Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijackthis Log


  • This topic is locked This topic is locked
11 replies to this topic

#1 squert9

squert9

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:08 AM

Posted 09 February 2008 - 11:18 AM

i was wondering if anyone can help me with my hijackthis log. I've tried everything to get rid of pop-ups i keep getting from zedo and other things like that. Any help will be appreciated. thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:19:04, on 09/02/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\VTTimer.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.youtube.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F3 - REG:win.ini: load=C:\WINNT\system32\csdhlkeobt\lsass.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [AskSBar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -3
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [AntiSpyware] C:\Program Files\AntiSpyware\AntiSpyware.exe -boot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: lsass.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\TmFvbWk\command.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

--
End of file - 5172 bytes

BC AdBot (Login to Remove)

 


m

#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:08 PM

Posted 16 February 2008 - 04:18 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum.
My name is Richie and i'll be helping you to fix your problems.

Apologies for the late response,as i'm sure you can appreciate we are extremely busy.

If you've already recieved help at another forum and your issues have been resolved,or you're presently recieving help elsewhere then please let us know.

If you have not followed the info in the link below prior to posting your log then please do so now:
Preparation Guide for use before posting a HijackThis Log:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If you still require help,please post a new Hijackthis log into this topic in your next reply.

Also post a detailed description of the issues you're experiencing.

*Note*
Post all reports/logs directly into this topic,not as attachments,thanks.
Posted Image
Posted Image

#3 squert9

squert9
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:08 AM

Posted 17 February 2008 - 07:25 AM

i did everything that page said to do but i still keep getting the same problems. I keep getting pop-ups a lot of them from powered by zedo. When spybot it says its fixed the problem but i still get the same things happening. Think it's something to do with 'core.sys' and 'core.cache.dsk' files but i can't delete them. Here is my new HiJackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:26, on 17/02/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\VTTimer.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.youtube.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F3 - REG:win.ini: load=C:\WINNT\system32\csdhlkeobt\lsass.exe
F2 - REG:system.ini: UserInit=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5593] command /c del "C:\WINNT\system32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC488] cmd /c del "C:\WINNT\system32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7462] command /c del "C:\WINNT\system32\drivers\core.sys"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7969] cmd /c del "C:\WINNT\system32\drivers\core.sys"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [AntiSpyware] C:\Program Files\AntiSpyware\AntiSpyware.exe -boot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB3462] command /c del "C:\WINNT\system32\drivers\core.cache.dsk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD697] cmd /c del "C:\WINNT\system32\drivers\core.cache.dsk"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5623] command /c del "C:\WINNT\system32\drivers\core.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9484] cmd /c del "C:\WINNT\system32\drivers\core.sys"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: lsass.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 5793 bytes


Any help will be appreciated.

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:08 PM

Posted 17 February 2008 - 07:40 AM

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java,and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 4'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation jre-6u4-windows-i586-p.exe' [15.12 MB] and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.


If you have previously downloaded ComboFix,please delete that version now.
Download Combofix by sUBs and save to your desktop.
Alternative Combofix download link HERE.
Note
It is important that it is saved directly to your desktop


Now close any open browsers.
Double click on Combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window or do anything else on your pc while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix,please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.
Posted Image
Posted Image

#5 squert9

squert9
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:08 AM

Posted 17 February 2008 - 08:40 AM

Sorry it took me a bit longer to do since my internet decided to stop working. Here is the ComboFix log:

ComboFix 08-02-17.2 - Naomi 17/02/2008 12:54:07.1 - NTFSx86
Running from: C:\Documents and Settings\Naomi\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\drivers\core.cache.dsk
C:\WINNT\system32\drivers\core.sys
C:\WINNT\system32\drivers\core.cache.dsk
C:\WINNT\system32\drivers\core.sys
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE
-------\core


((((((((((((((((((((((((( Files Created from 2008-01-17 to 2008-02-17 )))))))))))))))))))))))))))))))
.

