
Win32 Tratbho (trj)


This topic is locked
1 reply to this topic

#1 jewel78

Posted 15 January 2008 - 01:45 PM

Hi, I'm new here and have had this problem for a few days now, and it's freaking me out a lot.
I searched the net for some help to get rid of this Win32 Tratbho. I have avast antivirus, and it detected that
C:\windows\system32\ssqpm.dll contains a sample of Win32 Tratbho (trj). I moved it to the chest so many times and deleted it manually,
scanned with Ad-Aware 2007, RegCure, XoftSpy SE and NoAdware; they all detected the same thing and removed it, and when I reboot it comes back.
Help!!! Thanks in advance.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:38:23 PM, on 1/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SiSAudUt.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\SiSAudUt .exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp .exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webwaves.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.webwaves.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webwaves.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqpm.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7443A2AE-255C-43CD-81BF-9D7CA51EB06E} - C:\WINDOWS\system32\ssqpm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SiS7012Utility] "C:\WINDOWS\system32\SiSAudUt.exe" -wdm
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1195066788903
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195066873685
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/crusher-kiwen.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{43924CE1-F5F0-4BBA-A2E2-8FA141EA4C75}: NameServer = 194.105.32.12,194.105.32.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A5DD49A-67B5-4A7F-AC16-5FB65BE22F49}: NameServer = 194.105.32.12 194.105.32.2
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 6625 bytes

And the ComboFix log file:

ComboFix 08-01-15.3 - user 2008-01-15 3:33:01.1 - NTFSx86
Running from: F:\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\awtqonl.dll
C:\WINDOWS\system32\citkdhgp.dll
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\geuitejy.dll
C:\WINDOWS\system32\mpqss.ini
C:\WINDOWS\system32\mpqss.ini2
C:\WINDOWS\system32\pghdktic.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\runtime


((((((((((((((((((((((((( Files Created from 2007-12-15 to 2008-01-15 )))))))))))))))))))))))))))))))
.

