Skip to main content

Bugbatter

3 Apprentice

 • 

20.5K Posts

January 27th, 2008 22:00

Welcome. Thank you for using Dell Community Forums.
I am reviewing your log.
In the meantime, you can help me by doing the following:

* Have you have posted this issue on another forum? If so, please provide a link to the topic.

* If you are using any cracked software, please remove it.
Definition of cracked software:
http://en.wikipedia.org/wiki/Software_cracking

* If you are using any P2P (file sharing) programs, please remove them before we clean your computer.
The nature of such software and the high incidence of malware in files downloaded with them is counter productive to restoring your PC to a healthy state.

* If this computer belongs to someone else, do you have authority to apply the fixes we will use?

* Have you already fixed entries using HijackThis? If so, please restore all the backups and then post another log.

* After we begin working, please print or copy all instructions to Notepad in order to assist you when carrying out procedures.
Please follow all instructions in sequence. Do not, on your own, install/re-install any programs or run any fixes or scanners that you have not been instructed to use because this may cause conflicts with the tools that I am using.

** We may be using some specialized tools during our fix. Certain embedded files that are part of legitimate programs or specialized fix tools such as process.exe, restart.exe, SmiUpdate.exe, reboot.exe, ws2fix.exe, prcviewer.exe and nircmd.exe may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool", or even "malware (virus/trojan)" when that is not the case.
Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them.

Open AVG Anti-Spyware. The main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'. Right-click on AVG AS in the system tray and uncheck "Start with Windows".
Go to Start > Run and type: services.msc
Press "OK".
In Services, click the "Extended tab" and scroll down the list to find AVG Anti-Spyware Guard.
When you find the guard service, double-click on it.
In the Properties Window > General Tab that opens, click the "Stop" button.
From the drop-down menu next to "Startup Type", click on "Manual".
Now click "Apply", then "OK" and close the Services window.

To enable when we are COMPLETELY finished with all of your fixes and we have confirmed that your issue has been resolved:
Open AVG Anti-Spyware. The main "Status" menu will appear. Select "Change state" to activate 'Resident Shield' and 'Automatic Updates'. Right-click on AVG As in the system tray and check "Start with Windows".
Go to Start > Control Panel > Administrative Tools >Services
In Services, click the "Extended tab" and scroll down the list to find AVG Anti-Spyware guard.
When you find the guard service, double-click on it.
In the Properties Window > General Tab that opens, click the "Start" button.
From the drop-down menu next to "Startup Type", click on "Automatic".
Now click "Apply", then "OK" and close the Services window.

Please download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1]
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser Click Firefox at
the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please
click No at the prompt.
If you use Opera browser Click Opera at the
top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please
click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located
at the bottom of each menu.

Please open HijackThis. Go into the Config option when you start HijackThis, and click on the Misc Tools button at the top.
You will then click on the button labeled "Generate StartupList Log"
Once you click that button, the program will automatically open up a notepad filled with the Startup items from your computer. Copy and paste these entries into your next reply here.

* If your replies do not fit in one post while we are handling your issue, please reply to yourself until all text is submitted. It may take several posts.

Duchovnysfan

26 Posts

January 28th, 2008 02:00

Thank you for your help, I am going to respond to each of your questions then post the hijackthis file at the bottom......

* Have you have posted this issue on another forum? If so, please provide a link to the topic. yes (http://www.dellcommunity.com/supportforums/board/message?board.id=si_virus&message.id=65875#M65875)

* If you are using any cracked software, please remove it : No

* If you are using any P2P (file sharing) programs, please remove them before we clean your computer.
Yes, removed Limewire

* If this computer belongs to someone else, do you have authority to apply the fixes we will use? This is my personal computer, so yes

* Have you already fixed entries using HijackThis? If so, please restore all the backups and then post another log.
I don't think so

*Open AVG Anti-Spyware. The main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'. Right-click on AVG AS in the system tray and uncheck "Start with Windows".
Go to Start > Run and type: services.msc
Press "OK".
In Services, click the "Extended tab" and scroll down the list to find AVG Anti-Spyware Guard.
When you find the guard service, double-click on it.
In the Properties Window > General Tab that opens, click the "Stop" button.
From the drop-down menu next to "Startup Type", click on "Manual".
Now click "Apply", then "OK" and close the Services window.
.......................When I stopped the service and opened the AVG AS, it actually said there was an error and I had to reinstall it. .....................