2008-02-17 12:50 . 08-02-17 12:53 <DIR> d-------- C:\Documents and Settings\Naomi\.SunDownloadManager
2008-02-17 12:15 . 08-02-17 12:15 <DIR> d-------- C:\Program Files\Unlocker
2008-02-17 09:58 . 04-10-15 18:17 60,496 --a------ C:\WINNT\system32\drivers\Teefer.sys
2008-02-17 09:58 . 04-10-15 18:32 14,568 --a------ C:\WINNT\system32\drivers\wg6n.sys
2008-02-17 09:58 . 04-10-15 18:32 14,568 --a------ C:\WINNT\system32\drivers\wg5n.sys
2008-02-17 09:58 . 04-10-15 18:32 14,568 --a------ C:\WINNT\system32\drivers\wg4n.sys
2008-02-17 09:58 . 04-10-15 18:32 14,568 --a------ C:\WINNT\system32\drivers\wg3n.sys
2008-02-17 09:57 . 08-02-17 09:57 <DIR> d-------- C:\Program Files\Sygate
2008-02-17 09:57 . 04-10-15 18:32 83,096 --a------ C:\WINNT\system32\SSSensor.dll
2008-02-17 09:57 . 04-10-15 18:18 21,075 --a------ C:\WINNT\system32\drivers\wpsdrvnt.sys
2008-02-17 09:56 . 08-02-17 09:56 23,600 --a------ C:\WINNT\system32\drivers\TVICHW32.SYS
2008-02-17 00:00 . 08-02-17 00:00 2,550 --a------ C:\WINNT\system32\Uninstall.ico
2008-02-17 00:00 . 08-02-17 00:00 1,406 --a------ C:\WINNT\system32\Help.ico
2008-02-16 22:58 . 08-02-17 00:41 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-16 22:58 . 08-02-16 22:58 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-10 14:18 . 08-02-10 14:18 2,574 --a------ C:\WINNT\system32\tmp.reg
2008-02-10 14:04 . 07-09-05 23:22 289,144 --a------ C:\WINNT\system32\VCCLSID.exe
2008-02-10 14:04 . 06-04-27 16:49 288,417 --a------ C:\WINNT\system32\SrchSTS.exe
2008-02-10 14:04 . 08-02-08 23:55 85,504 --a------ C:\WINNT\system32\VACFix.exe
2008-02-10 14:04 . 08-02-08 10:37 82,432 --a------ C:\WINNT\system32\IEDFix.exe
2008-02-10 14:04 . 03-06-05 20:13 53,248 --a------ C:\WINNT\system32\Process.exe
2008-02-10 14:04 . 04-07-31 17:50 51,200 --a------ C:\WINNT\system32\dumphive.exe
2008-02-10 14:04 . 07-10-03 23:36 25,600 --a------ C:\WINNT\system32\WS2Fix.exe
2008-02-09 22:08 . 08-02-09 22:08 <DIR> d-------- C:\WINNT\winsxs
2008-02-09 20:35 . 08-02-09 20:35 <DIR> d-------- C:\VundoFix Backups
2008-02-09 20:28 . 08-02-17 00:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-09 20:28 . 08-02-09 20:28 <DIR> d-------- C:\Documents and Settings\Naomi\Application Data\SUPERAntiSpyware.com
2008-02-09 20:28 . 08-02-09 20:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-09 16:16 . 08-02-09 16:16 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-08 18:46 . 08-02-17 10:44 <DIR> d-------- C:\WINNT\BDOSCAN8
2008-02-08 18:33 . 08-02-12 21:52 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-02-08 18:33 . 08-02-08 18:33 1,409 --a------ C:\WINNT\QTFont.for
2008-02-05 17:26 . 08-02-16 10:23 <DIR> d-------- C:\Documents and Settings\Naomi\Application Data\FrostWire
2008-02-05 17:25 . 08-02-08 16:51 <DIR> d-------- C:\Program Files\FrostWire
2008-02-04 18:34 . 08-02-04 18:34 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-04 17:24 . 08-02-04 17:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-03 23:06 . 08-02-03 23:06 <DIR> d-------- C:\Documents and Settings\Naomi\Application Data\True Sword
2008-02-03 23:05 . 08-02-04 18:34 <DIR> d-------- C:\Program Files\True Sword 4
2008-02-03 18:13 . 08-02-17 11:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-03 17:45 . 08-02-16 23:16 <DIR> d-------- C:\Documents and Settings\Naomi\Application Data\AntiSpyware
2008-01-29 21:59 . 08-01-29 21:59 <DIR> d-------- C:\Documents and Settings\Naomi\Application Data\Apple Computer
2008-01-29 21:58 . 08-02-17 00:40 <DIR> d-------- C:\Program Files\QuickTime
2008-01-29 21:57 . 08-01-29 21:57 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-22 18:26 . 08-01-22 18:26 <DIR> d-------- C:\Documents and Settings\Naomi\Application Data\Leadertech
2008-01-19 17:36 . 08-01-19 17:36 <DIR> d-------- C:\Program Files\Disc2Phone

