Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 


Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Reload this Page XP Infected with malware ProgDav and AntiVir XP 2008 fake program
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read


Resolved HJT Threads Resolved spyware and popup issues.

 
 
LinkBack Thread Tools
Old 08-04-2008, 11:32 AM   #1 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 14
OS: XP


XP Infected with malware ProgDav and AntiVir XP 2008 fake program
I have a client who opened a fake email attachment from UPS, which caused quite some havoc with her PC. Popups claiming that the PC had 12 00 spyware infections and a fake security center would come up with spyware information. Also an ad saying to buy AntiVirus XP 2008 and then after letting the PC idle for a good bit of time a screensaver with a BSOD followed by a Windows is restarting screen.
I have run a number of malware scans including Hitman Pro and the spyware doctor found numerous problems, but could not fix. The spysweeper found Trojan-Progdav and said it fixed, but still has the AntiVir XP 2008 in the Add remove Programs and also still get the screensaver coming up. I have tried to remove the AntiVir Xp 2008 from add remove programs, but doesn't remove. I have followed the 5 steps in the HiJack This Help forum and have run Active Scan followed by DSS and have attached the logs for some ones viewing pleasure. Thanks!

Here is the Main log"

Deckard's System Scanner v20071014.68
Run by bthrasher on 2008-08-04 06:47:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-08-04 11:47:20 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 503 MiB (512 MiB recommended).


-- HijackThis (run as bthrasher.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:49:14 AM, on 8/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Sharp\Sharpdesk\IndexTray.exe
C:\Program Files\Sharp\Sharpdesk\Indexer.exe
C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe
C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Sharp\Sharpdesk\FtpServer.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Timeslips\TSTimer.exe
C:\Program Files\Sharp\Sharpdesk\nsapp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Documents and Settings\bthrasher\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\bthrasher.exe
C:\WINDOWS\system32\HPBPRO.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.111.*
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [IndexTray] "C:\Program Files\Sharp\Sharpdesk\IndexTray.exe"
O4 - HKLM\..\Run: [Indexer] "C:\Program Files\Sharp\Sharpdesk\Indexer.exe"
O4 - HKLM\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
O4 - HKLM\..\Run: [TypeRegChecker] "C:\Program Files\Sharp\Sharpdesk\TypeRegChecker.exe"
O4 - HKLM\..\Run: [FtpServer.exe] "C:\Program Files\Sharp\Sharpdesk\FtpServer.exe" -usedefault
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [SymLnch] "C:\DOCUME~1\ADMINI~1.SWL\APPLIC~1\Symantec\Layouts\NORTON~1\1500~1.60\SYMALL~1\NIS_RE~1\90100\Support\SymLnch\SymLnch.exe" "C:\DOCUME~1\ADMINI~1.SWL\APPLIC~1\Symantec\Layouts\NORTON~1\1500~1.60\SYMALL~1\NIS_RE~1\90100\Setup.exe" "/SCANUPREBOOT /temp /patched"
O4 - HKCU\..\Run: [TSTimer] "C:\Program Files\Timeslips\TSTimer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Lookup on CD - c:\AHD4withThesaurus\ahd.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Lookup on CD - {CB9CDC2D-0AB4-4031-A1F7-E9B4070CE521} - c:\AHD4withThesaurus\ahd.htm (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://mail1/ConnectComputer/nshelp.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1121454892203
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SWLAW.local
O17 - HKLM\Software\..\Telephony: DomainName = SWLAW.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6BCB16E-816D-4A01-9073-9B0132D8B32F}: NameServer = 192.168.111.10,12.166.24.72,12.166.24.73
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SWLAW.local
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: cru629.dat??h?5.1,avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 9084 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 COH_Mon - c:\windows\system32\drivers\coh_mon.sys (file missing)
S3 SymIM (Symantec Network Security Intermediate Filter Service) - c:\windows\system32\drivers\symim.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 BAsfIpM (Broadcom ASF IP monitoring service v6.0.4) - c:\windows\system32\basfipm.exe <Not Verified; Broadcom Corp.; Broadcom ASF IP monitoring service>
R2 winvnc (VNC Server) - "c:\program files\ultravnc\winvnc.exe" -service <Not Verified; UltraVNC; UltraVNC>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-07-04 and 2008-08-04 -----------------------------

