
Online Analyzers


9 replies to this topic

#1 technophobe


Posted 17 August 2007 - 06:47 PM

Hi guys,
I have just got over a Trojan infection thanks to Buddy215 in the virus forum, so rather than bother you I thought I'd try an online HJT analyzer.
It told me, as well as other things, to fix ctfmon.exe :thumbsup: This can't be right, can it? I thought this was a legit process.

Edited by technophobe, 17 August 2007 - 06:53 PM.



#2 RichieUK


Posted 17 August 2007 - 06:56 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, technophobe :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

You obviously need help, please read and follow the information in the link below.
Preparation Guide for use before posting a HijackThis Log:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Once you've completed the above steps and you still require help, post a HijackThis log into this topic.

#3 technophobe


Posted 17 August 2007 - 10:41 PM

Thanks for the reply Richie.
I think I'm up to date now but infected again :thumbsup: I'm sure it was OK a couple of days ago.
I now have installed:
AVG 7.5
Ad-Aware 2007
SpywareBlaster
SUPERAntiSpyware
Spybot S&D
ZoneAlarm Pro

AVG found nothing.
Ad-Aware only found tracking cookies.

I ran the BitDefender online scan and it found 2 instances of a virus.
It said:
detected
disinfection failed
Deleted.
When it had finished it said your computer is still infected :flowers:
Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:37:57 AM, on 8/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\eMule\emule.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Vinny\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1183176874106
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1183178428062
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by technophobe, 17 August 2007 - 10:43 PM.


#4 RichieUK


Posted 18 August 2007 - 10:08 AM

I don't see anything malicious in your log, it's clean. Let's try the following:

Clear your 'System Restore' points by doing the following:
Right-click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Select 'Turn Off System Restore On All Drives'.
Select 'Apply'.
You will then get the following warning:
"You have chosen to turn off System Restore.
If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?"
Then select 'Yes', and your 'System Restore' directories will be purged.

Restart your pc.

Turn 'System Restore' back on:
Right-click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Unselect 'Turn Off System Restore On All Drives'.
Select 'Apply', then click 'Ok'.

----------------------------------------------------------

Download/install CleanUp.
Launch CleanUp, then click on 'Options'.
Now move the slider on the left up to 'Standard Cleanup!'.
Click 'Ok', now run the program by clicking on the 'Cleanup' button.
Reboot, or log off/log on when it's finished.

----------------------------------------------------------

Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

#5 technophobe


Posted 18 August 2007 - 08:12 PM

Thanks Richie.
WOW, that CleanUp program was scary: 92 MB and 4,893 files cleaned up (mostly from a previous user profile).
I am the only user on the computer now and multiple logins were giving me a lot of grief.

Here is the Combofix result that opened at the end of the scan.

ComboFix 07-08-17.2 - "Vinny" 2007-08-18 23:08:20.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.178 [GMT 1:00]


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2


((((((((((((((((((((((((( Files Created from 2007-07-18 to 2007-08-18 )))))))))))))))))))))))))))))))


2007-08-18 23:05 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-18 03:35 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-16 12:21 <DIR> d-------- C:\DOCUME~1\Kay\APPLIC~1\123 Free Solitaire
2007-08-16 01:51 <DIR> d-------- C:\DOCUME~1\Kay\APPLIC~1\SUPERAntiSpyware.com
2007-08-15 00:09 <DIR> d-------- C:\DOCUME~1\Vinny\APPLIC~1\ieSpell
2007-08-14 02:33 <DIR> d-------- C:\DOCUME~1\Vinny\APPLIC~1\vlc
2007-08-13 23:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-13 23:17 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-13 23:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-13 23:17 <DIR> d-------- C:\DOCUME~1\Vinny\APPLIC~1\SUPERAntiSpyware.com
2007-08-13 02:53 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-08-13 01:29 <DIR> d-------- C:\DOCUME~1\Vinny\Contacts
2007-08-12 04:13 <DIR> d-------- C:\DOCUME~1\Vinny\APPLIC~1\123 Free Solitaire
2007-08-12 04:12 <DIR> d-------- C:\Program Files\123 Free Solitaire
2007-08-11 09:27 <DIR> d-------- C:\DOCUME~1\Kay\APPLIC~1\Yahoo!
2007-08-11 09:27 <DIR> d-------- C:\DOCUME~1\Kay\APPLIC~1\Google
2007-08-11 09:25 2,097,152 --ah----- C:\DOCUME~1\Kay\NTUSER.DAT
2007-08-11 08:34 <DIR> d-------- C:\DOCUME~1\Vinny\APPLIC~1\Apple Computer
2007-08-11 08:32 <DIR> d-------- C:\Program Files\QuickTime
2007-08-11 08:31 <DIR> d-------- C:\Program Files\iTunes
2007-08-11 08:29 38,229 --------- C:\WINDOWS\system32\drivers\StMp3Rec.sys
2007-08-11 08:28 <DIR> d-------- C:\Program Files\iPod
2007-08-11 08:24 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-08-11 08:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-08-11 07:57 <DIR> d-------- C:\DOCUME~1\Vinny\APPLIC~1\Yahoo!
2007-08-11 07:57 <DIR> d-------- C:\DOCUME~1\Vinny\APPLIC~1\Google
2007-08-11 07:52 2,621,440 --ah----- C:\DOCUME~1\Vinny\NTUSER.DAT
2007-08-11 06:30 77,312 --a------ C:\WINDOWS\ua2.dll
2007-08-11 06:01 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-08-11 05:28 159,744 --a------ C:\WINDOWS\system32\hasher.dll
2007-08-11 05:28 <DIR> d-------- C:\Program Files\Trisnap Technologies
2007-08-10 04:06 <DIR> d-------- C:\Program Files\Windows Defender
2007-08-10 01:07 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-08-10 01:07 249,856 --------- C:\WINDOWS\Setup1.exe
2007-08-10 01:07 <DIR> d-------- C:\Program Files\ScreenPrint32 v3
2007-08-10 00:46 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-08-09 21:26 27,440 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-08-09 04:37 4,569 --------- C:\WINDOWS\system32\secupd.dat
2007-08-09 02:08 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2007-08-09 02:08 40,960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-08-09 02:08 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2007-08-09 01:46 1,082,368 --a------ C:\WINDOWS\system32\esent.dll
2007-08-09 00:58 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2007-08-09 00:58 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-08-08 01:31 81,920 --a------ C:\WINDOWS\system32\isign32.dll
2007-08-08 01:31 81,920 --a------ C:\WINDOWS\system32\ils.dll
2007-08-08 01:31 73,728 --a------ C:\WINDOWS\system32\icwdial.dll
2007-08-08 01:31 73,472 --a------ C:\WINDOWS\system32\drivers\sr.sys
2007-08-08 01:31 67,584 --a------ C:\WINDOWS\system32\srclient.dll
2007-08-08 01:31 65,536 --a------ C:\WINDOWS\system32\icwphbk.dll
2007-08-08 01:31 45,568 --a------ C:\WINDOWS\system32\safrslv.dll
2007-08-08 01:31 43,520 --a------ C:\WINDOWS\system32\safrcdlg.dll
2007-08-08 01:31 43,520 --a------ C:\WINDOWS\system32\racpldlg.dll
2007-08-08 01:31 382,464 --a------ C:\WINDOWS\system32\qmgr.dll
2007-08-08 01:31 34,560 --a------ C:\WINDOWS\system32\mnmdd.dll
2007-08-08 01:31 32,768 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2007-08-08 01:31 32,768 --a------ C:\WINDOWS\system32\isrdbg32.dll
2007-08-08 01:31 29,696 --a------ C:\WINDOWS\system32\safrdm.dll
2007-08-08 01:31 274,432 --a------ C:\WINDOWS\system32\inetcfg.dll
2007-08-08 01:31 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
2007-08-08 01:31 170,496 --a------ C:\WINDOWS\system32\srsvc.dll
2007-08-08 01:30 69,632 --a------ C:\WINDOWS\system32\msconf.dll
2007-08-08 01:30 28,672 --a------ C:\WINDOWS\system32\nmmkcert.dll
2007-08-08 01:30 274,944 --a------ C:\WINDOWS\system32\mstask.dll
2007-08-08 01:30 252,928 --a------ C:\WINDOWS\system32\msoeacct.dll
2007-08-08 01:30 190,976 --a------ C:\WINDOWS\system32\schedsvc.dll
2007-08-08 01:30 12,288 --a------ C:\WINDOWS\system32\mstinit.exe
2007-08-08 01:28 97,792 --a------ C:\WINDOWS\system32\comrepl.dll
2007-08-08 01:28 956,416 --a------ C:\WINDOWS\system32\msdtctm.dll
2007-08-08 01:28 93,696 --a------ C:\WINDOWS\system32\tscfgwmi.dll
2007-08-08 01:28 87,176 --a------ C:\WINDOWS\system32\rdpwsx.dll
2007-08-08 01:28 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll
2007-08-08 01:28 67,072 --a------ C:\WINDOWS\system32\rdshost.exe
2007-08-08 01:28 655,360 --a------ C:\WINDOWS\system32\mstscax.dll
2007-08-08 01:28 62,464 --a------ C:\WINDOWS\system32\rdpclip.exe
2007-08-08 01:28 60,416 --a------ C:\WINDOWS\system32\remotepg.dll
2007-08-08 01:28 6,656 --a------ C:\WINDOWS\system32\wuauserv.dll
2007-08-08 01:28 6,144 --a------ C:\WINDOWS\system32\msdtc.exe
2007-08-08 01:28 58,880 --a------ C:\WINDOWS\system32\msdtclog.dll
2007-08-08 01:28 58,880 --a------ C:\WINDOWS\system32\licwmi.dll
2007-08-08 01:28 56,320 --a------ C:\WINDOWS\system32\servdeps.dll
2007-08-08 01:28 540,160 --a------ C:\WINDOWS\system32\comuid.dll
2007-08-08 01:28 538,624 --a------ C:\WINDOWS\system32\spider.exe
2007-08-08 01:28 53,080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-08-08 01:28 44,544 --a------ C:\WINDOWS\system32\tscupgrd.exe
2007-08-08 01:28 426,496 --a------ C:\WINDOWS\system32\msdtcprx.dll
2007-08-08 01:28 407,552 --a------ C:\WINDOWS\system32\mstsc.exe
2007-08-08 01:28 38,912 --a------ C:\WINDOWS\system32\cfgbkend.dll
2007-08-08 01:28 343,040 --a------ C:\WINDOWS\system32\mspaint.exe
2007-08-08 01:28 295,424 --a------ C:\WINDOWS\system32\termsrv.dll
2007-08-08 01:28 21,896 --a------ C:\WINDOWS\system32\drivers\tdtcp.sys
2007-08-08 01:28 20,480 --a------ C:\WINDOWS\system32\qprocess.exe
2007-08-08 01:28 196,864 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys
2007-08-08 01:28 19,968 --a------ C:\WINDOWS\system32\rdpsnd.dll
2007-08-08 01:28 185,344 --a------ C:\WINDOWS\system32\cmprops.dll
2007-08-08 01:28 183,808 --a------ C:\WINDOWS\system32\accwiz.exe
2007-08-08 01:28 17,408 --a------ C:\WINDOWS\system32\mmfutil.dll
2007-08-08 01:28 161,280 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2007-08-08 01:28 147,968 --a------ C:\WINDOWS\system32\rdchost.dll
2007-08-08 01:28 140,800 --a------ C:\WINDOWS\system32\sessmgr.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-18 03:46 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-18 03:45 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-14 02:28 --------- d-------- C:\Program Files\ieSpell
2007-08-11 08:34 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-11 08:24 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-08-10 04:23 --------- d-------- C:\Program Files\Google
2007-08-10 04:19 --------- d-------- C:\Program Files\Messenger
2007-08-10 02:59 --------- d-------- C:\Program Files\SpywareBlaster
2007-08-10 02:42 --------- d-------- C:\Program Files\MSN Messenger
2007-08-10 00:46 --------- d-------- C:\Program Files\Movie Maker
2007-08-10 00:45 --------- d-------- C:\Program Files\Windows NT
2007-08-08 01:50 --------- d--h----- C:\Program Files\WindowsUpdate
2007-08-04 03:40 --------- d-------- C:\Program Files\Morpheus Ultra
2007-07-30 23:24 --------- d-------- C:\Program Files\PowerChallenge
2007-07-14 03:02 --------- d-------- C:\Program Files\Yahoo!
2007-07-10 00:01 --------- d-------- C:\Program Files\cdstomp
2007-07-05 07:57 --------- d-------- C:\Program Files\BearShare Applications
2007-07-05 04:49 --------- d-------- C:\Program Files\MGI
2007-07-05 04:49 --------- d-------- C:\Program Files\Common Files\MGI Shared
2007-07-02 10:36 --------- d-------- C:\Program Files\LimeWire
2007-07-02 06:37 --------- d-------- C:\Program Files\Ahead
2007-07-02 06:36 --------- d-------- C:\Program Files\CyberLink DVD Solution
2007-07-01 06:11 --------- d-------- C:\Program Files\321Studios
2007-07-01 06:09 33376 --a------ C:\WINDOWS\system32\drivers\Pcouffin.sys
2007-07-01 04:54 2676 --a------ C:\WINDOWS\pchealth\HelpCtr\PackageStore\SkuStore.bin
2007-07-01 04:51 8972 --a------ C:\WINDOWS\pchealth\HelpCtr\Config\Cntstore.bin
2007-06-30 05:50 --------- d-------- C:\Program Files\xp-AntiSpy
2007-06-30 04:26 --------- d-------- C:\Program Files\EPSON
2007-06-30 04:26 --------- d-------- C:\Program Files\Common Files\EPSON
2007-06-30 03:21 --------- d-------- C:\Program Files\Common Files\Ahead
2007-06-30 03:19 --------- d-------- C:\Program Files\CyberLink
2007-06-30 02:47 --------- d-------- C:\Program Files\PIXELA
2007-06-30 02:46 --------- d-------- C:\Program Files\FinePixViewer
2007-06-30 02:46 --------- d-------- C:\Program Files\Common Files\SpeechEngines
2007-06-30 02:46 --------- d-------- C:\Program Files\Common Files\ODBC
2007-06-30 02:45 --------- d-------- C:\Program Files\REGSHAVE
2007-06-30 02:36 499712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-06-30 02:36 348160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-06-30 02:34 --------- d-------- C:\Program Files\VideoLAN
2007-06-30 02:31 --------- d-------- C:\Program Files\microsoft frontpage
2007-06-30 02:08 --------- d-------- C:\Program Files\D-Link
2007-06-30 01:58 0 -rahs---- C:\MSDOS.SYS
2007-06-30 01:58 0 -rahs---- C:\IO.SYS
2007-06-30 01:58 0 --a------ C:\CONFIG.SYS
2007-06-30 01:58 0 --a------ C:\AUTOEXEC.BAT
2007-06-30 01:56 --------- d-------- C:\Program Files\Online Services
2007-06-30 01:55 --------- d-------- C:\Program Files\Common Files\MSSoap
2007-06-30 01:53 --------- d-------- C:\Program Files\MSN Gaming Zone
2007-06-26 07:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 14:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 11:23 1033216 --a------ C:\WINDOWS\explorer.exe
2004-10-01 15:00 40960 --a------ C:\Program Files\Uninstall_CDS.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-16 23:16]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-07 09:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CyberDefender Early Detection Center]
"C:\Program Files\CyberDefender\AntiSpyware\cdas4.exe" /minimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
"C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScreenPrint32]
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\startdrv]
C:\WINDOWS\Temp\startdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide

R2 CDRPDACC;Arrowkey Device Access;\??\C:\Program Files\321Studios\Shared\CDRPDACC.SYS
R3 glauiad;D-Link DSL-302G Modem;C:\WINDOWS\system32\DRIVERS\glauiad.sys


Contents of the 'Scheduled Tasks' folder
2007-08-18 22:16:35 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-18 23:14:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-18 23:17:35 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-18 23:17

--- E O F ---

#6 RichieUK


Posted 18 August 2007 - 08:45 PM

Copy and paste the following blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.reg, and save it to your desktop.
Then double-click on the fix.reg file on your desktop and agree to merge the information into the registry, then restart your pc.

REGEDIT4
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\startdrv]

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE).
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u2'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save it to your desktop.
7. Close any programs you may have running, especially your web browser.
8. Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Standard
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:
Select My Computer
This will start the program and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste the contents of that file into your next reply.

Also post a new Hijackthis log.
Let me know how your pc is running now.
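As an added example (not code from the thread, from ComboFix or from the helper), the Python below parses the startupreg blocks of a ComboFix 'Reg Loading Points' section, flags entries whose program lives in a temp directory (the pattern behind the startdrv fix above), and emits the same REGEDIT4 deletion text. The log excerpt is constructed from lines quoted in the thread, and the temp-directory heuristic is an assumption, not a general malware test.

```python
"""Flag msconfig 'startupreg' entries in a ComboFix log that point into a
temp directory, and build the REGEDIT4 text that deletes those keys.

Note: startupreg keys hold startup items that were disabled through msconfig;
they no longer run at boot, but the key still records the program path, which
is why the thread's fix simply deletes the key.
"""
import re

# Constructed excerpt of a ComboFix 'Reg Loading Points' section (from the thread).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\startdrv]
C:\WINDOWS\Temp\startdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide
"""

STARTUPREG_PREFIX = r"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg"

# Assumed heuristic: a legitimate startup item should not run from a temp folder.
TEMP_DIR_MARKERS = ("\\temp\\", "\\temporary internet files\\")


def command_executable(command):
    """Return the program path from a startup command line.

    Quoted paths are taken verbatim; otherwise the command is cut after the
    first executable-style extension so unquoted paths with spaces survive.
    """
    m = re.match(r'"([^"]+)"', command)
    if m:
        return m.group(1)
    m = re.match(r"(.*?\.(?:exe|com|bat|cmd|scr|dll))(?:\s|$)", command, re.IGNORECASE)
    if m:
        return m.group(1)
    parts = command.split()
    return parts[0] if parts else command


def parse_startupreg(log_text):
    """Return a list of {key, name, command, exe} dicts for each startupreg block."""
    entries = []
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            key = m.group(1)
            if key.lower().startswith(STARTUPREG_PREFIX.lower()):
                current = {"key": key, "name": key.rsplit("\\", 1)[1], "command": None}
                entries.append(current)
            else:
                current = None  # some other hive section; ignore its lines
            continue
        if current is not None and current["command"] is None:
            current["command"] = line  # first non-empty line after the key is the command
            current["exe"] = command_executable(line)
    return entries


def is_temp_path(path):
    p = path.lower()
    return any(marker in p for marker in TEMP_DIR_MARKERS)


def flag_temp_entries(entries):
    """Entries whose executable lives under a temp directory."""
    return [e for e in entries if e.get("command") and is_temp_path(e["exe"])]


def reg_delete_script(entries):
    """REGEDIT4 text deleting each key; a leading '-' inside the brackets deletes the key."""
    lines = ["REGEDIT4", ""]
    for e in entries:
        lines.append("[-%s]" % e["key"])
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_startupreg(SAMPLE_LOG)
    suspicious = flag_temp_entries(found)
    for e in suspicious:
        print("suspicious startup entry %r -> %s" % (e["name"], e["exe"]))
    print(reg_delete_script(suspicious))
```

Review the flagged list by hand before merging anything; the script only narrows the log to entries worth a closer look.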

#7 technophobe


Posted 19 August 2007 - 01:45 AM

Kaspersky result
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, August 19, 2007 7:30:21 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 19/08/2007
Kaspersky Anti-Virus database records: 361200
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 42904
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 01:53:29

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-08102007-040641.log Object is locked skipped
C:\Documents and Settings\All Users\Documents\Config\desktop2.idf Object is locked skipped
C:\Documents and Settings\All Users\Documents\Fonts\SwUniNew.tff Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Vinny\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\Vinny\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Vinny\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Vinny\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Vinny\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Vinny\Local Settings\Temp\~DF3BA7.tmp Object is locked skipped
C:\Documents and Settings\Vinny\Local Settings\Temp\~DF90BC.tmp Object is locked skipped
C:\Documents and Settings\Vinny\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Vinny\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Vinny\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Vinny\NtUser.dat.LOG Object is locked skipped
C:\Program Files\321Studios\DVD X Rescue\CDG1C89.DAT Object is locked skipped
C:\Program Files\Trisnap Technologies\SSI\SysEnforce.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\HOME-JZP37MD01C.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT039ca.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT039d1.TMP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\SYSTEM~1\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 7:39:44 AM, on 8/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Vinny\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1183176874106
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1183178428062
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

My PC seems to be running much better.

Edited by technophobe, 19 August 2007 - 01:46 AM.
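A small parser for the O4 (Run-key) and O23 (service) lines of a HijackThis log like the one above, added here as an example; it is not code from the thread or from HijackThis itself. It applies two triage heuristics (assumed for illustration, not a verdict): a Windows binary name such as ctfmon.exe launched from somewhere other than its expected system32 folder, which is the check that shows the ctfmon.exe entry in the log above is the legitimate one, and a service listed with no publisher. The sample lines are taken from the log above, plus one constructed impostor entry.

```python
import ntpath
import re

# Lines from the HijackThis log in this thread, plus one constructed
# impostor ctfmon.exe entry (the Temp folder line) for the check to catch.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\Documents and Settings\Vinny\Local Settings\Temp\ctfmon.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)', re.IGNORECASE)

# Windows binaries that are often impersonated by name, with the only folder
# they should start from on an XP system. Assumed list for this example.
EXPECTED_DIR = {"ctfmon.exe": r"c:\windows\system32"}


def parse_hjt(text):
    """Return dicts for each O4 and O23 line; other line types are ignored."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            exe = EXE_RE.match(m.group("cmd"))  # strip quotes and arguments
            entries.append({"kind": "O4", "hive": m.group("hive"), "name": m.group("name"),
                            "path": exe.group("exe") if exe else m.group("cmd")})
            continue
        m = O23_RE.match(line)
        if m:
            entries.append({"kind": "O23", "name": m.group("name"),
                            "owner": m.group("owner"), "path": m.group("path")})
    return entries


def review(entries):
    """Apply the two heuristics; returns findings to look at by hand, not verdicts."""
    findings = []
    for e in entries:
        base = ntpath.basename(e["path"]).lower()
        folder = ntpath.dirname(e["path"]).lower()
        if e["kind"] == "O4" and base in EXPECTED_DIR and folder != EXPECTED_DIR[base]:
            findings.append(f"{base} launched from {folder!r}, expected {EXPECTED_DIR[base]!r}")
        if e["kind"] == "O23" and e["owner"].lower() == "unknown owner":
            findings.append(f"service {e['name']!r} has no publisher: confirm {e['path']}")
    return findings


if __name__ == "__main__":
    for finding in review(parse_hjt(SAMPLE_LOG)):
        print(finding)
```

The legitimate C:\WINDOWS\system32\ctfmon.exe entry produces no finding, which is the check the thread's online analyzer got wrong.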


#8 RichieUK


Posted 19 August 2007 - 04:38 AM

Your log is clean :thumbsup:
If all's ok, please do the following.

Find and delete:
Combofix.exe
fix.reg

C:\Qoobox

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use the Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use the Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

--------------------------------------------------

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

#9 technophobe


Posted 19 August 2007 - 05:47 PM

Thank you very much for all your help Richie, I can hear my PC breathing a sigh of relief :thumbsup: All running pretty well now.
I have done all you suggested in your last post, all of your instructions have been spot on, practically idiot proof.
Just one question if you don't mind.
Could you tell me what the reg edit did?
REGEDIT4
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\startdrv]

Excellent link above BTW it made very good reading.
I hope we never have to communicate again (and I mean that in the nicest possible way) :flowers:
Once again thank you for your help, you're a legend.

#10 RichieUK


Posted 19 August 2007 - 06:02 PM

You're most welcome :thumbsup:

Just one question if you don't mind.
Could you tell me what the reg edit did?
REGEDIT4
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\startdrv]

That fix just removed a redundant startup entry from the registry.

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.