytes


          Thanks and merry Christmas


          SuperDave (Malware Removal Specialist, Moderator)
          Re: A few suspicious items
          « Reply #7 on: December 24, 2009, 01:24:16 PM »
          Quote
          Thanks and merry Christmas
          Thank you and best wishes for a Merry Christmas and a Happy New Year. ;D

          Quote
          1. Click on the Windows Start button and click on the Control Panel
          2. In the Control Panel window, double-click Add or Remove Programs icon.
          3. When the Add or Remove Programs window has fully populated, check for VVSN and uninstall
          Were you able to uninstall this program?
          Assuming you couldn't find it in Add/Remove programs, try to find it with this:

          Delete An Uninstall Entry

          •Start HijackThis

          •Click on the Open the Misc Tools section

          •Click on the Open Uninstall Manager button.

          •Highlight the entry you want to remove: VVSN

          •Click Delete this entry

            Two-eyes (Topic Starter)
            Re: A few suspicious items
            « Reply #8 on: December 25, 2009, 03:44:41 AM »
            Hi.
            I tried the thing from the add/remove program but didn't find VVSN.  So I tried it from HJT, but didn't find anything either.

            For the record, the file C:\Program Files\VVSN\VVSN.exe does not exist......well, the directory C:\Program Files\VVSN does not exist. [I searched for it and stuff, didn't turn up]

            Thanks
            Quote
            I believe the bushes in my yard will BURN before God picks up a PC to send a message


            SuperDave

            • Malware Removal Specialist
            • Moderator


            • Genius
            • Thanked: 1020
            • Certifications: List
            • Experience: Expert
            • OS: Windows 10
            Re: A few suspicious items
            « Reply #9 on: December 25, 2009, 05:07:33 PM »
Could you please send me another HJT log?
            Windows 8 and Windows 10 dual boot with two SSD's

            Two-eyes

              Topic Starter


              Intermediate
            • Thanked: 4
              Re: A few suspicious items
              « Reply #10 on: December 26, 2009, 06:32:08 AM »
              Here it is:

              Quote
              Logfile of Trend Micro HijackThis v2.0.2
              Scan saved at 14:27:23, on 26/12/2009
              Platform: Windows XP SP3 (WinNT 5.01.2600)
              MSIE: Internet Explorer v7.00 (7.00.6000.16945)
              Boot mode: Normal

              Running processes:
              C:\WINDOWS\System32\smss.exe
              C:\WINDOWS\system32\winlogon.exe
              C:\WINDOWS\system32\services.exe
              C:\WINDOWS\system32\lsass.exe
              C:\WINDOWS\system32\Ati2evxx.exe
              C:\WINDOWS\system32\svchost.exe
              C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\system32\Ati2evxx.exe
              C:\Program Files\AVG\AVG9\avgchsvx.exe
              C:\Program Files\AVG\AVG9\avgrsx.exe
              C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
              C:\Program Files\AVG\AVG9\avgcsrvx.exe
              C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
              C:\WINDOWS\Explorer.EXE
              C:\WINDOWS\system32\spoolsv.exe
              C:\WINDOWS\RTHDCPL.EXE
              C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe
              C:\PROGRA~1\AVG\AVG9\avgtray.exe
              C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
              C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
              C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
              C:\Program Files\Java\jre6\bin\jusched.exe
              C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
              C:\WINDOWS\system32\ctfmon.exe
              C:\Documents and Settings\Steven\Start Menu\Programs\Startup\procexp.exe
              C:\WINDOWS\system32\NOTEPAD.EXE
              C:\Documents and Settings\Steven\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
              C:\Program Files\AVG\AVG9\avgwdsvc.exe
              C:\Program Files\Ansys Inc\Shared Files\Licensing\intel\ansyslmd.exe
              C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
              C:\WINDOWS\system32\drivers\CDAC11BA.EXE
              C:\WINDOWS\system32\svchost.exe
              C:\Program Files\Java\jre6\bin\jqs.exe
              C:\WINDOWS\system32\lkcitdl.exe
              C:\WINDOWS\system32\lkads.exe
              C:\WINDOWS\system32\lktsrv.exe
              C:\Program Files\AVG\AVG9\avgnsx.exe
              C:\Program Files\National Instruments\MAX\nimxs.exe
              C:\WINDOWS\System32\svchost.exe
              C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
              C:\WINDOWS\system32\nisvcloc.exe
              C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
              C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
              C:\WINDOWS\System32\svchost.exe
              C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\system32\wuauclt.exe
              C:\Documents and Settings\Steven\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
              C:\Documents and Settings\Steven\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
              C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
              C:\Documents and Settings\Steven\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
              C:\Documents and Settings\Steven\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
              R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
              R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
              O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
              O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
              O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
              O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
              O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
              O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
              O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
              O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
              O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
              O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
              O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
              O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
              O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
              O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
              O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Steven\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
              O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
              O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
              O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
              O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
              O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
              O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
              O4 - Startup: procexp.exe
              O4 - Startup: todo.txt
              O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
              O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
              O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
              O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
              O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
              O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
              O15 - Trusted Zone: http://*.mcafee.com
              O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
              O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
              O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
              O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cab
              O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
              O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} (Java Plug-in 1.6.0_15) -
              O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
              O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - https://secure.storegate.com/User/Files/Cabs/ImageUploader4.cab
              O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
              O20 - AppInit_DLLs:   C:\WINDOWS\system32\guard32.dll
              O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
              O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
              O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
              O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
              O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
              O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
              O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
              O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
              O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
              O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
              O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
              O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
              O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
              O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
              O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments Corporation - C:\WINDOWS\system32\lkads.exe
              O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments Corporation - C:\WINDOWS\system32\lktsrv.exe
              O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
              O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
              O23 - Service: NILM License Manager (NILM License manager) - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
              O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
              O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
              O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\SYSTEM32\OpcEnum.exe
              O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
              O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
              O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

              --
              End of file - 10463 bytes

              Quote
              I believe the bushes in my yard will BURN before God picks up a PC to send a message
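As an added example (not from the thread, and not part of HijackThis itself), a small Python triage script for the O4 registry-autorun lines in the log above: it pulls the target path out of each entry and flags entries whose executable is no longer on disk, which is the situation with the VVSN entry here. The filesystem contents and the running-process list are constructed stand-ins passed in as sets, so it runs offline on the sample lines embedded below.

```python
"""Triage HijackThis O4 (registry autorun) lines for orphaned targets.

Added example: parses the "O4 - <hive>\\..\\Run: [name] command" format used
in the HijackThis log quoted above and flags entries whose executable is
missing. Filesystem and process state are passed in as sets so the example
runs offline on constructed data.
"""
import re
from dataclasses import dataclass
from typing import Optional

# O4 registry autorun line, e.g.
#   O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
#   O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>\w+): "
    r"\[(?P<name>[^\]]*)\] (?P<command>.*)$"
)
# Trailing annotation HijackThis appends to HKUS entries.
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")
# Shortest prefix of an unquoted command that ends in an executable extension
# followed by whitespace or end of line; this keeps unquoted paths with spaces intact.
EXE_EXT_RE = re.compile(
    r"^(?P<path>.+?\.(?:exe|dll|com|bat|cmd|scr|pif))(?=\s|$)", re.IGNORECASE
)


@dataclass
class AutorunEntry:
    hive: str
    key: str
    name: str
    command: str
    target: Optional[str]  # executable path extracted from command, None if unparseable


def extract_target(command: str) -> Optional[str]:
    """Pull the executable path out of an autorun command line (arguments dropped)."""
    cmd = USER_SUFFIX_RE.sub("", command).strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 1 else None
    m = EXE_EXT_RE.match(cmd)
    return m.group("path") if m else None


def parse_o4_lines(log_text: str) -> list[AutorunEntry]:
    """Return every registry O4 entry in a HijackThis log; other sections are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        entries.append(AutorunEntry(
            hive=m["hive"], key=m["key"], name=m["name"],
            command=m["command"], target=extract_target(m["command"]),
        ))
    return entries


def classify(entry: AutorunEntry, present_files: set[str], running: set[str]) -> str:
    """Label one entry; present_files and running hold lower-cased full paths."""
    if entry.target is None:
        return "unparsed"
    if "\\" not in entry.target:
        # Bare file name: resolved through the search path at logon, so
        # existence cannot be judged from the log alone.
        return "bare-name"
    t = entry.target.lower()
    if t not in present_files:
        return "orphan"  # autorun key still points at a file that is gone
    return "present-running" if t in running else "present-idle"


def triage(log_text: str, present_files: set[str], running: set[str]) -> dict[str, str]:
    """Map autorun entry name -> status for every O4 registry line in the log."""
    return {e.name: classify(e, present_files, running) for e in parse_o4_lines(log_text)}


# Constructed sample in the format of the HijackThis log above (not the full log).
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Steven\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Startup: procexp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
"""

# Constructed stand-ins for the filesystem and the "Running processes" section.
# VVSN.exe is deliberately absent, matching what the thread reports.
PRESENT_FILES = {p.lower() for p in [
    r"C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe",
    r"C:\Program Files\COMODO\COMODO Internet Security\cfp.exe",
    r"C:\Documents and Settings\Steven\Local Settings\Application Data\Google\Update\GoogleUpdate.exe",
    r"C:\WINDOWS\system32\CTFMON.EXE",
]}
RUNNING = {p.lower() for p in [
    r"C:\Program Files\COMODO\COMODO Internet Security\cfp.exe",
    r"C:\WINDOWS\system32\ctfmon.exe",
]}

if __name__ == "__main__":
    for name, status in triage(SAMPLE_HJT, PRESENT_FILES, RUNNING).items():
        print(f"{status:16} {name}")
```

On a live machine the two sets would be built from a directory walk and a process listing; here they are constructed so the orphan result for VVSN is reproducible.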


              SuperDave

              • Malware Removal Specialist
              • Moderator


              • Genius
              • Thanked: 1020
              • Certifications: List
              • Experience: Expert
              • OS: Windows 10
              Re: A few suspicious items
              « Reply #11 on: December 26, 2009, 11:50:05 AM »
              Hello Two-eyes. That folder VVSN is still showing in the log. Let's try this tool and see if we can get rid of it.

              Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

              link # 1
              link #2

              Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

              Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Vista users: right-click combofix.exe, select Run as Administrator and follow the prompts.
              Double-click combofix.exe and follow the prompts.
              When finished, ComboFix will produce a log for you.
              Post the ComboFix log and a new HijackThis log in your next reply.

              NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

              Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
              Windows 8 and Windows 10 dual boot with two SSD's

              Two-eyes

                Topic Starter


                Intermediate
              • Thanked: 4
                Re: A few suspicious items
                « Reply #12 on: December 28, 2009, 03:24:13 PM »
                sorry for the delay.
                sooooo:
I did not find a way to disable AVG 9.0. I even tried to uninstall it, and THAT created problems.  I also didn't disable my Comodo Firewall, because I couldn't find the systray icon. (I'm currently banging my head on the wall, because I just realised that I could disable it from elsewhere.)

                Teatimer was easy.

                May I note that CF did NOT reboot my computer, and neither did I...

                Hopefully all of this didn't create problems with the CF scan. Here are the TWO logs.

                Many thanks.

                Quote
                ComboFix 09-12-27.04 - Steven 28/12/2009  22:58:54.3.1 - x86
                Microsoft Windows XP Professional  5.1.2600.3.1252.44.1033.18.1022.391 [GMT 1:00]
                Running from: c:\documents and settings\Steven\Desktop\ComboFix.exe
                AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
                FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
                .

                (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                .

                c:\windows\unins000.dat
                c:\windows\unins000.exe

                .
                (((((((((((((((((((((((((   Files Created from 2009-11-28 to 2009-12-28  )))))))))))))))))))))))))))))))
                .

                2009-12-28 21:20 . 2009-12-28 21:20   --------   d-----w-   c:\documents and settings\Steven\Application Data\AVG9
                2009-12-22 18:36 . 2009-12-16 14:43   4043032   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
                2009-12-22 18:36 . 2009-12-16 14:43   3776280   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
                2009-12-22 18:36 . 2009-12-19 17:20   294656   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avglngx.dll
                2009-12-22 18:36 . 2009-12-16 14:42   3967256   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
                2009-12-20 20:35 . 2009-12-20 20:35   --------   d-----w-   c:\program files\Trend Micro
                2009-12-19 22:13 . 2009-12-19 22:14   52224   ----a-w-   c:\documents and settings\Steven\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
                2009-12-19 19:52 . 2009-12-19 19:52   4844296   ----a-w-   c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
                2009-12-19 17:21 . 2009-12-16 14:42   2352920   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll
                2009-12-18 21:40 . 2009-12-18 21:40   98304   ----a-w-   c:\documents and settings\All Users\Application Data\NexonEU\NGM\nxgameeu.dll
                2009-12-18 21:40 . 2009-12-18 21:40   258352   ----a-w-   c:\documents and settings\All Users\Application Data\NexonEU\NGM\unicows.dll
                2009-12-18 21:40 . 2009-12-18 21:40   331776   ----a-w-   c:\documents and settings\All Users\Application Data\NexonEU\NGM\NGMResource.dll
                2009-12-18 21:39 . 2009-12-19 20:37   --------   d-----w-   c:\documents and settings\All Users\Application Data\NexonEU
                2009-12-18 21:39 . 2009-12-18 21:39   532480   ----a-w-   c:\documents and settings\All Users\Application Data\NexonEU\NGM\NGMDll.dll
                2009-12-18 21:39 . 2009-12-18 21:39   155648   ----a-w-   c:\documents and settings\All Users\Application Data\NexonEU\NGM\NGM.exe
                2009-12-18 21:00 . 2009-12-18 21:00   --------   d-----w-   c:\windows\system32\Adobe
                2009-12-18 20:26 . 2009-12-18 21:50   --------   d-----w-   C:\Download
                2009-12-18 20:25 . 2009-12-18 21:40   --------   d-----w-   C:\Nexon
                2009-12-18 20:24 . 2009-12-18 20:24   421888   ----a-w-   c:\windows\NEXON_EU_DownloaderUpdater.exe
                2009-12-05 08:46 . 2009-12-05 08:59   --------   d-----w-   c:\program files\SpeedFan
                2009-12-05 08:30 . 2009-12-05 08:45   --------   d-----w-   C:\Rain

                .
                ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                2009-12-28 21:54 . 2009-11-15 13:04   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9
                2009-12-28 21:40 . 2007-09-20 17:08   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
                2009-12-27 21:23 . 2009-11-27 17:01   --------   d-----w-   c:\documents and settings\Steven\Application Data\mIRC
                2009-12-27 21:23 . 2006-11-09 10:28   --------   d-----w-   c:\program files\mIRC
                2009-12-27 10:32 . 2009-09-13 17:11   --------   d-----w-   c:\documents and settings\Steven\Application Data\Folding@home-x86
                2009-12-19 22:14 . 2009-09-20 09:58   --------   d-----w-   c:\program files\SUPERAntiSpyware
                2009-12-19 22:13 . 2009-09-20 10:00   117760   ----a-w-   c:\documents and settings\Steven\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
                2009-12-19 19:52 . 2009-09-20 12:39   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                2009-12-19 19:36 . 2009-03-07 13:30   --------   d-----w-   c:\documents and settings\Steven\Application Data\HP
                2009-12-16 15:45 . 2009-09-21 09:38   --------   d-----w-   c:\documents and settings\All Users\Application Data\Lavasoft
                2009-12-16 15:10 . 2007-10-02 17:26   --------   d-----w-   c:\program files\Common Files\HP
                2009-12-16 15:10 . 2007-09-26 18:23   --------   d-----w-   c:\program files\HP
                2009-12-03 15:14 . 2009-09-20 12:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                2009-12-03 15:13 . 2009-09-20 12:39   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
                2009-11-27 19:49 . 2007-01-20 18:45   --------   d-----w-   c:\program files\Google
                2009-11-25 16:08 . 2009-09-25 19:12   171552   ----a-w-   c:\windows\system32\guard32.dll
                2009-11-25 16:08 . 2009-09-25 19:12   133064   ----a-w-   c:\windows\system32\drivers\cmdguard.sys
                2009-11-19 21:21 . 2005-12-09 08:58   86327   ----a-w-   c:\windows\pchealth\helpctr\OfflineCache\index.dat
                2009-11-19 19:30 . 2009-08-19 09:58   --------   d-----w-   c:\documents and settings\Steven\Application Data\HpUpdate
                2009-11-17 18:28 . 2009-09-25 19:12   87104   ----a-w-   c:\windows\system32\drivers\inspect.sys
                2009-11-17 18:27 . 2009-09-25 19:12   25160   ----a-w-   c:\windows\system32\drivers\cmdhlp.sys
                2009-11-17 18:16 . 2007-09-20 17:08   --------   d-----w-   c:\program files\Spybot - Search & Destroy
                2009-11-15 18:16 . 2009-11-15 18:16   --------   d-----w-   c:\documents and settings\Steven\Application Data\Ansys
                2009-11-15 13:04 . 2009-11-15 13:04   360584   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
                2009-11-15 13:04 . 2008-06-07 08:13   12464   ----a-w-   c:\windows\system32\avgrsstx.dll
                2009-11-15 13:04 . 2008-06-07 08:13   333192   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
                2009-11-15 13:04 . 2006-12-05 14:57   28424   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
                2009-11-15 13:04 . 2008-06-07 08:13   --------   d-----w-   c:\program files\AVG
                2009-11-14 13:38 . 2009-11-14 13:38   --------   d-----w-   c:\program files\Ares
                2009-11-14 13:19 . 2009-11-14 13:00   --------   d-----w-   c:\program files\LimeWire
                2009-11-12 18:36 . 2008-05-21 20:49   --------   d-----w-   c:\program files\Windows Live
                2009-11-11 20:07 . 2009-11-11 20:07   --------   d-----w-   c:\program files\Microsoft Office Outlook Connector
                2009-11-11 20:02 . 2009-11-11 20:02   --------   d-----w-   c:\program files\Microsoft
                2009-11-09 18:38 . 2006-09-21 15:00   --------   d-----w-   c:\program files\Java
                2009-11-04 19:38 . 2009-11-04 19:38   152576   ----a-w-   c:\documents and settings\Steven\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
                2009-10-29 07:46 . 2004-08-04 12:00   832512   ----a-w-   c:\windows\system32\wininet.dll
                2009-10-29 07:46 . 2004-08-04 12:00   78336   ----a-w-   c:\windows\system32\ieencode.dll
                2009-10-29 07:46 . 2004-08-04 12:00   17408   ------w-   c:\windows\system32\corpol.dll
                2009-10-21 05:38 . 2004-08-04 12:00   75776   ----a-w-   c:\windows\system32\strmfilt.dll
                2009-10-21 05:38 . 2004-08-04 12:00   25088   ----a-w-   c:\windows\system32\httpapi.dll
                2009-10-20 16:20 . 2004-08-04 12:00   265728   ----a-w-   c:\windows\system32\drivers\http.sys
                2009-10-13 10:30 . 2004-08-04 12:00   270336   ----a-w-   c:\windows\system32\oakley.dll
                2009-10-12 13:38 . 2004-08-04 12:00   149504   ----a-w-   c:\windows\system32\rastls.dll
                2009-10-12 13:38 . 2004-08-04 12:00   79872   ----a-w-   c:\windows\system32\raschap.dll
                2009-10-11 03:17 . 2009-03-07 16:16   411368   ----a-w-   c:\windows\system32\deploytk.dll
                2007-09-16 18:25 . 2007-09-16 18:25   12256128   ----a-w-   c:\program files\Ares.bin
                2007-04-12 08:40 . 2007-04-12 08:40   2621952   ----a-w-   c:\program files\tp70.exe
                2004-03-15 16:51 . 2004-03-15 16:51   114688   ----a-w-   c:\program files\internet explorer\plugins\LV71ActiveXControl.dll
                2007-07-24 17:03 . 2007-07-24 17:03   118784   ----a-w-   c:\program files\internet explorer\plugins\LV85ActiveXControl.dll
                2008-05-29 00:33 . 2008-08-07 21:21   80   --sha-w-   c:\windows\system32\indata.dat
                .

                (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                .
                *Note* empty entries & legit default entries are not shown
                REGEDIT4

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                "High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 61952]
                "RTHDCPL"="RTHDCPL.EXE" [2005-08-16 14565376]
                "StartupDelayer"="c:\program files\r2 Studios\Startup Delayer\Startup Launcher.exe" [2009-03-08 73728]
                "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-16 2033432]

                [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

                [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
                "RunNarrator"="Narrator.exe" [2008-04-14 53760]

                c:\documents and settings\Steven\Start Menu\Programs\Startup\
                procexp.exe [2009-12-21 3549552]
                todo.txt [2009-12-28 51]

                [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

                [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
                2009-11-15 13:04   12464   ----a-w-   c:\windows\system32\avgrsstx.dll

                [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
                2005-05-31 21:46   110592   ----a-w-   c:\program files\Intel\Wireless\Bin\LgNotify.dll

                [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
                "AppInit_DLLs"=c:\windows\system32\guard32.dll

                [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
                @=""

                [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
                "ares"="c:\program files\Ares\ares.exe" -h
                "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
                "SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

                [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
                "KTPWare"=c:\program files\Elantech\Ktp.exe
                "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
                "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
                "VVSN"=c:\program files\VVSN\VVSN.exe

                [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                "%windir%\\system32\\sessmgr.exe"=
                "c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
                "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\ANSYS.exe"=
                "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\ans_admin.exe"=
                "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\ls970.exe"=
                "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\ls970_DP.exe"=
                "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\lsprepostd.exe"=
                "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\mpitest.exe"=
                "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\mpitestmpich.exe"=
                "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\sxpost.exe"=
                "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\tclsh.exe"=
                "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\wish.exe"=
                "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\DANSYS\\ANSYS.exe"=
                "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\DANSYSMPICH\\ANSYS.exe"=
                "c:\\Program Files\\Ansys Inc\\v100\\CommonFiles\\TCL\\bin\\Intel\\tclsh.exe"=
                "c:\\Program Files\\Ansys Inc\\v100\\CommonFiles\\TCL\\bin\\Intel\\wish.exe"=
                "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\catia\\Intel\\ac4catia.exe"=
                "c:\\Program Files\\Ansys Inc\\v100\\CommonFiles\\CATIAV5\\Intel\\code\\bin\\ac4catia5.exe"=
                "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\para\\Intel\\ac4para.exe"=
                "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\pro\\Intel\\ac4pro.exe"=
                "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\sat\\Intel\\ac4sat.exe"=
                "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\ug10\\Intel\\ansconug10.exe"=
                "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\ug20\\Intel\\ansconug20.exe"=
                "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\ug30\\Intel\\ansconug30.exe"=
                "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                "c:\\Program Files\\Ares\\Ares.exe"=
                "c:\\Program Files\\National Instruments\\LabVIEW 7.1\\LabVIEW.exe"=
                "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
                "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
                "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
                "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
                "c:\\Program Files\\mIRC\\mirc.exe"=
                "c:\\Nexon\\NEXON_EU_Downloader\\NEXON_EU_Downloader_Engine.exe"=
                "c:\\Documents and Settings\\All Users\\Application Data\\NexonEU\\NGM\\NGM.exe"=
                "c:\nexon\Combat Arms EU\CombatArms.exe"= c:\nexon\Combat Arms EU\CombatArms.exe:*Enabled:CombatArms.exe
                "c:\nexon\Combat Arms EU\Engine.exe"= c:\nexon\Combat Arms EU\Engine.exe:*Enabled:Engine.exe
                "c:\\Nexon\\Combat Arms EU\\NMService.exe"=

                R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [07/06/2008 09:13 333192]
                R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [15/11/2009 14:04 360584]
                R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [25/09/2009 20:12 133064]
                R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [25/09/2009 20:12 25160]
                R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [15/09/2009 10:42 9968]
                R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [15/09/2009 10:42 74480]
                R2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;c:\progra~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe [30/03/2007 08:56 909312]
                R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [15/11/2009 14:04 285392]
                S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/07/2009 12:29 133104]
                S3 Brndis;External USB Cable Modem;c:\windows\system32\drivers\Brndis.sys [09/10/2007 16:37 16512]
                S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [15/09/2009 10:42 7408]

                [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
                HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
                hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
                .
                ------- Supplementary Scan -------
                .
                uStart Page = hxxp://www.google.com/
                IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
                Trusted Zone: internet
                Trusted Zone: mcafee.com
                DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} - hxxp://www.techsmith.com/codec/tsccinst.cab
                DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
                .
                - - - - ORPHANS REMOVED - - - -

                Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
                WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
                HKLM-Run-VVSN - c:\program files\VVSN\VVSN.exe
                ShellExecuteHooks-{4F07DA45-8170-4859-9B5F-037EF2970034} - (no file)
                Notify-!SASWinLogon - (no file)
                AddRemove-Spybot - Search & Destroy_is1 - c:\windows\unins000.exe



                **************************************************************************

                catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                Rootkit scan 2009-12-28 23:08
                Windows 5.1.2600 Service Pack 3 NTFS

                detected NTDLL code modification:
                ZwClose, ZwOpenFile

                scanning hidden processes ... 

                scanning hidden autostart entries ...

                scanning hidden files ... 

                scan completed successfully
                hidden files: 0

                **************************************************************************
                .
                --------------------- LOCKED REGISTRY KEYS ---------------------

                [HKEY_USERS\S-1-5-21-682003330-583907252-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B81852FE-22D9-50ED-FF35-7ADC15B5E173}*]
                "hajjiceidhhfillk"=hex:6b,61,6f,69,63,6f,63,63,62,6c,66,68,6c,68,6f,67,61,6b,
                   66,6a,61,69,00,00
                "iadgcecikpimeplfbk"=hex:6b,61,6f,69,63,6f,63,63,62,6c,66,68,6c,68,6f,67,61,6b,
                   66,6a,61,69,00,00
                .
                --------------------- DLLs Loaded Under Running Processes ---------------------

                - - - - - - - > 'winlogon.exe'(816)
                c:\windows\system32\guard32.dll
                c:\windows\system32\Ati2evxx.dll
                c:\program files\Intel\Wireless\Bin\LgNotify.dll

                - - - - - - - > 'lsass.exe'(872)
                c:\windows\system32\guard32.dll
                .
                Completion time: 2009-12-28  23:13:23
                ComboFix-quarantined-files.txt  2009-12-28 22:13

                Pre-Run: 19,581,095,936 bytes free
                Post-Run: 19,716,173,824 bytes free

                - - End Of File - - CB4133A9848EBC6EEB5EFDF4796C5FFB

                HJT:
                Quote
                Logfile of Trend Micro HijackThis v2.0.2
                Scan saved at 23:17:51, on 28/12/2009
                Platform: Windows XP SP3 (WinNT 5.01.2600)
                MSIE: Internet Explorer v7.00 (7.00.6000.16945)
                Boot mode: Normal

                Running processes:
                C:\WINDOWS\System32\smss.exe
                C:\WINDOWS\system32\winlogon.exe
                C:\WINDOWS\system32\services.exe
                C:\WINDOWS\system32\lsass.exe
                C:\WINDOWS\system32\Ati2evxx.exe
                C:\WINDOWS\system32\svchost.exe
                C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
                C:\WINDOWS\system32\svchost.exe
                C:\Program Files\AVG\AVG9\avgchsvx.exe
                C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
                C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
                C:\WINDOWS\system32\spoolsv.exe
                C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
                C:\WINDOWS\system32\svchost.exe
                C:\Program Files\Java\jre6\bin\jqs.exe
                C:\WINDOWS\system32\lkads.exe
                C:\WINDOWS\system32\lktsrv.exe
                C:\Program Files\National Instruments\MAX\nimxs.exe
                C:\WINDOWS\System32\svchost.exe
                C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
                C:\WINDOWS\system32\nisvcloc.exe
                C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
                C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
                C:\WINDOWS\System32\svchost.exe
                C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
                C:\WINDOWS\system32\svchost.exe
                C:\WINDOWS\System32\svchost.exe
                C:\WINDOWS\system32\Ati2evxx.exe
                C:\WINDOWS\RTHDCPL.EXE
                C:\WINDOWS\system32\ctfmon.exe
                C:\Program Files\AVG\AVG9\avgwdsvc.exe
                C:\Program Files\AVG\AVG9\avgnsx.exe
                C:\Program Files\AVG\AVG9\avgrsx.exe
                C:\Program Files\AVG\AVG9\avgcsrvx.exe
                C:\Program Files\Ansys Inc\Shared Files\Licensing\intel\ansyslmd.exe
                C:\WINDOWS\explorer.exe
                C:\Documents and Settings\Steven\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
                C:\Documents and Settings\Steven\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
                C:\Documents and Settings\Steven\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
                C:\Documents and Settings\Steven\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
                C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

                R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
                R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
                R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
                R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
                R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
                O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
                O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
                O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
                O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
                O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
                O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
                O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
                O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
                O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
                O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
                O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
                O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
                O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
                O4 - Startup: procexp.exe
                O4 - Startup: todo.txt
                O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
                O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
                O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
                O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
                O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
                O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
                O15 - Trusted Zone: http://*.mcafee.com
                O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
                O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
                O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
                O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cab
                O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
                O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} (Java Plug-in 1.6.0_15) -
                O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
                O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - https://secure.storegate.com/User/Files/Cabs/ImageUploader4.cab
                O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
                O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
                O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
                O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
                O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
                O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
                O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
                O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
                O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
                O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
                O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
                O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
                O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
                O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
                O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
                O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments Corporation - C:\WINDOWS\system32\lkads.exe
                O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments Corporation - C:\WINDOWS\system32\lktsrv.exe
                O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
                O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
                O23 - Service: NILM License Manager (NILM License manager) - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
                O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
                O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
                O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\SYSTEM32\OpcEnum.exe
                O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
                O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
                O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

                --
                End of file - 9023 bytes
                Quote
                I believe the bushes in my yard will BURN before God picks up a PC to send a message


                SuperDave

                • Malware Removal Specialist
                • Moderator


                • Genius
                • Thanked: 1020
                • Experience: Expert
                • OS: Windows 10
                Re: A few suspicious items
                « Reply #13 on: December 29, 2009, 07:03:02 AM »
Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system.

                1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
                It must be Notepad, not Wordpad.
                2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
                KillAll::

                Registry::
                [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Malwarebytes Anti-Malware (reboot)"=-
                [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
                "VVSN"=-


                3. Go to the Notepad window and click Edit > Paste
                4. Then click File > Save
                5. Name the file CFScript.txt - Save the file to your Desktop
                6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



                ComboFix will begin to execute, just follow the prompts.
                After reboot (in case it asks to reboot), it will produce a log for you.
                Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

                Windows 8 and Windows 10 dual boot with two SSD's
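As an added example (not code from this thread, and not part of ComboFix), here is a small Python linter for the Registry:: block of a CFScript like the one in the post above. It assumes the REGEDIT4 conventions that block follows: a [HKEY_...] header names the key, a "Name"=- line under it deletes that value, "Name"="data" (or dword:/hex:) sets it, and [-HKEY_...] deletes a whole key. The sample script embedded in the code is constructed from the post, including a malformed "Name"="- line, which is not a deletion at all. Checking a script this way before dropping it on ComboFix shows what it will actually do and catches typos before the registry is touched.

```python
"""Lint the Registry:: block of a ComboFix CFScript before running it.

Added example; not from the forum thread and not ComboFix's own code.
Assumes the REGEDIT4-style syntax the post's script uses (an assumption,
not a ComboFix specification):
  [HKEY_...]      key header; following value lines apply to this key
  [-HKEY_...]     delete the whole key
  "Name"=-        delete the value Name
  "Name"=<data>   set the value ("string", dword:xxxxxxxx or hex:...)
"""
import re

# Constructed sample: the script from the post, with its malformed line 5.
SAMPLE_CFSCRIPT = r"""KillAll::

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Malwarebytes Anti-Malware (reboot)"="-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"VVSN"=-
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
# Full hive names only (HKEY_LOCAL_MACHINE, not HKLM); leading '-' deletes the key.
KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+\\[^\]]+)\]$")
DELETE_VALUE_RE = re.compile(r'^"([^"]+)"=-$')
SET_VALUE_RE = re.compile(
    r'^"([^"]+)"=(".*"|dword:[0-9a-fA-F]{8}|hex(\([0-9]\))?:.*)$')


def lint_cfscript(text):
    """Return (actions, problems) for the Registry:: block of a CFScript.

    actions : list of (kind, key, value_name) for well-formed lines, with
              kind one of "delete_key", "delete_value", "set_value".
    problems: list of (line_no, line, message) for lines that do not parse.
    Other sections (KillAll::, Files::, ...) are passed over untouched.
    """
    actions, problems = [], []
    section, current_key = None, None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1), None
            continue
        if section != "Registry":
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(2)
            if m.group(1) == "-":
                actions.append(("delete_key", current_key, None))
            continue
        if current_key is None:
            problems.append((line_no, line, "value line before any [HKEY_...] header"))
            continue
        m = DELETE_VALUE_RE.match(line)
        if m:
            actions.append(("delete_value", current_key, m.group(1)))
            continue
        m = SET_VALUE_RE.match(line)
        if m:
            actions.append(("set_value", current_key, m.group(1)))
            continue
        problems.append((line_no, line,
                         'not a valid "Name"=- deletion or "Name"=<data> assignment'))
    return actions, problems


if __name__ == "__main__":
    acts, probs = lint_cfscript(SAMPLE_CFSCRIPT)
    for kind, key, value in acts:
        print(f"{kind:12s} {key}  {value or ''}")
    for line_no, line, msg in probs:
        print(f"line {line_no}: {msg}: {line}")
```

Run against the sample, the linter reports one planned action (delete the VVSN value under the run- key) and one problem on line 5; after changing that line to "Malwarebytes Anti-Malware (reboot)"=- it reports two deletions and no problems.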

                Two-eyes

                  Topic Starter


                  Intermediate
                • Thanked: 4
                  Re: A few suspicious items
                  « Reply #14 on: December 29, 2009, 12:27:07 PM »
                  Here it is:

                  Quote
                  ComboFix 09-12-27.04 - Steven 29/12/2009  19:44:10.4.1 - x86
                  Microsoft Windows XP Professional  5.1.2600.3.1252.44.1033.18.1022.463 [GMT 1:00]
                  Running from: c:\documents and settings\Steven\Desktop\ComboFix.exe
                  Command switches used :: c:\documents and settings\Steven\Desktop\CFScript.txt
                  AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
                  FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
                  .

                  (((((((((((((((((((((((((   Files Created from 2009-11-28 to 2009-12-29  )))))))))))))))))))))))))))))))
                  .

                  2009-12-28 21:20 . 2009-12-28 21:20   --------   d-----w-   c:\documents and settings\Steven\Application Data\AVG9
                  2009-12-22 18:36 . 2009-12-16 14:43   4043032   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
                  2009-12-22 18:36 . 2009-12-16 14:43   3776280   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
                  2009-12-22 18:36 . 2009-12-19 17:20   294656   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avglngx.dll
                  2009-12-22 18:36 . 2009-12-16 14:42   3967256   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
                  2009-12-20 20:35 . 2009-12-20 20:35   --------   d-----w-   c:\program files\Trend Micro
                  2009-12-19 22:13 . 2009-12-19 22:14   52224   ----a-w-   c:\documents and settings\Steven\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
                  2009-12-19 19:52 . 2009-12-19 19:52   4844296   ----a-w-   c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
                  2009-12-19 17:21 . 2009-12-16 14:42   2352920   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll
                  2009-12-18 21:40 . 2009-12-18 21:40   98304   ----a-w-   c:\documents and settings\All Users\Application Data\NexonEU\NGM\nxgameeu.dll
                  2009-12-18 21:40 . 2009-12-18 21:40   258352   ----a-w-   c:\documents and settings\All Users\Application Data\NexonEU\NGM\unicows.dll
                  2009-12-18 21:40 . 2009-12-18 21:40   331776   ----a-w-   c:\documents and settings\All Users\Application Data\NexonEU\NGM\NGMResource.dll
                  2009-12-18 21:39 . 2009-12-19 20:37   --------   d-----w-   c:\documents and settings\All Users\Application Data\NexonEU
                  2009-12-18 21:39 . 2009-12-18 21:39   532480   ----a-w-   c:\documents and settings\All Users\Application Data\NexonEU\NGM\NGMDll.dll
                  2009-12-18 21:39 . 2009-12-18 21:39   155648   ----a-w-   c:\documents and settings\All Users\Application Data\NexonEU\NGM\NGM.exe
                  2009-12-18 21:00 . 2009-12-18 21:00   --------   d-----w-   c:\windows\system32\Adobe
                  2009-12-18 20:26 . 2009-12-18 21:50   --------   d-----w-   C:\Download
                  2009-12-18 20:25 . 2009-12-18 21:40   --------   d-----w-   C:\Nexon
                  2009-12-18 20:24 . 2009-12-18 20:24   421888   ----a-w-   c:\windows\NEXON_EU_DownloaderUpdater.exe
                  2009-12-05 08:46 . 2009-12-05 08:59   --------   d-----w-   c:\program files\SpeedFan
                  2009-12-05 08:30 . 2009-12-05 08:45   --------   d-----w-   C:\Rain

                  .
                  ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  2009-12-29 15:52 . 2009-11-27 17:01   --------   d-----w-   c:\documents and settings\Steven\Application Data\mIRC
                  2009-12-29 15:51 . 2006-11-09 10:28   --------   d-----w-   c:\program files\mIRC
                  2009-12-28 21:54 . 2009-11-15 13:04   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9
                  2009-12-28 21:40 . 2007-09-20 17:08   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
                  2009-12-27 10:32 . 2009-09-13 17:11   --------   d-----w-   c:\documents and settings\Steven\Application Data\Folding@home-x86
                  2009-12-19 22:14 . 2009-09-20 09:58   --------   d-----w-   c:\program files\SUPERAntiSpyware
                  2009-12-19 22:13 . 2009-09-20 10:00   117760   ----a-w-   c:\documents and settings\Steven\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
                  2009-12-19 19:52 . 2009-09-20 12:39   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                  2009-12-19 19:36 . 2009-03-07 13:30   --------   d-----w-   c:\documents and settings\Steven\Application Data\HP
                  2009-12-16 15:45 . 2009-09-21 09:38   --------   d-----w-   c:\documents and settings\All Users\Application Data\Lavasoft
                  2009-12-16 15:10 . 2007-10-02 17:26   --------   d-----w-   c:\program files\Common Files\HP
                  2009-12-16 15:10 . 2007-09-26 18:23   --------   d-----w-   c:\program files\HP
                  2009-12-03 15:14 . 2009-09-20 12:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                  2009-12-03 15:13 . 2009-09-20 12:39   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
                  2009-11-27 19:49 . 2007-01-20 18:45   --------   d-----w-   c:\program files\Google
                  2009-11-25 16:08 . 2009-09-25 19:12   171552   ----a-w-   c:\windows\system32\guard32.dll
                  2009-11-25 16:08 . 2009-09-25 19:12   133064   ----a-w-   c:\windows\system32\drivers\cmdguard.sys
                  2009-11-19 21:21 . 2005-12-09 08:58   86327   ----a-w-   c:\windows\pchealth\helpctr\OfflineCache\index.dat
                  2009-11-19 19:30 . 2009-08-19 09:58   --------   d-----w-   c:\documents and settings\Steven\Application Data\HpUpdate
                  2009-11-17 18:28 . 2009-09-25 19:12   87104   ----a-w-   c:\windows\system32\drivers\inspect.sys
                  2009-11-17 18:27 . 2009-09-25 19:12   25160   ----a-w-   c:\windows\system32\drivers\cmdhlp.sys
                  2009-11-17 18:16 . 2007-09-20 17:08   --------   d-----w-   c:\program files\Spybot - Search & Destroy
                  2009-11-15 18:16 . 2009-11-15 18:16   --------   d-----w-   c:\documents and settings\Steven\Application Data\Ansys
                  2009-11-15 13:04 . 2009-11-15 13:04   360584   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
                  2009-11-15 13:04 . 2008-06-07 08:13   12464   ----a-w-   c:\windows\system32\avgrsstx.dll
                  2009-11-15 13:04 . 2008-06-07 08:13   333192   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
                  2009-11-15 13:04 . 2006-12-05 14:57   28424   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
                  2009-11-15 13:04 . 2008-06-07 08:13   --------   d-----w-   c:\program files\AVG
                  2009-11-14 13:38 . 2009-11-14 13:38   --------   d-----w-   c:\program files\Ares
                  2009-11-14 13:19 . 2009-11-14 13:00   --------   d-----w-   c:\program files\LimeWire
                  2009-11-12 18:36 . 2008-05-21 20:49   --------   d-----w-   c:\program files\Windows Live
                  2009-11-11 20:07 . 2009-11-11 20:07   --------   d-----w-   c:\program files\Microsoft Office Outlook Connector
                  2009-11-11 20:02 . 2009-11-11 20:02   --------   d-----w-   c:\program files\Microsoft
                  2009-11-09 18:38 . 2006-09-21 15:00   --------   d-----w-   c:\program files\Java
                  2009-11-04 19:38 . 2009-11-04 19:38   152576   ----a-w-   c:\documents and settings\Steven\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
                  2009-10-29 07:46 . 2004-08-04 12:00   832512   ------w-   c:\windows\system32\wininet.dll
                  2009-10-29 07:46 . 2004-08-04 12:00   78336   ----a-w-   c:\windows\system32\ieencode.dll
                  2009-10-29 07:46 . 2004-08-04 12:00   17408   ------w-   c:\windows\system32\corpol.dll
                  2009-10-21 05:38 . 2004-08-04 12:00   75776   ----a-w-   c:\windows\system32\strmfilt.dll
                  2009-10-21 05:38 . 2004-08-04 12:00   25088   ----a-w-   c:\windows\system32\httpapi.dll
                  2009-10-20 16:20 . 2004-08-04 12:00   265728   ----a-w-   c:\windows\system32\drivers\http.sys
                  2009-10-13 10:30 . 2004-08-04 12:00   270336   ----a-w-   c:\windows\system32\oakley.dll
                  2009-10-12 13:38 . 2004-08-04 12:00   149504   ----a-w-   c:\windows\system32\rastls.dll
                  2009-10-12 13:38 . 2004-08-04 12:00   79872   ----a-w-   c:\windows\system32\raschap.dll
                  2009-10-11 03:17 . 2009-03-07 16:16   411368   ----a-w-   c:\windows\system32\deploytk.dll
                  2007-09-16 18:25 . 2007-09-16 18:25   12256128   ----a-w-   c:\program files\Ares.bin
                  2007-04-12 08:40 . 2007-04-12 08:40   2621952   ----a-w-   c:\program files\tp70.exe
                  2004-03-15 16:51 . 2004-03-15 16:51   114688   ----a-w-   c:\program files\internet explorer\plugins\LV71ActiveXControl.dll
                  2007-07-24 17:03 . 2007-07-24 17:03   118784   ----a-w-   c:\program files\internet explorer\plugins\LV85ActiveXControl.dll
                  2008-05-29 00:33 . 2008-08-07 21:21   80   --sha-w-   c:\windows\system32\indata.dat
                  .

                  (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  .
                  *Note* empty entries & legit default entries are not shown
                  REGEDIT4

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 61952]
                  "RTHDCPL"="RTHDCPL.EXE" [2005-08-16 14565376]
                  "StartupDelayer"="c:\program files\r2 Studios\Startup Delayer\Startup Launcher.exe" [2009-03-08 73728]
                  "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-16 2033432]
                  "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
                  "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
                  "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-11-17 1800464]

                  [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                  "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

                  [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
                  "RunNarrator"="Narrator.exe" [2008-04-14 53760]

                  c:\documents and settings\Steven\Start Menu\Programs\Startup\
                  Shortcut to procexp.exe.lnk - c:\documents and settings\Steven\Desktop\utilities\ProcessExplorer\procexp.exe [2008-11-18 3549552]
                  todo.txt [2009-12-29 424]

                  [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                  "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
                  2009-11-15 13:04   12464   ----a-w-   c:\windows\system32\avgrsstx.dll

                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
                  2005-05-31 21:46   110592   ----a-w-   c:\program files\Intel\Wireless\Bin\LgNotify.dll

                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
                  "AppInit_DLLs"=c:\windows\system32\guard32.dll

                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
                  @=""

                  [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
                  "ares"="c:\program files\Ares\ares.exe" -h
                  "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
                  "SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

                  [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
                  "KTPWare"=c:\program files\Elantech\Ktp.exe
                  "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
                  "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                  "%windir%\\system32\\sessmgr.exe"=
                  "c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
                  "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\ANSYS.exe"=
                  "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\ans_admin.exe"=
                  "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\ls970.exe"=
                  "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\ls970_DP.exe"=
                  "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\lsprepostd.exe"=
                  "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\mpitest.exe"=
                  "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\mpitestmpich.exe"=
                  "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\sxpost.exe"=
                  "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\tclsh.exe"=
                  "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\wish.exe"=
                  "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\DANSYS\\ANSYS.exe"=
                  "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\DANSYSMPICH\\ANSYS.exe"=
                  "c:\\Program Files\\Ansys Inc\\v100\\CommonFiles\\TCL\\bin\\Intel\\tclsh.exe"=
                  "c:\\Program Files\\Ansys Inc\\v100\\CommonFiles\\TCL\\bin\\Intel\\wish.exe"=
                  "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\catia\\Intel\\ac4catia.exe"=
                  "c:\\Program Files\\Ansys Inc\\v100\\CommonFiles\\CATIAV5\\Intel\\code\\bin\\ac4catia5.exe"=
                  "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\para\\Intel\\ac4para.exe"=
                  "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\pro\\Intel\\ac4pro.exe"=
                  "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\sat\\Intel\\ac4sat.exe"=
                  "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\ug10\\Intel\\ansconug10.exe"=
                  "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\ug20\\Intel\\ansconug20.exe"=
                  "c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\ug30\\Intel\\ansconug30.exe"=
                  "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                  "c:\\Program Files\\Ares\\Ares.exe"=
                  "c:\\Program Files\\National Instruments\\LabVIEW 7.1\\LabVIEW.exe"=
                  "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
                  "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
                  "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
                  "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
                  "c:\\Program Files\\mIRC\\mirc.exe"=
                  "c:\\Nexon\\NEXON_EU_Downloader\\NEXON_EU_Downloader_Engine.exe"=
                  "c:\\Documents and Settings\\All Users\\Application Data\\NexonEU\\NGM\\NGM.exe"=
                  "c:\nexon\Combat Arms EU\CombatArms.exe"= c:\nexon\Combat Arms EU\CombatArms.exe:*Enabled:CombatArms.exe
                  "c:\nexon\Combat Arms EU\Engine.exe"= c:\nexon\Combat Arms EU\Engine.exe:*Enabled:Engine.exe
                  "c:\\Nexon\\Combat Arms EU\\NMService.exe"=

                  R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [07/06/2008 09:13 333192]
                  R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [15/11/2009 14:04 360584]
                  R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [25/09/2009 20:12 133064]
                  R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [25/09/2009 20:12 25160]
                  R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [15/09/2009 10:42 9968]
                  R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [15/09/2009 10:42 74480]
                  R2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;c:\progra~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe [30/03/2007 08:56 909312]
                  R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [15/11/2009 14:04 285392]
                  S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/07/2009 12:29 133104]
                  S3 Brndis;External USB Cable Modem;c:\windows\system32\drivers\Brndis.sys [09/10/2007 16:37 16512]
                  S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [15/09/2009 10:42 7408]

                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
                  HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
                  hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
                  .
                  ------- Supplementary Scan -------
                  .
                  uStart Page = hxxp://www.google.com/
                  IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
                  Trusted Zone: internet
                  Trusted Zone: mcafee.com
                  DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} - hxxp://www.techsmith.com/codec/tsccinst.cab
                  DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
                  .

                  **************************************************************************

                  catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                  Rootkit scan 2009-12-29 19:58
                  Windows 5.1.2600 Service Pack 3 NTFS

                  scanning hidden processes ... 

                  scanning hidden autostart entries ...

                  scanning hidden files ... 

                  scan completed successfully
                  hidden files: 0

                  **************************************************************************
                  .
                  --------------------- LOCKED REGISTRY KEYS ---------------------

                  [HKEY_USERS\S-1-5-21-682003330-583907252-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B81852FE-22D9-50ED-FF35-7ADC15B5E173}*]
                  "hajjiceidhhfillk"=hex:6b,61,6f,69,63,6f,63,63,62,6c,66,68,6c,68,6f,67,61,6b,
                     66,6a,61,69,00,00
                  "iadgcecikpimeplfbk"=hex:6b,61,6f,69,63,6f,63,63,62,6c,66,68,6c,68,6f,67,61,6b,
                     66,6a,61,69,00,00
                  .
                  --------------------- DLLs Loaded Under Running Processes ---------------------

                  - - - - - - - > 'winlogon.exe'(800)
                  c:\windows\system32\Ati2evxx.dll
                  c:\program files\Intel\Wireless\Bin\LgNotify.dll

                  - - - - - - - > 'explorer.exe'(560)
                  c:\windows\system32\WININET.dll
                  c:\progra~1\WINDOW~2\wmpband.dll
                  c:\windows\system32\ieframe.dll
                  c:\windows\system32\WPDShServiceObj.dll
                  c:\windows\system32\PortableDeviceTypes.dll
                  c:\windows\system32\PortableDeviceApi.dll
                  .
                  ------------------------ Other Running Processes ------------------------
                  .
                  c:\windows\system32\Ati2evxx.exe
                  c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
                  c:\windows\system32\Ati2evxx.exe
                  c:\program files\AVG\AVG9\avgchsvx.exe
                  c:\program files\AVG\AVG9\avgrsx.exe
                  c:\program files\Intel\Wireless\Bin\EvtEng.exe
                  c:\program files\Intel\Wireless\Bin\S24EvMon.exe
                  c:\program files\AVG\AVG9\avgcsrvx.exe
                  c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
                  c:\windows\system32\drivers\CDAC11BA.EXE
                  c:\program files\Ansys Inc\Shared Files\Licensing\intel\ansyslmd.exe
                  c:\program files\Java\jre6\bin\jqs.exe
                  c:\windows\system32\lkcitdl.exe
                  c:\program files\AVG\AVG9\avgnsx.exe
                  c:\windows\system32\lkads.exe
                  c:\windows\system32\lktsrv.exe
                  c:\program files\National Instruments\MAX\nimxs.exe
                  c:\program files\National Instruments\Shared\Security\nidmsrv.exe
                  c:\windows\system32\nisvcloc.exe
                  c:\program files\National Instruments\Shared\Tagger\tagsrv.exe
                  c:\program files\Intel\Wireless\Bin\OProtSvc.exe
                  c:\program files\Intel\Wireless\Bin\RegSrvc.exe
                  c:\windows\RTHDCPL.EXE
                  c:\windows\system32\NOTEPAD.EXE
                  c:\windows\system32\msiexec.exe
                  c:\program files\Folding@home\Folding@home-x86\[email protected]
                  c:\documents and settings\Steven\Application Data\Folding@home-x86\FahCore_78.exe
                  .
                  **************************************************************************
                  .
                  Completion time: 2009-12-29  20:08:04 - machine was rebooted
                  ComboFix-quarantined-files.txt  2009-12-29 19:07
                  ComboFix2.txt  2009-12-28 22:13

                  Pre-Run: 19,627,606,016 bytes free
                  Post-Run: 19,576,676,352 bytes free

                  - - End Of File - - B5BE8B834ACE7F58AFFB77E26B84514A