2008-08-03 17:47:46 0 d-------- C:\Program Files\SpywareBlaster
2008-08-03 16:18:34 0 d-------- C:\Program Files\Panda Security
2008-08-03 16:00:07 0 d-------- C:\Program Files\Trend Micro
2008-07-30 08:12:49 0 d-------- C:\Documents and Settings\proberts\Recent
2008-07-30 08:12:49 0 d-------- C:\Documents and Settings\kwalls\Recent
2008-07-30 08:12:49 0 d-------- C:\Documents and Settings\bthrasher\Recent
2008-07-30 08:12:49 0 d-------- C:\Documents and Settings\bthrasher.BETH\Recent
2008-07-30 08:12:49 0 d-------- C:\Documents and Settings\All Users\Recent
2008-07-30 08:12:49 0 d-------- C:\Documents and Settings\Administrator\Recent
2008-07-30 08:12:49 0 d-------- C:\Documents and Settings\administrator.SWLAW\Recent
2008-07-30 08:12:49 0 d-------- C:\Documents and Settings\__sbs_netsetup__\Recent
2008-07-30 08:11:29 0 d-------- C:\Documents and Settings\proberts\Cookies
2008-07-30 08:11:29 0 d-------- C:\Documents and Settings\kwalls\Cookies
2008-07-30 08:11:29 0 d-------- C:\Documents and Settings\bthrasher.BETH\Cookies
2008-07-30 08:11:29 0 d-------- C:\Documents and Settings\All Users\Cookies
2008-07-30 08:11:29 0 d-------- C:\Documents and Settings\Administrator\Cookies
2008-07-30 08:11:29 0 d-------- C:\Documents and Settings\administrator.SWLAW\Cookies
2008-07-30 08:11:29 0 d-------- C:\Documents and Settings\__sbs_netsetup__\Cookies
2008-07-29 19:00:11 0 d-------- C:\Documents and Settings\administrator.SWLAW\Application Data\Lavasoft
2008-07-29 18:52:07 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-29 18:48:54 164 --a------ C:\install.dat
2008-07-29 18:48:24 0 d-------- C:\Program Files\Lavasoft
2008-07-29 18:35:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-07-29 18:35:16 0 d-------- C:\Temp
2008-07-29 18:11:40 0 d-------- C:\WINDOWS\system32\GroupPolicy
2008-07-29 18:11:18 0 d-------- C:\Program Files\Hitman Pro
2008-07-25 09:34:22 0 d--h----- C:\$AVG8.VAULT$
2008-07-25 08:58:38 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-25 08:58:24 0 d-------- C:\Program Files\AVG
2008-07-25 08:58:24 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-25 08:07:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-25 08:04:50 0 d-------- C:\WINDOWS\pss
2008-07-25 08:03:27 0 d-------- C:\Documents and Settings\administrator.SWLAW\Application Data\U3
2008-07-24 19:48:58 0 d-------- C:\WINDOWS\system32\appmgmt
2008-07-24 18:31:28 0 d-------- C:\Documents and Settings\administrator.SWLAW\Application Data\Macromedia
2008-07-24 18:13:39 0 d-------- C:\Documents and Settings\administrator.SWLAW\Application Data\rhc5scj0e96j
2008-07-24 16:51:31 0 d-------- C:\Program Files\rhc5scj0e96j
2008-07-24 16:49:09 60928 --a------ C:\WINDOWS\system32\blphc1scj0e96j.scr <Not Verified; Sysinternals; Sysinternals Blue Screen>
2008-07-24 11:05:24 14772 --a------ C:\WINDOWS\otedody.sys
2008-07-24 11:05:24 18165 --a------ C:\WINDOWS\hazupexory.dat
2008-07-24 11:05:24 17564 --a------ C:\Program Files\Common Files\lupynuhum.scr
2008-07-24 11:05:24 19041 --a------ C:\Program Files\Common Files\juhufema.dll
2008-07-24 11:05:24 17878 --a------ C:\Documents and Settings\bthrasher\Application Data\synedere.dat
2008-07-24 11:05:24 10767 --a------ C:\Documents and Settings\bthrasher\Application Data\otisunehe.reg
2008-07-24 11:05:24 10643 --a------ C:\Documents and Settings\bthrasher\Application Data\okypuga.sys
2008-07-24 11:05:24 18494 --a------ C:\Documents and Settings\bthrasher\Application Data\kuwy.com
2008-07-24 11:05:24 19041 --a------ C:\Documents and Settings\All Users\Application Data\yvunezas.sys
2008-07-24 11:05:24 12451 --a------ C:\Documents and Settings\All Users\Application Data\yrovekyq.reg
2008-07-24 11:05:24 12813 --a------ C:\Documents and Settings\All Users\Application Data\yhik.exe
2008-07-24 11:05:24 17374 --a------ C:\Documents and Settings\All Users\Application Data\witicuz.scr
2008-07-24 11:05:24 14175 --a------ C:\Documents and Settings\All Users\Application Data\lovo.com
2008-07-24 11:05:24 14872 --a------ C:\Documents and Settings\All Users\Application Data\kicysuqa.scr
2008-07-15 15:09:21 0 d-------- C:\Program Files\Sun
2008-07-09 17:54:39 0 d-------- C:\Documents and Settings\administrator.SWLAW\Application Data\Adobe
2008-07-09 17:49:19 0 d-------- C:\Documents and Settings\administrator.SWLAW\Application Data\Windows Desktop Search
2008-07-09 17:48:08 0 d--h----- C:\Documents and Settings\administrator.SWLAW\Templates
2008-07-09 17:48:08 0 dr------- C:\Documents and Settings\administrator.SWLAW\Start Menu
2008-07-09 17:48:08 0 dr-h----- C:\Documents and Settings\administrator.SWLAW\SendTo
2008-07-09 17:48:08 0 d--h----- C:\Documents and Settings\administrator.SWLAW\PrintHood
2008-07-09 17:48:08 4718592 --ah----- C:\Documents and Settings\administrator.SWLAW\NTUSER.DAT
2008-07-09 17:48:08 0 d--h----- C:\Documents and Settings\administrator.SWLAW\NetHood
2008-07-09 17:48:08 0 dr------- C:\Documents and Settings\administrator.SWLAW\My Documents
2008-07-09 17:48:08 0 d--h----- C:\Documents and Settings\administrator.SWLAW\Local Settings
2008-07-09 17:48:08 0 dr------- C:\Documents and Settings\administrator.SWLAW\Favorites
2008-07-09 17:48:08 0 d-------- C:\Documents and Settings\administrator.SWLAW\Desktop
2008-07-09 17:48:08 0 dr-h----- C:\Documents and Settings\administrator.SWLAW\Application Data
2008-07-09 17:48:08 0 d-------- C:\Documents and Settings\administrator.SWLAW\Application Data\Symantec
2008-07-09 17:48:08 0 d-------- C:\Documents and Settings\administrator.SWLAW\Application Data\Sun
2008-07-09 17:48:08 0 d---s---- C:\Documents and Settings\administrator.SWLAW\Application Data\Microsoft
2008-07-09 17:48:08 0 d-------- C:\Documents and Settings\administrator.SWLAW\Application Data\Identities


-- Find3M Report ---------------------------------------------------------------

2008-07-29 18:48:13 0 d-------- C:\Program Files\Common Files
2008-07-28 11:45:40 848 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-07-25 08:09:08 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-24 11:05:24 10923 --a------ C:\Documents and Settings\bthrasher\Application Data\yneco.ban
2008-07-24 11:05:24 15559 --a------ C:\Documents and Settings\bthrasher\Application Data\rymibyd.dl
2008-07-24 11:05:24 11243 --a------ C:\Documents and Settings\bthrasher\Application Data\javofojix.ban
2008-07-23 13:15:08 0 d-------- C:\Documents and Settings\bthrasher\Application Data\Wal-Mart Digital Photo Manager
2008-07-15 15:08:25 0 d-------- C:\Program Files\Java
2008-06-05 13:37:21 2528 --a------ C:\Documents and Settings\bthrasher\Application Data\$_hpcst$.hpc
2008-06-05 13:34:05 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-05-15 12:09:57 501438 --a------ C:\Documents and Settings\bthrasher\Application Data\fontlst2.opf


