Trojan/Virus - Prework done :)

Solved
Thread Status:
Not open for further replies.
  1. Greywarlock

    Greywarlock New Member Bronze Member

    Joined:
    Nov 8, 2010
    Posts:
    24
    Likes Received:
    1

    Hi Everyone

    I have contracted a trojan/virus. I was looking for the latest graphics card drivers for my no longer supported AGP card and in desperation downloaded a number of "driver fix" programs; one of them must have had some malware in it.

    My main anti-virus is AVG 2011, and it detected PDFUPD.EXE, which attempted to run a number of .RAM scripts from various websites, which I cancelled in my Firefox browser. I then ran a complete system scan with AVG, which quarantined PDFUPD.EXE and prompted me to reboot.

    Immediately after the reboot I ran the Malwarebytes Anti-Malware program, which detected a few cookies and 1 trojan backdoor, the name of which was GRAHN[1] something; sorry, I didn't write it down.

    I then ran Sophos Anti-Rootkit (lots of false positives but nothing I could see as a genuine error), followed by a complete AVG scan and Malwarebytes, both of which came up clean.

    I thought I had caught it, but a few hours later AVG rang alarm bells again with PDFUPD.EXE, so I repeated the procedure above, rebooted into safe mode and deleted the source of the infection as reported by AVG (C:\Documents and settings\...\Local Setting\Temp), getting rid of everything in there. I also ran REGEDIT and looked for instances of PDFUPD, but none were found.

    Although I haven't had any specific virus/trojan warning in the last 24 hours, there is definitely something wrong.

    My wireless network connection keeps crashing for no apparent reason.

    SVCHOST.EXE keeps reporting "Generic host process for win32 server has encountered an error..."

    I disabled my AVG and tried to run COMBOFIX.EXE, but it wouldn't run, even though I had followed your helpful link on how to disable it (this may be a red herring).

    I decided to install Google Chrome as a change of browser, but it just won't run (again, maybe another red herring).

    Anyway, here are the logs you require; hope you can help.

    OTL logfile created on: 08/11/2010 20:09:58 - Run 2
    OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Grey\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 51.00% Memory free
    3.00 Gb Paging File | 3.00 Gb Available in Paging File | 76.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2000 2300 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 149.04 Gb Total Space | 16.58 Gb Free Space | 11.12% Space Free | Partition Type: NTFS
    Drive D: | 5.15 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