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 11:06 --------- d-----w C:\Program Files\Lavasoft
2008-02-17 11:06 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-17 00:39 --------- d-----w C:\Program Files\MSN Messenger
2008-02-17 00:30 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-02-17 00:29 --------- d-----w C:\Program Files\Common Files\Sony Ericsson Shared
2008-02-05 17:21 --------- d-----w C:\Program Files\LimeWire
2008-02-04 18:37 --------- d-----w C:\Program Files\WildTangent
2008-02-03 11:37 --------- d-----w C:\Program Files\Common Files\Real
2008-02-03 11:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-22 22:29 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-01-09 15:01 53,248 ----a-w C:\WINNT\bdoscandel.exe
2007-12-21 17:35 --------- d-----w C:\Program Files\MSXML 4.0
2007-12-20 16:27 --------- d-----w C:\Documents and Settings\Naomi\Application Data\Teleca
2007-12-20 16:16 --------- d-----w C:\Documents and Settings\Naomi\Application Data\Sony Ericsson
2007-12-20 16:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Teleca
2007-12-20 16:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2007-12-20 16:04 --------- d-----w C:\Program Files\Sony Ericsson
2007-05-14 16:27 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-04-18 15:11 271 ---h--w C:\Program Files\desktop.ini
2006-04-18 15:11 21,952 ---h--w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [ ]
"lsass"="" []
"AntiSpyware"="C:\Program Files\AntiSpyware\AntiSpyware.exe" [ ]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [07-09-04 15:40 6856704]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [07-06-21 14:06 1318912]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08-01-28 11:43 2097488]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB3462"="command /c del C:\WINNT\system32\drivers\core.cache.dsk" [ ]
"SpybotDeletingD697"="cmd /c del C:\WINNT\system32\drivers\core.cache.dsk" [ ]
"SpybotDeletingB5623"="command /c del C:\WINNT\system32\drivers\core.sys" [ ]
"SpybotDeletingD9484"="cmd /c del C:\WINNT\system32\drivers\core.sys" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 19:05 111376 C:\WINNT\system32\mobsync.exe]
"VTTimer"="VTTimer.exe" [04-01-15 12:33 49152 C:\WINNT\system32\VTTimer.exe]
"Cmaudio"="cmicnfg.cpl" []
"LoadQM"="loadqm.exe" [00-05-03 16:23 7536 C:\WINNT\loadqm.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [07-09-25 01:11 132496]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [07-03-28 01:07 593920]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [05-06-06 23:46 57344]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [08-01-29 21:59 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [08-01-11 22:16 39792]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [04-10-15 19:40 2577632]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [06-09-07 17:19 15872]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 19:05 186640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [06-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 07-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [03-06-19 19:05 ]
S3 PAC207;USB PC Cam Plus;C:\WINNT\system32\DRIVERS\pfc027.sys [05-02-24 11:29 ]
S3 se59bus;Sony Ericsson Device 089 driver (WDM);C:\WINNT\system32\DRIVERS\se59bus.sys [06-09-05 20:07 ]
S3 se59mdfl;Sony Ericsson Device 089 USB WMC Modem Filter;C:\WINNT\system32\DRIVERS\se59mdfl.sys [06-09-05 20:07 ]
S3 se59mdm;Sony Ericsson Device 089 USB WMC Modem Driver;C:\WINNT\system32\DRIVERS\se59mdm.sys [06-09-05 20:07 ]
S3 se59mgmt;Sony Ericsson Device 089 USB WMC Device Management Drivers (WDM);C:\WINNT\system32\DRIVERS\se59mgmt.sys [06-09-05 20:08 ]
S3 se59nd5;Sony Ericsson Device 089 USB Ethernet Emulation SEMC59 (NDIS);C:\WINNT\system32\DRIVERS\se59nd5.sys [06-09-05 20:06 ]
S3 se59obex;Sony Ericsson Device 089 USB WMC OBEX Interface;C:\WINNT\system32\DRIVERS\se59obex.sys [06-09-05 20:09 ]
S3 se59unic;Sony Ericsson Device 089 USB Ethernet Emulation SEMC59 (WDM);C:\WINNT\system32\DRIVERS\se59unic.sys [06-09-05 20:06 ]
S3 viafilter;VIA USB Filter;C:\WINNT\system32\Drivers\viausb.sys [03-06-18 15:48 ]

