
Trojan And Popups


17 replies to this topic

#1 templarzz

templarzz

  • Members
  • 9 posts

Posted 14 November 2007 - 08:51 AM

Good day,

I recently found out there are trojans in my new com... It might have come with the com itself...

Every time I start up Windows, I get this error message: "Error loading C:\WINDOWS\system32\tx27jc8dn.dll, Access is denied."

And AVG finds 'Trojan.Small' under 'C:\Program Files\OCINS\cnprovh.dll' every time it starts up as well. My Internet homepage has been changed automatically and popups randomly occur.

When I ran a HijackThis scan, AVG detected 'Trojan horse BackDoor.Generic9.ZY' under 'C:\WINDOWS\system32\drivers\mqt5.sys'.

Can't seem to get these problems off no matter what...

I have both AVG and AVG Anti-Spyware 7.5 installed and updated.

Here is the HijackThis log.
Any help would be greatly appreciated =) Thanks in advance.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:49:02 PM, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\com\services.exe
c:\program files\common files\microsoft shared\vgx\smss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
C:\Program Files\OCINS\idnsvr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ppfilm\jfCacheMgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.kzxf.net/?c
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\Run: [IdnSvr] C:\Program Files\OCINS\idnsvr.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [jfproc] C:\Program Files\ppfilm\jfCacheMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [ATICheck] C:\WINDOWS\system32\aticheck.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\cdnns.dll' missing
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5393 bytes

#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 14 November 2007 - 04:50 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, templarzz :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.


If you have previously downloaded ComboFix, please delete that version now.
Now download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Disconnect from the Internet.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*Note*
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new HijackThis log please.

#3 templarzz

templarzz
  • Topic Starter

  • Members
  • 9 posts

Posted 15 November 2007 - 12:56 AM

Good day Richie, thanks for your reply and your time... There is still an error message when I start up Windows: "Error loading C:\WINDOWS\system32\tx27jc8dn.dll, Access is denied." And Trojan BackDoor.Generic9.ZY when I start up HijackThis.

Here are the logs you requested:

SDFix report

SDFix: Version 1.114

Run by Low on Thu 11/15/2007 at 01:16 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 13:21:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0002728199cb]
"0012d26e9487"=hex:bf,c0,93,d0,7e,b8,e0,3e,1c,ae,a9,9b,20,c5,d9,f2
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0002728199cb]
"0012d26e9487"=hex:bf,c0,93,d0,7e,b8,e0,3e,1c,ae,a9,9b,20,c5,d9,f2

scanning hidden registry entries ...

scanning hidden files ...

C:\Documents and Settings\Low\Local Settings\Application Data\Microsoft\Messenger\chin_heng55@hotmail.com\SharingMetadata\nederay@hotmail.com\DFSR\Staging\CS{588F4A03-5C67-0CAA-4AB3-B45657EAC9F1}\01\12-{588F4A03-5C67-0CAA-4AB3-B45657EAC9F1}-v1-{C185C31A-6166-4A09-94AD-72CE8CE0196B}-v12-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API
C:\Documents and Settings\Low\Local Settings\Application Data\Microsoft\Messenger\chin_heng55@hotmail.com\SharingMetadata\rebirth_jay@hotmail.com\DFSR\Staging\CS{AB328A4D-2357-42C2-A3B1-BB826CBD665B}\01\11-{AB328A4D-2357-42C2-A3B1-BB826CBD665B}-v1-{C185C31A-6166-4A09-94AD-72CE8CE0196B}-v11-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API
C:\Documents and Settings\Low\Local Settings\Application Data\Microsoft\Messenger\chin_heng55@hotmail.com\SharingMetadata\steven80fong@hotmail.com\DFSR\Staging\CS{870DAF45-A7A4-95A3-F942-A0079E6E0D6A}\01\10-{870DAF45-A7A4-95A3-F942-A0079E6E0D6A}-v1-{C185C31A-6166-4A09-94AD-72CE8CE0196B}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 3


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\ppfilm\\jfCacheMgr.exe"="C:\\Program Files\\ppfilm\\jfCacheMgr.exe:*:Enabled:jfCacheMgr(http://www.ppfilm.cn)"
"C:\\Program Files\\ppfilm\\KmLiveUpdate.exe"="C:\\Program Files\\ppfilm\\KmLiveUpdate.exe:*:Enabled:KmLiveUpdate(http://www.ppfilm.cn)"
"C:\\Program Files\\ppfilm\\ppFilmPlayer.exe"="C:\\Program Files\\ppfilm\\ppFilmPlayer.exe:*:Enabled:ppFilmPlayer"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------


Files with Hidden Attributes:

Sun 11 Nov 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 16 Sep 2006 4,348 A..H. --- "C:\Documents and Settings\My Documents\My Music\License Backup\drmv1key.bak"
Mon 9 Oct 2006 20 A..H. --- "C:\Documents and Settings\My Documents\My Music\License Backup\drmv1lic.bak"
Sat 9 Sep 2006 312 A.SH. --- "C:\Documents and Settings\My Documents\My Music\License Backup\drmv2key.bak"
Thu 27 Mar 2003 9,728 ...H. --- "C:\Program Files\Common Files\Microsoft Shared\VGX\smss.exe"
Mon 12 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fe95c915e785c18bf9cc0792fb5a73df\BIT7.tmp"

Finished!


ComboFix report

ComboFix 07-11-08.3 - Low 2007-11-15 13:37:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1513 [GMT 8:00]
Running from: C:\Documents and Settings\Low\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\microsoft\pctools
C:\Documents and Settings\Low\Favorites\7BFA~1.URL
C:\Program Files\gpya\mveg.dll
C:\Program Files\gpya\qzik.dll
C:\Program Files\gpya\tcln.dll
C:\Program Files\gpya\venp.dll
C:\Program Files\gpya\yhqs.dll
C:\Program Files\OCINS\austr.dll
C:\Program Files\OCINS\cndsv.dll
C:\Program Files\OCINS\cnprovh.dll
C:\Program Files\OCINS\cnstc.ini
C:\Program Files\OCINS\config.exe
C:\Program Files\OCINS\convf.dll
C:\Program Files\OCINS\ctrcfg.ini
C:\Program Files\OCINS\cuscfg.dat
C:\Program Files\OCINS\idnsvr.dll
C:\Program Files\OCINS\idnsvr.exe
C:\Program Files\OCINS\ieaux.dll
C:\Program Files\OCINS\kwacs.dat
C:\Program Files\OCINS\kwrep.dat
C:\Program Files\OCINS\uninstall.exe
C:\Program Files\OCINS\update\update.exe
C:\Program Files\OCINS\update\version.dat
C:\Program Files\OCINS\usrcfg.ini
C:\Program Files\OCINS\version.dat
C:\WINDOWS\KB611311.log
C:\WINDOWS\ocinfo.dat
C:\WINDOWS\system32\cnprov.dat
C:\WINDOWS\system32\d3d1caps.srg
C:\WINDOWS\system32\drivers\cnprov.sys
C:\WINDOWS\system32\mprmsgse.axz
C:\WINDOWS\system32\mscpx32r.det

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_ACPIDISK
-------\LEGACY_CNPROV
-------\LEGACY_LUDF
-------\acpidisk
-------\cnprov
-------\ludf


((((((((((((((((((((((((( Files Created from 2007-10-15 to 2007-11-15 )))))))))))))))))))))))))))))))
.

2007-11-15 13:37 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-15 13:16 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-15 03:15 <DIR> d-------- C:\Documents and Settings\Low\Phone Browser
2007-11-15 03:15 38,016 --a------ C:\WINDOWS\system32\drivers\bthmodem.sys
2007-11-15 03:15 38,016 --a--c--- C:\WINDOWS\system32\dllcache\bthmodem.sys
2007-11-15 03:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2007-11-15 03:04 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2007-11-15 03:04 <DIR> d-------- C:\Program Files\Nokia
2007-11-15 03:04 <DIR> d-------- C:\Program Files\DIFX
2007-11-15 03:04 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-11-15 03:04 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-11-15 03:04 <DIR> d-------- C:\Documents and Settings\Low\Application Data\PC Suite
2007-11-15 03:04 <DIR> d-------- C:\Documents and Settings\Low\Application Data\Nokia
2007-11-15 03:04 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-11-15 03:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2007-11-15 02:56 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-15 02:55 <DIR> d-------- C:\Program Files\Microsoft Games
2007-11-14 14:28 <DIR> d-------- C:\Program Files\iTunes
2007-11-14 14:28 <DIR> d-------- C:\Program Files\iPod
2007-11-14 14:28 <DIR> d-------- C:\Documents and Settings\Low\Application Data\Apple Computer
2007-11-14 14:27 <DIR> d-------- C:\Program Files\QuickTime
2007-11-14 14:27 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-11-14 14:27 <DIR> d-------- C:\Program Files\Apple Software Update
2007-11-14 14:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-14 14:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-11-14 10:59 <DIR> d-------- C:\Documents and Settings\Low\Application Data\AVG7
2007-11-14 10:59 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-14 10:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-11-14 10:53 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-14 03:06 <DIR> d-------- C:\Program Files\ppfilm
2007-11-14 01:01 812,344 --a------ C:\HJTInstall.exe
2007-11-14 00:47 15,196,440 --a------ C:\sdsetup.exe
2007-11-13 22:09 <DIR> d-------- C:\WINDOWS\Cache
2007-11-13 17:46 <DIR> d-------- C:\Documents and Settings\Low\Application Data\vlc
2007-11-13 16:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Pinnacle
2007-11-13 16:34 <DIR> d-------- C:\Program Files\VOB
2007-11-13 16:34 611,840 --a------ C:\WINDOWS\system32\vobhw.dll
2007-11-13 16:34 153,088 --a------ C:\WINDOWS\system32\IWUninstall.exe
2007-11-13 16:34 19,456 --a------ C:\WINDOWS\system32\asapi.dll
2007-11-13 16:34 11,264 --a------ C:\WINDOWS\system32\drivers\asapi.sys
2007-11-13 16:33 306,688 --a------ C:\WINDOWS\IsUninst.exe
2007-11-13 16:32 <DIR> d-------- C:\Documents and Settings\Low\WINDOWS
2007-11-13 16:03 30,422,984 --a------ C:\avg75free_503a1171.exe
2007-11-13 10:59 <DIR> d-------- C:\Documents and Settings\Low\Application Data\Grisoft
2007-11-13 10:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-13 10:59 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-12 23:18 <DIR> d---s---- C:\Documents and Settings\Low\UserData
2007-11-12 19:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2007-11-12 19:27 <DIR> d-------- C:\Program Files\CDRWIN
2007-11-12 19:26 <DIR> d-------- C:\Program Files\theme hospital
2007-11-12 19:25 <DIR> d-------- C:\Program Files\mIRC
2007-11-12 19:17 <DIR> d-------- C:\Program Files\Activision
2007-11-12 08:35 20,480 --a------ C:\execmain.exe
2007-11-12 04:06 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2007-11-12 04:05 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2007-11-12 04:05 74,240 --a--c--- C:\WINDOWS\system32\dllcache\usbui.dll
2007-11-12 04:05 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2007-11-12 04:04 <DIR> dr------- C:\Program Files
2007-11-12 04:03 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2007-11-12 04:03 <DIR> d-------- C:\WINDOWS\system32\CatRoot
2007-11-12 04:03 <DIR> dr------- C:\Documents and Settings\All Users\Documents
2007-11-12 04:02 <DIR> d-------- C:\Documents and Settings
2007-11-12 01:14 <DIR> d-------- C:\Program Files\XP Codec Pack
2007-11-12 00:05 <DIR> d-------- C:\Downloads
2007-11-11 23:57 <DIR> d-------- C:\Documents and Settings\Low\Contacts
2007-11-11 23:53 <DIR> d-------- C:\Program Files\MSN Messenger
2007-11-11 23:02 <DIR> d-------- C:\Documents and Settings\Low\Application Data\SopCast
2007-11-11 22:57 <DIR> d-------- C:\Program Files\gpya
2007-11-11 22:57 24,832 --ahs---- C:\WINDOWS\system32\system.dat
2007-11-11 22:57 182 --a------ C:\IdRmSelf.bat
2007-11-11 22:47 <DIR> d-------- C:\Program Files\nullDC
2007-11-11 22:26 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-11-11 22:25 <DIR> d-------- C:\Documents and Settings\Low\Application Data\uTorrent
2007-11-11 22:24 <DIR> d-------- C:\Documents and Settings\Low\Application Data\Hamachi
2007-11-11 22:14 <DIR> d-a------ C:\Program Files\Magic
2007-11-11 22:12 <DIR> d-------- C:\Program Files\VideoLAN
2007-11-11 22:12 <DIR> d-------- C:\Program Files\uTorrent
2007-11-11 22:12 <DIR> d-------- C:\Program Files\TVAnts
2007-11-11 22:11 <DIR> d-------- C:\Program Files\TVUPlayer
2007-11-11 22:11 <DIR> d-------- C:\Program Files\DVD Decrypter
2007-11-11 22:09 <DIR> d-------- C:\Program Files\WinAVI MP4 Converter
2007-11-11 22:09 <DIR> d-------- C:\Program Files\THQ
2007-11-11 22:09 <DIR> d-------- C:\Program Files\pspvideo9
2007-11-11 22:08 <DIR> d-------- C:\Program Files\Steinberg
2007-11-11 22:08 <DIR> d-------- C:\Program Files\Macromedia
2007-11-11 22:07 <DIR> d-------- C:\Program Files\Warcraft III
2007-11-11 22:07 <DIR> d-------- C:\Program Files\SopCast
2007-11-11 22:06 <DIR> d-------- C:\Program Files\WIZET
2007-11-11 21:58 <DIR> d-------- C:\Program Files\Counter-Strike Source
2007-11-11 21:41 <DIR> d-------- C:\psp stuff
2007-11-11 21:41 <DIR> d-------- C:\PSP
2007-11-11 21:25 <DIR> dr------- C:\Documents and Settings\My Documents\My Music
2007-11-11 21:25 <DIR> d-------- C:\Documents and Settings\My Documents\My Games
2007-11-11 21:25 <DIR> d-------- C:\Documents and Settings\My Documents\My eBooks
2007-11-11 21:25 <DIR> d-------- C:\Documents and Settings\My Documents\AdobeStockPhotos
2007-11-11 21:24 <DIR> d-------- C:\Documents and Settings\My Documents\youtube movies
2007-11-11 21:24 <DIR> d-------- C:\Documents and Settings\My Documents\Updater
2007-11-11 21:24 <DIR> dr------- C:\Documents and Settings\My Documents\My Videos
2007-11-11 21:24 <DIR> d-------- C:\Documents and Settings\My Documents\My Received Files
2007-11-11 21:21 <DIR> dr------- C:\Media

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-15 04:42 196,608 ----a-w C:\WINDOWS\system32\drivers\nStandard.bin
2007-11-11 13:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2007-11-11 12:59 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-11 12:50 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-11 12:50 --------- d-----w C:\Documents and Settings\Low\Application Data\Microsoft Web Folders
2007-11-11 12:46 --------- d-----w C:\Program Files\My Company Name
2007-11-11 12:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-11 12:45 --------- d-----w C:\Program Files\ASUS
2007-11-11 12:42 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-11 12:38 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-11-11 12:38 --------- d-----w C:\Program Files\Realtek
2007-11-11 12:36 --------- d-----w C:\Program Files\Intel
2007-08-18 11:16 12,754,672 ----a-w C:\Documents and Settings\My Documents\MP10Setup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2005-01-04 08:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2005-01-04 08:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2005-01-04 08:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2005-01-04 08:00]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 23:28 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-04-05 01:22 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43]
"nwiz"="nwiz.exe" [2007-06-29 00:43 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 00:43]
"ASUSGamerOSD"="C:\Program Files\ASUS\GamerOSD\GamerOSD.exe" [2007-07-12 10:03]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 17:25]
"jfproc"="C:\Program Files\ppfilm\jfCacheMgr.exe" [2007-08-13 10:53]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-14 10:59]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2005-01-04 08:00 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2005-01-04 08:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-18 04:05:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{ACADABAF-1000-0010-8000-10AA006D2EA4}"= C:\WINDOWS\system32\system.dat [2007-11-11 22:57 24832]

R0 mqt5;mqt;C:\WINDOWS\system32\DRIVERS\mqt5.sys
R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys
R3 asusgsb;ASUS Virtual Video Capture Device Driver;C:\WINDOWS\system32\drivers\asusgsb.sys
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l151x86.sys
R3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D32.sys
S0 ahcbeeci;ahcbeeci;C:\WINDOWS\system32\drivers\ahcbeeci.sys
S0 kgkvfcry;kgkvfcry;C:\WINDOWS\system32\drivers\kgkvfcry.sys
S2 5ntbn3u;5ntbn3u;\??\C:\WINDOWS\system32\drivers\5ntbn3u.sys
S2 nkserv;NetWork Service;c:\program files\common files\system\serv.exe -system

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{61b6683c-90b7-11dc-b5ca-0018c08d65af}]
\Shell\Auto\command - setup.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-14 06:27:33 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 13:41:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-15 13:42:11 - machine was rebooted
.
--- E O F ---


HijackThis Report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:51:10 PM, on 11/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ppfilm\jfCacheMgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [jfproc] C:\Program Files\ppfilm\jfCacheMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NetWork Service (nkserv) - Unknown owner - c:\program files\common files\system\serv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 5481 bytes

#4 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 15 November 2007 - 08:51 AM

Copy and paste the following text into Notepad.
Click on File (in the menu at the top) > Save as... / Save as type: 'All Files' / File name: fix.bat, and save it to your desktop.
Then double click on the fix.bat file on your desktop.
You'll see a black screen flash; that's normal.

@echo off
REM Stop the rogue "NetWork Service" (nkserv) service if it is running,
REM then remove its registration from the Service Control Manager.
sc stop nkserv
sc delete nkserv

Restart your pc.

Download/install 'SUPERAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SUPERAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SUPERAntiSpyware.

Have HijackThis fix the following if present, by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O23 - Service: NetWork Service (nkserv) - Unknown owner - c:\program files\common files\system\serv.exe (file missing)

Exit HijackThis.

Start SUPERAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SUPERAntiSpyware will now scan your computer; when it's finished it will list any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SUPERAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.

Please run this online virus scan, ActiveScan, using Internet Explorer.
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on Local Disks to start the scan
When the scan completes,click the See Report button, then Save Report, and save it to your desktop.
Copy and paste the contents of that report in your next reply.

Also post a new HijackThis log, and let me know how your pc is running now.
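The entries the helper singles out in the post above (an O2 BHO ending in "(no file)" and an O23 service with "Unknown owner" and "(file missing)") can be picked out of a HijackThis log mechanically. The Python script below is an added example; it is not part of this thread and not HijackThis's own code. It parses HJT entry lines, flags orphaned or owner-less ones, and emits the same `sc stop` / `sc delete` pair used in the fix.bat above for any flagged service that has a short name. The sample log is a constructed subset of the lines posted in this thread; the flagging rules (O16 and O20 entries are listed for review rather than as malicious) are my assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a subset of the O2/O4/O16/O20/O23 lines from the
# HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [jfproc] C:\Program Files\ppfilm\jfCacheMgr.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NetWork Service (nkserv) - Unknown owner - c:\program files\common files\system\serv.exe (file missing)
"""

# "O23 - <body>": section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# O23 body: "Service: <display> (<short>) - <owner> - <path>"; the short name is optional.
SERVICE_RE = re.compile(
    r"^Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)


@dataclass
class Finding:
    section: str
    reasons: list
    line: str
    short_name: str = ""  # service short name for O23 entries, if present


def parse_entries(log_text):
    """Yield (section, body, line) for every HJT entry line in the log."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def triage(log_text):
    """Return the entries a helper would look at first, with the reason for each (heuristics assumed)."""
    findings = []
    for section, body, line in parse_entries(log_text):
        reasons, short = [], ""
        if section == "O2" and body.endswith("(no file)"):
            reasons.append("BHO registration whose DLL is gone (orphaned CLSID)")
        elif section == "O16":
            reasons.append("ActiveX control downloaded from the web; confirm the origin")
        elif section == "O20":
            reasons.append("Winlogon Notify DLL, loaded into winlogon.exe at logon")
        elif section == "O23":
            sm = SERVICE_RE.match(body)
            if sm:
                short = sm.group("short") or ""
                if sm.group("owner").lower() == "unknown owner":
                    reasons.append("service with no publisher/owner information")
                if sm.group("path").endswith("(file missing)"):
                    reasons.append("service whose binary is missing on disk")
        if reasons:
            findings.append(Finding(section, reasons, line, short))
    return findings


def removal_commands(findings):
    """sc.exe commands for flagged services with a known short name (the pair used in the helper's fix.bat)."""
    cmds = []
    for f in findings:
        if f.section == "O23" and f.short_name:
            cmds += [f"sc stop {f.short_name}", f"sc delete {f.short_name}"]
    return cmds


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.section}] {'; '.join(f.reasons)}\n    {f.line}")
    print("\n".join(removal_commands(found)))
```

Entries with a known publisher and an existing binary (the Apple and AVG services, the Adobe BHO) pass through silently; only the nkserv line yields removal commands, because it is the only flagged O23 entry with a short name.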

#5 templarzz (Topic Starter, Members, 9 posts)

Posted 16 November 2007 - 12:12 AM

Thanks for your reply... After deleting some of the files using SUPERAntiSpyware, my internet connection was lost on the next restart, and only after I restarted the computer again did it get a connection. Is this normal? I'm on cable, btw. I think there are still trojans lurking around somewhere... Internet Explorer doesn't have popups anymore and the homepage is restored. Thanks!

And I couldn't find this line:
O23 - Service: NetWork Service (nkserv) - Unknown owner - c:\program files\common files\system\serv.exe (file missing)
so I didn't fix-check it using HijackThis.

AVG still detected a few trojans while I had ActiveScan going...

Not sure why, but I can't seem to align the ActiveScan words properly...


Here are the logs:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/16/2007 at 12:16 PM

Application Version : 3.9.1008

Core Rules Database Version : 3345
Trace Rules Database Version: 1346

Scan type : Complete Scan
Total Scan Time : 00:16:51

Memory items scanned : 427
Memory threats detected : 0
Registry items scanned : 4323
Registry threats detected : 0
File items scanned : 32384
File threats detected : 46

Adware.Tracking Cookie
C:\Documents and Settings\Low\Cookies\low@msnportal.112.2o7[1].txt
C:\Documents and Settings\Low\Cookies\low@burstnet[2].txt
C:\Documents and Settings\Low\Cookies\low@fastclick[1].txt
C:\Documents and Settings\Low\Cookies\low@advertising[1].txt
C:\Documents and Settings\Low\Cookies\low@softonic.112.2o7[1].txt
C:\Documents and Settings\Low\Cookies\low@cgi-bin[2].txt
C:\Documents and Settings\Low\Cookies\low@ehg-nokiafin.hitbox[1].txt
C:\Documents and Settings\Low\Cookies\low@bs.serving-sys[1].txt
C:\Documents and Settings\Low\Cookies\low@ad1.clickhype[1].txt
C:\Documents and Settings\Low\Cookies\low@statcounter[1].txt
C:\Documents and Settings\Low\Cookies\low@eyewonder[1].txt
C:\Documents and Settings\Low\Cookies\low@tase[1].txt
C:\Documents and Settings\Low\Cookies\low@clickaider[1].txt
C:\Documents and Settings\Low\Cookies\low@lstat.youku[1].txt
C:\Documents and Settings\Low\Cookies\low@serving-sys[1].txt
C:\Documents and Settings\Low\Cookies\low@atdmt[1].txt
C:\Documents and Settings\Low\Cookies\low@3.adbrite[1].txt
C:\Documents and Settings\Low\Cookies\low@adbrite[1].txt
C:\Documents and Settings\Low\Cookies\low@rocku.adbureau[1].txt
C:\Documents and Settings\Low\Cookies\low@microsoftwlmessengermkt.112.2o7[1].txt
C:\Documents and Settings\Low\Cookies\low@ads.pointroll[2].txt
C:\Documents and Settings\Low\Cookies\low@doubleclick[1].txt
C:\Documents and Settings\Low\Cookies\low@bedroommedia[1].txt
C:\Documents and Settings\Low\Cookies\low@statse.webtrendslive[1].txt
C:\Documents and Settings\Low\Cookies\low@ad.yieldmanager[2].txt
C:\Documents and Settings\Low\Cookies\low@hitbox[1].txt
C:\Documents and Settings\Low\Cookies\low@ad1.soundpedia[2].txt
C:\Documents and Settings\Low\Cookies\low@mediaplex[1].txt
C:\Documents and Settings\Low\Cookies\low@cgi-bin[3].txt
C:\Documents and Settings\Low\Cookies\low@clicksor[1].txt
C:\Documents and Settings\Low\Cookies\low@zedo[1].txt
C:\Documents and Settings\Low\Cookies\low@2o7[2].txt
C:\Documents and Settings\Low\Cookies\low@revsci[2].txt
C:\Documents and Settings\Low\Cookies\low@media.adrevolver[1].txt
C:\Documents and Settings\Low\Cookies\low@tribalfusion[1].txt
C:\Documents and Settings\Low\Cookies\low@tacoda[1].txt
C:\Documents and Settings\Low\Cookies\low@www.burstnet[1].txt
C:\Documents and Settings\Low\Cookies\low@ads.hitsquad[2].txt

Trojan.CNNIC/Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{0CAF91EB-4062-4967-976F-7F3CDAA4E74A}\RP15\A0000662.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{0CAF91EB-4062-4967-976F-7F3CDAA4E74A}\RP15\A0000670.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{0CAF91EB-4062-4967-976F-7F3CDAA4E74A}\RP17\A0000706.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{0CAF91EB-4062-4967-976F-7F3CDAA4E74A}\RP17\A0000724.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{0CAF91EB-4062-4967-976F-7F3CDAA4E74A}\RP17\A0000778.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{0CAF91EB-4062-4967-976F-7F3CDAA4E74A}\RP17\A0000790.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{0CAF91EB-4062-4967-976F-7F3CDAA4E74A}\RP17\A0000804.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{0CAF91EB-4062-4967-976F-7F3CDAA4E74A}\RP17\A0000806.SYS




ActiveScan Log

Incident | Status | Location
Spyware:Cookie/Com.com | Not disinfected | C:\Documents and Settings\Low\Cookies\low@com[1].txt
Potentially unwanted tool:Application/NirCmd.A | Not disinfected | C:\Documents and Settings\Low\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A | Not disinfected | C:\Documents and Settings\Low\Desktop\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/Processor | Not disinfected | C:\Documents and Settings\Low\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Adware:Adware/Borlander | Not disinfected | C:\qoobox\Quarantine\C\Program Files\gpya\qzik.dll.vir
Adware:Adware/Borlander | Not disinfected | C:\qoobox\Quarantine\C\Program Files\gpya\venp.dll.vir
Virus:Generic Malware | Disinfected | C:\qoobox\Quarantine\C\Program Files\OCINS\cndsv.dll.vir
Virus:Generic Malware | Disinfected | C:\qoobox\Quarantine\C\Program Files\OCINS\cnprovh.dll.vir
Virus:Generic Malware | Disinfected | C:\qoobox\Quarantine\C\Program Files\OCINS\convf.dll.vir
Potentially unwanted tool:Application/Processor | Not disinfected | C:\SDFix\apps\Process.exe
Potentially unwanted tool:Application/NirCmd.A | Not disinfected | C:\WINDOWS\NirCmd.exe




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54:44 PM, on 11/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ppfilm\jfCacheMgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [jfproc] C:\Program Files\ppfilm\jfCacheMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 5564 bytes

#6 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 16 November 2007 - 04:29 AM

Click on Start/Run, copy and paste ComboFix /u into the 'Open:' space, then press OK.

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Click on the 'Cleanup' button.
When you do this a text file named cleanup.txt will be downloaded from the internet.
If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.
When the 'Confirm' box appears click 'Yes'.
Restart your pc when prompted.

Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
• In the scan settings make sure that the following are selected:
• Scan using the following Anti-Virus database:
• Standard
• Scan Options:
• Scan Archives
• Scan Mail Bases
• Click OK
• Now under select a target to scan:
• Select My Computer
• This will start the program and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
• Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste the contents of that file into your next reply.

#7 templarzz (Topic Starter, Members, 9 posts)

Posted 17 November 2007 - 02:29 AM

Thanks Richie, I followed your instructions... now both SDFix and ComboFix, and some other folders that were inside, are in my Recycle Bin; is it safe to delete them? The startup Windows error message still persists... Kaspersky found 2 trojans... Regards.



The online scanner report:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, November 17, 2007 3:24:06 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 17/11/2007
Kaspersky Anti-Virus database records: 432041
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 84086
Number of viruses found: 2
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 00:23:56

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Low\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Low\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Low\Local Settings\Application Data\Microsoft\Messenger\chin_heng55@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Low\Local Settings\Application Data\Microsoft\Messenger\chin_heng55@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Low\Local Settings\Application Data\Microsoft\Messenger\chin_heng55@hotmail.com\SharingMetadata\Working\database_EE68_24EA_6824_B2EF\dfsr.db Object is locked skipped
C:\Documents and Settings\Low\Local Settings\Application Data\Microsoft\Messenger\chin_heng55@hotmail.com\SharingMetadata\Working\database_EE68_24EA_6824_B2EF\fsr.log Object is locked skipped
C:\Documents and Settings\Low\Local Settings\Application Data\Microsoft\Messenger\chin_heng55@hotmail.com\SharingMetadata\Working\database_EE68_24EA_6824_B2EF\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Low\Local Settings\Application Data\Microsoft\Messenger\chin_heng55@hotmail.com\SharingMetadata\Working\database_EE68_24EA_6824_B2EF\tmp.edb Object is locked skipped
C:\Documents and Settings\Low\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Low\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Low\Local Settings\Application Data\Microsoft\Windows Live Contacts\chin_heng55@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Low\Local Settings\Application Data\Microsoft\Windows Live Contacts\chin_heng55@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Low\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Low\Local Settings\History\History.IE5\MSHist012007111720071118\index.dat Object is locked skipped
C:\Documents and Settings\Low\Local Settings\Temp\~DF6B64.tmp Object is locked skipped
C:\Documents and Settings\Low\Local Settings\Temp\~DF6B80.tmp Object is locked skipped
C:\Documents and Settings\Low\Local Settings\Temp\~DF8FB3.tmp Object is locked skipped
C:\Documents and Settings\Low\Local Settings\Temp\~DF8FE4.tmp Object is locked skipped
C:\Documents and Settings\Low\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Low\Local Settings\Temporary Internet Files\Content.IE5\OXS30JKR\get_video[1].com Object is locked skipped
C:\Documents and Settings\Low\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Low\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\execmain.exe Infected: Trojan.Win32.StartPage.atv skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{0CAF91EB-4062-4967-976F-7F3CDAA4E74A}\RP1\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{49278656-7A25-41EF-A310-642DB09D618A}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\mqt5.sys Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\system.dat Infected: Trojan-Downloader.Win32.Satray.af skipped
C:\WINDOWS\system32\txz7jc8dn.dll Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
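The Kaspersky report above mixes two very different kinds of line: objects the scanner found infected, and objects it could not open because they were locked. Most locked objects are normal (registry hives, event logs, index.dat caches), but a locked file that another tool has already named, such as C:\WINDOWS\system32\drivers\mqt5.sys which AVG flagged in the first post, deserves separate attention precisely because it could not be scanned in place. The Python below is an added example, not part of this thread and not any scanner's own code; it parses the report format and cross-references locked objects against a watchlist of basenames. The sample lines are taken from the report above (constructed subset), and the watchlist contents, including both spellings of the DLL name that appear in this thread, are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines from the Kaspersky Online Scanner report
# posted above, in the report's "<path> <status> <action>" form.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Low\NTUSER.DAT Object is locked skipped
C:\execmain.exe Infected: Trojan.Win32.StartPage.atv skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\drivers\mqt5.sys Object is locked skipped
C:\WINDOWS\system32\system.dat Infected: Trojan-Downloader.Win32.Satray.af skipped
C:\WINDOWS\system32\txz7jc8dn.dll Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
"""

# Basenames named by other tools earlier in the thread (AVG's driver detection and the
# startup "Error loading ..." message). The error message spells the DLL tx27jc8dn.dll
# while the Kaspersky report lists txz7jc8dn.dll, so both are listed (assumption).
WATCHLIST = {"mqt5.sys", "txz7jc8dn.dll", "tx27jc8dn.dll"}

INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\S+)$")


def basename(path):
    """Last path component, lower-cased, for case-insensitive matching of Windows names."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_report(text):
    """Return (path, status, detail) tuples; status is 'infected' or 'locked'."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        m = INFECTED_RE.match(line)
        if m:
            rows.append((m.group("path"), "infected", m.group("name")))
            continue
        m = LOCKED_RE.match(line)
        if m:
            rows.append((m.group("path"), "locked", m.group("action")))
    return rows


def classify(rows, watchlist=WATCHLIST):
    """Bucket rows into: actionable infections, locked files on the watchlist, other locked files."""
    watch = {w.lower() for w in watchlist}
    buckets = defaultdict(list)
    for path, status, detail in rows:
        if status == "infected":
            buckets["infected"].append((path, detail))
        elif basename(path) in watch:
            buckets["locked_watched"].append(path)
        else:
            buckets["locked_other"].append(path)
    return buckets


if __name__ == "__main__":
    buckets = classify(parse_report(SAMPLE_REPORT))
    for path, name in buckets["infected"]:
        print(f"INFECTED        {path}  ({name})")
    for path in buckets["locked_watched"]:
        print(f"LOCKED+WATCHED  {path}  (named by another tool; could not be scanned in place)")
    print(f"{len(buckets['locked_other'])} other locked objects (hives, logs, caches) ignored")
```

The two "Infected:" objects are the ones the helper asks to be deleted in the next post; the two locked watchlist hits are the ones that a plain file scan cannot settle, which is what the later rootkit scan in this thread is for.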

#8 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 17 November 2007 - 04:51 AM

Enable the viewing of hidden files and folders; reverse the process when you've finished the steps below:
http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

Find and delete:
C:\execmain.exe
C:\WINDOWS\system32\system.dat

Click on Start/Run, type cleanmgr into the 'Open:' space, then press OK.
Let it scan your system for files to remove.
Make sure these 3 are checked and nothing else, then press OK.
* Temporary Files
* Temporary Internet Files
* Recycle Bin


Restart your pc.
Post a new HijackThis log, and let me know how your pc is running now.

#9 templarzz (Topic Starter, Members, 9 posts)

Posted 17 November 2007 - 06:37 AM

Thanks for your reply, but this problem still exists:

There is still an error message when I start up Windows: "Error loading C:\WINDOWS\system32\tx27jc8dn.dll, Access is denied." And Trojan BackDoor.Generic9.ZY is still detected when I use HijackThis.



Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:32:29 PM, on 11/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ppfilm\jfCacheMgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [jfproc] C:\Program Files\ppfilm\jfCacheMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 5621 bytes

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:05:03 PM

Posted 17 November 2007 - 08:33 AM

Download\unzip to your desktop AVG Anti-Rootkit:
http://free.grisoft.com/softw/70free/setup...up-1.1.0.42.exe

Double click avgarkt-setup-1.1.0.42.exe to install; by default it will install to C:\Program Files\GRISOFT\AVG Anti-Rootkit
Accept the license and follow the prompts to install.
You will be asked to reboot to finish the installation so click "Finish".
After rebooting, launch AVG by double clicking on the icon for AVG Anti-Rootkit on your desktop, then click on the 'Search for Rootkits' tab.
Then click on 'Perform in-depth search'.
You will see the progress bar moving from left to right.
The scan will take some time so be patient and let it finish.
When the scan has finished, a small window will open so you can view the results.
Right click over those results and select "Save Result To File".
By default the file will be saved with a .csv extension. (You can use Notepad to open the .csv file)
Copy and paste those results into your next reply.
If anything was found, click "Remove selected items".
Note:
Close all open windows and programs, and DO NOT USE the computer while scanning.
If the scan is performed while the computer is in use, false positives may appear in the scan results.


Please download Rootchk.exe and save to your desktop:
Important:- Temporarily disable any real-time monitoring programs (see note below).
Disconnect from the Internet.
Double-click on rootchk.exe to run the program.
A command prompt window will open as the scan begins and then close.
When the scan is completed, a logfile named rootlog.txt will open and be saved to the root directory usually C:\.
Copy and paste the contents of the log into your next reply.
Re-enable active protection on any program you temporarily disabled.
Note:
To avoid false positives, it is important that you temporarily disable ZoneAlarm Pro firewall, or any other security program that protects your registry (Spybot's Teatimer, Ad-Aware's Adwatch, Prevx, etc.) before running the rootchk scan.
Click on this link to see a list of other programs that should be disabled.


Download RegSearch by Bobbi Flekman.
Right click on your desktop, select 'New', then select 'Folder'.
Right click on that new folder and select 'Rename', then rename it to RegSearch.
Unzip/extract the contents of regsearch.zip to the RegSearch folder.
Open the RegSearch folder and double-click the icon RegSearch.exe to launch the program.
Copy and paste the following string to search for in the top space, then click "OK".
tx27jc8dn.dll
After completion Notepad will be opened with all the found instances of the string.
The resulting file is saved in the same location as RegSearch.exe.
Copy and paste the entire search results into your next reply.


Please download SilentRunners from here:
http://www.silentrunners.org/Silent%20Runners.zip
Save it to the desktop and double-click on it.
If you get any kind of warning message about scripts, please choose to allow the script to run.
When the scan is finished it will create a logfile on your desktop.
Please post the entire contents of this logfile into your next reply.

#11 templarzz

templarzz
  • Topic Starter

  • Members
  • 9 posts
  • Local time:12:03 AM

Posted 18 November 2007 - 09:16 PM

Good day Richie, here are the results. AVG Anti-Rootkit found nothing, so there wasn't a report for me to save.


Rootlog.txt
********************************* ROOTCHK-(21-09-07)-LOG, by ejvindh
Mon 11/19/2007 9:58:43.40

The rootkits that are detected by this tool were not found.

********************************* ROOTCHK-LOG-end


catchme 0.3.1160 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-19 09:58:44
Windows 5.1.2600 Service Pack 2
scanning hidden processes ...

scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0002728199cb]
"0012d26e9487"=hex:bf,c0,93,d0,7e,b8,e0,3e,1c,ae,a9,9b,20,c5,d9,f2
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0002728199cb]
"0012d26e9487"=hex:bf,c0,93,d0,7e,b8,e0,3e,1c,ae,a9,9b,20,c5,d9,f2

scanning hidden registry entries ...

scanning hidden files ...

hidden processes: 0
hidden services: 0
hidden files: 0



RegSearch
Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 11/19/2007 10:04:21 AM for strings:
; 'tx27jc8dn.dll
'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...



Silent Runners
"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS]
"MSPY2002" = "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC" [null data]
"PHIME2002ASync" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
"PHIME2002A" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"SkyTel" = "SkyTel.EXE" ["Realtek Semiconductor Corp."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"ASUSGamerOSD" = "C:\Program Files\ASUS\GamerOSD\GamerOSD.exe" ["ASUSTeK Computer Inc."]
"!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["GRISOFT s.r.o."]
"jfproc" = "C:\Program Files\ppfilm\jfCacheMgr.exe" ["**********" (unwritable string)]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Inc."]
"PCSuiteTrayApplication" = "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup" ["Nokia"]
"BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]
"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "Nokia Phone Browser"
-> {HKLM...CLSID} = "Nokia Phone Browser"
\InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{ACADABAF-1000-0010-8000-10AA006D2EA4}" = "*i" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\system.dat" [file not found]
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."]
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> !SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Low\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "Low" & "All Users" startup folders:
-----------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 20
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]
ATK Keyboard Service, ATKKeyboardService, "C:\WINDOWS\ATKKBService.exe" ["ASUSTeK COMPUTER INC."]
AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["GRISOFT s.r.o."]
AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVG7\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}
iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Inc."]
Messenger Sharing Folders USN Journal Reader service, usnjsvc, ""C:\Program Files\MSN Messenger\usnsvc.exe"" [MS]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"C:\WINDOWS\System32\WUDFSvc.dll" [MS]}


---------- (launch time: 2007-11-19 10:08:01)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 27 seconds, including 17 seconds for message boxes)
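The Silent Runners report above already does the hard part: it marks launch points that malware commonly abuses with `<<!>>` and annotates each target with `[file not found]`, `(unwritable string)` or `[null data]`. What a responder wants next is a quick way to pull out only the entries that carry such signals and rank them, because legitimate software (AVG, SUPERAntiSpyware) also lives at the flagged launch points. The parser below is an added example, not part of this thread or of the Silent Runners script; the report text embedded in it is a constructed sample in the same shape as the posted log, and the weights are my own choice.

```python
"""Triage helper for Silent Runners-style startup reports (added example, not the script's own code)."""
from typing import Dict, List

# Constructed sample in the shape of the "Silent Runners.vbs" report posted in this thread.
SAMPLE_REPORT = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"jfproc" = "C:\Program Files\ppfilm\jfCacheMgr.exe" ["**********" (unwritable string)]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{ACADABAF-1000-0010-8000-10AA006D2EA4}" = "*i" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\system.dat" [file not found]
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."]
"""

ENTRY_FLAG = "<<!>>"  # the script's own marker: "Suspicious data at a malware launch point"

# Annotations the script attaches to a target, with an explanation and a weight (my choice).
SIGNALS = [
    ("[file not found]", "launch target does not exist on disk", 3),
    ("(unwritable string)", "contains an unwritable (likely obfuscated) string", 2),
    ("[null data]", "target carries no version/company information", 1),
]


def parse_entries(report: str) -> List[Dict]:
    """Group the report into (section, entry text) records.

    A section header is a registry path line; continuation lines start with
    "->" or "\" and belong to the entry above them.
    """
    entries, section, current = [], "", None
    for line in (l.rstrip() for l in report.splitlines()):
        if not line:
            continue
        if line.startswith("HK") and "\\" in line and " = " not in line:
            section = line.replace(" {++}", "")
            current = None
        elif line.startswith("->") or line.startswith("\\"):
            if current is not None:
                current["text"] += "\n" + line
        else:
            current = {"section": section, "text": line}
            entries.append(current)
    return entries


def triage(report: str) -> List[Dict]:
    """Return only entries that carry at least one signal, with reasons and a severity."""
    findings = []
    for entry in parse_entries(report):
        reasons, score = [], 0
        if entry["text"].startswith(ENTRY_FLAG):
            reasons.append("sits at a launch point Silent Runners marks <<!>>")
            score += 1
        for marker, why, weight in SIGNALS:
            if marker in entry["text"]:
                reasons.append(why)
                score += weight
        if reasons:
            first = entry["text"].split("\n", 1)[0].replace(ENTRY_FLAG, "").strip()
            name = first.split(" = ", 1)[0].strip('"')
            severity = "high" if score >= 3 else "medium" if score == 2 else "low"
            findings.append({"section": entry["section"], "name": name,
                             "reasons": reasons, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f['severity']}] {f['name']} ({f['section']})")
        for r in f["reasons"]:
            print("    -", r)
```

On the sample, the ShellExecuteHooks entry pointing at a missing `system.dat` scores high while the AVG hook at the same launch point scores low, which is the distinction a human reviewer makes by eye.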

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:05:03 PM

Posted 19 November 2007 - 04:44 AM

First back up the registry by doing the following.
Click on Start>Run, copy and paste the following bold text into the 'Open:' space, then press Ok.
regedit /e c:\registrybackup.reg
It won't appear to be doing anything; that's normal.
Your mouse pointer may have an hour glass alongside it for a minute or so.
Please be patient and continue when the hour glass disappears.

Download RegSeeker 1.55.zip
Right click on a blank area of your desktop, click 'New'>'Folder', and rename it 'RegSeeker'.
Unzip/extract RegSeeker.zip to that new folder.
Open the 'RegSeeker' folder and double click on the RegSeeker.exe icon.
When the program opens click on/select 'Clean the Registry'.
Click on 'Auto Clean' at the bottom, then click on 'GO!' in the opening window.
Close the program when it's finished.

Click Start/Run,type win.ini then press Ok.
WIN.INI will open in Notepad.
Copy and paste the entire contents of win.ini into your next reply.

#13 templarzz

templarzz
  • Topic Starter

  • Members
  • 9 posts
  • Local time:12:03 AM

Posted 19 November 2007 - 09:53 PM

win.ini text file

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
CMC=1
CMCDLLNAME=mapi.dll
CMCDLLNAME32=mapi32.dll
MAPIX=1
MAPIXVER=1.0.0.1
OLEMessaging=1
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo
asx=MPEGVideo
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo
mp2=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
snd=MPEGVideo
wax=MPEGVideo
wm=MPEGVideo
wma=MPEGVideo
wmv=MPEGVideo
wmx=MPEGVideo
wpl=MPEGVideo
wvx=MPEGVideo
m2v=MPEGVideo
mod=MPEGVideo
[ActiveScan]
ID = {6443B3DE-3970-49F6-A3D4-DF9A0560EE4D}

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:05:03 PM

Posted 20 November 2007 - 07:50 AM

There is still an error message when I startup Windows "Error loading C:\WINDOWS\system32\tx27jc8dn.dll, Access is denied."

If you're still getting the above error, do the following:
Download Winpfind V2.0.2 and extract the contents to your desktop:
http://download.bleepingcomputer.com/oldtimer/winpfind.exe
Open the WinPFind folder and double click on Winpfind.exe
Leave the configuration settings as they are and click on 'Run Scan'.
The scan will take some time to complete so please be patient.
Once complete close the program.
Open the WinPFind folder, then copy and paste the entire content of winpfind.txt into your next reply.
*NOTE*
It may take more than one reply to post the whole winpfind.txt.

#15 templarzz

templarzz
  • Topic Starter

  • Members
  • 9 posts
  • Local time:12:03 AM

Posted 22 November 2007 - 10:58 AM

I'll probably download from the link and do the scan when I have time soon... Work's been super busy lately... What about the trojan in the system32 folder? Thanks for the help thus far, Richie =)