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [04/26/2004 09:04 AM]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [02/27/2004 12:29 PM]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [05/20/2004 11:40 AM]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [01/07/2004 02:02 PM]
"IndexTray"="C:\Program Files\Sharp\Sharpdesk\IndexTray.exe" [09/14/2004 03:53 PM]
"Indexer"="C:\Program Files\Sharp\Sharpdesk\Indexer.exe" [09/14/2004 03:54 PM]
"SharpTray"="C:\Program Files\Sharp\Sharpdesk\SharpTray.exe" [09/14/2004 04:02 PM]
"TypeRegChecker"="C:\Program Files\Sharp\Sharpdesk\TypeRegChecker.exe" [09/14/2004 03:55 PM]
"FtpServer.exe"="C:\Program Files\Sharp\Sharpdesk\FtpServer.exe" [09/13/2004 06:07 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/17/2005 08:31 AM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [10/14/2005 03:49 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [10/14/2005 03:46 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [10/14/2005 03:50 PM]
"WinVNC"="C:\Program Files\UltraVNC\WinVNC.exe" [06/18/2006 02:56 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [08/04/2004 06:00 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/25/2008 08:58 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TSTimer"="C:\Program Files\Timeslips\TSTimer.exe" [11/01/2004 04:55 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [05/18/2007 09:44 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [11/13/2006 01:39 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SymLnch"="C:\DOCUME~1\ADMINI~1.SWL\APPLIC~1\Symantec\Layouts\NORTON~1\1500~1.60\SYMALL~1\NIS_RE~1\90100\Support\SymLnch\SymLnch.exe" "C:\DOCUME~1\ADMINI~1.SWL\APPLIC~1\Symantec\Layouts\NORTON~1\1500~1.60\SYMALL~1\NIS_RE~1\90100\Setup.exe" "/SCANUPREBOOT /temp /patched"

C:\Documents and Settings\bthrasher\Start Menu\Programs\Startup\
DESKTOP.INI [8/11/2004 6:15:06 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [8/11/2004 6:15:06 PM]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2/5/2007 3:40:46 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [02/05/2007 03:39 PM 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=cru629.dat??h?5.1,avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Rxd38.sys]
@="Driver"

*Newly Created Service* - PAVBOOT



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8910 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-08-04 06:49:56 ------------
Attached Files
File Type: txt ActiveScan.txt (5.6 KB, 2 views)
File Type: txt extra.txt (21.8 KB, 2 views)
j_sollars is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Important Information
Join the #1 Tech Support Forum Today - It's Totally Free!

TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free.

Join TechSupportforum.com Today - Click Here

Old 08-07-2008, 10:14 AM   #2 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,283
OS: XP SP3


Re: XP Infected with malware ProgDav and AntiVir XP 2008 fake program
Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

You actually attached main.txt instead of extra.txt to your last post. If you still need help and are not receiving help elsewhere, please do the following:

Run dss.exe again, but use these instructions(this assumes dss.exe is on your desktop):
  • Click Start >> Run then copy/paste the following text into the Run box & click OK
    "%userprofile%\desktop\dss.exe" /config
  • Click Run
  • Click Check All
  • Click Uncheck All
  • Under the Extra Log heading, check all the boxes.
  • Click Scan!
  • Please attach extra.txt to your post.
To attach a file to a new post, simply
  • Click the Manage Attachments button under Additional Options > Attach Files on the post composition page, and
  • Copy and Paste the following into the Upload File from your Computer box:
    C:\Deckard\System Scanner\extra.txt
  • Click Upload
------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-13-2008, 06:49 PM   #3 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 14
OS: XP


Re: XP Infected with malware ProgDav and AntiVir XP 2008 fake program
I have attached the extra.txt to this reply!
Attached Files
File Type: txt extra.txt (16.8 KB, 6 views)
j_sollars is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-13-2008, 07:11 PM   #4 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,283
OS: XP SP3


Re: XP Infected with malware ProgDav and AntiVir XP 2008 fake program
Since it has been awhile:

Run dss.exe again by double-clicking and post a new main.txt here.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-14-2008, 06:02 AM   #5 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 14
OS: XP


Re: XP Infected with malware ProgDav and AntiVir XP 2008 fake program
Here is the main.txt file.

Deckard's System Scanner v20071014.68
Run by bthrasher on 2008-08-14 06:57:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 91% (more than 75%).
Total Physical Memory: 503 MiB (512 MiB recommended).


-- HijackThis (run as bthrasher.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:00 AM, on 8/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Sharp\Sharpdesk\IndexTray.exe
C:\Program Files\Sharp\Sharpdesk\Indexer.exe
C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe
C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
C:\Program Files\Sharp\Sharpdesk\FtpServer.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Sharp\Sharpdesk\nsapp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Timeslips\TSTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Documents and Settings\bthrasher\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\BTHRAS~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.111.*
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [IndexTray] "C:\Program Files\Sharp\Sharpdesk\IndexTray.exe"
O4 - HKLM\..\Run: [Indexer] "C:\Program Files\Sharp\Sharpdesk\Indexer.exe"
O4 - HKLM\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
O4 - HKLM\..\Run: [TypeRegChecker] "C:\Program Files\Sharp\Sharpdesk\TypeRegChecker.exe"
O4 - HKLM\..\Run: [FtpServer.exe] "C:\Program Files\Sharp\Sharpdesk\FtpServer.exe" -usedefault
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [SymLnch] "C:\DOCUME~1\ADMINI~1.SWL\APPLIC~1\Symantec\Layouts\NORTON~1\1500~1.60\SYMALL~1\NIS_RE~1\90100\Support\SymLnch\SymLnch.exe" "C:\DOCUME~1\ADMINI~1.SWL\APPLIC~1\Symantec\Layouts\NORTON~1\1500~1.60\SYMALL~1\NIS_RE~1\90100\Setup.exe" "/SCANUPREBOOT /temp /patched"
O4 - HKCU\..\Run: [TSTimer] "C:\Program Files\Timeslips\TSTimer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Lookup on CD - c:\AHD4withThesaurus\ahd.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Lookup on CD - {CB9CDC2D-0AB4-4031-A1F7-E9B4070CE521} - c:\AHD4withThesaurus\ahd.htm (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://mail1/ConnectComputer/nshelp.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1121454892203
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SWLAW.local
O17 - HKLM\Software\..\Telephony: DomainName = SWLAW.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6BCB16E-816D-4A01-9073-9B0132D8B32F}: NameServer = 192.168.111.10,12.166.24.72,12.166.24.73
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SWLAW.local
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: cru629.dat??h?5.1,avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 9185 bytes

