Re: New/Rare Trojan Re-spawning and AVG not working?

Question

bear38 0 Light Poster

15 Years Ago

Hi, just surfed this site (and only this thread) since this morning because I have the same Trojan problem. It's really frustrating and, yes, lots of anti-virus and malware removal tools can't detect it (I'm using AVG 8.5). However, I just tried out Combofix, the latest solution provided by member 'crunchie' and it worked! It could detect the \hjgruixxxxxxxxx.dll things and cleaned them. Combofix asked me to turn off AVG anti-virus and anti-spyware but I couldn't find a way to disable them. Well, I proceeded with Combofix nevertheless.

It seems that my computer is back to normal but I don't know whether there will be any system instability due to the active AVG during the Combofix scanning process.

Here's the log:

ComboFix 09-07-05.03 - Teddy 7/2009 Mon 23:34.1 - NTFSx86
Running from: c:\users\Teddy\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
    /wow section - STAGE 3
The syntax of the command is incorrect.

PEV Error: DesktopFile
PEV Error: DesktopFolder
PEV Error: FavFile
PEV Error: LocalAppDataFile
PEV Error: LocalAppDataFolder
PEV Error: LocalSettingsFile
PEV Error: MenuFile
PEV Error: MenuFolder
PEV Error: PersonalFile
PEV Error: StartUpFile

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1373282975-3817935305-1639791119-500
c:\$recycle.bin\S-1-5-21-4250835916-1544608186-4155006228-500
C:\resycled
c:\windows\Installer\f584a6e.msi
c:\windows\system32\drivers\hjgruiljqpcxnp.sys
c:\windows\system32\hjgruidwxdenom.dll
c:\windows\system32\hjgruilog.dat
c:\windows\system32\hjgruipipekudb.dat
c:\windows\system32\hjgruirwgbmxbt.dat
c:\windows\system32\hjgruitfiuqour.dll
D:\resycled

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruinkvcfyxe
-------\Service_Windows Tribute Service


(((((((((((((((((((((((((   Files Created from 2009-06-06 to 2009-07-06  )))))))))))))))))))))))))))))))
.