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
"2008-02-17 03:00:00 C:\WINNT\Tasks\AntiSpyware Scheduled Scan.job"
- C:\Program Files\AntiSpyware\AntiSpyware.ex
- C:\Program Files\AntiSpyware
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 13:01:47
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Creative Detector = C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R??o?u?r?c?e?\?D?e?t?e?c?t?o?r?\?C?T?D?e?t?e?c?t?.?e?x?e??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
.
**************************************************************************
.
Completion time: 2008-02-17 13:04:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-17 13:04:00
.
2008-02-13 16:13:57 --- E O F ---








And here is the new Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:39:56, on 17/02/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\VTTimer.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.youtube.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [AntiSpyware] C:\Program Files\AntiSpyware\AntiSpyware.exe -boot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: lsass.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 4942 bytes

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:08 PM

Posted 17 February 2008 - 08:51 AM

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop,and install the fix to C:\

* You might want to print/copy the following as you need to be in Safe Mode from here on.

* Please then reboot your computer into Safe Mode by doing the following:
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode,go to and open the C:\SDFix folder,then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer that normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.


It appears you've no virus protection installed,which is somewhat suicidal.
Please download/install Avira AntiVir Personal Edition Classic[Free]:
http://www.free-av.com/
Perform a full scan with Avira and allow it to delete everything it detects.
Restart your pc when you've done.
After restart,open Avira Antivirus and select "Reports".
Then double click the report from the full scan you have just completed.
Click the "Report File" button,then copy and paste the report into your next reply.

Also post a new Hijackthis log.
Posted Image
Posted Image

#7 squert9

squert9
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:08 AM

Posted 17 February 2008 - 10:36 AM

Here is the SDFix report:


SDFix: Version 1.143

Run by Naomi on Sun 17/02/2008 at 14:09

Microsoft Windows 2000 [Version 5.00.2195]
Running From: C:\SDFix

Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Checking Files:

Trojan Files Found:

C:\Documents and Settings\Naomi\Start Menu\Programs\Startup\lsass.lnk - Deleted





Removing Temp Files...

ADS Check:



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 14:15:13
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_0d8c&Pid_000c&Mi_00\6&3494ec91&0&0\Device Parameters]
"HWRevision?U\x2039\xec\x81\xec\xcc?"="100"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_0d8c&Pid_000c&Mi_00\6&5e104b5&0&0\Device Parameters]
"HWRevision?U\x2039\xec\x81\xec\xcc?"="100"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\USB\Vid_0d8c&Pid_000c&Mi_00\6&3494ec91&0&0\Device Parameters]
"HWRevision?U\x2039\xec\x81\xec\xcc?"="100"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\USB\Vid_0d8c&Pid_000c&Mi_00\6&5e104b5&0&0\Device Parameters]
"HWRevision?U\x2039\xec\x81\xec\xcc?"="100"

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{12E82328-557B-9596-FFE4-22472376084F}]
"abecafcdlimiolcjjjihgjpbliainnddmb?"=hex:61,61,00,77
"bbecafcdlimiolcjjjdidkghbpcnfljfinkb?"=hex:61,61,00,77

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:



Remaining Files:


