Fake XP Virus Scan and other issues.

[Mandi329]

New HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:31:44 PM, on 4/23/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H 1.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Documents and Settings\NetworkService\Local Settings\Application Data\nhrebhewb\siqxbiotssd.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {5E72E207-C43B-4F98-AC87-6B99DC6F8989} - C:\WINDOWS\system32\efcCsRlk.dll (file missing)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H 1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H 1.EXE /P39 "EPSON Stylus Photo R200 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [fxcxefrl] C:\Documents and Settings\NetworkService\Local Settings\Application Data\nhrebhewb\siqxbiotssd.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-18\..\Run: [tvypgtlh] C:\Documents and Settings\LocalService\Local Settings\Application Data\nbkdkuwmq\ijoaisbtssd.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [orpgdlyo] C:\Documents and Settings\NetworkService\Local Settings\Application Data\ggvflnqop\ojwrnvetssd.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ilktrfss] C:\Documents and Settings\NetworkService\Local Settings\Application Data\ojpqpetkx\oorvfkctssd.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [fxcxefrl] C:\Documents and Settings\NetworkService\Local Settings\Application Data\nhrebhewb\siqxbiotssd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [tvypgtlh] C:\Documents and Settings\LocalService\Local Settings\Application Data\nbkdkuwmq\ijoaisbtssd.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: Logical Disk Manager Administrative Service dmadminRpcLocator (dmadminRpcLocator) - Unknown owner - C:\WINDOWS\system32\advpackr.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NetMeeting Remote Desktop Sharing mnmsrvcwscsvc (mnmsrvcwscsvc) - Unknown owner - C:\WINDOWS\system32\1041v.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5806 bytes


I assume you mean to just post the other 3 previous logs? If I am wrong, please clarify for me. I thank you very much for what you are doing for me. =)

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4000

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

4/17/2010 8:56:45 AM
mbam-log-2010-04-17 (08-56-45).txt

Scan type: Full scan (A:\|C:\|D:\|E:\|)
Objects scanned: 162500
Time elapsed: 24 minute(s), 39 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\secfile\shell\open\command\(defa ult) (Rogue.MultipleAV) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInter net\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Rob\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInter net\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Rob\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInter net\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Rob\Local Settings\Application Data\av.exe" /START "C:\Program Files\Intern) Good: (iexplore.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\windirpath.exe (Trojan.Zbot) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> No action taken.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> No action taken.
C:\Documents and Settings\Rob\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> No action taken.

ESET
C:\Documents and Settings\Rob\Local Settings\Temp\pdfupd.exe probably a variant of Win32/PSW.Ceda trojan
C:\Program Files\Mozilla Firefox\Shadow.sys probably a variant of Win32/PSW.WOW.FCE trojan
C:\WINDOWS\system32\fmxqgdra.ini Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\klRsCcfe.ini Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\klRsCcfe.ini2 Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\Temp\senY.exe a variant of Win32/Kryptik.DSW trojan


Uninstall List
Adobe Flash Player 10 Plugin
Adobe Reader 8
Adobe Shockwave Player 11.5
Apple Application Support
Apple Software Update
CCleaner
CDisplayEx 1.4
Critical Update for Windows Media Player 11 (KB959772)
EPSON Printer Software
FlashMenu
GIMP 2.6.8
Guitar Pro 5.0
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Java(TM) 6 Update 18
LimeWire 5.1.2
Malwarebytes' Anti-Malware