    Computer Name: WOW | User Name: Grey | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2010/11/08 19:07:30 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Grey\Desktop\OTL.exe
    PRC - [2010/10/29 15:25:28 | 000,016,856 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
    PRC - [2010/10/29 15:25:24 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
    PRC - [2010/10/11 11:58:12 | 006,104,656 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    PRC - [2010/10/11 11:58:12 | 000,725,072 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
    PRC - [2010/10/08 10:39:31 | 001,704,448 | ---- | M] (Curse) -- C:\Documents and Settings\Grey\Local Settings\Apps\2.0\6YB47VJD.OWM\RNDB2K9W.ZK8\curs..tion_eee711038731a406_0004.0000_1829574f2226d088\CurseClient.exe
    PRC - [2010/10/06 16:24:38 | 000,652,640 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgrsx.exe
    PRC - [2010/10/06 16:24:36 | 001,065,824 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgnsx.exe
    PRC - [2010/10/06 16:24:08 | 000,845,664 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgcsrvx.exe
    PRC - [2010/10/06 16:24:08 | 000,647,008 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgchsvx.exe
    PRC - [2010/09/16 20:04:06 | 001,164,584 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    PRC - [2010/09/15 04:29:10 | 002,745,696 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgtray.exe
    PRC - [2010/09/10 00:45:22 | 000,265,400 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgwdsvc.exe
    PRC - [2010/09/07 02:50:22 | 001,047,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgemcx.exe
    PRC - [2010/04/01 09:16:20 | 000,357,696 | ---- | M] (DT Soft Ltd) -- C:\Program Files\DAEMON Tools Lite\DTLite.exe
    PRC - [2010/01/15 12:49:20 | 000,255,536 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
    PRC - [2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2007/06/26 12:22:42 | 000,081,997 | ---- | M] () -- C:\Program Files\USB TV\EM28XX\BDARemote.exe
    PRC - [2007/03/05 19:58:16 | 004,554,752 | ---- | M] () -- C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
    PRC - [2006/11/13 12:39:52 | 001,289,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    PRC - [2003/07/30 08:08:58 | 000,143,360 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    PRC - [2002/09/20 14:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/11/08 19:07:30 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Grey\Desktop\OTL.exe
    MOD - [2010/08/23 16:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
    SRV - File not found [Auto | Stopped] -- C:\Program Files\Prevx\prevx.exe -- (CSIScanner)
    SRV - [2010/10/11 11:58:12 | 006,104,656 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent)
    SRV - [2010/10/06 10:31:48 | 000,517,448 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe -- (AVG Security Toolbar Service)
    SRV - [2010/09/10 00:45:22 | 000,265,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\avgwdsvc.exe -- (avgwd)
    SRV - [2010/03/18 15:47:22 | 000,035,160 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe -- (aspnet_state)
    SRV - [2010/03/18 12:16:28 | 000,753,504 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
    SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
    SRV - [2010/03/18 12:16:28 | 000,124,240 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe -- (NetTcpPortSharing)
    SRV - [2010/01/15 12:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
    SRV - [2009/10/27 09:26:36 | 000,657,408 | ---- | M] (Nokia) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
    SRV - [2007/03/05 19:58:16 | 004,554,752 | ---- | M] () [Auto | Running] -- C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe -- (MySQL)
    SRV - [2002/09/20 14:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\usbser_lowerflt.sys -- (upperdev)
    DRV - File not found [Kernel | Auto | Stopped] -- C:\WINDOWS\System32\Drivers\Scutum50.sys -- (Scutum50)
    DRV - File not found [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\pxscan.sys -- (pxscan)
    DRV - File not found [File_System | System | Running] -- C:\WINDOWS\System32\drivers\pxrts.sys -- (pxrts)
    DRV - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\pxkbf.sys -- (pxkbf)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\19.tmp -- (MEMSWEEP2)
    DRV - File not found [Kernel | Auto | Stopped] -- C:\Program Files\LogMeIn\x86\RaInfo.sys -- (LMIInfo)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Grey\LOCALS~1\Temp\cpuz132\cpuz132_x32.sys -- (cpuz132)
    DRV - [2010/09/13 15:27:24 | 000,025,680 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys -- (AVGIDSEH)
    DRV - [2010/09/07 02:49:00 | 000,298,448 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (Avgtdix)
    DRV - [2010/09/07 02:48:56 | 000,034,384 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86)
    DRV - [2010/09/07 02:48:54 | 000,249,424 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)
    DRV - [2010/09/07 02:48:50 | 000,026,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\avgrkx86.sys -- (Avgrkx86)
    DRV - [2010/08/19 20:42:38 | 000,030,288 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
    DRV - [2010/08/19 20:42:36 | 000,123,472 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
    DRV - [2010/08/19 20:42:34 | 000,026,192 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
    DRV - [2010/05/11 11:00:34 | 000,020,072 | ---- | M] (Windows (R) Win 7 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\cpuz133_x32.sys -- (cpuz133)
    DRV - [2010/04/14 14:59:14 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
    DRV - [2009/10/01 18:20:12 | 000,083,288 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
    DRV - [2008/08/26 09:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)
    DRV - [2008/07/24 18:46:10 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
    DRV - [2007/06/27 01:58:17 | 002,303,488 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
    DRV - [2005/08/16 13:50:50 | 000,278,016 | ---- | M] (ZyDAS Technology Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ZD1211U.sys -- (WLAN(WLAN)) XPC 802.11b/g Wireless Kit Driver(WLAN)
    DRV - [2005/02/21 14:32:04 | 000,010,326 | ---- | M] (ULi Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AliGP.sys -- (aligp)
    DRV - [2005/02/21 14:12:24 | 000,005,331 | ---- | M] (ULi Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AliRtHub.sys -- (aliroothub)
    DRV - [2005/02/21 14:09:28 | 000,083,596 | ---- | M] (ULi Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\AliEhci.sys -- (ALIEHCD)
    DRV - [2004/12/31 14:24:16 | 000,028,160 | ---- | M] (ULi Electronics Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ULILAN.SYS -- (ULI5261)
    DRV - [2004/12/01 09:49:18 | 000,051,840 | ---- | M] (ULi Electronics Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\m5289.sys -- (m5289)
    DRV - [2004/10/25 12:40:58 | 000,017,664 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZDPSp50.sys -- (ZDPSp50)
    DRV - [2004/10/11 10:28:18 | 000,009,856 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
    DRV - [2004/07/08 14:58:50 | 000,044,928 | ---- | M] (ULi Electronics Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\agpkx.sys -- (uliagpkx)
    DRV - [2004/05/08 09:21:44 | 000,035,840 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
    DRV - [2001/12/19 11:45:00 | 000,008,576 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\VCdRom.sys -- (vcdrom)
    DRV - [2001/11/05 19:33:38 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\aliide.sys -- (AliIde)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========