2008-01-15 03:52 . 2008-01-15 03:53 324,608 --a------ C:\WINDOWS\system32\ssqpm.dll
2008-01-15 03:27 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-15 00:53 . 2008-01-15 00:53 <DIR> d-------- C:\Program Files\Sqirlz Water Reflections
2008-01-15 00:53 . 2008-01-15 00:54 160,134 --a------ C:\WINDOWS\Sqirlz Water Reflections Uninstaller.exe
2008-01-14 20:22 . 2008-01-14 20:28 <DIR> d-------- C:\Program Files\RegCure
2008-01-14 20:02 . 2008-01-15 03:53 294,912 --a------ C:\WINDOWS\system32\SiSAudUt .exe
2008-01-14 20:02 . 2008-01-14 20:02 262,403 --a------ C:\WINDOWS\system32\sistray .exe
2008-01-14 01:32 . 2008-01-14 01:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grey Alien Games
2008-01-14 00:53 . 2006-07-28 09:30 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2008-01-14 00:53 . 2006-07-28 09:30 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2008-01-14 00:52 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-01-13 22:54 . 2008-01-13 22:55 <DIR> d-------- C:\Program Files\Ares
2008-01-13 03:16 . 2008-01-13 16:47 <DIR> d-------- C:\Program Files\NoAdware5.0
2008-01-13 00:30 . 2008-01-13 04:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-12 22:21 . 2007-10-01 16:24 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-01-12 10:20 . 2008-01-12 10:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-12 04:35 . 2008-01-12 10:40 <DIR> d-------- C:\Program Files\XoftSpySE
2008-01-12 03:25 . 2008-01-12 09:59 <DIR> d-------- C:\Program Files\MSN Messenger
2008-01-10 03:36 . 2002-10-01 14:43 119,798 --a------ C:\WINDOWS\system32\drivers\SPCA561.SYS
2008-01-10 03:36 . 2002-10-31 16:37 118,784 --a------ C:\WINDOWS\ShowBmp.exe
2008-01-10 03:36 . 2002-08-13 18:01 53,248 --a------ C:\WINDOWS\ap561.exe
2008-01-10 03:36 . 2002-08-13 18:01 14,385 --a------ C:\WINDOWS\Tw561a.ini
2008-01-10 03:36 . 2002-09-20 19:44 14,336 --a------ C:\WINDOWS\system32\dshow508.ax
2008-01-10 03:36 . 2002-08-13 18:01 7,431 --a------ C:\WINDOWS\Tw561a.src
2008-01-10 03:36 . 2002-03-19 14:11 81 --a------ C:\WINDOWS\Setup8a.ini
2008-01-10 03:35 . 2008-01-10 03:36 <DIR> d-------- C:\WINDOWS\Setup2K
2008-01-10 01:29 . 2008-01-11 14:39 <DIR> d-------- C:\Documents and Settings\user\Application Data\SolSuite
2008-01-10 01:29 . 2008-01-10 01:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TreeCardGames
2008-01-10 01:28 . 2008-01-10 01:28 <DIR> d-------- C:\Program Files\SolSuite
2008-01-08 17:33 . 2008-01-08 17:33 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-08 14:52 . 2008-01-08 14:48 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-08 14:47 . 2008-01-08 14:57 <DIR> d-------- C:\Documents and Settings\user\.housecall6.6
2008-01-07 18:50 . 2008-01-07 18:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck .exe
2008-01-07 18:44 . 2008-01-13 22:42 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-05 21:46 . 2008-01-05 21:46 4,096 --a------ C:\WINDOWS\d3dx.dat
2008-01-04 20:05 . 2008-01-04 19:00 72,192 -rahs---- C:\WINDOWS\system32\usnshare.exe
2008-01-03 19:40 . 2008-01-03 19:46 <DIR> d-------- C:\Program Files\Windows Live
2008-01-03 19:40 . 2008-01-03 19:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-03 19:40 . 2008-01-03 19:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WindowsLiveInstaller
2008-01-02 01:53 . 2008-01-02 01:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\IM
2008-01-02 01:48 . 2008-01-02 01:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\IncrediMail
2008-01-01 03:44 . 2008-01-11 00:01 <DIR> d-------- C:\Program Files\Babysitting Mania
2007-12-31 16:21 . 2007-12-31 16:21 <DIR> d-------- C:\Program Files\Windows Journal Viewer
2007-12-25 11:41 . 2007-12-25 11:41 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-12-25 11:35 . 2007-12-25 11:35 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-12-25 11:35 . 2007-12-25 11:38 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-12-18 22:36 . 2007-12-18 22:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Gogii
2007-12-17 23:32 . 2007-12-17 23:32 <DIR> d-------- C:\Documents and Settings\user\Application Data\Teggo
2007-12-17 23:32 . 2007-12-18 00:38 <DIR> d--hs---- C:\Documents and Settings\user\Application Data\.#