-- Files created between 2008-07-14 and 2008-08-14 -----------------------------

2008-08-03 17:47:46 0 d-------- C:\Program Files\SpywareBlaster
2008-08-03 16:18:34 0 d-------- C:\Program Files\Panda Security
2008-08-03 16:00:07 0 d-------- C:\Program Files\Trend Micro
2008-07-30 08:12:49 0 d-------- C:\Documents and Settings\proberts\Recent
2008-07-30 08:12:49 0 d-------- C:\Documents and Settings\kwalls\Recent
2008-07-30 08:12:49 0 d-------- C:\Documents and Settings\bthrasher\Recent
2008-07-30 08:12:49 0 d-------- C:\Documents and Settings\bthrasher.BETH\Recent
2008-07-30 08:12:49 0 d-------- C:\Documents and Settings\All Users\Recent
2008-07-30 08:12:49 0 d-------- C:\Documents and Settings\Administrator\Recent
2008-07-30 08:12:49 0 d-------- C:\Documents and Settings\administrator.SWLAW\Recent
2008-07-30 08:12:49 0 d-------- C:\Documents and Settings\__sbs_netsetup__\Recent
2008-07-30 08:11:29 0 d-------- C:\Documents and Settings\proberts\Cookies
2008-07-30 08:11:29 0 d-------- C:\Documents and Settings\kwalls\Cookies
2008-07-30 08:11:29 0 d-------- C:\Documents and Settings\bthrasher.BETH\Cookies
2008-07-30 08:11:29 0 d-------- C:\Documents and Settings\All Users\Cookies
2008-07-30 08:11:29 0 d-------- C:\Documents and Settings\Administrator\Cookies
2008-07-30 08:11:29 0 d-------- C:\Documents and Settings\administrator.SWLAW\Cookies
2008-07-30 08:11:29 0 d-------- C:\Documents and Settings\__sbs_netsetup__\Cookies
2008-07-29 19:00:11 0 d-------- C:\Documents and Settings\administrator.SWLAW\Application Data\Lavasoft
2008-07-29 18:52:07 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-29 18:48:54 164 --a------ C:\install.dat
2008-07-29 18:48:24 0 d-------- C:\Program Files\Lavasoft
2008-07-29 18:35:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-07-29 18:35:16 0 d-------- C:\Temp
2008-07-29 18:11:40 0 d-------- C:\WINDOWS\system32\GroupPolicy
2008-07-29 18:11:18 0 d-------- C:\Program Files\Hitman Pro
2008-07-25 09:34:22 0 d--h----- C:\$AVG8.VAULT$
2008-07-25 08:58:38 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-25 08:58:24 0 d-------- C:\Program Files\AVG
2008-07-25 08:58:24 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-25 08:07:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-25 08:04:50 0 d-------- C:\WINDOWS\pss
2008-07-25 08:03:27 0 d-------- C:\Documents and Settings\administrator.SWLAW\Application Data\U3
2008-07-24 19:48:58 0 d-------- C:\WINDOWS\system32\appmgmt
2008-07-24 18:31:28 0 d-------- C:\Documents and Settings\administrator.SWLAW\Application Data\Macromedia
2008-07-24 18:13:39 0 d-------- C:\Documents and Settings\administrator.SWLAW\Application Data\rhc5scj0e96j
2008-07-24 16:51:31 0 d-------- C:\Program Files\rhc5scj0e96j
2008-07-24 16:49:09 60928 --a------ C:\WINDOWS\system32\blphc1scj0e96j.scr <Not Verified; Sysinternals; Sysinternals Blue Screen>
2008-07-24 11:05:24 14772 --a------ C:\WINDOWS\otedody.sys
2008-07-24 11:05:24 18165 --a------ C:\WINDOWS\hazupexory.dat
2008-07-24 11:05:24 17564 --a------ C:\Program Files\Common Files\lupynuhum.scr
2008-07-24 11:05:24 19041 --a------ C:\Program Files\Common Files\juhufema.dll
2008-07-24 11:05:24 17878 --a------ C:\Documents and Settings\bthrasher\Application Data\synedere.dat
2008-07-24 11:05:24 10767 --a------ C:\Documents and Settings\bthrasher\Application Data\otisunehe.reg
2008-07-24 11:05:24 10643 --a------ C:\Documents and Settings\bthrasher\Application Data\okypuga.sys
2008-07-24 11:05:24 18494 --a------ C:\Documents and Settings\bthrasher\Application Data\kuwy.com
2008-07-24 11:05:24 19041 --a------ C:\Documents and Settings\All Users\Application Data\yvunezas.sys
2008-07-24 11:05:24 12451 --a------ C:\Documents and Settings\All Users\Application Data\yrovekyq.reg
2008-07-24 11:05:24 12813 --a------ C:\Documents and Settings\All Users\Application Data\yhik.exe
2008-07-24 11:05:24 17374 --a------ C:\Documents and Settings\All Users\Application Data\witicuz.scr
2008-07-24 11:05:24 14175 --a------ C:\Documents and Settings\All Users\Application Data\lovo.com
2008-07-24 11:05:24 14872 --a------ C:\Documents and Settings\All Users\Application Data\kicysuqa.scr
2008-07-15 15:09:21 0 d-------- C:\Program Files\Sun


-- Find3M Report ---------------------------------------------------------------

2008-08-13 17:33:36 0 d-------- C:\Program Files\Messenger
2008-08-12 09:50:45 848 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-08-07 12:56:10 0 d-------- C:\Documents and Settings\bthrasher\Application Data\Wal-Mart Digital Photo Manager
2008-07-29 18:48:13 0 d-------- C:\Program Files\Common Files
2008-07-25 08:09:08 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-24 11:05:24 10923 --a------ C:\Documents and Settings\bthrasher\Application Data\yneco.ban
2008-07-24 11:05:24 15559 --a------ C:\Documents and Settings\bthrasher\Application Data\rymibyd.dl
2008-07-24 11:05:24 11243 --a------ C:\Documents and Settings\bthrasher\Application Data\javofojix.ban
2008-07-15 15:08:25 0 d-------- C:\Program Files\Java
2008-06-05 13:37:21 2528 --a------ C:\Documents and Settings\bthrasher\Application Data\$_hpcst$.hpc
2008-05-15 12:09:57 501438 --a------ C:\Documents and Settings\bthrasher\Application Data\fontlst2.opf


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [04/26/2004 09:04 AM]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [02/27/2004 12:29 PM]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [05/20/2004 11:40 AM]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [01/07/2004 02:02 PM]
"IndexTray"="C:\Program Files\Sharp\Sharpdesk\IndexTray.exe" [09/14/2004 03:53 PM]
"Indexer"="C:\Program Files\Sharp\Sharpdesk\Indexer.exe" [09/14/2004 03:54 PM]
"SharpTray"="C:\Program Files\Sharp\Sharpdesk\SharpTray.exe" [09/14/2004 04:02 PM]
"TypeRegChecker"="C:\Program Files\Sharp\Sharpdesk\TypeRegChecker.exe" [09/14/2004 03:55 PM]
"FtpServer.exe"="C:\Program Files\Sharp\Sharpdesk\FtpServer.exe" [09/13/2004 06:07 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/17/2005 08:31 AM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [10/14/2005 03:49 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [10/14/2005 03:46 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [10/14/2005 03:50 PM]
"WinVNC"="C:\Program Files\UltraVNC\WinVNC.exe" [06/18/2006 02:56 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [08/04/2004 06:00 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/25/2008 08:58 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TSTimer"="C:\Program Files\Timeslips\TSTimer.exe" [11/01/2004 04:55 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [05/18/2007 09:44 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [11/13/2006 01:39 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SymLnch"="C:\DOCUME~1\ADMINI~1.SWL\APPLIC~1\Symantec\Layouts\NORTON~1\1500~1.60\SYMALL~1\NIS_RE~1\90100\Support\SymLnch\SymLnch.exe" "C:\DOCUME~1\ADMINI~1.SWL\APPLIC~1\Symantec\Layouts\NORTON~1\1500~1.60\SYMALL~1\NIS_RE~1\90100\Setup.exe" "/SCANUPREBOOT /temp /patched"

