Problem With Malware/trojan Switching Off Windows Firewall


8 replies to this topic

#1 Mexygen


Posted 18 November 2007 - 03:23 PM

I'm having a problem with a Trojan virus that seems to have infected my computer. Every time the computer is booted up I receive a pop-up message informing me that the Windows Firewall has been turned off, which is swiftly followed by a pop-up from my anti-virus software (Avast 4.7) with the following message:

C:/windows/sqlservell.dll contains malware win32:maha-I (Trojan)

It then quarantines the offending item, allowing me to delete it from the computer and turn the firewall back on. However, as soon as the computer is shut down and restarted, the exact same problem occurs again: the Windows Firewall is switched off and the infected file that was previously removed has reappeared.

I have followed the advice given in this topic on what to do before creating a HJT log. I was able to run the Spybot, Stinger and BitDefender applications without a problem, but every time I tried to run Ad-Aware it crashed at around 70% completion. The HJT log I took after following that advice is below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:17:31, on 18/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Insider\Insider.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\ScanPanel\ScnPanel.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B348CA56-31FE-499B-8973-C24A5075C57C} - C:\Program Files\Windows NT\mevoxuC:\WINDOWS\system32\m2\caws83122.exe.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SCDEmuApp.exe] C:\Program Files\PowerISO\SCDEmuApp.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [b5700x drive] C:\WINDOWS\cnssr.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [algchk.exe] C:\WINDOWS\system32\algchk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ScanPanel.lnk = C:\ScanPanel\ScnPanel.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb_us//h...ALStreaming.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/16.25/uploader2.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C80AB78C-7F80-480E-8E3A-644FACC3DD40}: NameServer = 62.241.163.200 62.241.162.201
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 10593 bytes


#2 bamajim


Posted 29 November 2007 - 04:15 PM

Mexygen

Please download ComboFix and save it to your desktop. Note: It is important that it is saved directly to your desktop.
Close any open browsers.
Double-click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of C:\ComboFix.txt into your next reply.
Note: Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.

Microsoft MVP - Windows Security

#3 Mexygen

  • Topic Starter

Posted 30 November 2007 - 08:46 AM

Hi,

A copy of the ComboFix log is below:

ComboFix 07-11-30.7 - Scott Ferguson 2007-11-30 13:40:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.652 [GMT 0:00]
Running from: C:\Documents and Settings\Scott Ferguson\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Scott Ferguson\Application Data\macromedia\Flash Player\#SharedObjects\CGKPD3C5\www.broadcaster.com
C:\Documents and Settings\Scott Ferguson\Application Data\macromedia\Flash Player\#SharedObjects\CGKPD3C5\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Scott Ferguson\Application Data\macromedia\Flash Player\#SharedObjects\CGKPD3C5\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Scott Ferguson\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Scott Ferguson\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\Insider
C:\Program Files\Insider\Insider.exe
C:\Program Files\WinAble
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\b147.exe
C:\WINDOWS\system32\c3
C:\WINDOWS\system32\m2
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\w5

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-30 )))))))))))))))))))))))))))))))
.

2007-11-27 23:58 . 2007-11-27 23:58 <DIR> d-------- C:\TIM_VINE_LIVE
2007-11-27 13:29 . 2007-11-27 13:29 812,344 --a------ C:\HJTInstall.exe
2007-11-26 21:42 . 2007-11-26 22:20 4,681,455,616 --a------ C:\TIM_VINE_LIVE.ISO
2007-11-22 19:57 . 2007-11-22 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-22 19:56 . 2007-11-23 18:16 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-22 19:56 . 2007-11-23 18:17 <DIR> d-------- C:\Documents and Settings\Scott Ferguson\Application Data\SUPERAntiSpyware.com
2007-11-21 22:53 . 2007-11-21 22:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-11-21 22:42 . 2007-11-21 22:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-21 21:40 . 2007-11-21 21:40 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-21 21:40 . 2007-11-21 21:40 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-11-21 21:40 . 2007-11-21 21:40 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-21 21:40 . 2007-11-21 21:40 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-11-21 18:53 . 2007-11-21 18:53 50,688 --a------ C:\ATF_Cleaner.exe
2007-11-18 20:17 . 2007-11-18 20:17 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-18 16:38 . 2007-11-18 18:02 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-13 08:49 . 2007-11-21 23:42 <DIR> d-------- C:\WINDOWS\system32\Mz16r
2007-11-13 08:49 . 2007-11-13 08:49 <DIR> d-------- C:\Temp\mZOr
2007-11-13 08:49 . 2007-11-13 08:49 702,464 --a------ C:\WINDOWS\opeC.exe
2007-11-13 08:49 . 2007-11-13 08:49 702,464 --a------ C:\WINDOWS\cnssr.exe
2007-11-13 08:49 . 2007-11-13 08:49 352,410 --a------ C:\WINDOWS\system32\opeD.exe
2007-11-13 08:49 . 2007-11-13 08:49 0 --a------ C:\WINDOWS\system32\opeD.tmp
2007-11-13 08:49 . 2007-11-13 08:49 0 --a------ C:\WINDOWS\opeC.tmp
2007-11-13 08:46 . 2007-11-30 13:42 <DIR> d-------- C:\Temp
2007-11-11 14:44 . 2007-11-11 14:44 245,760 --------- C:\WINDOWS\Setup1.exe
2007-11-11 14:44 . 2007-11-11 14:44 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-11-11 14:35 . 2007-11-11 14:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-10 11:25 . 2007-11-30 13:30 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-10 11:25 . 2007-11-10 11:25 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-10 11:23 . 2007-11-10 11:24 <DIR> d-------- C:\Program Files\iTunes
2007-11-10 11:20 . 2007-11-10 11:21 <DIR> d-------- C:\Program Files\QuickTime
2007-10-26 17:21 . 2007-10-26 17:21 <DIR> d-------- C:\WINDOWS\system32\regdacl
2007-10-26 17:21 . 2007-10-26 17:16 90,112 --a------ C:\WINDOWS\system32\regdacl.exe
2007-10-26 17:21 . 2007-10-26 17:16 53,248 --a------ C:\WINDOWS\system32\process.exe
2007-10-26 17:21 . 2007-10-26 17:16 16,384 --a------ C:\WINDOWS\system32\restart.exe
2007-10-26 17:21 . 2007-10-26 17:16 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2007-10-25 10:26 . 2007-10-25 10:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe
2007-10-25 10:26 . 2007-10-25 10:26 453 --a------ C:\WINDOWS\bdoscandellang.ini
2007-10-24 20:52 . 2007-11-21 19:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-24 19:56 . 2007-10-28 15:51 <DIR> d-------- C:\Documents and Settings\Scott Ferguson\Application Data\Lavasoft
2007-10-19 20:16 . 2007-10-19 20:16 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-10-19 20:16 . 2007-10-19 20:16 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-10-08 17:50 . 2007-10-08 17:50 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-10-08 17:49 . 2007-10-08 17:49 <DIR> d-------- C:\Program Files\Red Kawa

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-26 21:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-11-15 08:47 --------- d-----w C:\Program Files\AutoCAD 2006
2007-11-15 08:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2007-11-13 18:14 --------- d-----w C:\Documents and Settings\Scott Ferguson\Application Data\Azureus
2007-11-10 11:24 --------- d-----w C:\Program Files\iPod
2007-11-02 08:28 --------- d-----w C:\Program Files\Java
2007-10-31 14:09 30,464 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2007-10-25 17:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-10-25 17:05 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-10-25 17:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-10-25 17:01 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-10-25 16:58 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-10-25 16:24 815,480 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-10-25 16:14 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2006-08-12 09:56 24,192 ----a-w C:\Documents and Settings\Scott Ferguson\usbsermptxp.sys
2006-08-12 09:56 22,768 ----a-w C:\Documents and Settings\Scott Ferguson\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B348CA56-31FE-499B-8973-C24A5075C57C}]
C:\Program Files\Windows NT\mevoxuC:\WINDOWS\system32\m2\caws83122.exe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24]
"algchk.exe"="C:\WINDOWS\system32\algchk.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 07:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2003-06-24 16:32 C:\WINDOWS\system32\nwiz.exe]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 01:12]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-10-25 16:20]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" []
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"SCDEmuApp.exe"="C:\Program Files\PowerISO\SCDEmuApp.exe" [2005-10-16 01:15]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 10:38]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-12-27 21:38]
"InstantAccess"="C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.exe" [2000-04-06 12:26]
"RegisterDropHandler"="C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [1998-12-14 09:42]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"b5700x drive"="C:\WINDOWS\cnssr.exe" [2007-11-13 08:49]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"RegisterDropHandler"="C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [1998-12-14 09:42]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 07:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-04-29 17:08:39]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-04-29 17:16:14]
ScanPanel.lnk - C:\ScanPanel\ScnPanel.exe [2007-06-19 07:39:27]

S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\b5700x drive]
C:\WINDOWS\cnssr.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-11-23 20:16:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-30 13:42:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-30 13:43:48
.
--- E O F ---

#4 bamajim


Posted 30 November 2007 - 09:04 AM

Mexygen

1. Open Notepad (not WordPad). Copy and paste the following into Notepad (not the word "Code"):
File::
C:\WINDOWS\cnssr.exe

Folder::
C:\WINDOWS\system32\Mz16r
C:\Temp\mZOr

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B348CA56-31FE-499B-8973-C24A5075C57C}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"algchk.exe"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"b5700x drive"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\b5700x drive]
Save the file as CFScript (exactly as shown, no spaces) and save it to your desktop.

Using the Image as a reference, drag CFScript into ComboFix.exe

You will be prompted to run ComboFix again. Do so,
following the same rules as indicated in my first post.
Then post the contents of the C:\ComboFix.txt log in your reply.

Microsoft MVP - Windows Security
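As an added example (not code from the thread, from HijackThis or from ComboFix), the script below parses the O2/O4 lines of the HijackThis log in post #1 with the same heuristics bamajim applied by eye, and drafts the File::/Registry:: sections of a CFScript in the form used in post #4. The sample lines are copied from the log above; the suspect-folder set and the self-named allowlist are constructed assumptions, and the draft is meant for a helper to review, not to run unread.

```python
"""Triage HijackThis O2/O4 entries and draft a ComboFix CFScript from them.

Added example for this thread, not code from HijackThis, ComboFix or the
participants. Heuristics: executables autorun from the Windows or Temp root,
autorun values named after their own file, and BHOs with no name, a missing
file, or two paths run together.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {B348CA56-31FE-499B-8973-C24A5075C57C} - C:\Program Files\Windows NT\mevoxuC:\WINDOWS\system32\m2\caws83122.exe.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [b5700x drive] C:\WINDOWS\cnssr.exe
O4 - HKCU\..\Run: [algchk.exe] C:\WINDOWS\system32\algchk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# HijackThis abbreviates the autorun key as HKLM\..\Run; it is expanded for the script.
HJT_O4 = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$")
HJT_O2 = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
DRIVE_PATH = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:exe|dll|scr)\b", re.IGNORECASE)
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
# Assumed set of folders a helper checks first: installed software rarely autoruns from here.
SUSPECT_FOLDERS = {r"c:\windows", r"c:\temp", r"c:\windows\temp"}
# Assumed allowlist: Windows components that legitimately autorun under their own file name.
KNOWN_SELF_NAMED = {"ctfmon.exe"}


@dataclass
class Finding:
    kind: str    # "O4" (autorun value) or "O2" (browser helper object)
    hive: str    # HKLM or HKCU
    key: str     # Run/RunServices for O4, the CLSID for O2
    name: str    # value name (O4) or display name (O2)
    path: str    # executable or DLL recovered from the entry
    reasons: list = field(default_factory=list)


def check_o4(hive, key, name, command):
    m = DRIVE_PATH.search(command)          # drops surrounding quotes and arguments
    path = m.group(0) if m else command
    folder, _, filename = path.rpartition("\\")
    reasons = []
    if folder.lower() in SUSPECT_FOLDERS:
        reasons.append("runs from %s, where installed software rarely lives" % folder)
    if name.lower() == filename.lower() and filename.lower() not in KNOWN_SELF_NAMED:
        reasons.append("value name is just the file name (compare algchk.exe above)")
    return Finding("O4", hive, key, name, path, reasons)


def check_o2(desc, clsid, rest):
    reasons = []
    if desc == "(no name)":
        reasons.append("BHO has no display name")
    if "(file missing)" in rest:
        reasons.append("registered DLL is missing on disk")
    if len(re.findall(r"[A-Za-z]:\\", rest)) > 1:
        reasons.append("two paths run together in one value")
    return Finding("O2", "HKLM", clsid, desc, rest.replace(" (file missing)", ""), reasons)


def triage(log_text):
    """Return only the O2/O4 entries that tripped at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := HJT_O4.match(line):
            f = check_o4(*m.groups())
        elif m := HJT_O2.match(line):
            f = check_o2(*m.groups())
        else:
            continue
        if f.reasons:
            findings.append(f)
    return findings


def draft_cfscript(findings):
    """Draft File::/Registry:: sections in the syntax used in post #4 above.

    Registry:: follows .reg conventions: "name"=- deletes a value and [-KEY]
    deletes a whole key.
    """
    files, reg = [], []
    for f in findings:
        if f.kind == "O4":
            files.append(f.path)
            reg.append("[%s\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\%s]" % (HIVES[f.hive], f.key))
            reg.append('"%s"=-' % f.name)
        else:
            reg.append("[-%s\\%s]" % (BHO_KEY, f.key))
    return "\n".join(["File::", *files, "", "Registry::", *reg]) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f.kind, f.name, "->", "; ".join(f.reasons))
    print(draft_cfscript(found))
```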

#5 Mexygen

  • Topic Starter

Posted 30 November 2007 - 01:07 PM

I have followed your instructions as detailed in your last post; the new ComboFix log is below:

ComboFix 07-11-30.7 - Scott Ferguson 2007-11-30 17:55:29.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.648 [GMT 0:00]
Running from: C:\Documents and Settings\Scott Ferguson\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Scott Ferguson\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\cnssr.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\mZOr
C:\Temp\mZOr\tOasF.log
C:\WINDOWS\cnssr.exe
C:\WINDOWS\system32\Mz16r

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-30 )))))))))))))))))))))))))))))))
.

2007-11-27 23:58 . 2007-11-27 23:58 <DIR> d-------- C:\TIM_VINE_LIVE
2007-11-27 13:29 . 2007-11-27 13:29 812,344 --a------ C:\HJTInstall.exe
2007-11-26 21:42 . 2007-11-26 22:20 4,681,455,616 --a------ C:\TIM_VINE_LIVE.ISO
2007-11-22 19:57 . 2007-11-22 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-22 19:56 . 2007-11-23 18:16 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-22 19:56 . 2007-11-23 18:17 <DIR> d-------- C:\Documents and Settings\Scott Ferguson\Application Data\SUPERAntiSpyware.com
2007-11-21 22:53 . 2007-11-21 22:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-11-21 22:42 . 2007-11-21 22:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-21 21:40 . 2007-11-21 21:40 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-21 21:40 . 2007-11-21 21:40 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-11-21 21:40 . 2007-11-21 21:40 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-21 21:40 . 2007-11-21 21:40 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-11-21 18:53 . 2007-11-21 18:53 50,688 --a------ C:\ATF_Cleaner.exe
2007-11-18 20:17 . 2007-11-18 20:17 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-18 16:38 . 2007-11-18 18:02 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-13 08:49 . 2007-11-13 08:49 702,464 --a------ C:\WINDOWS\opeC.exe
2007-11-13 08:49 . 2007-11-13 08:49 352,410 --a------ C:\WINDOWS\system32\opeD.exe
2007-11-13 08:49 . 2007-11-13 08:49 0 --a------ C:\WINDOWS\system32\opeD.tmp
2007-11-13 08:49 . 2007-11-13 08:49 0 --a------ C:\WINDOWS\opeC.tmp
2007-11-13 08:46 . 2007-11-30 17:58 <DIR> d-------- C:\Temp
2007-11-11 14:44 . 2007-11-11 14:44 245,760 --------- C:\WINDOWS\Setup1.exe
2007-11-11 14:44 . 2007-11-11 14:44 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-11-11 14:35 . 2007-11-11 14:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-10 11:25 . 2007-11-30 17:49 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-10 11:25 . 2007-11-10 11:25 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-10 11:23 . 2007-11-10 11:24 <DIR> d-------- C:\Program Files\iTunes
2007-11-10 11:20 . 2007-11-10 11:21 <DIR> d-------- C:\Program Files\QuickTime
2007-10-26 17:21 . 2007-10-26 17:21 <DIR> d-------- C:\WINDOWS\system32\regdacl
2007-10-26 17:21 . 2007-10-26 17:16 90,112 --a------ C:\WINDOWS\system32\regdacl.exe
2007-10-26 17:21 . 2007-10-26 17:16 53,248 --a------ C:\WINDOWS\system32\process.exe
2007-10-26 17:21 . 2007-10-26 17:16 16,384 --a------ C:\WINDOWS\system32\restart.exe
2007-10-26 17:21 . 2007-10-26 17:16 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2007-10-25 10:26 . 2007-10-25 10:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe
2007-10-25 10:26 . 2007-10-25 10:26 453 --a------ C:\WINDOWS\bdoscandellang.ini
2007-10-24 20:52 . 2007-11-21 19:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-24 19:56 . 2007-10-28 15:51 <DIR> d-------- C:\Documents and Settings\Scott Ferguson\Application Data\Lavasoft
2007-10-19 20:16 . 2007-10-19 20:16 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-10-19 20:16 . 2007-10-19 20:16 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-10-08 17:50 . 2007-10-08 17:50 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-10-08 17:49 . 2007-10-08 17:49 <DIR> d-------- C:\Program Files\Red Kawa

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-26 21:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-11-15 08:47 --------- d-----w C:\Program Files\AutoCAD 2006
2007-11-15 08:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2007-11-13 18:14 --------- d-----w C:\Documents and Settings\Scott Ferguson\Application Data\Azureus
2007-11-10 11:24 --------- d-----w C:\Program Files\iPod
2007-11-02 08:28 --------- d-----w C:\Program Files\Java
2007-10-31 14:09 30,464 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2007-10-25 17:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-10-25 17:05 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-10-25 17:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-10-25 17:01 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-10-25 16:58 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-10-25 16:24 815,480 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-10-25 16:14 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2006-08-12 09:56 24,192 ----a-w C:\Documents and Settings\Scott Ferguson\usbsermptxp.sys
2006-08-12 09:56 22,768 ----a-w C:\Documents and Settings\Scott Ferguson\usbsermpt.sys
.

((((((((((((((((((((((((((((( snapshot@2007-11-30_13.42.56.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-30 17:47:39 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_618.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B348CA56-31FE-499B-8973-C24A5075C57C}]
C:\Program Files\Windows NT\mevoxuC:\WINDOWS\system32\m2\caws83122.exe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24]
"algchk.exe"="C:\WINDOWS\system32\algchk.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 07:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2003-06-24 16:32 C:\WINDOWS\system32\nwiz.exe]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 01:12]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-10-25 16:20]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" []
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"SCDEmuApp.exe"="C:\Program Files\PowerISO\SCDEmuApp.exe" [2005-10-16 01:15]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 10:38]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-12-27 21:38]
"InstantAccess"="C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.exe" [2000-04-06 12:26]
"RegisterDropHandler"="C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [1998-12-14 09:42]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"b5700x drive"="C:\WINDOWS\cnssr.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"RegisterDropHandler"="C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [1998-12-14 09:42]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 07:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-04-29 17:08:39]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-04-29 17:16:14]
ScanPanel.lnk - C:\ScanPanel\ScnPanel.exe [2007-06-19 07:39:27]

S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\b5700x drive]
C:\WINDOWS\cnssr.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-11-23 20:16:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-30 17:58:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-30 17:59:21
C:\ComboFix2.txt ... 2007-11-30 13:43
.
--- E O F ---
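As an added example (not from the thread, ComboFix or HijackThis), a small Python triage script that applies the cues a helper looks for in the "Reg Loading Points" section above: autostart values for which ComboFix recorded no file date (the empty `[]`) and targets that sit directly in the Windows folder rather than a subfolder, like the "b5700x drive" entry. The sample lines are copied from the log; the flag names are my own.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: Run-key lines copied from the ComboFix "Reg Loading Points"
# section in the log above (the bracket holds the file date ComboFix recorded).
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24]
"algchk.exe"="C:\WINDOWS\system32\algchk.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-10-25 16:20]
"b5700x drive"="C:\WINDOWS\cnssr.exe" []
'''

KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')

# Flag names are hypothetical (my own); they are triage cues, not verdicts.
NO_METADATA = 'no-file-metadata'        # ComboFix recorded no date for the target
WINDOWS_ROOT = 'windows-root-binary'    # target sits directly in the Windows folder


def triage_run_entries(log_text):
    """Map (registry key, value name) -> list of flags for every autostart value."""
    findings = {}
    key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = ENTRY_RE.match(line)
        if not m or key is None:
            continue
        flags = []
        if not m.group('meta').strip():
            flags.append(NO_METADATA)
        parent = str(PureWindowsPath(m.group('cmd')).parent).lower()
        if parent == r'c:\windows':
            flags.append(WINDOWS_ROOT)
        findings[(key, m.group('name'))] = flags
    return findings


def flagged_names(findings):
    """Sorted value names that carry at least one flag."""
    return sorted(name for (_, name), flags in findings.items() if flags)
```

Entries such as ISUSPM, which also show `[]` in the full log, will be flagged too; the output is a review list for a human, not an automatic removal list.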

#6 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  • Local time:08:29 AM

Posted 30 November 2007 - 04:27 PM

Mexygen

Good job. Post a fresh Hijackthis log.

And in your reply give me an update on how your PC is running now
Microsoft MVP - Windows Security

#7 Mexygen

Mexygen
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:01:29 PM

Posted 01 December 2007 - 04:09 AM

Hi,

At first glance my computer seems to be running a lot more smoothly since I first switched it on this morning: the Windows firewall hadn't been switched off & there was no Avast pop-up message regarding an infected file. I had a quick look in the c:\windows folder and it looks as though the file "sqlservell.dll" has actually been deleted this time. I have also run another Hijackthis log as you requested; a copy is below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:04:48, on 01/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\ScanPanel\ScnPanel.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SCDEmuApp.exe] C:\Program Files\PowerISO\SCDEmuApp.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [algchk.exe] C:\WINDOWS\system32\algchk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ScanPanel.lnk = C:\ScanPanel\ScnPanel.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb_us//h...ALStreaming.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/16.25/uploader2.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C80AB78C-7F80-480E-8E3A-644FACC3DD40}: NameServer = 212.139.132.4 212.139.132.21
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 9429 bytes

#8 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  • Local time:08:29 AM

Posted 02 December 2007 - 03:06 PM

You may now remove/delete/uninstall the tools we used to clean your PC.

Now that your log is clean, there are some final notes:

Disable and Enable System Restore. Let's create a clean System Restore point; the instructions are here.

Update your Anti Virus Software.

Use and maintain a Firewall. There is a list HERE, all of which are free.

Download and install SiteHound by Firetrust for protection against malicious websites. Pick the version that matches your browser.

Visit Microsoft's Windows Update Site frequently for critical updates.

Backup your Important Documents and Files on a regular basis, to a disc or a USB key, not your hard drive.

You may want to read this article: "So how did I get infected in the first place" by Tony Klein.

surf safe
Microsoft MVP - Windows Security

#9 Mexygen

Mexygen
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:01:29 PM

Posted 03 December 2007 - 03:40 PM

Much obliged. Thanks very much for all the help; I will make sure I follow the advice so this hopefully never happens again...