2009-07-06 15:44 . 2009-07-06 15:46 --------    d-----w-    c:\users\Teddy\AppData\Local\temp
2009-07-05 15:25 . 2009-07-05 15:26 289343794   ----a-w-    c:\users\Teddy\registrybackup.reg
2009-07-04 17:19 . 2009-07-05 00:47 --------    d-----w-    c:\users\Teddy\AppData\Roaming\DMCache
2009-07-03 07:50 . 2009-07-03 07:50 390664  ----a-w-    c:\users\Teddy\AppData\Roaming\Real\RealPlayer\Update\realplayer11gold.exe
2009-06-27 03:00 . 2009-06-27 03:00 --------    d-----w-    c:\users\Teddy\AppData\Local\AVG Security Toolbar
2009-06-27 00:16 . 2009-06-27 00:14 832144  ----a-w-    c:\programdata\avg8\update\backup\AVGToolbarInstall.exe
2009-06-27 00:16 . 2009-06-27 00:16 --------    d-----w-    c:\programdata\AVG Security Toolbar
2009-06-23 06:20 . 2008-03-17 03:05 101632  ----a-w-    c:\windows\system32\drivers\ewusbmdm.sys
2009-06-23 06:19 . 2009-06-26 17:30 --------    d-----w-    c:\program files\BroadBand on Mobile
2009-06-14 10:27 . 2009-05-09 05:34 71680   ----a-w-    c:\windows\system32\iesetup.dll
2009-06-14 10:27 . 2009-05-09 05:50 915456  ----a-w-    c:\windows\system32\wininet.dll
2009-06-14 09:58 . 2009-04-30 12:37 428544  ----a-w-    c:\windows\system32\EncDec.dll
2009-06-14 09:58 . 2009-04-30 12:37 293376  ----a-w-    c:\windows\system32\psisdecd.dll
2009-06-10 12:15 . 2009-04-21 11:55 2033152 ----a-w-    c:\windows\system32\win32k.sys
2009-06-10 12:15 . 2009-04-23 12:42 636928  ----a-w-    c:\windows\system32\localspl.dll
2009-06-10 12:15 . 2009-04-23 12:43 784896  ----a-w-    c:\windows\system32\rpcrt4.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-06 15:45 . 2007-07-14 02:06 2484    ----a-w-    c:\windows\bthservsdp.dat
2009-07-06 14:42 . 2008-09-02 16:30 --------    d-----w-    c:\programdata\avg8
2009-07-05 03:47 . 2008-02-29 09:14 1356    ----a-w-    c:\users\Teddy\AppData\Local\d3d9caps.dat
2009-07-03 07:20 . 2007-08-27 13:47 --------    d-----w-    c:\program files\iTunes
2009-07-03 07:20 . 2007-08-26 15:03 --------    d-----w-    c:\program files\Common Files\Apple
2009-07-03 07:18 . 2007-08-25 17:21 --------    d-----w-    c:\program files\QuickTime
2009-06-27 00:15 . 2008-09-02 16:30 11952   ----a-w-    c:\windows\system32\avgrsstx.dll
2009-06-27 00:15 . 2008-09-02 16:30 327688  ----a-w-    c:\windows\system32\drivers\avgldx86.sys
2009-06-27 00:15 . 2008-09-02 16:30 27784   ----a-w-    c:\windows\system32\drivers\avgmfx86.sys
2009-06-10 19:08 . 2007-06-27 11:36 --------    d-----w-    c:\program files\Microsoft Works
2009-05-23 18:59 . 2009-05-23 18:59 --------    d-----w-    c:\program files\Common Files\xing shared
2009-05-23 18:59 . 2007-08-22 18:41 --------    d-----w-    c:\program files\Common Files\Real
2009-05-13 19:01 . 2006-11-02 11:18 --------    d-----w-    c:\program files\Windows Mail
2009-04-25 12:58 . 2009-04-25 12:57 794624  ----a-w-    c:\users\Teddy\fairPLAYLite.exe
2007-08-10 02:43 . 2007-08-10 02:43 22  --sha-w-    c:\windows\SMINST\HPCD.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 08:07    1004800 ----a-w-    c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]
"VMCL"="c:\program files\vodafone\vmclite\DongleEnumerator.exe" [2007-09-20 131072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-03-11 159744]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"MSConfig"="c:\windows\system32\msconfig.exe" [2008-01-19 227840]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-08 148888]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-23 198160]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-27 1948440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Teddy^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MediaRing Talk.lnk]
backup=c:\windows\pss\MediaRing Talk.lnk.Startup
backupExtension=.Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"QPService"="c:\program files\HP\QuickPlay\QPService.exe"
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{1E1A9575-8314-4898-AE26-3C28669DFB1C}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{EC60616E-B239-4B2D-9CB6-F3CCB2A1B6EC}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{84B81911-214E-4D82-97DC-4C0A47797021}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{E2F53BC3-060F-4B97-A66F-0419DBA12F4B}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{7541F28C-8678-448F-BBE0-E5C58FCB5DD2}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{CB2E8E58-2F7A-43B9-BBB5-763F5D0E8494}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{781F17D9-33AF-4DC7-AB05-E51C3F6B1FBC}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{4A237335-AE1D-4636-B06D-75D785A0B05F}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{C6D24359-B26B-4BA9-AEEB-CA066A35FFB9}c:\\program files\\bitcomet\\bitcomet.exe"= UDP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{2D61D60E-E700-4CCC-965A-F6A13943C241}c:\\program files\\bitcomet\\bitcomet.exe"= TCP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"TCP Query User{0218F6EA-6DF2-4D76-A41F-2D770C6B14E2}c:\\program files\\bitcomet\\bitcomet.exe"= UDP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{4553DAEB-4238-416C-89A1-77935FCBDE7C}c:\\program files\\bitcomet\\bitcomet.exe"= TCP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"TCP Query User{F61F0608-DA68-41A5-89EF-A19DE4C3EDE5}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{49291827-DE44-436B-9B82-3C5AD1DEAF52}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"TCP Query User{5335C147-2958-4699-96BD-7E58E2E6A1E9}c:\\program files\\wizet\\maplestory\\maplestory.exe"= UDP:c:\program files\wizet\maplestory\maplestory.exe:MapleStory
"UDP Query User{593955A0-9A57-4B0D-9335-BFC0427FFC06}c:\\program files\\wizet\\maplestory\\maplestory.exe"= TCP:c:\program files\wizet\maplestory\maplestory.exe:MapleStory
"TCP Query User{DCB0C1FF-2BBF-48EB-8151-A9FDC5F13DAC}c:\\program files\\sopcast\\sopcast.exe"= UDP:c:\program files\sopcast\sopcast.exe:SopCast Main Application
"UDP Query User{3655E783-B70D-4552-BF39-192EDCB73F1A}c:\\program files\\sopcast\\sopcast.exe"= TCP:c:\program files\sopcast\sopcast.exe:SopCast Main Application
"{C581AD42-04A6-4970-AE4F-9165990238FF}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{5C189397-16E9-4FD0-A3C6-61D607ADDC8B}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{2781D9B1-547B-42C8-B495-B86BBC66E60A}c:\\program files\\hp\\hp software update\\hpwucli.exe"= UDP:c:\program files\hp\hp software update\hpwucli.exe:HP Software Update Client
"UDP Query User{4F7726E8-CA12-42F2-B80F-CDED188E3DEA}c:\\program files\\hp\\hp software update\\hpwucli.exe"= TCP:c:\program files\hp\hp software update\hpwucli.exe:HP Software Update Client
"TCP Query User{00ADC9B6-E235-4BD2-BB48-035FE467AB93}c:\\program files\\softnyx\\gunboundwc\\gunbound.gme"= UDP:c:\program files\softnyx\gunboundwc\gunbound.gme:GunBound
"UDP Query User{C2BD1CDA-07C7-4764-8B8B-A5FF763E6733}c:\\program files\\softnyx\\gunboundwc\\gunbound.gme"= TCP:c:\program files\softnyx\gunboundwc\gunbound.gme:GunBound
"TCP Query User{EF6408B3-5E12-430C-B950-3511FA713958}c:\\program files\\softnyx\\gunboundwc\\gunbound.gme"= UDP:c:\program files\softnyx\gunboundwc\gunbound.gme:GunBound
"UDP Query User{32A5EC90-CFF9-4086-ACC3-A908BCB58910}c:\\program files\\softnyx\\gunboundwc\\gunbound.gme"= TCP:c:\program files\softnyx\gunboundwc\gunbound.gme:GunBound
"TCP Query User{27131598-B8D2-40B4-99BA-776E66C37013}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{4EB0BFBC-2723-436D-9820-42C9CCDFBAD3}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{4B869771-8E6F-4571-A82B-A040714C8132}c:\\program files\\real\\realplayer\\realplay.exe"= UDP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{9E439FE5-4A83-4B0F-9825-DD8A8E222C2B}c:\\program files\\real\\realplayer\\realplay.exe"= TCP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"{DA2C4879-54BA-4BEF-809F-08CC19E7302D}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{AFA950A8-0ACC-4D4C-956C-7943AAF7B5D3}"= TCP:c:\program files\DNA\btdna.exe:DNA
"TCP Query User{CC00A38D-CABB-4113-88E0-A79D9ED09908}c:\\program files\\sopcast\\adv\\sopadver.exe"= UDP:c:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"UDP Query User{E21F0D21-F4AB-442E-8BA5-8938D00C22E8}c:\\program files\\sopcast\\adv\\sopadver.exe"= TCP:c:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"TCP Query User{2694E5E8-5AC1-457D-B480-3A24A6416CF5}c:\\program files\\sopcast\\sopcast.exe"= UDP:c:\program files\sopcast\sopcast.exe:SopCast Main Application
"UDP Query User{441002C2-52D7-429C-861A-6411CAE9E75B}c:\\program files\\sopcast\\sopcast.exe"= TCP:c:\program files\sopcast\sopcast.exe:SopCast Main Application
"TCP Query User{6922DF0A-A030-4703-AA95-A0485EAB0FB8}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{10F9BFDD-6BB7-491B-B893-4D5C7AC7B7D3}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{6D0C4FD7-5DD4-4944-B439-420AB4D1BD78}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"TCP Query User{F270D1CE-477D-411C-B2B2-2F0F01D85C99}c:\\program files\\free music zilla\\fmzilla.exe"= UDP:c:\program files\free music zilla\fmzilla.exe:FMZilla Module
"UDP Query User{0DBDAC8F-3E7B-4225-8F57-1EF3603A2B7F}c:\\program files\\free music zilla\\fmzilla.exe"= TCP:c:\program files\free music zilla\fmzilla.exe:FMZilla Module
"TCP Query User{B8256F91-E1C7-4E03-9265-86A26EE1EBF7}c:\\program files\\free music zilla\\fmzilla.exe"= UDP:c:\program files\free music zilla\fmzilla.exe:FMZilla Module
"UDP Query User{EE195CD3-3583-4DAD-AF77-CF0BE550E79E}c:\\program files\\free music zilla\\fmzilla.exe"= TCP:c:\program files\free music zilla\fmzilla.exe:FMZilla Module
"TCP Query User{0FE41BFE-5409-4DEA-B0C9-683A0BFBC2B1}c:\\program files\\guilty gear xx #reload\\ggxx.exe"= UDP:c:\program files\guilty gear xx #reload\ggxx.exe:GUILTYGEAR XX #RELOAD
"UDP Query User{6AFDA57E-88D5-46EC-A836-6BBCDD42BDED}c:\\program files\\guilty gear xx #reload\\ggxx.exe"= TCP:c:\program files\guilty gear xx #reload\ggxx.exe:GUILTYGEAR XX #RELOAD
"{6504F4AB-A88A-4B15-94E6-FDB72C16D0D2}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{9BB40EF3-CE45-47A0-942B-55779D020E55}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{B0C5D66E-7D29-40C2-8726-728D290CF70A}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{C9B4F44F-F3EE-4082-BB05-7947C7D353B8}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [3/9/2008 12:30 AM 327688]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/9/2008 12:30 AM 298776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ    BthServ
WindowsMobile   REG_MULTI_SZ    wcescomm rapimgr
LocalServiceRestricted  REG_MULTI_SZ    WcesComm RapiMgr