*******************************************************************************


StartupList report, 1/27/2008, 8:51:39 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16574)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Dell QuickSet = C:\Program Files\Dell\QuickSet\Quickset.exe
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

(Default) =

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

drwtsn64 = C:\WINDOWS\system32\drwtsn64.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job
EasyShare Registration Task.job

--------------------------------------------------

Enumerating Download Program Files:

[Installation Support]
InProcServer32 = C:\Program Files\Yahoo!\Common\Yinsthelper.dll
CODEBASE = C:\Program Files\Yahoo!\Common\Yinsthelper.dll

[Facebook Photo Uploader 4 Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ImageUploader4.1.ocx
CODEBASE = http://upload.facebook.com/controls/FacebookPhotoUploader3.cab

[Facebook Photo Uploader Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\FacebookPhotoUploader.ocx
CODEBASE = http://upload.facebook.com/controls/FacebookPhotoUploader.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145133387607

[OmniForm Form Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\ofmctl.dll
CODEBASE = https://www4.lsac.org/LSACD_XMLWebServices/Http/OIFActiveX/ofmctl.cab

[IWinAmpActiveX Class]
InProcServer32 = C:\Program Files\Common Files\Nullsoft\ActiveX\2.6\AmpX.dll
CODEBASE = http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9d.ocx
CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\DOCUME~1\Owner\LOCALS~1\Temp\A~NSISu_.exe||C:\Documents and Settings\Owner\Local Settings\temp\~DF734B.tmp||C:\Documents and Settings\Owner\Cookies\index.dat||C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\content.ie5\index.dat||C:\Documents and Settings\LocalService\cookies\index.dat||C:\Documents and Settings\Owner\Local Settings\temp\~DF734B.tmp||C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\content.ie5\index.dat||C:\Documents and Settings\Owner\cookies\index.dat


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
UPnPMonitor: C:\WINDOWS\system32\upnpui.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 5,646 bytes
Report generated in 0.020 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Bugbatter

3 Apprentice

 • 

20.5K Posts

January 28th, 2008 04:00

After you stop the service, do not open AVG again.
Try disabling AVG once more. It will interfere with our tools, so we need to stop the AVG Guard.

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".

  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Include a fresh Hijackthis log, and let me know if you are still having a problem with LOP.

Duchovnysfan

26 Posts

January 28th, 2008 06:00

I won't really know what's up with the Lop situation b/c the resident shield does it at random times when I am browsing on Firefox. I'll take a look closely for a week and if it pops up I'll post to this thread.

I have a question for you, what is this Lop "virus" and based on all the data I have given you what is going with it????

Scan Log Results from SuperAntiSpyware

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/28/2008 at 00:15 AM

Application Version : 3.9.1008

Core Rules Database Version : 3389
Trace Rules Database Version: 1383

Scan type : Complete Scan
Total Scan Time : 01:32:43

Memory items scanned : 322
Memory threats detected : 1
Registry items scanned : 5899
Registry threats detected : 9
File items scanned : 63695
File threats detected : 1

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\OPNOL.DLL
C:\WINDOWS\SYSTEM32\OPNOL.DLL

Adware.Vundo-Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F0EA6F50-D941-4415-8721-E8E5F49FF19D}
HKCR\CLSID\{F0EA6F50-D941-4415-8721-E8E5F49FF19D}
HKCR\CLSID\{F0EA6F50-D941-4415-8721-E8E5F49FF19D}\InprocServer32
HKCR\CLSID\{F0EA6F50-D941-4415-8721-E8E5F49FF19D}\InprocServer32#ThreadingModel

Trojan.Winm64/32
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\msupdate
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\msupdate#DllName
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\msupdate#Startup
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\msupdate#Impersonate
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\msupdate#Asynchronous