    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sky.com
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledItems: {7b13ec3e-999a-4b70-b9cb-2617b8323822}:2.7.1.3
    FF - prefs.js..extensions.enabledItems: avg@igeared:6.010.006.004
    FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:10.0.0.1151
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
    FF - prefs.js..network.proxy.type: 0


    FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG10\Firefox\ [2010/10/25 13:43:36 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG10\Toolbar\Firefox\avg@igeared [2010/10/22 11:44:08 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/10/29 15:25:35 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/11/02 21:20:15 | 000,000,000 | ---D | M]

    [2010/09/25 23:40:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Grey\Application Data\Mozilla\Extensions
    [2010/11/06 00:16:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Grey\Application Data\Mozilla\Firefox\Profiles\czpp3cwu.default\extensions
    [2010/10/25 09:39:26 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Grey\Application Data\Mozilla\Firefox\Profiles\czpp3cwu.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2010/10/11 23:07:35 | 000,000,000 | ---D | M] (Zynga Toolbar) -- C:\Documents and Settings\Grey\Application Data\Mozilla\Firefox\Profiles\czpp3cwu.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
    [2010/11/07 00:26:56 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2010/11/02 21:20:16 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    [2010/09/15 04:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
    [2010/09/14 21:09:10 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
    [2010/09/14 21:09:10 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
    [2010/09/14 21:09:10 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
    [2010/09/14 21:09:10 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

    Hosts file not found
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll File not found
    O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll (AVG Technologies CZ, s.r.o.)
    O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
    O3 - HKLM\..\Toolbar: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll ()
    O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
    O3 - HKCU\..\Toolbar\WebBrowser: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll ()
    O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
    O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
    O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
    O4 - HKLM..\Run: [KernelFaultCheck] File not found
    O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe File not found
    O4 - HKLM..\Run: [Nokia FastStart] C:\Program Files\Nokia\Nokia Music\NokiaMusic.exe File not found
    O4 - HKLM..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe (Analog Devices, Inc.)
    O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe ()
    O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
    O4 - HKCU..\Run: [H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\Wcescomm.exe (Microsoft Corporation)
    O4 - HKCU..\Run: [Spanish] C:\Program Files\Learn To Speak German Demo V2.8\Study Conversation.exe File not found
    O4 - HKCU..\Run: [uTorrent] C:\Program Files\uTorrent\utorrent.exe File not found
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BDARemote.lnk = C:\Program Files\USB TV\EM28XX\BDARemote.exe ()
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
    O4 - Startup: C:\Documents and Settings\Grey\Start Menu\Programs\Startup\CurseClientStartup.ccip ()
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Advanced\Folder\Hidden\SHOWALL: CheckedValue = 1
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Advanced\Folder\Hidden\SHOWALL: CheckedValue = 1
    O9 - Extra Button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - File not found
    O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
    O9 - Extra Button: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\Program Files\PartyGaming\PartyGammon\RunBack
  2. vger

    vger Posts: 74000 back in the VB days.... Staff Member Moderator Elite Member

    Joined:
    Oct 29, 2007
    Posts:
    18,878
    Likes Received:
    1,752
    Location:
    North Carolina

    Hello Greywarlock, and welcome to the PCHF.

    Our security staff will be with you ASAP.
  3. Greywarlock

    I am sorry, I am being disconnected so often that I am having trouble getting the rest of the logs posted.
  4. Crush

    Crush Tech Member Tech Member Elite Member mvp

    Joined:
    Sep 28, 2008
    Posts:
    42,177
    Likes Received:
    4,381
    Location:
    New Jersey

    Hi,

    Do you have the MBRCheck log? It also looks like the OTL log was cut off. Can you please post the whole log? Was Extras.txt generated?