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-06 c:\windows\Tasks\User_Feed_Synchronization-{FF3D8B9D-A567-477B-B85E-A156E47C90B1}.job
- c:\windows\system32\msfeedssync.exe [2009-06-14 11:31]
.
.
------- Supplementary Scan -------
.
mStart Page = about:blank
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*[url]http://www.yahoo.com/ext/search/search.html[/url]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*[url]http://www.yahoo.com[/url]
IE: Download all links using BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Download all videos using BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: Download link using &BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\Teddy\AppData\Roaming\Mozilla\Firefox\Profiles\c4ga0obx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url]http://www.gmer.net[/url]
Rootkit scan 2009-07-06 23:46
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2320)
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\System32\conime.exe
c:\windows\System32\igfxsrvc.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\windows\ehome\ehmsas.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\System32\wbem\WMIADAP.exe
.
**************************************************************************
.
Completion time: 2009-07-06 23:54 - machine was rebooted
ComboFix-quarantined-files.txt  2009-07-06 15:54

Pre-Run: 36,306,673,664 bytes free
Post-Run: 36,196,237,312 bytes free

308 --- E O F ---   2009-07-01 06:18

Thanks a lot for crunchie. Keep up the good work.

windows-virus

Edited 11 Years Ago by mike_2000_17 because: Fixed formatting

4 Contributors
16 Replies
252 Views
1 Week Discussion Span
Latest Post 15 Years Ago Latest Post by crunchie

jholland1964 650 Posting Expert

15 Years Ago

I just tried out Combofix, the latest solution provided by member 'crunchie' and it worked

First of all ComboFix is not the "latest solution" it has been around a long time but because of the power of the program it is not recommended often and then only for very specific problems.