C:\Documents and Settings\bthrasher\Start Menu\Programs\Startup\
DESKTOP.INI [8/11/2004 6:15:06 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [8/11/2004 6:15:06 PM]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2/5/2007 3:40:46 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [02/05/2007 03:39 PM 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=cru629.dat??h?5.1,avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Rxd38.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2008-08-14 06:58:45 ------------
j_sollars is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-14-2008, 07:11 AM   #6 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,283
OS: XP SP3


Re: XP Infected with malware ProgDav and AntiVir XP 2008 fake program
Hello j_sollars.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

You have remnants of Norton(symantec) on your system.

Please uninstall the following via the Add or Remove Programs section of your Control Panel if they still exist:

LiveUpdate (Symantec Corporation)

Please download the Norton Removal Tool and Save it to your Desktop.
  • Close all programs and double-click the Norton_Removal_Tool.exe then click Run
  • Follow the on-screen instructions.
  • Restart the computer if asked.
  • Then delete Norton_Removal_Tool.exe from your desktop.
------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

One thing you need to do differently. This is important! When you download ComboFix, you must rename it before it is saved.





First, we need to install the Windows Recovery Console.

The Windows Recovery Console will allow you to boot up into a special recovery(repair) mode, if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Download the file from this Microsoft page:

http://www.microsoft.com/downloads/d...displaylang=en

Save it as it is originally named to your Desktop.

Now close all open windows and programs, including all antivirus and antispyware programs. Get help here



Then drag the setup package onto Combo-Fix.exe and drop it. Follow the prompts to start Combo-Fix and when prompted, agree to the End-User License Agreement to install the Recovery Console.

As part of installing the Recovery Console, Combo-Fix will begin to run. Your desktop may disappear. This is normal. It will return.

ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:



Please continue as follows:
  • Close/disable all antivirus and antispyware programs so they do not interfere with the running of ComboFix. Get help here
  • Please click Yes to continue scanning for malware.
When the tool is finished, it will produce a log for you.

Please post that log, ComboFix.txt along with a new HijackThis log so we may continue cleansing the system.

------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and Save a Logfile'. Save the logfile and post it here.

------------------------------------------------------

Please post the following in your next reply:

C:\ComboFix.txt
new HijackThis log

If you have any questions along the way...STOP and ask them before proceeding.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-15-2008, 06:54 AM   #7 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 14
OS: XP


Re: XP Infected with malware ProgDav and AntiVir XP 2008 fake program
Here ar the logs for ComboFix and HiHack This

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:49, on 2008-08-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\DOCUME~1\BTHRAS~1\LOCALS~1\Temp\applnch.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Sharp\Sharpdesk\IndexTray.exe
C:\Program Files\Sharp\Sharpdesk\Indexer.exe
C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
C:\Program Files\Sharp\Sharpdesk\FtpServer.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Timeslips\TSTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Sharp\Sharpdesk\nsapp.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\system32\userinit.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\HPBPRO.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.111.*
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [IndexTray] "C:\Program Files\Sharp\Sharpdesk\IndexTray.exe"
O4 - HKLM\..\Run: [Indexer] "C:\Program Files\Sharp\Sharpdesk\Indexer.exe"
O4 - HKLM\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
O4 - HKLM\..\Run: [TypeRegChecker] "C:\Program Files\Sharp\Sharpdesk\TypeRegChecker.exe"
O4 - HKLM\..\Run: [FtpServer.exe] "C:\Program Files\Sharp\Sharpdesk\FtpServer.exe" -usedefault
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [SymLnch] "C:\DOCUME~1\ADMINI~1.SWL\APPLIC~1\Symantec\Layouts\NORTON~1\1500~1.60\SYMALL~1\NIS_RE~1\90100\Support\SymLnch\SymLnch.exe" "C:\DOCUME~1\ADMINI~1.SWL\APPLIC~1\Symantec\Layouts\NORTON~1\1500~1.60\SYMALL~1\NIS_RE~1\90100\Setup.exe" "/SCANUPREBOOT /temp /patched"
O4 - HKCU\..\Run: [TSTimer] "C:\Program Files\Timeslips\TSTimer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/ser...00097.000001cf
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Lookup on CD - c:\AHD4withThesaurus\ahd.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Lookup on CD - {CB9CDC2D-0AB4-4031-A1F7-E9B4070CE521} - c:\AHD4withThesaurus\ahd.htm (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://mail1/ConnectComputer/nshelp.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1121454892203
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SWLAW.local
O17 - HKLM\Software\..\Telephony: DomainName = SWLAW.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6BCB16E-816D-4A01-9073-9B0132D8B32F}: NameServer = 192.168.111.10,12.166.24.72,12.166.24.73
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SWLAW.local
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: cru629.dat??h?5.1,avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 9556 bytes
Attached Files
File Type: txt ComboFix.txt (15.1 KB, 12 views)
j_sollars is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-15-2008, 11:11 AM   #8 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,283
OS: XP SP3


Re: XP Infected with malware ProgDav and AntiVir XP 2008 fake program
Hello again, j_sollars. We have quite a bit of work to do.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Please do not attach ComboFix.txt as it is harder to read. Thanks.

------------------------------------------------------

Please delete dss.exe from your desktop or wherever it is located. Please read >> http://www.techsupportforum.com/secu...r-dss-exe.html

------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they still exist: (Make sure you do not miss any)

O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/ser...00097.000001cf
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

Please remember to close all other windows, including browsers then click Fix checked.

Please close HijackThis now.