2007-12-17 18:03 . 2007-12-28 00:18 1,956 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-12-16 15:06 . 2007-12-16 15:06 <DIR> d-------- C:\Program Files\Dirty Dancing
2007-12-16 14:53 . 2007-12-16 14:53 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-12-16 14:53 . 2007-12-16 14:53 <DIR> d-------- C:\Program Files\Common Files\Jasc Software Inc
2007-12-16 14:53 . 2007-12-16 14:53 <DIR> d-------- C:\Program Files\Alien Skin
2007-12-16 14:53 . 2007-12-16 14:53 <DIR> d-------- C:\Documents and Settings\user\Application Data\Jasc
2007-12-16 14:53 . 2007-12-16 14:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2007-12-16 14:52 . 2008-01-04 18:29 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-16 14:47 . 2007-12-16 14:47 <DIR> d-------- C:\Program Files\Yahoo! Games
2007-12-16 14:46 . 2008-01-12 10:18 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-16 14:46 . 2007-12-16 14:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2007-12-16 14:45 . 2007-12-16 14:45 <DIR> d-------- C:\Documents and Settings\user\Application Data\Yahoo!
2007-12-16 14:44 . 2007-12-16 14:44 <DIR> d-------- C:\WINDOWS\Sun
2007-12-16 14:39 . 2008-01-03 19:47 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-12-16 14:39 . 2007-12-16 14:39 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-12-16 14:37 . 2007-12-16 14:37 <DIR> d-------- C:\WINDOWS\SiSInf
2007-12-16 14:37 . 2007-12-16 14:37 <DIR> d-------- C:\WINDOWS\SiSAGP
2007-12-16 14:37 . 2007-12-16 14:47 <DIR> d-------- C:\WINDOWS\SiS
2007-12-16 14:37 . 2007-12-16 14:37 <DIR> d-------- C:\Program Files\SiS7012
2007-12-16 14:37 . 2007-12-16 14:37 <DIR> d-------- C:\Program Files\CyberLink
2007-12-16 14:37 . 2007-12-16 14:37 <DIR> d-------- C:\Documents and Settings\user\WINDOWS
2007-12-15 14:26 . 2007-12-15 14:26 65,536 --ah----- C:\WINDOWS\MEMORY.DMP
2007-12-15 09:28 . 2007-12-15 09:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MumboJumbo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 00:28 625,664 ----a-w C:\WINDOWS\system32\SiSAudUt.exe
2008-01-13 14:59 90,112 ----a-w C:\WINDOWS\DUMP2c4f.tmp
2008-01-12 20:18 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
2008-01-12 20:02 488,960 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe.tmp
2008-01-12 17:35 598,016 ----a-w C:\WINDOWS\system32\khooker.exe
2008-01-10 02:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-07 17:50 594,944 ----a-w C:\WINDOWS\system32\sistray.EXE
2008-01-07 17:50 484,864 ----a-w C:\WINDOWS\system32\NeroCheck.exe
2008-01-04 18:49 --------- d-----w C:\Program Files\SoundTells
2008-01-02 02:23 --------- d-----w C:\Program Files\IncrediMail
2007-12-29 19:00 90,112 ----a-w C:\WINDOWS\DUMP3855.tmp
2007-12-23 15:24 90,112 ----a-w C:\WINDOWS\DUMP3b24.tmp
2007-12-18 21:35 --------- d-----w C:\Documents and Settings\user\Application Data\PlayFirst
2007-12-17 23:38 --------- d-sh--w C:\Documents and Settings\user\Application Data\.#
2007-12-16 14:06 --------- d-----w C:\Program Files\MediaMonkey
2007-12-16 14:05 --------- d-----w C:\Program Files\Movie Converter V3(2)
2007-12-16 14:05 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-16 13:53 --------- d-----w C:\Program Files\Jasc Software Inc
2007-12-16 13:52 --------- d-----w C:\Program Files\bfgclient
2007-12-16 13:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2007-12-16 13:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-12-16 13:47 --------- d-----w C:\Program Files\SiS305_V1.15
2007-12-16 13:47 --------- d-----w C:\Documents and Settings\user\Application Data\Ponys
2007-12-16 13:46 --------- d-----w C:\Program Files\Fashion Fits
2007-12-16 13:46 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-16 13:46 --------- d-----w C:\Documents and Settings\user\Application Data\Ahead
2007-12-16 13:45 --------- d-----w C:\Program Files\Yahoo!
2007-12-16 13:45 --------- d-----w C:\Program Files\Dr Daisy Pet Vet
2007-12-16 13:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-12-16 13:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-12-16 13:38 --------- d-----w C:\Program Files\hp deskjet 656c series
2007-12-16 13:37 --------- d-----w C:\Program Files\SiS305_V1.13
2007-12-16 13:37 --------- d-----w C:\Program Files\DVD Region-Free
2007-12-16 13:37 --------- d-----w C:\Program Files\Common Files\Ahead
2007-12-16 13:37 --------- d-----w C:\Program Files\Ahead