It is a VERY DANGEROUS thing to do...run Combofix without FIRST PERSONALLY being instructed to do so. We NEVER, EVER recommend Combofix as a first step here. We must see all logs FIRST from HJT, MBA-M, online anti-virus scans before we even consider having a person try ComboFix.
Note this warning on one of the download sites of ComboFix:

You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.

I also see by your comments that you knowingly ran Combofix Incorrectly and allowed your AVG, Windows Defender and AdAware to remain enabled. Running Combofix while the anti-virus program is turned on may interfere with the proper running of ComboFix.
If you had run this program under instruction you would have been told how to turn off these programs.
In order to further assist we would need all other logs from other programs you have run and what was removed by each program.

jholland1964 650 Posting Expert

15 Years Ago

You know I am somewhat confused here, you site a thread here, yet you don't not link to it, I know which one you mean, THIS ONE
However, as near as I can see, the only two tools you have used which are even mentioned in that thread are AVG and Combofix. You didn't attempt anything else. Did you even attempt to use MBA-M? You used this Trend Micro SysClean program, ok program but no mention if you ran it in SAFE MODE as it requires.
We have seen no HiJackThis log from you. Also, if you had read the entire thread you noted you would have seen the poster did not complete the running of ComboFix but elected to reformat. I cannot even see what operating system you have or what version of IE you are running.

jholland1964 650 Posting Expert

15 Years Ago

If you had read all the way through the thread you noted then you would have seen a HiJackThis log.
You cannot assume because you exhibit the same symptoms which show in some other thread that you have exactly the same problem. Even if all is identical, you should never assume what DIDN'T work for another wouldn't work for you. Each system is different, each computer generally is NOT running the exact same software.
I WOULD like you to attempt to run Malwarebytes' Anti-Malware.
Please follow these directions:
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Reboot the Computer

Next do the following:
Please Run the ESET Online Scanner and attach the ScanLog with your post for assistance.

* You will need to use Internet Explorer to to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.

AVG 8.5
Please open the AVG 8.5 Control Center, by right clicking on the AVG icon on task bar.
* Click on Open AVG Interface.
* Double click on Resident Shield
* Deselect the option to "Enable Resident Shield."
* Save changes, and exit the application.

* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.
Again, REBOOT the COMPUTER.
Run a Full Scan with HiJackThis and save the log. Post it here with the MBA-M log, the ESET log.

jholland1964 650 Posting Expert

15 Years Ago

Will wait for the HJT log. Since you cannot do these things quickly, HJT takes only a few seconds by the way, be sure the computer is not powered up waiting for the next step. That way you will be sure there is nothing on there "working on it's own" when you are not around.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

bear38 0 Light Poster · Answer 1 · 2009-07-07T09:56:24+00:00

By the way, I mentioned Combofix as the latest because it is the latest tool advised in the thread. Nevermind, not a big issue here.

No instruction on how to switch off AVG. But I tried to switch it off manually. AVG Resident Shield was switched off, but the anti-virus was still on and there is no button or checklist or anything to disable the anti-virus (and anti-spyware) in the User Interface. In addition, I tried to boot in Safe Mode also, and disabled AVG Watchdog service through task manager, but Combofix still detected that AVG was active. Hence, I decided to take the risk to continue.

I have only used AVG, Sysclean, and Combofix in troubleshooting this problem. Here's the Sysclean log:

/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006-2007, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/

2009-07-06, 00:07:16, Auto-clean mode specified.
2009-07-06, 00:07:18, Failed to initialize Rootkit Driver.
2009-07-06, 00:07:18, Running scanner "C:\Users\Teddy\ApplicatioNs\Sysclean\TSC.BIN"...
2009-07-06, 00:07:40, Scanner "C:\Users\Teddy\ApplicatioNs\Sysclean\TSC.BIN" has finished running.
2009-07-06, 00:07:40, TSC Log:

D a m a g e C l e a n u p E n g i n e ( D C E ) 6 . 1 ( B u i l d 1 0 2 7 ) ( R C M : D r i v e r n o t r e a d y ! )

W i n d o w s V i s t a ( B u i l d 6 0 0 1 : S e r v i c e P a c k 1 )

S t a r t t i m e : M o n J u l 0 6 2 0 0 9 0 0 : 0 7 : 1 8

L o a d D a m a g e C l e a n u p T e m p l a t e ( D C T ) " C : \ U s e r s \ T e d d y \ A p p l i c a t i o N s \ S y s c l e a n \ T M R D C T . p t n " ( v e r s i o n ) [ f a i l ]

