jthm103355

This is my second thread, the first did not provide the needed scans.
Symptoms; Clicking sounds in the background, IE popups, Low bandwidth. Avg catches several Trojans, after removal they reappear several hours later. I can not find the root cause. Please help.

Requested scans have been included.

DDS (Ver_09-06-26.01) - NTFSx86
Run by cbf at 9:30:57.73 on Thu 07/16/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1563 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\cbf\LOCALS~1\Temp\C.tmp.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\msa.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\cbf\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = 193.30.164.3:80
mSearchAssistant = hxxp://www.google.com/ie
BHO: {3BB81EB7-CF3F-4EAB-9EB1-E0BD1968713F} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: XML Class: {500bca15-57a7-4eaf-8143-8c619470b13d} - c:\windows\system32\msxml71.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [Cognac] c:\docume~1\cbf\locals~1\temp\C.tmp.exe
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189598651937
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: Antiwpa - antiwpa.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: efcAqoNd - efcAqoNd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Authentication Packages = msv1_0 c:\windows\system32\hgGxWmjJ

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cbf\applic~1\mozilla\firefox\profiles\fz2y91ro.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - prefs.js: network.proxy.http - 200.88.114.166
FF - prefs.js: network.proxy.http_port - 80
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-29 327688]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-29 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-29 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-4 906520]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-4 298776]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2007-10-23 269824]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-07-15 17:51 138,752 a------- c:\windows\msa.exe
2009-07-15 17:51 141,828 a------- c:\windows\system32\msxml71.dll
2009-07-14 19:16 118 a------- c:\windows\system32\MRT.INI
2009-07-14 19:10 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-07-14 19:10 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-07-14 19:10 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-07-14 19:10 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-07-14 19:10 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-07-14 19:10 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-07-14 19:10 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-07-14 19:10 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-07-14 19:10 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-07-14 19:10 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-07-14 19:10 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-07-14 19:10 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-07-05 14:39 4,178,264 a------- c:\windows\system32\D3DX9_41.dll
2009-07-05 14:39 1,846,632 a------- c:\windows\system32\D3DCompiler_41.dll
2009-07-05 14:39 453,456 a------- c:\windows\system32\d3dx10_41.dll
2009-07-05 14:39 517,448 a------- c:\windows\system32\XAudio2_4.dll
2009-07-05 14:39 69,448 a------- c:\windows\system32\XAPOFX1_3.dll
2009-07-05 14:39 235,352 a------- c:\windows\system32\xactengine3_4.dll
2009-06-26 16:53 <DIR> --dsh--- C:\found.000
2009-06-24 21:06 <DIR> --d----- c:\program files\thinkorswim
2009-06-16 10:36 119,808 -c------ c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -c------ c:\windows\system32\dllcache\fontsub.dll

==================== Find3M ====================

2009-06-28 09:35 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-28 09:35 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-03-08 18:07 17,144 a------- c:\docume~1\cbf\applic~1\GDIPFONTCACHEV1.DAT
2008-01-20 15:18 87,608 a------- c:\docume~1\cbf\applic~1\inst.exe
2008-01-20 15:18 47,360 a------- c:\docume~1\cbf\applic~1\pcouffin.sys
2006-06-23 02:48 32,768 a----r-- c:\windows\inf\UpdateUSB.exe
2008-11-10 20:16 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008111020081111\index.dat

============= FINISH: 9:31:16.65 ===============

Attached Files

ark,attach.rar (5.6 KB, 1 views)

jthm103355

Bump, Please I seriously need help. There is now CF.tmp.exe. I believe this is a back door Trojan.

jthm103355

Thanks, great help here on this forum.