------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the quotebox below into Notepad:

Quote:
http://www.techsupportforum.com/security-center/hijackthis-log-help/276790-xp-infected-malware-progdav-antivir-xp-2008-fake-program.html#post1650421

Collect::
C:\Program Files\Common Files\juhufema.dll
C:\Documents and Settings\All Users\Application Data\yvunezas.sys
C:\Documents and Settings\bthrasher\Application Data\kuwy.com
C:\WINDOWS\hazupexory.dat
C:\Documents and Settings\bthrasher\Application Data\synedere.dat
C:\Program Files\Common Files\lupynuhum.scr
C:\Documents and Settings\All Users\Application Data\witicuz.scr
C:\WINDOWS\ulic.lib
C:\Documents and Settings\All Users\Application Data\kicysuqa.scr
C:\WINDOWS\otedody.sys
C:\Documents and Settings\All Users\Application Data\lovo.com
C:\Documents and Settings\All Users\Application Data\yhik.exe
C:\Documents and Settings\All Users\Application Data\yrovekyq.reg
C:\Documents and Settings\bthrasher\Application Data\otisunehe.reg
C:\Documents and Settings\bthrasher\Application Data\okypuga.sys

File::
C:\WINDOWS\wininit.ini

Folder::
C:\Program Files\Common Files\Symantec Shared
C:\Documents and Settings\All Users\Application Data\Symantec

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Rxd38.sys]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SymLnch"=-
Save this Notepad file as CFScript.txt to your Desktop and then close the file.





Referring to the picture above, drag CFScript onto ComboFix

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed.

With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

Please let your helper know you successfully submitted the file.

------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and Save a Logfile'. Save the logfile and post it here.

------------------------------------------------------

Open Notepad and copy/paste the entire contents of the quotebox below into Notepad:

Quote:
regedit /e peek.txt "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows"
start notepad peek.txt
Save this as peek.bat Choose to Save type as - All Files then close the Notepad file.
It should look like this:

Double-click on peek.bat & allow it to run. A Notepad file will open. Please attach the log produced by peek.bat

To attach a file to a post, simply
  • Click the Manage Attachments button under Additional Options > Attach Files on the post composition page, and
  • Copy and Paste the following into the Upload File from your Computer box:
    C:\Documents and Settings\bthrasher\Desktop\peek.txt
  • Click Upload.

------------------------------------------------------

Please post the following in your next reply:

C:\ComboFix.txt
new HijackThis log
an attached peek.txt
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-15-2008, 05:09 PM   #9 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 14
OS: XP


Re: XP Infected with malware ProgDav and AntiVir XP 2008 fake program
I had a problem with the Combofix submit and when I told IE to allow popup it lost it's connection. I do however have the combofix.txt
Should I continue without the submit to bleepingcomputer.com?

ComboFix 08-08-14.01 - bthrasher 2008-08-15 17:51:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.148 [GMT -5:00]
Running from: C:\Documents and Settings\bthrasher\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\bthrasher\Desktop\CFscript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\wininit.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\kicysuqa.scr
C:\Documents and Settings\All Users\Application Data\lovo.com
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Symantec\ErrLogs\{77FFBA7E-0973-4F39-BBDB-AC2F537578D2}95d3f5eb.zip
C:\Documents and Settings\All Users\Application Data\Symantec\ErrLogs\{B24E05CC-46FF-4787-BBB8-5CD516AFB118}9ea9ab05.zip
C:\Documents and Settings\All Users\Application Data\Symantec\ErrLogs\{B24E05CC-46FF-4787-BBB8-5CD516AFB118}9ea9ab05.zip.log
C:\Documents and Settings\All Users\Application Data\witicuz.scr
C:\Documents and Settings\All Users\Application Data\yhik.exe
C:\Documents and Settings\All Users\Application Data\yrovekyq.reg
C:\Documents and Settings\All Users\Application Data\yvunezas.sys
C:\Documents and Settings\bthrasher\Application Data\kuwy.com
C:\Documents and Settings\bthrasher\Application Data\okypuga.sys
C:\Documents and Settings\bthrasher\Application Data\otisunehe.reg
C:\Documents and Settings\bthrasher\Application Data\synedere.dat
C:\Program Files\Common Files\juhufema.dll
C:\Program Files\Common Files\lupynuhum.scr
C:\Program Files\Common Files\Symantec Shared
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\00100029.TKN
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll
C:\Program Files\Common Files\Symantec Shared\Support Controls\ssCmdTar.ini
C:\Program Files\Common Files\Symantec Shared\Support Controls\ssctlbr.dll
C:\Program Files\Common Files\Symantec Shared\Support Controls\ssctlln.dll
C:\Program Files\Common Files\Symantec Shared\Support Controls\ssctlwmi.dll
C:\Program Files\Common Files\Symantec Shared\Support Controls\sshelper.exe
C:\Program Files\Common Files\Symantec Shared\Support Controls\sshelper.exe.manifest
C:\Program Files\Common Files\Symantec Shared\Support Controls\SymSupCC.dll
C:\Program Files\Common Files\Symantec Shared\Support Controls\tgctlcm.dll
C:\WINDOWS\hazupexory.dat
C:\WINDOWS\otedody.sys
C:\WINDOWS\ulic.lib
C:\WINDOWS\wininit.ini

.
((((((((((((((((((((((((( Files Created from 2008-07-15 to 2008-08-15 )))))))))))))))))))))))))))))))
.