L o a d D a m a g e C l e a n u p T e m p l a t e ( D C T ) " C : \ U s e r s \ T e d d y \ A p p l i c a t i o N s \ S y s c l e a n \ t s c . p t n " ( v e r s i o n 1 0 4 8 ) [ s u c c e s s ]

C o m p l e t e t i m e : M o n J u l 0 6 2 0 0 9 0 0 : 0 7 : 4 0

E x e c u t e p a t t e r n c o u n t ( 3 0 6 1 ) , V i r u s f o u n d c o u n t ( 0 ) , V i r u s c l e a n c o u n t ( 0 ) , C l e a n f a i l e d c o u n t ( 0 )

2009-07-06, 00:07:40, Running scanner "C:\Users\Teddy\ApplicatioNs\Sysclean\VSCANTM.BIN"...
2009-07-06, 01:40:13, Scanner "C:\Users\Teddy\ApplicatioNs\Sysclean\VSCANTM.BIN" has finished running.
2009-07-06, 01:40:13, VSCANTM Log:

2009-07-06, 01:40:13, Files Detected:
Copyright (c) 1990 - 2006 Trend Micro Inc.
Report Date : 7/6/2009 00:07:40
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 247 (446785/446785 Patterns) (2009/07/05) (624700)

Command Line: C:\Users\Teddy\ApplicatioNs\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\Users\Teddy\ApplicatioNs\Sysclean\lpt$vpn.247

215206 files have been read.
215206 files have been checked.
214917 files have been scanned.
406558 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 7/6/2009 01:40:13 1 hour 32 minutes 32 seconds (5552.28 seconds) has elapsed.(25.800 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-07-06, 01:40:13, Files Clean:
Copyright (c) 1990 - 2006 Trend Micro Inc.
Report Date : 7/6/2009 00:07:40
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 247 (446785/446785 Patterns) (2009/07/05) (624700)

Command Line: C:\Users\Teddy\ApplicatioNs\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\Users\Teddy\ApplicatioNs\Sysclean\lpt$vpn.247

215206 files have been read.
215206 files have been checked.
214917 files have been scanned.
406558 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 7/6/2009 01:40:13 1 hour 32 minutes 32 seconds (5552.28 seconds) has elapsed.(25.800 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-07-06, 01:40:13, Clean Fail:
Copyright (c) 1990 - 2006 Trend Micro Inc.
Report Date : 7/6/2009 00:07:40
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 247 (446785/446785 Patterns) (2009/07/05) (624700)

Command Line: C:\Users\Teddy\ApplicatioNs\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\Users\Teddy\ApplicatioNs\Sysclean\lpt$vpn.247

215206 files have been read.
215206 files have been checked.
214917 files have been scanned.
406558 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 7/6/2009 01:40:13 1 hour 32 minutes 32 seconds (5552.28 seconds) has elapsed.(25.800 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-07-06, 01:40:13, Running scanner "C:\Users\Teddy\ApplicatioNs\Sysclean\VSCANTM.BIN"...
2009-07-06, 01:40:16, Scanner "C:\Users\Teddy\ApplicatioNs\Sysclean\VSCANTM.BIN" has finished running.
2009-07-06, 01:40:16, VSCANTM Log:

2009-07-06, 01:40:16, Files Detected:
Copyright (c) 1990 - 2006 Trend Micro Inc.
Report Date : 7/6/2009 01:40:14
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 247 (446785/446785 Patterns) (2009/07/05) (624700)

Command Line: C:\Users\Teddy\ApplicatioNs\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR D:\*.* /P=C:\Users\Teddy\ApplicatioNs\Sysclean\lpt$vpn.247

88 files have been read.
88 files have been checked.
88 files have been scanned.
88 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 7/6/2009 01:40:16 1 second (1.34 seconds) has elapsed.(15.261 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-07-06, 01:40:16, Files Clean:
Copyright (c) 1990 - 2006 Trend Micro Inc.
Report Date : 7/6/2009 01:40:14
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 247 (446785/446785 Patterns) (2009/07/05) (624700)

Command Line: C:\Users\Teddy\ApplicatioNs\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR D:\*.* /P=C:\Users\Teddy\ApplicatioNs\Sysclean\lpt$vpn.247

88 files have been read.
88 files have been checked.
88 files have been scanned.
88 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 7/6/2009 01:40:16 1 second (1.34 seconds) has elapsed.(15.261 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-07-06, 01:40:16, Clean Fail:
Copyright (c) 1990 - 2006 Trend Micro Inc.
Report Date : 7/6/2009 01:40:14
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 247 (446785/446785 Patterns) (2009/07/05) (624700)

Command Line: C:\Users\Teddy\ApplicatioNs\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR D:\*.* /P=C:\Users\Teddy\ApplicatioNs\Sysclean\lpt$vpn.247

88 files have been read.
88 files have been checked.
88 files have been scanned.
88 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 7/6/2009 01:40:16 1 second (1.34 seconds) has elapsed.(15.261 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*

/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006-2007, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/

2009-07-06, 11:34:03, Auto-clean mode specified.
2009-07-06, 11:34:03, Failed to initialize Rootkit Driver.
2009-07-06, 11:34:03, Running scanner "C:\Users\Teddy\ApplicatioNs\Sysclean\TSC.BIN"...
2009-07-06, 11:34:27, Scanner "C:\Users\Teddy\ApplicatioNs\Sysclean\TSC.BIN" has finished running.
2009-07-06, 11:34:27, TSC Log:

D a m a g e C l e a n u p E n g i n e ( D C E ) 6 . 1 ( B u i l d 1 0 2 7 ) ( R C M : D r i v e r n o t r e a d y ! )

W i n d o w s V i s t a ( B u i l d 6 0 0 1 : S e r v i c e P a c k 1 )

S t a r t t i m e : M o n J u l 0 6 2 0 0 9 1 1 : 3 4 : 0 6

L o a d D a m a g e C l e a n u p T e m p l a t e ( D C T ) " C : \ U s e r s \ T e d d y \ A p p l i c a t i o N s \ S y s c l e a n \ T M R D C T . p t n " ( v e r s i o n ) [ f a i l ]

L o a d D a m a g e C l e a n u p T e m p l a t e ( D C T ) " C : \ U s e r s \ T e d d y \ A p p l i c a t i o N s \ S y s c l e a n \ t s c . p t n " ( v e r s i o n 1 0 4 8 ) [ s u c c e s s ]

C o m p l e t e t i m e : M o n J u l 0 6 2 0 0 9 1 1 : 3 4 : 2 7

E x e c u t e p a t t e r n c o u n t ( 3 0 6 1 ) , V i r u s f o u n d c o u n t ( 0 ) , V i r u s c l e a n c o u n t ( 0 ) , C l e a n f a i l e d c o u n t ( 0 )

2009-07-06, 11:34:27, Running scanner "C:\Users\Teddy\ApplicatioNs\Sysclean\VSCANTM.BIN"...
2009-07-06, 13:44:18, Scanner "C:\Users\Teddy\ApplicatioNs\Sysclean\VSCANTM.BIN" has finished running.
2009-07-06, 13:44:18, VSCANTM Log:

2009-07-06, 13:44:18, Files Detected:
Copyright (c) 1990 - 2006 Trend Micro Inc.
Report Date : 7/6/2009 11:34:27
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 247 (446785/446785 Patterns) (2009/07/05) (624700)

Command Line: C:\Users\Teddy\ApplicatioNs\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\Users\Teddy\ApplicatioNs\Sysclean\lpt$vpn.247

210304 files have been read.
210304 files have been checked.
209955 files have been scanned.
395607 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 7/6/2009 13:44:17 2 hours 9 minutes 49 seconds (7788.54 seconds) has elapsed.(37.035 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-07-06, 13:44:18, Files Clean:
Copyright (c) 1990 - 2006 Trend Micro Inc.
Report Date : 7/6/2009 11:34:27
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 247 (446785/446785 Patterns) (2009/07/05) (624700)

Command Line: C:\Users\Teddy\ApplicatioNs\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\Users\Teddy\ApplicatioNs\Sysclean\lpt$vpn.247

210304 files have been read.
210304 files have been checked.
209955 files have been scanned.
395607 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 7/6/2009 13:44:17 2 hours 9 minutes 49 seconds (7788.54 seconds) has elapsed.(37.035 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-07-06, 13:44:18, Clean Fail:
Copyright (c) 1990 - 2006 Trend Micro Inc.
Report Date : 7/6/2009 11:34:27
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 247 (446785/446785 Patterns) (2009/07/05) (624700)

Command Line: C:\Users\Teddy\ApplicatioNs\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\Users\Teddy\ApplicatioNs\Sysclean\lpt$vpn.247

210304 files have been read.
210304 files have been checked.
209955 files have been scanned.
395607 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 7/6/2009 13:44:17 2 hours 9 minutes 49 seconds (7788.54 seconds) has elapsed.(37.035 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-07-06, 13:44:18, Running scanner "C:\Users\Teddy\ApplicatioNs\Sysclean\VSCANTM.BIN"...
2009-07-06, 13:44:24, Scanner "C:\Users\Teddy\ApplicatioNs\Sysclean\VSCANTM.BIN" has finished running.
2009-07-06, 13:44:24, VSCANTM Log:

2009-07-06, 13:44:24, Files Detected:
Copyright (c) 1990 - 2006 Trend Micro Inc.
Report Date : 7/6/2009 13:44:22
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 247 (446785/446785 Patterns) (2009/07/05) (624700)

Command Line: C:\Users\Teddy\ApplicatioNs\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR D:\*.* /P=C:\Users\Teddy\ApplicatioNs\Sysclean\lpt$vpn.247

88 files have been read.
88 files have been checked.
88 files have been scanned.
88 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 7/6/2009 13:44:24 1 second (1.50 seconds) has elapsed.(17.057 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-07-06, 13:44:24, Files Clean:
Copyright (c) 1990 - 2006 Trend Micro Inc.
Report Date : 7/6/2009 13:44:22
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 247 (446785/446785 Patterns) (2009/07/05) (624700)

Command Line: C:\Users\Teddy\ApplicatioNs\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR D:\*.* /P=C:\Users\Teddy\ApplicatioNs\Sysclean\lpt$vpn.247

88 files have been read.
88 files have been checked.
88 files have been scanned.
88 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 7/6/2009 13:44:24 1 second (1.50 seconds) has elapsed.(17.057 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-07-06, 13:44:24, Clean Fail:
Copyright (c) 1990 - 2006 Trend Micro Inc.
Report Date : 7/6/2009 13:44:22
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 247 (446785/446785 Patterns) (2009/07/05) (624700)