******************************************************************************

HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:21:54 AM, on 1/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sbc.yahoo.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Ask Search Assistant BHO - {0A94B111-4504-4e26-AB05-E61E474AA38B} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {5E85C971-F9E7-4F4D-A059-14FA00220C7A} - C:\WINDOWS\system32\hggdbxu.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: (no name) - {F4D76F09-7896-458a-890F-E1F05C46069F} - (no file)
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [drwtsn64] C:\WINDOWS\system32\drwtsn64.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.lsac.org
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145133387607
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.org/LSACD_XMLWebServices/Http/OIFActiveX/ofmctl.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: hggdbxu - C:\WINDOWS\SYSTEM32\hggdbxu.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

--
End of file - 6852 bytes


*************************************************************************************

HijackThis Startup List Log

StartupList report, 1/28/2008, 12:22:44 AM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16574)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Dell QuickSet = C:\Program Files\Dell\QuickSet\Quickset.exe
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

(Default) =

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

drwtsn64 = C:\WINDOWS\system32\drwtsn64.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - (no file) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Ask Search Assistant BHO - (no file) - {0A94B111-4504-4e26-AB05-E61E474AA38B}
(no name) - C:\WINDOWS\system32\dla\tfswshx.dll - {5CA3D70E-1895-11CF-8E15-001234567890}
(no name) - C:\WINDOWS\system32\hggdbxu.dll - {5E85C971-F9E7-4F4D-A059-14FA00220C7A}
(no name) - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
Ask Toolbar BHO - (no file) - {F4D76F01-7896-458a-890F-E1F05C46069F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job
EasyShare Registration Task.job

--------------------------------------------------

Enumerating Download Program Files:

[Installation Support]
InProcServer32 = C:\Program Files\Yahoo!\Common\Yinsthelper.dll
CODEBASE = C:\Program Files\Yahoo!\Common\Yinsthelper.dll

[Facebook Photo Uploader 4 Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ImageUploader4.1.ocx
CODEBASE = http://upload.facebook.com/controls/FacebookPhotoUploader3.cab

[Facebook Photo Uploader Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\FacebookPhotoUploader.ocx
CODEBASE = http://upload.facebook.com/controls/FacebookPhotoUploader.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145133387607

[OmniForm Form Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\ofmctl.dll
CODEBASE = https://www4.lsac.org/LSACD_XMLWebServices/Http/OIFActiveX/ofmctl.cab

[IWinAmpActiveX Class]
InProcServer32 = C:\Program Files\Common Files\Nullsoft\ActiveX\2.6\AmpX.dll
CODEBASE = http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9d.ocx
CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
UPnPMonitor: C:\WINDOWS\system32\upnpui.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 5,452 bytes
Report generated in 0.020 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Bugbatter

3 Apprentice

 • 

20.5K Posts

January 28th, 2008 13:00

LOP is not a virus or trojan. It is a direct-marketing adware application. I have not seen evidence of LOP in your reports, however, and without seeing the exact message from AVG, I cannot tell you exactly what it is referring to as LOP.

You have, however, added some new malware since you posted your prior logs. If you have been doing online at other websites during our fix, that is what the problem is. If you have not been on the internet except to post here, then it is something that was hiding and has just surfaced.
We will have to run another tool to take care of that new malware.
Please print these instructions and refer to them for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Post the log from ComboFix when you've accomplished that, along with a new HijackThis log. (I will not need another Startup List.)

Note: The above instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.

Duchovnysfan

26 Posts

January 29th, 2008 07:00

Yes, I have been using the internet b/c I need to check my mail from work, school and other things. I just cannot stop going on the internet since the layoff time b/w my post and yours can be long.

I found a screenshot of the notification of Lop, it appeared again just now, I'll post a link of the screenshot

http://img521.imageshack.us/img521/6293/avglopbp1.png

I just wanted to get out of the way now since I ran into it before I did anymore fixes. Maybe then I'll have a more definitive answer b/c I am so frustrated with this Lop thing and I feel like everything I am doing, these fixes aren't really doing much :(

Bugbatter

3 Apprentice

 • 

20.5K Posts

January 29th, 2008 13:00

I am unable to read the text on your screenshot, so that doesn't help. There is no sense running LOP removal tools because at this point the LOP is not located in its usual directories, and that's were those specialized tools will look for it.