2007-12-06 18:37 --------- d-----w C:\Documents and Settings\user\Application Data\Alien Skin
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-11-27 20:01 --------- d-----w C:\Documents and Settings\user\Application Data\Home Sweet Home
2007-11-22 01:17 --------- d-----w C:\Documents and Settings\user\Application Data\Jasc Software Inc
2007-11-22 01:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2007-11-18 23:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Fugazo
2007-11-18 01:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pinnacle
2007-11-15 05:55 --------- d-----w C:\Program Files\ReflexiveArcade
2007-11-15 01:51 --------- d-----w C:\Program Files\Java
2007-11-15 01:49 --------- d-----w C:\Program Files\Common Files\Java
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 16:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
.
----a-w        79,224 2008-01-15 02:53:25  C:\Program Files\Alwil Software\Avast4\ashDisp .exe
----a-w       132,496 2008-01-07 17:51:24  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w     1,694,208 2008-01-07 17:52:16  C:\Program Files\Messenger\msmsgs .exe
----a-w     5,674,352 2008-01-15 01:25:50  C:\Program Files\MSN Messenger\MsnMsgr .Exe
----a-w     1,460,560 2008-01-14 22:20:24  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w     5,729,136 2008-01-10 23:23:58  C:\Program Files\Windows Live\Messenger\MsnMsgr .Exe
----a-w       224,248 2008-01-12 19:13:15  C:\Program Files\Yahoo!\Search Protection\SearchProtection .exe
----a-w       158,208 2008-01-12 20:18:07  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w        15,360 2008-01-13 21:42:10  C:\WINDOWS\system32\ctfmon .exe
----a-w       155,648 2008-01-07 17:50:58  C:\WINDOWS\system32\NeroCheck .exe
----a-w       294,912 2008-01-15 02:53:08  C:\WINDOWS\system32\SiSAudUt .exe
----a-w       262,403 2008-01-14 19:02:28  C:\WINDOWS\system32\sistray .exe
----a-w       196,608 2008-01-15 02:53:17  C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04 .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS7012Utility"="C:\WINDOWS\system32\SiSAudUt.exe" [2008-01-15 01:28 625664]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2008-01-15 01:28 526848]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-01-13 22:41 434176]
"RegistryMechanic"="" []
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-04 13:00 388608]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDREG~1\DVDShell.dll [2003-12-20 21:58 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqonl]
awtqonl.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\\WINDOWS\\system32\\ssqpm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f8661d00]
C:\WINDOWS\system32\citkdhgp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-01-07 18:49 2214912 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2008-01-07 18:50 484864 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS KHooker]
--a------ 2008-01-12 18:35 598016 C:\WINDOWS\system32\khooker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-01-07 18:50 464896 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\User Sharing Wizard]
-rahs---- 2008-01-04 19:00 72192 C:\WINDOWS\system32\usnshare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
--a------ 2008-01-12 18:48 578048 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"AresChatServer"=3 (0x3)
"aawservice"=2 (0x2)

R3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys [2001-11-26 15:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\SETUP.EXE

.
Contents of the 'Scheduled Tasks' folder
"2008-01-15 02:50:57 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-01-14 22:34:51 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-01-15 02:53:43 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-01-15 02:06:05 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 03:53:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-15 3:59:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-15 02:59:22
.
2008-01-09 04:32:35 --- E O F ---

Just ignore this post.
Thanks anyway, hopefully I managed to clean my PC.
Keep it up!!!

Edited by jewel78, 15 January 2008 - 08:07 PM.



#2 KoanYorel

Posted 16 January 2008 - 09:31 AM

Thanks for informing us.

This topic is closed.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)