Command Line: C:\Users\Teddy\ApplicatioNs\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR D:\*.* /P=C:\Users\Teddy\ApplicatioNs\Sysclean\lpt$vpn.247

88 files have been read.
88 files have been checked.
88 files have been scanned.
88 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 7/6/2009 13:44:24 1 second (1.50 seconds) has elapsed.(17.057 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*

/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006-2007, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/

2009-07-06, 13:57:30, Auto-clean mode specified.
2009-07-06, 13:57:30, Failed to initialize Rootkit Driver.
2009-07-06, 13:57:30, Running scanner "C:\Users\Teddy\ApplicatioNs\Sysclean\TSC.BIN"...
2009-07-06, 13:57:59, Scanner "C:\Users\Teddy\ApplicatioNs\Sysclean\TSC.BIN" has finished running.
2009-07-06, 13:57:59, TSC Log:

D a m a g e C l e a n u p E n g i n e ( D C E ) 6 . 1 ( B u i l d 1 0 2 7 ) ( R C M : D r i v e r n o t r e a d y ! )

W i n d o w s V i s t a ( B u i l d 6 0 0 1 : S e r v i c e P a c k 1 )

S t a r t t i m e : M o n J u l 0 6 2 0 0 9 1 3 : 5 7 : 3 2

L o a d D a m a g e C l e a n u p T e m p l a t e ( D C T ) " C : \ U s e r s \ T e d d y \ A p p l i c a t i o N s \ S y s c l e a n \ T M R D C T . p t n " ( v e r s i o n ) [ f a i l ]

L o a d D a m a g e C l e a n u p T e m p l a t e ( D C T ) " C : \ U s e r s \ T e d d y \ A p p l i c a t i o N s \ S y s c l e a n \ t s c . p t n " ( v e r s i o n 1 0 4 8 ) [ s u c c e s s ]

C o m p l e t e t i m e : M o n J u l 0 6 2 0 0 9 1 3 : 5 7 : 5 9

E x e c u t e p a t t e r n c o u n t ( 3 0 6 1 ) , V i r u s f o u n d c o u n t ( 0 ) , V i r u s c l e a n c o u n t ( 0 ) , C l e a n f a i l e d c o u n t ( 0 )

2009-07-06, 13:57:59, Running scanner "C:\Users\Teddy\ApplicatioNs\Sysclean\VSCANTM.BIN"...
2009-07-06, 14:03:32, Scanner "C:\Users\Teddy\ApplicatioNs\Sysclean\VSCANTM.BIN" has finished running.
2009-07-06, 14:03:32, VSCANTM Log:

2009-07-06, 14:03:32, Files Detected:
Copyright (c) 1990 - 2006 Trend Micro Inc.
Report Date : 7/6/2009 13:57:59
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 247 (446785/446785 Patterns) (2009/07/05) (624700)

Command Line: C:\Users\Teddy\ApplicatioNs\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\Windows\*.* /P=C:\Users\Teddy\ApplicatioNs\Sysclean\lpt$vpn.247

2009-07-06, 14:03:32, Files Clean:
Copyright (c) 1990 - 2006 Trend Micro Inc.
Report Date : 7/6/2009 13:57:59
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 247 (446785/446785 Patterns) (2009/07/05) (624700)

Command Line: C:\Users\Teddy\ApplicatioNs\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\Windows\*.* /P=C:\Users\Teddy\ApplicatioNs\Sysclean\lpt$vpn.247

2009-07-06, 14:03:32, Clean Fail:
Copyright (c) 1990 - 2006 Trend Micro Inc.
Report Date : 7/6/2009 13:57:59
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 247 (446785/446785 Patterns) (2009/07/05) (624700)

Command Line: C:\Users\Teddy\ApplicatioNs\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\Windows\*.* /P=C:\Users\Teddy\ApplicatioNs\Sysclean\lpt$vpn.247

2009-07-06, 14:03:32, The user stopped the operation.

bear38 0 Light Poster · Answer 2 · 2009-07-07T11:05:57+00:00

Well, sorry for the confusion but I really just dropped down to this forum because I had the same problem as 'Stormie' here: http://www.daniweb.com/forums/thread201672.html

Anyway, here's the chronology:
1. I got the virus. Tried to clean them using my Free AVG8.5. The virus was not detected at all even though AVG Resident Shield kept reporting them. Tried to scan in Safe Mode, no result also.
2. Found this site, especially the thread posted by 'Stormie', who has the same problem as me. I've been following his thread, but I hadn't joined as a member here at that time.
3. I have no idea what's HiJackThis. Hence, I don't have it's log and so do not post it. I also didn't try any programs advised by crunchie, as Stormie reported that none of them have been successful.
4. [Sorry for the confusion, it seems that I used Sysclean because it was advised in another forum]. Sysclean also didn't detect the trojan. I'm sure I ran it in Safe Mode, at least twice. But then I ran it in Normal Mode once. Sorry, I don't know whether it's OK to run in Normal Mode or not.
5. In this forum, crunchie advised Combofix, but Stormie haven't replied. So this time I tried Combofix, following the instructions given as much as I can. And it worked. So I decided to report that this works, and hence joined as a member and posted a reply.
6. It seems that during the time I was using Combofix, Stormie had posted a reply stating that he decided to reformat his computer, so my reply was a tad later than his.
7. Some time after that, crunchie moved my post to THIS thread. So, that's how I got here. Sorry but I really have no idea what's going on.