2008-08-14 07:04 . 2008-08-14 07:04 <DIR> d-------- C:\Documents and Settings\__sbs_netsetup__\Recent
2008-08-14 07:04 . 2008-08-14 07:04 <DIR> d-------- C:\Documents and Settings\__sbs_netsetup__\Cookies
2008-08-13 12:40 . 2008-05-01 09:30 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll
2008-08-03 17:51 . 2008-08-03 17:51 <DIR> d-------- C:\Deckard
2008-08-03 17:47 . 2008-08-03 17:48 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-03 16:18 . 2008-08-03 16:18 <DIR> d-------- C:\Program Files\Panda Security
2008-08-03 16:18 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pavboot.sys
2008-08-03 16:00 . 2008-08-03 16:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-29 19:00 . 2008-07-29 19:00 <DIR> d-------- C:\Documents and Settings\administrator.SWLAW\Application Data\Lavasoft
2008-07-29 18:52 . 2008-08-03 17:44 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-29 18:48 . 2008-07-29 18:48 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-29 18:48 . 2008-07-29 18:48 164 --a------ C:\install.dat
2008-07-29 18:44 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\SYSTEM32\MSINET.OCX
2008-07-29 18:35 . 2008-07-29 18:44 <DIR> d-------- C:\Temp
2008-07-29 18:35 . 2008-07-29 18:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-07-29 18:11 . 2008-07-29 18:11 <DIR> d-------- C:\WINDOWS\SYSTEM32\GroupPolicy
2008-07-29 18:11 . 2008-08-03 17:28 <DIR> d-------- C:\Program Files\Hitman Pro
2008-07-25 09:34 . 2008-08-14 13:33 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-25 08:58 . 2008-08-15 16:47 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\Avg
2008-07-25 08:58 . 2008-07-25 08:58 <DIR> d-------- C:\Program Files\AVG
2008-07-25 08:58 . 2008-07-25 08:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-25 08:58 . 2008-07-25 08:58 96,520 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgldx86.sys
2008-07-25 08:58 . 2008-07-25 08:58 10,520 --a------ C:\WINDOWS\SYSTEM32\avgrsstx.dll
2008-07-25 08:07 . 2008-07-25 08:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-25 08:03 . 2008-07-25 08:12 <DIR> d-------- C:\Documents and Settings\administrator.SWLAW\Application Data\U3
2008-07-16 12:43 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\SYSTEM32\ptpusd.dll
2008-07-16 12:43 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\usbscan.sys
2008-07-16 12:43 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\usbscan.sys
2008-07-16 12:43 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\SYSTEM32\ptpusb.dll
2008-07-15 15:09 . 2008-07-15 15:09 <DIR> d-------- C:\Program Files\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-14 17:49 --------- d-----w C:\Documents and Settings\bthrasher\Application Data\Wal-Mart Digital Photo Manager
2008-08-13 22:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-30 00:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-25 01:16 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-25 00:42 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-07-25 00:42 10,563 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-07-24 23:50 --------- d-----w C:\Documents and Settings\administrator.SWLAW\Application Data\Symantec
2008-07-15 20:08 --------- d-----w C:\Program Files\Java
2008-07-09 22:49 --------- d-----w C:\Documents and Settings\administrator.SWLAW\Application Data\Windows Desktop Search
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TSTimer"="C:\Program Files\Timeslips\TSTimer.exe" [2004-11-01 16:55 2382416]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-18 09:44 68856]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 09:04 53248]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 12:29 61440]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 11:40 188416]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-01-07 14:02 49152]
"IndexTray"="C:\Program Files\Sharp\Sharpdesk\IndexTray.exe" [2004-09-14 15:53 106496]
"Indexer"="C:\Program Files\Sharp\Sharpdesk\Indexer.exe" [2004-09-14 15:54 184320]
"SharpTray"="C:\Program Files\Sharp\Sharpdesk\SharpTray.exe" [2004-09-14 16:02 32768]
"TypeRegChecker"="C:\Program Files\Sharp\Sharpdesk\TypeRegChecker.exe" [2004-09-14 15:55 57344]
"FtpServer.exe"="C:\Program Files\Sharp\Sharpdesk\FtpServer.exe" [2004-09-13 18:07 626688]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-06-17 08:31 98304]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 15:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 15:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 15:50 114688]
"WinVNC"="C:\Program Files\UltraVNC\WinVNC.exe" [2006-06-18 14:56 712704]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-25 08:58 1232152]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46 118784]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=cru629.dat??h?5.1,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-25 08:58]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-25 08:58]
R2 vnccom;vnccom;C:\WINDOWS\system32\Drivers\vnccom.SYS [2004-06-26 13:22]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-15 17:56:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\BAsfIpM.exe
C:\WINDOWS\SYSTEM32\searchindexer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Sharp\Sharpdesk\nsapp.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\SYSTEM32\searchprotocolhost.exe
C:\WINDOWS\SYSTEM32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2008-08-15 18:01:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-15 23:01:21
ComboFix2.txt 2008-08-15 12:45:00

Pre-Run: 64,864,366,592 bytes free
Post-Run: 64,860,352,512 bytes free

186
j_sollars is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-15-2008, 07:22 PM   #10 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,283
OS: XP SP3


Re: XP Infected with malware ProgDav and AntiVir XP 2008 fake program
Yes, please continue with the rest of the instructions.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-16-2008, 04:31 PM   #11 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 14
OS: XP


Re: XP Infected with malware ProgDav and AntiVir XP 2008 fake program
Here is the hijack this file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:27:20 PM, on 8/16/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Sharp\Sharpdesk\IndexTray.exe
C:\Program Files\Sharp\Sharpdesk\Indexer.exe
C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe
C:\Program Files\Sharp\Sharpdesk\FtpServer.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Timeslips\TSTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Sharp\Sharpdesk\nsapp.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\Install\windows-kb890830-v2.1-delta.exe
c:\89ba9de6865e79ac29bc\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.111.*
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [IndexTray] "C:\Program Files\Sharp\Sharpdesk\IndexTray.exe"
O4 - HKLM\..\Run: [Indexer] "C:\Program Files\Sharp\Sharpdesk\Indexer.exe"
O4 - HKLM\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
O4 - HKLM\..\Run: [TypeRegChecker] "C:\Program Files\Sharp\Sharpdesk\TypeRegChecker.exe"
O4 - HKLM\..\Run: [FtpServer.exe] "C:\Program Files\Sharp\Sharpdesk\FtpServer.exe" -usedefault
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [TSTimer] "C:\Program Files\Timeslips\TSTimer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Lookup on CD - c:\AHD4withThesaurus\ahd.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Lookup on CD - {CB9CDC2D-0AB4-4031-A1F7-E9B4070CE521} - c:\AHD4withThesaurus\ahd.htm (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://mail1/ConnectComputer/nshelp.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1121454892203
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SWLAW.local
O17 - HKLM\Software\..\Telephony: DomainName = SWLAW.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6BCB16E-816D-4A01-9073-9B0132D8B32F}: NameServer = 192.168.111.10,12.166.24.72,12.166.24.73
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SWLAW.local
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: cru629.dat??h?5.1,avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 8496 bytes
j_sollars is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-16-2008, 04:34 PM   #12 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 14
OS: XP


Re: XP Infected with malware ProgDav and AntiVir XP 2008 fake program
Here is the peek.txt file attached.
Attached Files
File Type: txt peek.txt (696 Bytes, 5 views)
j_sollars is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-16-2008, 06:38 PM   #13 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,283
OS: XP SP3


Re: XP Infected with malware ProgDav and AntiVir XP 2008 fake program
Hello again, j_sollars.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

You have old versions of Java still installed. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components.
  • Close any programs you may have running - especially your web browser.
  • Go to Start(or My Computer) > Control Panel and click on Add or Remove Programs
  • Click (highlight) the following items:
    • J2SE Runtime Environment 5.0 Update 10
    • J2SE Runtime Environment 5.0 Update 2
    • J2SE Runtime Environment 5.0 Update 4
    • J2SE Runtime Environment 5.0 Update 6
    • J2SE Runtime Environment 5.0 Update 8
    • Java 2 Runtime Environment, SE v1.4.2_03
    • Java(TM) 6 Update 2
    • Java(TM) 6 Update 3
    • Java(TM) 6 Update 5
    • Java(TM) 6 Update 3
    • Java(TM) SE Runtime Environment 6 Update 1
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
------------------------------------------------------

Please download ATF-Cleaner by Atribune and Save it to your Desktop.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

------------------------------------------------------

Please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at any Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and Save a Logfile'. Save the logfile and post it here.

