
Trojan (n2_18_09_07_1[1].exe & 148235233.exe)


This topic is locked
12 replies to this topic

#1 milkx77

milkx77

  • Members
  • 6 posts

Posted 02 November 2007 - 09:44 AM

Hello! I need some help :-)
When I scan my computer with AVG it finds trojan n2_18_09_07_1[1].exe in Temp int files and trojan 148235233.exe in windows/temp... after that AVG deletes them....
The problem is they keep coming back every time I start my computer or a little time afterwards (when I go on the internet)... I noticed svchost.exe and explorer.exe ask for internet access, which I deny with ZoneAlarm...
...
Please help :-)

My HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:47:24, on 2.11.2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Messenger\msmsgs.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\Program Files\NetLimiter 2 Pro\nlsvc.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Real\RealPlayer\RealPlay.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] F:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [NeroFilterCheck] F:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: &Clean Traces - F:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - F:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - F:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: I&zvoz u Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1193929773106
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193930256138
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8D24AC8-755B-4991-942F-9C7E43C3534A}: NameServer = 195.29.149.197 195.29.149.196
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: MS Internet Countermeasures Framework (ICF) - Unknown owner - F:\WINDOWS\System32\svchost.exe:exe.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - F:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: ServiceLayer - Nokia. - F:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - F:\WINDOWS\system32\ZoneLabs\vsmon.exe


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 04 November 2007 - 03:08 PM

Hello milkx77,

We can definitely help you, but first you need to help us.

The first step in this process is to apply Service Pack 1a for Windows XP.

Without this update, you're wide open to re-infection, and we're both just wasting our time.

Click HERE.

Apply the update, reboot, and post a fresh Hijack This log.

Install all critical updates except Service Pack 2.
Some hijacks interfere with the installation of Service Pack 2, so please wait until your computer is clean before installing it.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 milkx77

milkx77
  • Topic Starter

  • Members
  • 6 posts

Posted 09 November 2007 - 01:02 PM

Thank you :-)
I was a little impatient so I tried to fix it by myself :-)
I don't have any problems now, but please see if everything is OK:

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:59:34, on 9.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\_avgas.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\Program Files\NetLimiter 2 Pro\nlsvc.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] F:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\_avgas.exe" /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Clean Traces - F:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - F:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - F:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: I&zvoz u Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1193929773106
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193930256138
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8D24AC8-755B-4991-942F-9C7E43C3534A}: NameServer = 195.29.149.196 195.29.149.197
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - F:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: ServiceLayer - Nokia. - F:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - F:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by milkx77, 09 November 2007 - 01:04 PM.


#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 09 November 2007 - 01:29 PM

Hi milkx77,

I was a little impatient so I tried to fix it by myself



What does this mean? Are you using HijackThis without guidance? :thumbsup:

If you do not have advanced knowledge about computers you should NOT fix entries using HijackThis without consulting an expert on using this program. HijackThis is an advanced tool, and therefore requires advanced knowledge about Windows and operating systems in general. If you delete items that it shows, without knowing what they are, it can lead to other problems such as your Internet no longer working or problems with running Windows itself.

Edited by SifuMike, 09 November 2007 - 02:26 PM.


#5 milkx77

milkx77
  • Topic Starter

  • Members
  • 6 posts

Posted 09 November 2007 - 08:19 PM

Hi milkx77,

I was a little impatient so I tried to fix it by myself


What does this mean? Are you using HijackThis without guidance? :thumbsup:
If you do not have advanced knowledge about computers you should NOT fix entries using HijackThis without consulting an expert on using this program. HijackThis is an advanced tool, and therefore requires advanced knowledge about Windows and operating systems in general. If you delete items that it shows, without knowing what they are, it can lead to other problems such as your Internet no longer working or problems with running Windows itself.


Hello, no, I didn't use HJT at all :-)

Edited by milkx77, 09 November 2007 - 08:21 PM.


#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 09 November 2007 - 10:31 PM

Hello, no, I didn't use HJT at all


Then what tool did you use?
There is a service removed from your log. Services do not vanish by themselves, so I know you either used HijackThis or some special tool.

Also, I see you double posted:
http://forums.spywareinfo.com/lofiversion/...hp/t107878.html

Double posting wastes helper time and creates backlogs.
If you want help here, then tell the Spywareinfo forum you are receiving help here and ask them to close your log.

Edited by SifuMike, 09 November 2007 - 10:39 PM.

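A small triage script, added here as an example and not a tool from the thread or from HijackThis, that parses the O23 service lines of two HJT logs, flags a service binary referenced through an NTFS alternate data stream (the svchost.exe:exe.exe path in the first log) or listed with an unknown owner, and diffs the two logs to show which service disappeared between scans, which is what SifuMike spotted. The log excerpts are copied from the first two HJT logs in this thread; the flag names are my own.

```python
"""HijackThis O23 service triage (added example, not a tool from the thread).

Parses the O23 "Service" lines of two HJT logs, flags a service whose binary
is referenced through an NTFS alternate data stream (the svchost.exe:exe.exe
path in the thread's first log) or that carries no vendor name, and diffs the
two logs to list services that disappeared or appeared between scans.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# O23 line layout: "O23 - Service: <name> [(<short name>)] - <owner> - <path>"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?)(?: \((?P<short>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)
# An alternate data stream is written "<dir>\<file>:<stream>": a colon inside the
# final path component. The drive-letter colon ("F:") is never preceded by "\".
ADS_RE = re.compile(r"\\[^\\:]+:[^\\]+$")


@dataclass(frozen=True)
class Service:
    name: str
    short: Optional[str]
    owner: str
    path: str

    def flags(self) -> List[str]:
        """Triage flags for this service; an empty list means nothing stood out."""
        out = []
        if ADS_RE.search(self.path):
            out.append("ads-path")       # binary hidden in an NTFS alternate data stream
        if self.owner.lower().startswith("unknown"):
            out.append("unknown-owner")  # no vendor string in the executable's version info
        return out


def parse_services(log_text: str) -> List[Service]:
    """Extract every O23 service entry from an HJT log; other line types are skipped."""
    services = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            services.append(Service(m["name"], m["short"], m["owner"], m["path"].strip()))
    return services


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map service name -> flags for every O23 entry that raised at least one flag."""
    return {s.name: s.flags() for s in parse_services(log_text) if s.flags()}


def diff_services(before: str, after: str) -> Tuple[List[Service], List[Service]]:
    """Return (removed, added) services between two logs, keyed on name and path."""
    def key(s: Service) -> Tuple[str, str]:
        return (s.name, s.path.lower())

    old = {key(s): s for s in parse_services(before)}
    new = {key(s): s for s in parse_services(after)}
    removed = [s for k, s in old.items() if k not in new]
    added = [s for k, s in new.items() if k not in old]
    return removed, added


# Excerpts copied from the thread's first HJT log and from the log posted after
# the "ICF" service had been removed by hand.
LOG_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: MS Internet Countermeasures Framework (ICF) - Unknown owner - F:\WINDOWS\System32\svchost.exe:exe.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - F:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

LOG_AFTER = r"""
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - F:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    for name, flags in triage(LOG_BEFORE).items():
        print(f"[first log] {name}: {', '.join(flags)}")
    removed, added = diff_services(LOG_BEFORE, LOG_AFTER)
    for s in removed:
        print(f"[removed] {s.name} -> {s.path}")
    for s in added:
        print(f"[added]   {s.name} -> {s.path}")
```

The "unknown-owner" flag is only a prompt to check the binary (the ATI Smart service here is a legitimate driver helper); the ADS-style path is the entry worth acting on.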

#7 milkx77

milkx77
  • Topic Starter

  • Members
  • 6 posts

Posted 10 November 2007 - 08:14 AM

I tried to fix things before you answered my post because I looked on the internet for answers and tried to fix the problem... I deleted everything that AVG, Trojan Hunter, Stinger and all the other programs found, I deleted the ICF service directly without any tool, and I downloaded all the updates for my Windows... that's all I did...
And yes, I also put the same post on the other forum, waiting to see where I'd get an answer first... and I didn't waste anybody's time on that forum, since no one replied to me on that other forum for 7 days...
If I'm bothering you or this is a big drag for you, you don't have to do it, and I apologize and thank you for your time spent on my problem :-)

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 10 November 2007 - 11:50 AM

Let's run ComboFix.

If you have used ComboFix before, please delete the version you have and download it again, because ComboFix is updated every day.

Disconnect from the Internet while running ComboFix.

Temporarily disable any anti-virus and anti-malware real-time protection before performing a scan.
They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.



1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".

#9 milkx77

milkx77
  • Topic Starter

  • Members
  • 6 posts

Posted 10 November 2007 - 12:19 PM

OK, this is the combo log:

ComboFix 07-11-08.1 - mlijeko 2007-11-10 18:08:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.131 [GMT 1:00]
Running from: F:\Documents and Settings\mlijeko\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\WINDOWS\mywinsys.ini
F:\WINDOWS\system32\death.sishen

.
((((((((((((((((((((((((( Files Created from 2007-10-10 to 2007-11-10 )))))))))))))))))))))))))))))))
.

2007-11-10 18:07 51,200 --a------ F:\WINDOWS\NirCmd.exe
2007-11-06 23:26 128,896 -----c--- F:\WINDOWS\system32\dllcache\fltmgr.sys
2007-11-06 23:26 23,040 -----c--- F:\WINDOWS\system32\dllcache\fltmc.exe
2007-11-06 23:26 16,896 -----c--- F:\WINDOWS\system32\dllcache\fltlib.dll
2007-11-06 23:06 584,192 -----c--- F:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-11-05 18:06 221,184 --a------ F:\WINDOWS\system32\wmpns.dll
2007-11-05 18:04 <DIR> d-------- F:\WINDOWS\provisioning
2007-11-05 18:04 <DIR> d-------- F:\WINDOWS\peernet
2007-11-05 18:01 <DIR> d-------- F:\WINDOWS\ServicePackFiles
2007-11-05 17:58 22,752 --a------ F:\WINDOWS\system32\spupdsvc.exe
2007-11-05 17:56 <DIR> d-------- F:\WINDOWS\EHome
2007-11-05 12:00 313,856 --a------ F:\WINDOWS\system32\dx3j.dll
2007-11-05 12:00 171,280 --a------ F:\WINDOWS\system32\jit.dll
2007-11-05 12:00 139,536 --a------ F:\WINDOWS\system32\javaee.dll
2007-11-05 12:00 46,352 --a------ F:\WINDOWS\setdebug.exe
2007-11-05 12:00 6,550 --a------ F:\WINDOWS\jautoexp.dat
2007-11-05 11:52 271,224 --a------ F:\WINDOWS\system32\mucltui.dll
2007-11-04 13:20 <DIR> d-------- F:\Documents and Settings\mlijeko\Application Data\Uniblue
2007-11-04 13:19 <DIR> d-------- F:\Program Files\Uniblue
2007-11-03 19:25 <DIR> d-------- F:\Documents and Settings\mlijeko\Application Data\Grisoft
2007-11-03 19:24 10,872 --a------ F:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-03 19:22 <DIR> d-------- F:\Documents and Settings\mlijeko\Application Data\TrojanHunter
2007-11-03 18:41 <DIR> d-------- F:\Program Files\TrojanHunter 5.0
2007-11-03 17:58 <DIR> d-------- F:\WINDOWS\system32\Kaspersky Lab
2007-11-03 17:58 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-01 12:19 <DIR> d-------- F:\Program Files\Trend Micro
2007-10-11 16:16 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-10 17:07 --------- d-----w F:\Documents and Settings\mlijeko\Application Data\AVG7
2007-11-10 01:39 --------- d-----w F:\Documents and Settings\mlijeko\Application Data\uTorrent
2007-11-10 01:12 --------- d-----w F:\Program Files\uTorrent
2007-11-05 17:23 --------- d-----w F:\Documents and Settings\All Users\Application Data\AVG7
2007-11-03 18:24 --------- d-----w F:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-11 15:16 --------- d-----w F:\Program Files\Apple Software Update
2007-10-07 11:40 --------- d-----w F:\Program Files\EA GAMES
2007-08-21 06:15 683,520 ----a-w F:\WINDOWS\system32\inetcomm.dll
2006-03-14 19:37 2,418,426 ----a-w F:\Program Files\j2eesdk-1_4_03-windows.exe
2005-10-18 16:52 243,512 ----a-w F:\Program Files\jre-1_5_0_05-windows-i586-p-iftw.exe
2004-11-27 20:27 811 ----a-w F:\Program Files\INSTALL.LOG
2001-11-26 01:24 22,744,483 ----a-w F:\Program Files\PartitionMagic70.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="F:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe" [2004-04-01 09:30]
"AVG7_CC"="F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-10-22 23:02]
"!AVG Anti-Spyware"="F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\_avgas.exe" [2007-06-11 10:25]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"=F:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="F:\Program Files\Messenger\msmsgs.exe" /background
"CTFMON.EXE"=F:\WINDOWS\System32\ctfmon.exe
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="F:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
"updateMgr"=F:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
"SpybotSD TeaTimer"=F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"NetLimiter 2 Client"=F:\Program Files\NetLimiter 2 Pro\NLClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ATIPTA"=F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"QuickTime Task"="F:\Program Files\QuickTime\qttask.exe" -atboottime
"iTunesHelper"=F:\Program Files\iTunes\iTunesHelper.exe
"SunJavaUpdateSched"=F:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
"TkBellExe"="F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"ICQ Lite"="F:\Program Files\ICQLite\ICQLite.exe" -minimize
"PWRISOVM.EXE"=F:\Program Files\PowerISO\PWRISOVM.EXE
"PCSuiteTrayApplication"=F:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
"THGuard"="F:\Program Files\TrojanHunter 5.0\THGuard.exe"
"NeroFilterCheck"=F:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

R1 nltdi;nltdi;\??\F:\WINDOWS\System32\drivers\nltdi.sys
R2 SVKP;SVKP;\??\F:\WINDOWS\System32\SVKP.sys
R2 UxTuneUp;TuneUp Design Expansion;F:\WINDOWS\System32\svchost.exe -k netsvcs
R3 Intels51;Intel® 536EP Modem;F:\WINDOWS\system32\DRIVERS\Intels51.sys
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);F:\WINDOWS\system32\DRIVERS\RMSPPPOE.SYS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-11-09 16:16:16 F:\WINDOWS\Tasks\1-Click Maintenance.job"
- F:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2007-10-11 15:16:50 F:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- F:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-10 18:11:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-10 18:12:12
.
--- E O F ---

and this is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:17:52, on 10.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\Program Files\NetLimiter 2 Pro\nlsvc.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\WINDOWS\explorer.exe
F:\WINDOWS\system32\notepad.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] F:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\_avgas.exe" /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Clean Traces - F:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - F:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - F:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: I&zvoz u Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1193929773106
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193930256138
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8D24AC8-755B-4991-942F-9C7E43C3534A}: NameServer = 195.29.149.197 195.29.149.196
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - F:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: ServiceLayer - Nokia. - F:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - F:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4799 bytes

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 10 November 2007 - 01:51 PM

Your log looks clean! :thumbsup:

Uninstall ComboFix: go to Start > Run & type in ComboFix /u
Make sure there's a space between ComboFix and /
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Please read and follow How did I get infected?, With steps so it does not happen again!
as well as
How to prevent Malware by miekiemoes


If you want to improve speed/system performance after malware removal, take a look here.

#11 milkx77

milkx77
  • Topic Starter

  • Members
  • 6 posts

Posted 10 November 2007 - 02:32 PM

Your log looks clean! :blink:
Uninstall ComboFix: go to Start > Run & type in ComboFix /u
Make sure there's a space between ComboFix and /
Then hit Enter.
This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.
Please read and follow How did I get infected?, With steps so it does not happen again!
as well as
How to prevent Malware by miekiemoes

If you want to improve speed/system performance after malware removal, take a look here.


Thanks for the links and for taking your time to help :thumbsup:

#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 10 November 2007 - 02:39 PM

You're most welcome. :thumbsup: And I thank you for taking the time to say thank you! It's amazing just how far those two little words go. :blink:
Regards,
SifuMike

#13 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 14 November 2007 - 10:50 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.