I'm using Windows Vista Home Premium 32-bit and Mozilla Firefox 3.0.11, by the way.

bear38 0 Light Poster · Answer 3 · 2009-07-08T10:04:10+00:00

Hi. Since it's working days I cannot do all your queries fast. In the meantime, here is the MBA-M log:

Malwarebytes' Anti-Malware 1.38
Database version: 2384
Windows 6.0.6001 Service Pack 1

7/7/2009 4:40:49 PM
mbam-log-2009-07-07 (16-40-49).txt

Scan type: Full Scan (C:\|)
Objects scanned: 304725
Time elapsed: 2 hour(s), 9 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\{NSINAME} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Qoobox\quarantine\C\Windows\System32\hjgruitfiuqour.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.

bear38 0 Light Poster · Answer 4 · 2009-07-09T11:22:29+00:00

Okay, here's ESET log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.5886
# api_version=3.0.2
# EOSSerial=110ed2702812ee4c858d2de9b2719279
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-07-09 05:32:09
# local_time=2009-07-09 01:32:09 (+0800, Malay Peninsula Standard Time)
# country="Singapore"
# lang=1033
# osver=6.0.6001 NT Service Pack 1
# compatibility_mode=1026 61 83 97 145699397958
# compatibility_mode=5889 61 66 100 463892102913466
# scanned=217339
# found=0
# cleaned=0
# scan_time=5956

bear38 0 Light Poster · Answer 5 · 2009-07-09T11:32:06+00:00

And, HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:43:48 PM, on 9/7/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [VMCL] C:\Program Files\vodafone\vmclite\DongleEnumerator.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6893 bytes

Is there any unwanted thing up there?

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 6 · 2009-07-09T19:29:59+00:00

Do you have items disabled using msconfig? If so, can you go back in and re-enable them, reboot and run another HJT scan and post the log?

bear38 0 Light Poster · Answer 7 · 2009-07-11T01:15:11+00:00

Okay here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:24:40 AM, on 11/7/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\wbem\unsecapp.exe
F:\PhoneConnectorVMC.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [VMCL] C:\Program Files\vodafone\vmclite\DongleEnumerator.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7638 bytes

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 8 · 2009-07-11T02:55:47+00:00

Can you please do the following.

===============

Can you disable Windows Defender as it may interfere with the removal process. Please leave it disabled until your PC has been given the all clear.

Open Windows Defender
Click Tools
Click General Settings
Scroll down to Real Time Protection Options
Uncheck Turn on Real Time Protection (recommended)
After you uncheck this, click on the Save button
Close Windows Defender

===============

Scan with HijackThis and then place a check next to all the following, if present:

R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O13 - Gopher Prefix:

Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.

dantheavgman 0 Newbie Poster · Answer 9 · 2009-07-12T19:58:05+00:00

Hi the following i dont think will resolve your issue

R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O13 - Gopher Prefix:

Please can you have a look if gmer still finds the following

c:\windows\system32\drivers\hjgruiljqpcxnp.sys

also the infection is coming from most porbably this registry entry

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\hjgruiljqpcxnp

as this has a injector to download the trojan again once you delete the service can you have a look :) look under controlset001 and 002 etc findng the key hjgruiljqpcxnp you need to set permissions again right click the key add "everyone" give it full control

and if you are a paid user of avg call us :D

Daniel :)

AVG Technical Support

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 10 · 2009-07-13T02:56:26+00:00

Hi the following i dont think will resolve your issue
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O13 - Gopher Prefix:

None the less they should be fixed.

Please can you have a look if gmer still finds the following
c:\windows\system32\drivers\hjgruiljqpcxnp.sys

also the infection is coming from most porbably this registry entry
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\hjgruiljqpcxnp
as this has a injector to download the trojan again once you delete the service can you have a look :) look under controlset001 and 002 etc findng the key hjgruiljqpcxnp you need to set permissions again right click the key add "everyone" give it full control
and if you are a paid user of avg call us :D
Daniel :)
AVG Technical Support

Combofix already removed it.
I do not see where the OP has said he is still having problems anyway.
Maybe he can let us know?

bear38 0 Light Poster · Answer 11 · 2009-07-14T09:42:23+00:00

Sorry, didn't notice that there are new posts here. So, here's the log after I disabled Windows Defender:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:58 AM, on 14/7/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [VMCL] C:\Program Files\vodafone\vmclite\DongleEnumerator.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7491 bytes

Then, removed the 3 files you mentioned, reboot, rescanned, and here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:17 AM, on 14/7/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [VMCL] C:\Program Files\vodafone\vmclite\DongleEnumerator.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7557 bytes

My PC seems to be running normally after ComboFix removed the trojan, but I don't know whether there will be upcoming problems or not.

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 12 · 2009-07-14T10:32:22+00:00

Your log looks ok. Let us know in a couple of days how things are.

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the /, it needs to be there.