Let's fix what we can see in HijackThis and keep looking.
You still have Vundo in there as well. I'm wondering if AVG is calling Vundo "LOP" virus?

Check your mail or whatever before you start this. Any surfing before you are clean will regenerate the infection, and may add new malware, so we will be getting nowhere.

Launch Hijackthis and place a checkmark next to the following:

R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Ask Search Assistant BHO - {0A94B111-4504-4e26-AB05-E61E474AA38B} - (no file)
O2 - BHO: (no name) - {5E85C971-F9E7-4F4D-A059-14FA00220C7A} - C:\WINDOWS\system32\hggdbxu.dll
O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: (no name) - {F4D76F09-7896-458a-890F-E1F05C46069F} - (no file)
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O20 - Winlogon Notify: hggdbxu - C:\WINDOWS\SYSTEM32\hggdbxu.dll

Fix this as well. There is no reason anything needs to be in your "Trusted Zone". It's like leaving your front door unlocked!
O15 - Trusted Zone: *.lsac.org

Close all windows except HijackThis and click "Fix Checked"
Close Hijackthis and reboot.

Please print these instructions and refer to them for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

Note: The above instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.

Duchovnysfan

26 Posts

January 29th, 2008 16:00

Hmm..... The screesnhot to me looks fine, I am able to read it and on the browser I have an option of zooming in b/ cit is scaled. Here's another screenshot, I am sure this is better b/c it's the the dialog prompt that is detecting the "virus"

http://img170.imageshack.us/img170/982/avgscreenshotln0.jpg

Where I would go in HijackThis to do the following

Launch Hijackthis and place a checkmark next to the following:

R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Ask Search Assistant BHO - {0A94B111-4504-4e26-AB05-E61E474AA38B} - (no file)
O2 - BHO: (no name) - {5E85C971-F9E7-4F4D-A059-14FA00220C7A} - C:\WINDOWS\system32\hggdbxu.dll
O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: (no name) - {F4D76F09-7896-458a-890F-E1F05C46069F} - (no file)
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O20 - Winlogon Notify: hggdbxu - C:\WINDOWS\SYSTEM32\hggdbxu.dll

Message Edited by Duchovnysfan on 01-29-2008 12:42 PM

Duchovnysfan

26 Posts

January 29th, 2008 17:00

That's so strange b/c every time the AVG shield pops up of the virus, it's on a site that I have gone on for years and I never had problems with that site until the virus popped up.

Currently I am not at the computer that's infected, but I'll those scans and Combofix and post the logs.

Bugbatter

3 Apprentice

 • 

20.5K Posts

January 29th, 2008 17:00

That one, I can see. Thanks. It looks like it is on a webpage that you are visiting, so it keeps coming back.

"Where I would go in HijackThis to do the following"

Open Hijackthis. Run a scan. You will see a little box on the left of each entry. Place a checkmark in the boxes next to these:

R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Ask Search Assistant BHO - {0A94B111-4504-4e26-AB05-E61E474AA38B} - (no file)
O2 - BHO: (no name) - {5E85C971-F9E7-4F4D-A059-14FA00220C7A} - C:\WINDOWS\system32\hggdbxu.dll
O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: (no name) - {F4D76F09-7896-458a-890F-E1F05C46069F} - (no file)
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O20 - Winlogon Notify: hggdbxu - C:\WINDOWS\SYSTEM32\hggdbxu.dll

Bugbatter

3 Apprentice

 • 

20.5K Posts

January 29th, 2008 17:00

Each day I hear of sites that are hacked -- either the code on the page, or by means of code in an advertisement.

Duchovnysfan

26 Posts

January 30th, 2008 01:00

So I did a combo fix and this what came up. Before the log I was wondering since I downloaded ComboFix and the Windows Recovery thing, everytime I boot the computer, there's an option for me to choose to start in Windows XP or Windows Recovery how I do get rid of that, after I fix this situation.

