
Vbs:malware-gen


8 replies to this topic

#1 cequin


Posted 10 December 2007 - 09:31 AM

Hi there, I am running Win XP SP2, Avast and Spybot, and on boot-up it picks up this virus (VBS:malware-gen). I have done a full scan.
Avast warns me to remove the file; I do so, but each time I boot the computer I get a virus warning again:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1.reg
VBS:Malware-gen
Visible symptoms of something working in the background might be a strange warning about an IE script page, and I don't use IE at all, Firefox instead. And I am having problems connecting to the web, which did not happen until recently. Please help me with advice, because I finally got a computer job and reinstalling everything within a week looks like an impossible task for me. Cheers. HJT follows.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:17:03, on 2007-12-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\WINDOWS\system32\WinUpdater.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\nerds.de\LoopBe1\loopBeMon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Alias\Alias SketchBook Pro 2.0\AliasSketchSnap.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://forums.shareaza.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: SYSTRAN Toolbar - {95daa571-4def-4a6d-97d8-98a346672a24} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PSDrvCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [Windows Updater] WinUpdater.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKLM\..\RunServices: [Windows Updater] WinUpdater.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: LoopBe1 Monitor.lnk = C:\Program Files\nerds.de\LoopBe1\loopBeMon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Alias SketchBook Snapshot.lnk = C:\Program Files\Alias\Alias SketchBook Pro 2.0\AliasSketchSnap.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 5834 bytes

Thank You.



#2 teacup61

  • Malware Response Team

Posted 10 December 2007 - 06:36 PM

Hello cequin,

Welcome to Bleeping Computer :thumbsup:

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with the fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

You can re-enable TeaTimer once your system is clean.

One of the features of TrojanHunter is the TrojanHunter Guard used for resident memory scanning. We need to temporarily disable this, as it may interfere with the changes that need to be made during the fix.

To disable this feature, go to the TrojanHunter Guard icon.
(A light blue magnifying glass icon in the lower right corner of the screen.)
Right click it and select: Settings
Uncheck:
-Load at startup
-Enabled

You can re-enable TrojanHunter Guard once we are finished.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 cequin


Posted 11 December 2007 - 04:31 AM

Hi! Thanks for the reply. I have done all you have asked and here are the new logs. Cheers.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:29, on 2007-12-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\WinUpdater.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\nerds.de\LoopBe1\loopBeMon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Alias\Alias SketchBook Pro 2.0\AliasSketchSnap.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://forums.shareaza.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: SYSTRAN Toolbar - {95daa571-4def-4a6d-97d8-98a346672a24} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PSDrvCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Windows Updater] WinUpdater.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKLM\..\RunServices: [Windows Updater] WinUpdater.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - Global Startup: LoopBe1 Monitor.lnk = C:\Program Files\nerds.de\LoopBe1\loopBeMon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Alias SketchBook Snapshot.lnk = C:\Program Files\Alias\Alias SketchBook Pro 2.0\AliasSketchSnap.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 5610 bytes



ComboFix 07-12-10.2 - Administrator 2007-12-11 10:17:55.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.491 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\svehost.exe
C:\WINDOWS\system32\wpcap.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\NPF


((((((((((((((((((((((((( Files Created from 2007-11-11 to 2007-12-11 )))))))))))))))))))))))))))))))
.

2007-12-11 10:21 . 2007-12-11 10:21 5,894 --a------ C:\a.bat
2007-12-10 18:32 . 2007-12-10 18:32 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-12-10 18:32 . 2007-12-10 18:32 <DIR> d-------- C:\WINDOWS\system32\Flash
2007-12-10 18:32 . 2007-12-10 18:32 <DIR> d-------- C:\Program Files\Common Files\TechSmith Shared
2007-12-10 18:32 . 2007-12-10 18:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TechSmith
2007-12-10 15:16 . 2007-12-10 15:16 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-09 17:29 . 2007-12-09 17:29 <DIR> d-------- C:\Program Files\DVD Shrink
2007-12-09 17:29 . 2007-12-09 17:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-09 12:21 . 2007-12-09 12:21 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-12-09 12:21 . 2007-12-09 12:21 <DIR> d-------- C:\Program Files\Common Files\Real
2007-12-09 03:05 . 2007-12-09 03:05 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-09 03:01 . 2007-12-09 03:01 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-08 12:03 . 2001-08-17 13:48 17,664 --a------ C:\WINDOWS\system32\drivers\sermouse.sys
2007-12-08 03:00 . 2007-12-08 03:00 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-12-08 03:00 . 2007-12-09 03:05 1,374 --a------ C:\WINDOWS\imsins.BAK
2007-12-07 21:10 . 2007-12-07 21:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc
2007-12-07 19:27 . 2007-12-07 19:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-07 16:22 . 2007-12-07 16:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Toon Boom Animation
2007-12-07 16:15 . 2007-12-07 16:15 <DIR> d-------- C:\Program Files\Toon Boom Animation
2007-12-06 16:20 . 2007-12-06 16:20 <DIR> d-------- C:\Program Files\Easy Icon Maker
2007-12-06 12:28 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-12-06 12:28 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-12-06 05:24 . 2007-12-06 05:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SYSTRAN
2007-12-06 05:21 . 2007-12-06 05:21 878,080 --a------ C:\WINDOWS\system32\iconv.dll
2007-12-06 05:21 . 2007-12-06 05:21 721,920 --a------ C:\WINDOWS\system32\libxml2.dll
2007-12-06 05:21 . 2007-12-06 05:21 170,432 --a------ C:\WINDOWS\system32\libsyslic1.pd
2007-12-06 05:21 . 2007-12-06 05:21 150,016 --a------ C:\WINDOWS\system32\libxslt.dll
2007-12-06 05:21 . 2007-12-06 05:21 51,200 --a------ C:\WINDOWS\system32\libexslt.dll
2007-12-06 05:21 . 2007-12-06 05:21 192 --a------ C:\WINDOWS\system32\libsyslic1.ls
2007-12-06 05:19 . 2007-12-06 05:19 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-12-06 05:18 . 2007-03-14 01:57 144,896 -ra------ C:\WINDOWS\system32\libsyslic1.original.dll
2007-12-06 05:18 . 2007-03-24 12:45 57,344 -ra------ C:\WINDOWS\system32\libsyslic1.dll
2007-12-06 05:05 . 2007-12-06 05:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2007-12-05 21:56 . 2007-12-05 21:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2007-12-05 21:56 . 2007-12-05 21:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ulead Systems
2007-12-05 21:52 . 2007-12-05 21:52 <DIR> d-------- C:\Program Files\Ulead.dat
2007-12-05 21:52 . 2007-12-11 09:58 60 --a------ C:\WINDOWS\Wininit.ini
2007-12-05 21:49 . 2007-12-05 21:49 <DIR> d-------- C:\WINDOWS\Noslip
2007-12-05 21:49 . 2007-12-05 21:49 <DIR> d-------- C:\Program Files\Ulead Systems
2007-12-05 21:49 . 2007-12-05 21:49 110 --a------ C:\WINDOWS\ULEAD32.INI
2007-12-04 17:47 . 2007-12-10 16:48 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-04 17:47 . 2007-12-04 17:47 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-04 12:28 . 2007-12-04 12:28 <DIR> d-------- C:\Program Files\ewido anti-spyware 4.0
2007-12-04 11:43 . 2007-12-04 11:43 <DIR> d-------- C:\Program Files\Super Internet TV
2007-12-03 21:49 . 2007-12-03 21:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\e frontier
2007-12-03 17:49 . 2007-12-03 17:49 <DIR> d-------- C:\Program Files\AVI MPEG WMV RM to MP3 Converter
2007-12-03 17:24 . 2007-12-03 17:24 <DIR> d-------- C:\TEMP
2007-12-03 08:31 . 2007-12-03 08:31 <DIR> d-------- C:\Program Files\DAEMON Tools SearchBar
2007-12-03 04:09 . 2007-12-03 04:09 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-02 19:03 . 2007-12-02 19:03 <DIR> d-------- C:\Program Files\2BrightSparks
2007-12-02 09:37 . 2007-12-02 09:37 <DIR> d-------- C:\Program Files\RSS Submit
2007-12-01 03:57 . 2007-12-01 03:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TrojanHunter
2007-12-01 02:24 . 2007-12-01 02:24 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-11-30 22:33 . 2007-11-30 22:33 <DIR> d-------- C:\Program Files\SmartDraw 2008
2007-11-30 22:09 . 2007-11-30 22:09 <DIR> d-------- C:\Program Files\Pixarra
2007-11-30 18:21 . 2007-11-30 18:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
2007-11-30 18:21 . 2007-11-30 18:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Corel
2007-11-30 18:21 . 2007-12-10 18:49 848 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-11-30 18:20 . 2007-11-30 18:20 <DIR> d-------- C:\Program Files\Common Files\Corel
2007-11-30 18:10 . 2007-11-30 18:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ACD Systems
2007-11-30 18:10 . 2007-11-30 18:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ACD Systems
2007-11-30 18:06 . 2004-03-05 01:21 339,968 --a------ C:\WINDOWS\system32\mpiwin32.dll
2007-11-30 18:06 . 2004-03-05 01:21 15,840 --a------ C:\WINDOWS\system32\Machnm1.exe
2007-11-30 18:01 . 2007-11-30 18:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Alias
2007-11-30 18:01 . 2007-11-30 18:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Alias
2007-11-30 18:00 . 2007-11-30 18:01 <DIR> d-------- C:\Program Files\Alias
2007-11-30 12:41 . 2007-11-30 12:41 <DIR> d-------- C:\Program Files\PowerISO
2007-11-30 09:56 . 2007-11-30 09:56 <DIR> d-------- C:\Program Files\Xara
2007-11-30 09:56 . 2007-11-30 09:56 <DIR> d-------- C:\Program Files\WMV9_VCM
2007-11-30 09:56 . 2007-11-30 09:56 <DIR> d-------- C:\Program Files\Common Files\Xara
2007-11-28 18:16 . 2007-11-28 18:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\skypePM
2007-11-28 18:16 . 2007-11-28 18:16 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-11-28 18:13 . 2007-11-28 18:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2007-11-27 11:50 . 2007-11-27 11:58 117,504 --a------ C:\ja.jpg
2007-11-27 04:10 . 2007-11-27 04:10 <DIR> d-------- C:\Program Files\Opera
2007-11-26 18:53 . 2007-11-26 18:53 <DIR> d-------- C:\Program Files\Alwil Software
2007-11-24 16:50 . 2007-11-24 16:50 <DIR> d-------- C:\Program Files\MB Free Subliminal Message Software
2007-11-23 16:55 . 2005-06-01 12:15 966,144 --a------ C:\WINDOWS\system32\NCTAudioInformation2.dll
2007-11-23 16:47 . 2007-04-16 14:58 1,118,208 --a------ C:\WINDOWS\system32\NMSDVDXU.dll
2007-11-23 16:47 . 2005-06-01 12:11 877,568 --a------ C:\WINDOWS\system32\NCTAudioFile2.dll
2007-11-23 16:47 . 2002-04-07 22:14 724,992 --a------ C:\WINDOWS\system32\ebCrypt.dll
2007-11-23 16:47 . 2003-05-15 12:07 389,120 --a------ C:\WINDOWS\system32\actskn43.ocx
2007-11-23 16:47 . 2007-01-04 22:47 376,832 --a------ C:\WINDOWS\system32\cmd22.dll
2007-11-23 16:47 . 2003-10-29 22:43 253,952 --a------ C:\WINDOWS\system32\SkinBoxer43.dll
2007-11-22 11:48 . 2007-11-22 11:48 <DIR> d-------- C:\Program Files\Conceptworld
2007-11-22 06:57 . 2007-11-22 06:57 <DIR> d-------- C:\Program Files\ffdshow
2007-11-22 06:57 . 2006-10-02 13:44 5,120 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-11-22 06:57 . 2006-08-05 12:06 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2007-11-22 06:56 . 2007-11-22 06:56 <DIR> d-------- C:\Program Files\Vodei
2007-11-19 19:14 . 2007-11-19 19:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\vlc
2007-11-19 18:48 . 2007-11-19 18:48 <DIR> d-------- C:\Program Files\VideoLAN
2007-11-19 18:45 . 2007-11-19 18:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Media Player Classic
2007-11-18 13:39 . 2007-11-18 13:39 <DIR> d-------- C:\Program Files\Google
2007-11-17 11:38 . 2002-11-02 09:53 57,344 --a------ C:\WINDOWS\system32\WNASPINT.DLL
2007-11-16 12:24 . 2007-11-16 12:24 <DIR> d-------- C:\Program Files\Jufsoft
2007-11-15 18:59 . 2007-11-15 18:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-15 04:12 . 2005-06-15 03:00 102,400 --a------ C:\WINDOWS\system32\tsccvid.dll
2007-11-14 18:15 . 2007-11-14 18:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2007-11-14 18:11 . 2007-11-14 18:11 <DIR> d-------- C:\Program Files\Apple Software Update
2007-11-14 18:11 . 2007-11-14 18:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-11-06 19:03 --------- d-----w C:\Documents and Settings\Administrator\Application Data\DivX
2007-11-06 19:02 --------- d-----w C:\Program Files\DivX
2007-10-30 12:17 --------- d-----w C:\Program Files\InterActual
2007-10-30 10:47 --------- d-----w C:\Documents and Settings\Administrator\Application Data\dvdcss
2007-10-30 10:44 --------- d-----w C:\Program Files\ImTOO
2007-10-29 17:37 --------- d-----w C:\Documents and Settings\Administrator\Application Data\InterVideo
2007-10-29 17:13 --------- d-----w C:\Program Files\InterVideo
2007-10-27 08:06 --------- d-----w C:\Program Files\Womble Multimedia
2007-10-24 12:39 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2007-10-24 12:38 6,656 ----a-w C:\WINDOWS\system32\haspvdd.dll
2007-10-24 12:38 47,616 ----a-w C:\WINDOWS\system32\drivers\Haspnt.sys
2007-10-24 12:38 --------- d-----w C:\Program Files\scripts
2007-10-24 12:38 --------- d-----w C:\Program Files\resources
2007-10-24 12:38 --------- d-----w C:\Program Files\Python
2007-10-24 12:38 --------- d-----w C:\Program Files\presets
2007-10-24 12:38 --------- d-----w C:\Program Files\movies
2007-10-24 12:38 --------- d-----w C:\Program Files\mentalray
2007-10-24 12:38 --------- d-----w C:\Program Files\lib
2007-10-24 12:38 --------- d-----w C:\Program Files\include
2007-10-24 12:38 --------- d-----w C:\Program Files\ExternalWebBrowser
2007-10-24 12:38 --------- d-----w C:\Program Files\docs
2007-10-24 12:38 --------- d-----w C:\Program Files\devkit
2007-10-24 12:38 --------- d-----w C:\Program Files\brushShapes
2007-10-24 12:38 --------- d-----w C:\Program Files\brushImages
2007-10-24 12:38 --------- d-----w C:\Program Files\brushes
2007-10-24 12:37 --------- d-----w C:\Program Files\icons
2007-10-24 12:37 --------- d-----w C:\Program Files\Common Files\Alias Shared
2007-10-24 12:37 --------- d-----w C:\Program Files\bin
2007-10-24 11:16 --------- d-----w C:\Program Files\CCleaner
2007-10-22 07:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2007-09-27 12:05 74,240 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-09-27 12:05 253,952 ------w C:\WINDOWS\Setup1.exe
2007-09-14 10:15 50,520 ----a-w C:\WINDOWS\system32\csvidcap.dll
2004-05-06 11:14 755 ----a-w C:\Program Files\setup.ini
2004-05-06 11:14 40,448 ----a-w C:\Program Files\setup.exe
2004-05-06 11:14 4,292,096 ----a-w C:\Program Files\setup.msi
2004-08-03 23:56 568,832 --sh--r C:\WINDOWS\system32\WinUpdater.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:56]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2007-11-12 09:16]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-06-20 23:42 C:\WINDOWS\soundman.exe]
"PSDrvCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2003-08-28 11:47]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [2007-12-11 04:59]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-07 01:05]
"Windows Updater"="WinUpdater.exe" [2004-08-04 00:56 C:\WINDOWS\system32\WinUpdater.exe]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 17:34]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-09 12:21]
"Corel Photo Downloader"="C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-16 12:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Updater"="WinUpdater.exe" [2004-08-04 00:56 C:\WINDOWS\system32\WinUpdater.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
LoopBe1 Monitor.lnk - C:\Program Files\nerds.de\LoopBe1\loopBeMon.exe [2005-04-20 19:10:22]
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-27 09:11:00]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-10-29 18:13:04]
Alias SketchBook Snapshot.lnk - C:\Program Files\Alias\Alias SketchBook Pro 2.0\AliasSketchSnap.exe [2005-06-03 14:33:44]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"AcrSch2Svc"=2 (0x2)
"Diskeeper"=2 (0x2)

R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys
S1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys
S3 SynasUSB;SynasUSB;C:\WINDOWS\system32\drivers\SynasUSB.sys
S3 TAP;TAP-Win32 Adapter;C:\WINDOWS\system32\DRIVERS\tapdrvr.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\autorun.exe

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-11 10:21:48
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-11 10:22:09 - machine was rebooted
.
--- E O F --- 2007-12-09 02:06:27

Thanks again, I'll wait for the next advice. By the way, I like your icon smiley.

Edited by cequin, 11 December 2007 - 04:35 AM.


#4 teacup61

  • Malware Response Team

Posted 11 December 2007 - 11:52 AM

Hello,

You're welcome. :thumbsup: And.....

By the way I like your icon smiley.

Thanks. :blink:

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#5 cequin

cequin
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:54 AM

Posted 11 December 2007 - 04:36 PM

Unfortunately I am not able to boot into Safe Mode. Comp does not recognize my keyboard nor my mouse?!! I will find a USB one that might work.
See you or hear from you tomorrow, cheers, VBS victim

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:54 PM

Posted 11 December 2007 - 05:01 PM

Okay, forget that for now. We'll run this one in Normal Mode, and fix Safe Mode later if we need to. :thumbsup:

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea

#7 cequin

cequin
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:54 AM

Posted 15 December 2007 - 04:17 PM

Hi, finally I managed to do the right thing. Thanks to your advice the trojan warning disappeared. I'll remember your help. Right now I am striving to get my first job done, and my comp is all I got. Thanks one more time.

SDFix: Version 1.118

Run by Administrator on 2007-12-15 at 21:51

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\BFX_FR~1.TMP - Deleted
C:\Program Files\Setup.exe - Deleted
C:\WINDOWS\system32\WinUpdater.exe - Deleted




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-15 21:54:47
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:uTorrent"
"C:\\WINDOWS\\System32\\WinUpdater.exe"="C:\\WINDOWS\\System32\\WinUpdater.exe:*:Enabled:WinUpdater"
"C:\\Program Files\\bin\\maya.exe"="C:\\Program Files\\bin\\maya.exe:*:Enabled:Maya"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Thu 30 Nov 2006 2,045 ...H. --- "C:\WINDOWS\system32\whlprd32a.dll"
Tue 11 Dec 2007 848 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sat 15 Dec 2007 1,441 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti6.tmp"

Finished!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:09:23, on 2007-12-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\nerds.de\LoopBe1\loopBeMon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Alias\Alias SketchBook Pro 2.0\AliasSketchSnap.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\ntvdm.exe
E:\Autodesk\bin\maya.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pointa.autodesk.com/local/enu/porta...gnin.jsp?po=enu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://forums.shareaza.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: SYSTRAN Toolbar - {95daa571-4def-4a6d-97d8-98a346672a24} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PSDrvCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UVS11 Preload] F:\program files\New Folder\uvPL.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - Global Startup: LoopBe1 Monitor.lnk = C:\Program Files\nerds.de\LoopBe1\loopBeMon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Alias SketchBook Snapshot.lnk = C:\Program Files\Alias\Alias SketchBook Pro 2.0\AliasSketchSnap.exe
O8 - Extra context menu item: SYSTRAN Lookup - res://F:\program files\\GUIres.dll/lookup.js
O8 - Extra context menu item: SYSTRAN Translate - res://F:\program files\\GUIres.dll/translate.js
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6308 bytes

Cheers Cequin.
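One defender-side check the SDFix report above invites: SDFix deleted C:\WINDOWS\system32\WinUpdater.exe, yet the Windows Firewall "Authorized Application Key Export" still lists an Enabled exception for it. This added Python example (not SDFix's, HijackThis's or BleepingComputer's code; the report excerpt is copied from the post above as sample input) parses the "Trojan Files Found" and "Authorized Application Key Export" sections and flags firewall exceptions that still point at deleted files.

```python
import re

# Excerpt of the SDFix report posted above, embedded as sample input.
SDFIX_REPORT = r"""
Trojan Files Found:

C:\BFX_FR~1.TMP - Deleted
C:\Program Files\Setup.exe - Deleted
C:\WINDOWS\system32\WinUpdater.exe - Deleted

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:uTorrent"
"C:\\WINDOWS\\System32\\WinUpdater.exe"="C:\\WINDOWS\\System32\\WinUpdater.exe:*:Enabled:WinUpdater"
"C:\\Program Files\\bin\\maya.exe"="C:\\Program Files\\bin\\maya.exe:*:Enabled:Maya"

Remaining Files:
"""

# "<path> - Deleted" lines in the "Trojan Files Found" section.
DELETED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) - Deleted\s*$", re.MULTILINE)
# .reg-style firewall values: "path"="path:*:Enabled|Disabled:DisplayName"
AUTH_RE = re.compile(
    r'^"(?P<path>[^"]+)"="[^"]*:(?P<state>Enabled|Disabled):(?P<name>[^"]*)"',
    re.MULTILINE,
)


def deleted_files(report):
    """Return the set of paths SDFix reported as deleted (lower-cased: NTFS is case-insensitive)."""
    return {m.group("path").lower() for m in DELETED_RE.finditer(report)}


def authorized_apps(report):
    """Return (path, state, display_name) for each firewall-authorized application."""
    apps = []
    for m in AUTH_RE.finditer(report):
        # .reg exports double every backslash; undo that to recover the real path.
        apps.append((m.group("path").replace("\\\\", "\\"), m.group("state"), m.group("name")))
    return apps


def stale_firewall_exceptions(report):
    """Firewall exceptions whose target file SDFix deleted: leftover allow rules worth removing."""
    gone = deleted_files(report)
    return [app for app in authorized_apps(report) if app[0].lower() in gone]


if __name__ == "__main__":
    for path, state, name in stale_firewall_exceptions(SDFIX_REPORT):
        print(f"stale firewall exception: {name} ({state}) -> {path}")
```

The path comparison is case-insensitive on purpose: the deleted file is logged as system32 while the firewall value says System32.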

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:54 PM

Posted 15 December 2007 - 04:45 PM

Hello,

Looks a LOT better! Way to go! :blink:

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://forums.shareaza.com/ <---this is a no no!!
O3 - Toolbar: SYSTRAN Toolbar - {95daa571-4def-4a6d-97d8-98a346672a24} - mscoree.dll (file missing)


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

Did you get ComboFix to run? If so, I'd really like to see the report from it please. :thumbsup:

Thanks,
tea

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:54 PM

Posted 12 January 2008 - 11:23 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic