smythsit
asked on
Spyware problem on PC - XP antivirus (spyware) - Cannot remove - Attached HijackThis log
I have tried this guide to remove it, but it did not work: http://www.bleepingcomputer.com/forums/topic111715.html
The reason I know it did not work is that some sites I go into get this error saying "blocked - activate xp antivirus for secure internet surfing". Because of this I could not complete the last step of the guide, which was to run the Panda scan.
I'm hoping somebody can tell me exactly what's going on here, as I cannot get to the bottom of this and have tried Spybot and Ad-Aware. Look forward to your reply.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:16:43, on 14/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE
C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PocketCam 3Mega\ICON.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: &Research - {037C7B8A-151A-49E6-BAED-CC05FCB50328} - C:\WINDOWS\system32\winsrc.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LXDDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB003" /M "Stylus C46"
O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\ieupdates.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: PocketCam 3Mega Monitor.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O21 - SSODL: gimmicks - {40dcff6e-af8d-4183-8ebe-a82270ac449e} - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 4663 bytes
ASKER
Thanks guys... the SDFix seems to have done the job.
Here is a copy of the SDFix log and another HijackThis log.
[b]SDFix: Version 1.192 [/b]
Run by Administrator on 31/12/2001 at 23:26
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
[b]Checking Services [/b]:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
[b]Checking Files [/b]:
Trojan Files Found:
C:\WINDOWS\system32\ieupdates.exe - Deleted
C:\WINDOWS\system32\winsrc.dll - Deleted
Removing Temp Files
[b]ADS Check [/b]:
[b]Final Check [/b]:
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2001-12-31 23:35:11
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
[b]Remaining Services [/b]:
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\lxddcoms.exe"="C:\\WINDOWS\\system32\\lxddcoms.exe:*:Enabled:Lexmark Communications System"
"C:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"="C:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe:*:Enabled:Lexmark Device Monitor"
"C:\\Program Files\\Lexmark 2500 Series\\App4R.exe"="C:\\Program Files\\Lexmark 2500 Series\\App4R.exe:*:Enabled:Lexmark Imaging Studio"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE:*:Enabled:SAgent4"
"C:\\WINDOWS\\system32\\muzapp.exe"="C:\\WINDOWS\\system32\\muzapp.exe:*:Enabled:MUZ AOD APP player"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Lexmark 2500 Series\\app4r.exe"="C:\\Program Files\\Lexmark 2500 Series\\App4R.exe:*:Enabled:BorgListener"
[b]Remaining Files [/b]:
File Backups: - C:\SDFix\backups\backups.zip
[b]Files with Hidden Attributes [/b]:
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT1.tmp"
[b]Finished![/b]
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:37:39, on 15/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE
C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PocketCam 3Mega\ICON.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LXDDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB003" /M "Stylus C46"
O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: PocketCam 3Mega Monitor.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O21 - SSODL: gimmicks - {40dcff6e-af8d-4183-8ebe-a82270ac449e} - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 4518 bytes
You can fix this entry below in HijackThis:
O21 - SSODL: gimmicks - {40dcff6e-af8d-4183-8ebe-a82270ac449e} - (no file)
C:\WINDOWS\system32\muzapp.exe <-- do you know this file? Can you please right-click on it and look at the properties? I'm just curious about it; it seems to belong to this --> MUZ AOD APP player
Glad to know it seems to be resolved.
Thanks for the points and excellent grading!
http://www.softpedia.com/get/Antivirus/RogueRemover.shtml
Also, you should download and run SmitfraudFix, which should finalize the issue:
http://siri.geekstogo.com/SmitfraudFix.php
Now to analyze your log.
All of these are malware related; if they are not cleaned up by the above tools, manually remove them using HJT / manual search and delete:
O2 - BHO: &Research - {037C7B8A-151A-49E6-BAED-CC05FCB50328} - C:\WINDOWS\system32\winsrc.dll
O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\ieupdates.exe"
O21 - SSODL: gimmicks - {40dcff6e-af8d-4183-8ebe-a82270ac449e} - (no file)
Please post another HijackThis log just to be sure.
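As an added example (not code from the thread, from HijackThis, or from any of the tools named above), the Python script below applies three checks that correspond to the entries flagged in this answer and in the earlier comment about the O21 line: a BHO loading straight from system32, an updater-named Run entry whose executable is a bare file in system32, and an SSODL entry with no backing file. The sample lines are constructed from the log posted in this thread; the triage rules are this example's own heuristics, and the registry path printed for each hit is where that HijackThis section is stored, offered as a starting point for the manual search-and-delete step rather than as something the tools above perform.

```python
"""Triage HijackThis-style log lines for the persistence points discussed in the thread.

Added example: the rules below are this example's own heuristics, not HijackThis
logic and not what the experts in the thread ran.
"""
import re

# Constructed sample: entries copied from the log posted above, plus benign
# lines (AVG, NVIDIA, Lexmark, Flash RunOnce) so the rules have something to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: &Research - {037C7B8A-151A-49E6-BAED-CC05FCB50328} - C:\WINDOWS\system32\winsrc.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\ieupdates.exe"
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe
O21 - SSODL: gimmicks - {40dcff6e-af8d-4183-8ebe-a82270ac449e} - (no file)
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
                   r"\[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O21_RE = re.compile(r"^O21 - SSODL: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# A file sitting directly in %SystemRoot%\system32 (no subfolder).
SYSTEM32_FILE = re.compile(r"^[A-Za-z]:\\WINDOWS\\system32\\[^\\]+$", re.I)

# Where each HijackThis section lives in the registry, for follow-up with regedit.
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
SSODL_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion"


def exe_path(cmd):
    """Best-effort executable (or rundll32 payload DLL) from a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    first, _, rest = cmd.partition(" ")
    if first.lower() in ("rundll32", "rundll32.exe"):
        # rundll32 <dll>,<entry> [args]: the DLL is what actually executes
        return rest.split(",", 1)[0].strip()
    return first


def triage(log_text):
    """Return a list of dicts describing suspicious O2/O4/O21 entries."""
    findings = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            # Vendor BHOs (toolbars, PDF helpers) live under Program Files;
            # a BHO loaded straight out of system32 is the rogue-AV pattern.
            if SYSTEM32_FILE.match(m["path"]):
                findings.append({
                    "section": "O2", "name": m["name"], "path": m["path"],
                    "reason": "BHO loaded directly from system32",
                    "registry": BHO_KEY + "\\{" + m["clsid"] + "}",
                })
            continue
        m = O4_RE.match(line)
        if m:
            path = exe_path(m["cmd"])
            # Updater-named autorun whose binary is a bare file in system32
            # (real updaters run from their product folder, like the Flash one).
            if SYSTEM32_FILE.match(path) and "update" in m["name"].lower():
                findings.append({
                    "section": "O4", "name": m["name"], "path": path,
                    "reason": "updater-style autorun pointing at a bare system32 file",
                    "registry": "\\".join((m["hive"], RUN_KEY, m["key"], m["name"])),
                })
            continue
        m = O21_RE.match(line)
        if m and m["path"] == "(no file)":
            # Orphaned ShellServiceObjectDelayLoad value: the DLL was removed
            # but the load entry was not, which is what HJT's "fix" clears.
            findings.append({
                "section": "O21", "name": m["name"], "path": m["path"],
                "reason": "SSODL entry whose DLL no longer exists",
                "registry": SSODL_KEY + "\\" + m["name"],
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%s [%s] %s" % (f["section"], f["name"], f["path"]))
        print("    why: %s" % f["reason"])
        print("    key: %s" % f["registry"])
```

Run as-is it reports the &Research BHO, the ieupdate Run value and the gimmicks SSODL entry, and leaves the AVG, NVIDIA, Lexmark and Flash lines alone. It only reports; deleting the listed keys is still a manual step, and exporting the key first (or relying on HijackThis's own backup) is the sensible precaution.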