ComboFix 08-01-30.1 - Owner 2008-01-29 19:16:58.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.369 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\hggdbxu.dll
C:\WINDOWS\system32\vtstr.dll
C:\WINDOWS\system32\bin29a.log
C:\WINDOWS\system32\ddcdccb.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\efcaywx.dll
C:\WINDOWS\system32\hggdbxu.dll
C:\WINDOWS\system32\lonpo.ini
C:\WINDOWS\system32\lonpo.ini2
C:\WINDOWS\system32\rtstv.ini
C:\WINDOWS\system32\rtstv.ini2
C:\WINDOWS\system32\vtstr.dll
C:\WINDOWS\system32\vtutqnl.dll
C:\WINDOWS\system32\vtuvust.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-29 19:12 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-29 19:12 . 2008-01-11 01:11 211 --a------ C:\Boot.bak
2008-01-27 22:39 . 2008-01-27 22:39 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-27 22:38 . 2008-01-28 00:23 d-------- C:\Program Files\SUPERAntiSpyware
2008-01-27 22:38 . 2008-01-27 22:38 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-27 22:38 . 2008-01-27 22:38 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-01-27 22:38 . 2008-01-27 22:38 5,914,648 --a------ C:\Program Files\SUPERAntiSpyware.exe
2008-01-27 20:48 . 2008-01-27 20:48 50,688 --a------ C:\Program Files\ATF-Cleaner.exe
2008-01-27 14:39 . 2008-01-27 14:39 d-------- C:\Program Files\Trend Micro
2008-01-27 14:38 . 2008-01-27 14:38 812,344 --a------ C:\Program Files\HJTInstall.exe
2008-01-27 04:47 . 2008-01-27 04:47 162,304 --a------ C:\Program Files\rmbg3svx.exe
2008-01-26 18:27 . 2008-01-26 18:27 d-------- C:\Documents and Settings\Owner\Application Data\VSRevoGroup
2008-01-26 18:22 . 2008-01-26 18:22 d-------- C:\Program Files\VS Revo Group
2008-01-26 18:21 . 2008-01-26 18:21 1,528,418 --a------ C:\Program Files\revosetup.exe
2008-01-22 00:38 . 2008-01-22 00:39 5,636,048 --a------ C:\Program Files\wmvfirefoxpluginsetup.exe
2008-01-21 00:36 . 2008-01-21 00:36 d-------- C:\Program Files\Music Rescue
2008-01-21 00:34 . 2008-01-21 00:34 3,227,468 --a------ C:\Program Files\musicrescuesetup.exe
2008-01-18 16:49 . 2008-01-18 16:49 d-------- C:\Program Files\DVDVideoSoft
2008-01-18 16:49 . 2008-01-18 16:49 d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-01-18 16:48 . 2008-01-18 16:47 4,257,652 --a------ C:\Program Files\FreeYouTubeToiPodConverter.exe
2007-12-01 16:53 . 2007-12-01 16:53 d-------- C:\TEMP\D--
2007-12-01 16:41 . 2007-12-01 16:41 d-------- C:\Documents and Settings\Owner\Application Data\dvdcss
2007-12-01 16:40 . 2007-12-01 16:40 d-------- C:\Program Files\Xilisoft
2007-12-01 16:40 . 2005-11-20 21:48 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2007-12-01 16:40 . 2005-11-20 21:48 16,512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2007-12-01 16:39 . 2007-12-01 16:39 d-------- C:\Program Files\xilisoft_dvdripper

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 12:47 348,672 ----a-w C:\Program Files\rmbg3svx.nt
2008-01-27 02:39 --------- d-----w C:\Program Files\Common Files\Real
2008-01-21 09:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-01-19 11:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-01-19 10:33 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-19 07:06 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2007-12-17 09:05 --------- d-----w C:\Program Files\America Online 9.0
2007-11-12 03:30 54,326,568 ----a-w C:\Program Files\iTunes75Setup.exe
2007-02-04 22:45 3,004,323 ----a-w C:\Program Files\podutilsetup.exe
2006-09-04 08:31 1,035,943 ----a-w C:\Program Files\myTunesReduxInstaller.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset.exe" [2003-10-05 20:11 421888]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-23 16:46 579072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"drwtsn64"="C:\WINDOWS\system32\drwtsn64.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-11-02 23:18 219136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli scecli scecli