    EDIT: Looks like we posted at the same time :mrgreen:. Looking forward to your reply. If you're having trouble posting, you can attach them.
  5. Greywarlock

    Yes to all, but I keep getting my connection reset :(
  6. Crush

    Edited my post :). We posted at the same time. :)
  7. Greywarlock

    Hope this works :)
  8. Greywarlock

    Phew, it did work; thanks for your prompt replies :)
  9. Crush

    Hi,

    Yup that worked! Welcome to PCHF by the way!

    I'm Crush, but you can call me Chris too, and I will be helping you with your Malware issues. Please note, this may or may not solve other issues you're having with your PC.

    A few things to keep in mind as we progress:

    1. We are all volunteer staff here so we log in and assess threads when real life, work, family, and other obligations permit. Additionally, we are located all over the world. There may be a bit of a time delay due to this.

    2. Malware Removal threads are very time intensive. Each entry must be researched until it can be said with 100% certainty whether or not it can stay or needs to be removed. Sometimes additional work is needed to weed out suspect entries.

    3. This may turn into a long ordeal but, rest assured we will stay with you until you are completely disinfected.

    4. Please do not run any tools or fixes unless asked to do so by myself or a member of the Security Team.

    5. If you are not the original poster of this thread DO NOT run any fixes given to the poster in this thread. They are all custom tailored specifically to this user. It could prove to be disastrous.

    6. Please keep responding until I give you the "All Clear". Absence of symptoms does not mean that everything is clear.

    7. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

    8. If you have any questions or issues please stop and ask! We are all here to help.


    IMPORTANT:
    Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

    Because of this, I advise you to backup any personal files and folders before you start.


    If you follow these instructions, everything should go smoothly.

    Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

    To do so, when you click the [image], scroll down until you see this:

    [image]

    Make sure it is set to Instant Email Notification.

    With that out of the way:

    There are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

    Please note that as long as you are using any form of P2P networking to download files you can anticipate infestations of malware to occur.

    P2P file sharing used to be fairly safe. This is no longer true; continue to use P2P sharing at your own risk!

    Keep in mind that this practice may be the source of your current malware infestation.

    References citing the risk factors of using P2P programs:

    Malware: Help prevent the Infection
    IM And P2P Malware Threats Nearly Triple
    How to Prevent the Online Invasion of Spyware and Adware

    I strongly recommend that you uninstall:

    uTorrent


    You can do so using the Control Panel >> Add or Remove Programs function. However, that choice is up to you.

    As long as you have the P2P program(s) installed, per PCHF Policy, I can offer you no further assistance.

    If you choose to remove these programs, when finished: please generate a new OTL log and we'll go from there.
  10. Greywarlock

    That is weird, I read your forum rules and of course deleted uTorrent (which I only used to download radio programs for my phone/MP3 player). Maybe I sent you an earlier log file, because according to my system it no longer exists on my PC.

    Give me a few minutes, Chris, and I will get back to you.

    Regards

    Graham
  11. Greywarlock

    OK, it looks like an incomplete uninstall: next to the reg key it says "file not found", and it seems to have left a folder as well. Got rid of the folder; I'm in REGEDIT now getting rid of the useless key :)
  12. Greywarlock

    Wow I must clean my registry, it's dirtier than my carpet :p

    Clean file attached

    Attached Files: OTL.Txt (96.6 KB)
  13. Crush

    No worries, Graham. Just wanted to make sure it was uninstalled. Another issue I see is that you have run ComboFix.

    ComboFix should not be run without the guidance of a helper!

    It is a powerful tool and is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private or regular use.

    See ComboFix's Disclaimer

    Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

    Please refer to this thread for more information on why you shouldn't use ComboFix without supervision of a trained expert: http://www.bleepingcomputer.com/forums/topic273628.html

    Please post the C:\ComboFix.txt here for review.
  14. Greywarlock

    Yes, I know, but it didn't run properly (see my original header on my first post).

    It complained about AVG 2011.

    Rest assured, I will not touch the keyboard unless you tell me to from now on.

    <respect>
  15. Greywarlock

    Sorry, I wasn't clear in my last post. It never generated a C:\Combofix.* log.