------------------------------------------------------

Please post the following in your next reply:

Kaspersky report
new HijackThis log
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-20-2008, 06:14 AM   #14 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 14
OS: XP


Re: XP Infected with malware ProgDav and AntiVir XP 2008 fake program
Here is the kapersky report:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, August 20, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, August 19, 2008 22:03:55
Records in database: 1111719
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
T:\
U:\

Scan statistics:
Files scanned: 116285
Threat name: 2
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 01:26:54


File name / Threat name / Threats count
C:\Program Files\UltraVNC\WinVNC.exe/C:\Program Files\UltraVNC\WinVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
C:\Program Files\UltraVNC\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
C:\Program Files\UltraVNC\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 1
C:\Program Files\UltraVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1

The selected area was scanned.


Here is the HiJakc This Report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:09:41 AM, on 8/20/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Sharp\Sharpdesk\IndexTray.exe
C:\Program Files\Sharp\Sharpdesk\Indexer.exe
C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
C:\Program Files\Sharp\Sharpdesk\FtpServer.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Timeslips\TSTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Sharp\Sharpdesk\nsapp.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.111.*
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [IndexTray] "C:\Program Files\Sharp\Sharpdesk\IndexTray.exe"
O4 - HKLM\..\Run: [Indexer] "C:\Program Files\Sharp\Sharpdesk\Indexer.exe"
O4 - HKLM\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
O4 - HKLM\..\Run: [TypeRegChecker] "C:\Program Files\Sharp\Sharpdesk\TypeRegChecker.exe"
O4 - HKLM\..\Run: [FtpServer.exe] "C:\Program Files\Sharp\Sharpdesk\FtpServer.exe" -usedefault
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [TSTimer] "C:\Program Files\Timeslips\TSTimer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Lookup on CD - c:\AHD4withThesaurus\ahd.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Lookup on CD - {CB9CDC2D-0AB4-4031-A1F7-E9B4070CE521} - c:\AHD4withThesaurus\ahd.htm (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://mail1/ConnectComputer/nshelp.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1121454892203
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JS...ws-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SWLAW.local
O17 - HKLM\Software\..\Telephony: DomainName = SWLAW.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6BCB16E-816D-4A01-9073-9B0132D8B32F}: NameServer = 192.168.111.10,12.166.24.72,12.166.24.73
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SWLAW.local
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: cru629.dat??h?5.1,avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 8630 bytes
j_sollars is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-20-2008, 07:40 AM   #15 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,283
OS: XP SP3


Re: XP Infected with malware ProgDav and AntiVir XP 2008 fake program
Hello j_sollars. Almost done. I noticed your Windows Firewall is disabled. At the least, enable that one, or install a third-party firewall. I will advise you of a good, free one when we are done.

Open Notepad and copy/paste the entire contents of the codebox below into Notepad (don't forget to copy and paste REGEDIT4):

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="avgrsstx.dll"
Save the file as fix.reg and choose to Save as type: - All Files then close the Notepad file.
It should look like this:

Double-click on fix.reg and choose Yes to merge/add it to the registry. You may delete the file afterwards.

------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and Save a Logfile'. Save the logfile and post it here.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-20-2008, 04:58 PM   #16 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 14
OS: XP


Re: XP Infected with malware ProgDav and AntiVir XP 2008 fake program
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:57:48 PM, on 8/20/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Sharp\Sharpdesk\IndexTray.exe
C:\Program Files\Sharp\Sharpdesk\Indexer.exe
C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
C:\Program Files\Sharp\Sharpdesk\FtpServer.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Sharp\Sharpdesk\nsapp.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\HPBPRO.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.111.*
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [IndexTray] "C:\Program Files\Sharp\Sharpdesk\IndexTray.exe"
O4 - HKLM\..\Run: [Indexer] "C:\Program Files\Sharp\Sharpdesk\Indexer.exe"
O4 - HKLM\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
O4 - HKLM\..\Run: [TypeRegChecker] "C:\Program Files\Sharp\Sharpdesk\TypeRegChecker.exe"
O4 - HKLM\..\Run: [FtpServer.exe] "C:\Program Files\Sharp\Sharpdesk\FtpServer.exe" -usedefault
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [TSTimer] "C:\Program Files\Timeslips\TSTimer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Lookup on CD - c:\AHD4withThesaurus\ahd.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Lookup on CD - {CB9CDC2D-0AB4-4031-A1F7-E9B4070CE521} - c:\AHD4withThesaurus\ahd.htm (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://mail1/ConnectComputer/nshelp.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1121454892203
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JS...ws-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SWLAW.local
O17 - HKLM\Software\..\Telephony: DomainName = SWLAW.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6BCB16E-816D-4A01-9073-9B0132D8B32F}: NameServer = 192.168.111.10,12.166.24.72,12.166.24.73
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SWLAW.local
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 8707 bytes
j_sollars is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-20-2008, 06:01 PM   #17 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,283
OS: XP SP3


Re: XP Infected with malware ProgDav and AntiVir XP 2008 fake program
Congratulations. Well done! Your logs appear clean. You should be good to go.

Go to Start >> Run and Copy/Paste the following single-line command into the Run box and click OK
combofix /u
This will uninstall ComboFix and delete ComboFix's quarantine folder. It will also implement some cleanup procedures, remove old System Restore points which contain previous infections, and create a fresh, clean System Restore point.

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

FIREWALL
Using a third-party Firewall will allow you to give/deny access for applications that want to go online. Select one of these, or another of your choice:

Do not install more than one Firewall program as they will conflict with each other.SPYWARE PREVENTION
This is a good time to set up protection against further attacks. In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well written articles: To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites in Internet Explorer. See tutorial here
  • SpywareGuard catches and blocks spyware installation and browser hijacking in real-time. See tutorial here
  • IE-Spyad is another excellent program that places over 5000 dubious websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. It basically prevents any downloads from the sites listed, although you will still be able to connect to the site. See tutorial here
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
  • Spybot - Search & Destroy is an excellent spyware remover and also offers real-time protection against critical registry changes. Don't use the Immunize feature if you use SpywareBlaster. See tutorial here
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-20-2008, 07:37 PM   #18 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 14
OS: XP


Re: XP Infected with malware ProgDav and AntiVir XP 2008 fake program
Awsome! Thank You so much for all of your help! I will be sending a little token of my appreciation as soon as the client cuts me my next check.
Cheers!
j_sollars is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
 

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT -7. The time now is 10:33 PM.

Contact Us - Tech Support Forum - Archive - Privacy Statement - Top


Copyright 2001 - 2009, Tech Support Forum
Home Tips Plus | Outdoor Basecamp | Automotive Support Forum

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85