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^2Wire Wireless Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\2Wire Wireless Client.lnk
backup=C:\WINDOWS\pss\2Wire Wireless Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PalTalk.lnk
backup=C:\WINDOWS\pss\PalTalk.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a--c--- 2005-06-06 22:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-10-04 07:20 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
--a------ 2005-07-11 21:17 50776 C:\PROGRA~1\AMERIC~1.0A\AOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
--a--c--- 2004-10-18 16:42 79448 C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-ra------ 2006-10-23 04:50 71216 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLSPScheduler]
C:\Program Files\Common Files\AOL\1145250444\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a--c--- 2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DadApp]
--a--c--- 2003-03-07 11:36 209800 C:\Program Files\Dell\AccessDirect\dadapp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Photo AIO Printer 922]
--a--c--- 2004-03-29 14:12 290816 C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a--c--- 2004-07-19 06:51 306688 C:\PROGRA~1\DELLSU~1\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a--c--- 2003-08-06 00:04 114741 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EmailScan]
C:\Program Files\mcafee.com\antivirus\mcvsescn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-09-25 16:52 50736 C:\Program Files\Common Files\AOL\1145743191\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-10-19 07:59 126976 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-10-19 07:59 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-02 18:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
C:\Program Files\mcafee.com\antivirus\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRISMSVR.EXE]
--a------ 2004-04-13 18:45 290905 C:\WINDOWS\System32\PRISMSVR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
--a------ 2004-04-05 13:33 99480 C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-19 20:16 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sscRun]
C:\Program Files\Common Files\AOL\1145250444\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a--c--- 2003-02-13 00:01 155648 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP]
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 02:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2003-05-02 16:15 610304 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2003-05-02 16:21 110592 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"StyleXPService"=2 (0x2)
"McShield"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOLService"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"Spooler"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AOL ACS"=2 (0x2)

S3 {5C8B2B62-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-A;C:\WINDOWS\system32\drivers\A311.sys [2003-02-04 21:04]
S3 {5C8B2B65-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-B;C:\WINDOWS\system32\drivers\A310.sys [2003-02-04 21:04]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 13:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-11 03:36:19 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-27 06:05:03 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.2.25.1.sxt _RegistrationOffer@16
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 19:26:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-01-29 19:29:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-30 03:29:48
.
2008-01-09 07:27:36 --- E O F ---

Duchovnysfan

26 Posts

January 30th, 2008 01:00

Hijack this log

************************************************************

Here's a Hijack This Log after all of that

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:35:29 PM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sbc.yahoo.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [drwtsn64] C:\WINDOWS\system32\drwtsn64.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145133387607
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.org/LSACD_XMLWebServices/Http/OIFActiveX/ofmctl.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

--
End of file - 5621 bytes

Bugbatter

3 Apprentice

 • 

20.5K Posts

January 30th, 2008 03:00

This addition of the Recovery Console to your computer is actually an additional safety net, not to worry. Just allow Windows to start in the normal Windows XP installation which should be highlighted when you get to the boot menu.

I still don't see any LOP in there.

Run Disk Cleanup in each user's profile:
Click "Start > Programs > Accessories > System Tools > Disk Cleanup"
Please make sure only the following are checked:
-- Downloaded Program Files
-- Temporary Internet Files
-- Recycle Bin
-- Temporary Files
Click "OK" and Disk Cleanup will delete those files for you.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. It is possible that you may be running Java code in your applications that absolutely require a specific version of the JRE to run. Please follow these steps to remove older version Java components and update.

Updating Java:

  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u4 allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each of the Java versions.

  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.

Official JAVA Installation Instructions if needed.

Let me know how things are running at that point.

Duchovnysfan

26 Posts

February 13th, 2008 04:00

Just checking in to follow with my Lop situation. It's been about a week or so and the computer is working perfectly! Thank you so much!!! Do you suggest any precautionary measures so I do not run into this in the future???

Thanks again for your help!!! :)

Was this post helpful?

View All

No Events found!

Top