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sat 22 Apr 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 1 May 2006 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv12.bak"
Sat 22 Apr 2006 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv16.bak"
Wed 20 Jun 2007 23,552 ...H. --- "C:\Documents and Settings\Naomi\My Documents\~WRL2083.tmp"
Mon 22 Jul 2002 418,816 ...HR --- "C:\WINNT\system32\Tools\All.exe"
Fri 19 Jul 2002 390,144 ...HR --- "C:\WINNT\system32\Tools\Change.exe"
Fri 19 Jul 2002 574,464 ...HR --- "C:\WINNT\system32\Tools\CheckPath.exe"
Tue 20 Aug 2002 430,592 ...HR --- "C:\WINNT\system32\Tools\Counter.exe"
Tue 23 Jul 2002 390,656 ...HR --- "C:\WINNT\system32\Tools\DelFolders.exe"
Fri 22 Nov 2002 399,872 ...HR --- "C:\WINNT\system32\Tools\DirectSetup.exe"
Fri 19 Jul 2002 388,096 ...HR --- "C:\WINNT\system32\Tools\RegClean.exe"
Fri 19 Jul 2002 388,608 ...HR --- "C:\WINNT\system32\Tools\Regexe.exe"
Fri 19 Jul 2002 388,096 ...HR --- "C:\WINNT\system32\Tools\RunRegexe.exe"
Fri 8 Jun 2007 2 A.SH. --- "C:\Program Files\True Sword 4\backuped\1\netstat.com"
Fri 8 Jun 2007 2 A.SH. --- "C:\Program Files\True Sword 4\backuped\2\taskkill.com"
Sat 22 Apr 2006 4,348 ...H. --- "C:\Documents and Settings\Naomi\My Documents\My Music\License Backup\drmv1key.bak"
Fri 19 Oct 2007 782 A..H. --- "C:\Documents and Settings\Naomi\My Documents\My Music\License Backup\drmv1lic.bak"
Tue 27 Feb 2007 400 ...H. --- "C:\Documents and Settings\Naomi\My Documents\My Music\License Backup\drmv2key.bak"
Fri 19 Oct 2007 1,536 A..H. --- "C:\Documents and Settings\Naomi\My Documents\My Music\License Backup\drmv2lic.bak"

Finished!






Here is the Avira Antivirus report:



AntiVir PersonalEdition Classic
Report file date: Sunday, February 17, 2008 14:46

Scanning for 1110678 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows 2000
Windows version: (Service Pack 4) [5.0.2195]
Username: SYSTEM
Computer name: NAOMI

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 14:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 13:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 8/14/2007 16:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 13:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 15:27:15
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 12/14/2007 14:45:34
ANTIVIR2.VDF : 7.0.2.113 1673728 Bytes 2/8/2008 14:45:35
ANTIVIR3.VDF : 7.0.2.148 201216 Bytes 2/15/2008 14:45:35
AVEWIN32.DLL : 7.6.0.67 3293696 Bytes 2/17/2008 14:45:36
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 11:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 08:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 14:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 2/17/2008 14:45:37
AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 08:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 13:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 08:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 12:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 13:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 13:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 10:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Sunday, February 17, 2008 14:46

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '0' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '0' Module(s) have been scanned
Scan process 'epmworker.exe' - '1' Module(s) have been scanned
Scan process 'Generic.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '1' Module(s) have been scanned
Scan process 'SUPERAntiSpywar' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'UnlockerAssista' - '1' Module(s) have been scanned
Scan process 'qttask.exe' - '1' Module(s) have been scanned
Scan process 'apdproxy.exe' - '1' Module(s) have been scanned
Scan process 'Application Lau' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'VTTimer.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'mspmspsv.exe' - '1' Module(s) have been scanned
Scan process 'WinMgmt.exe' - '1' Module(s) have been scanned
Scan process 'stisvc.exe' - '1' Module(s) have been scanned
Scan process 'regsvc.exe' - '1' Module(s) have been scanned
Scan process 'hidserv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'Smc.exe' - '0' Module(s) have been scanned
Scan process 'LSASS.EXE' - '1' Module(s) have been scanned
Scan process 'SERVICES.EXE' - '1' Module(s) have been scanned
Scan process 'WINLOGON.EXE' - '1' Module(s) have been scanned
Scan process 'CSRSS.EXE' - '1' Module(s) have been scanned
Scan process 'SMSS.EXE' - '1' Module(s) have been scanned
30 processes with 30 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '14' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[INFO] The file was moved to '48324931.qua'!
C:\Documents and Settings\Naomi\Desktop\SmitfraudFix.exe
[DETECTION] Contains detection pattern of the dropper DR/Tool.Reboot.F.34
[INFO] The file was moved to '482149ec.qua'!
C:\Documents and Settings\Naomi\Desktop\WinPFind35u.exe
[0] Archive type: ZIP SFX (self extracting)
--> WinPFind35u/WinPFind35U.exe
[DETECTION] Is the Trojan horse TR/Delphi.Downloader.Gen
[INFO] The file was moved to '482649ef.qua'!
C:\Documents and Settings\Naomi\Desktop\WinPFind35u\WinPFind35U.exe
[DETECTION] Is the Trojan horse TR/Delphi.Downloader.Gen
[INFO] The file was moved to '482649f8.qua'!
C:\QooBox\Quarantine\catchme2008-02-17_130141.50.zip
[0] Archive type: ZIP
--> core.sys
[DETECTION] Contains detection pattern of the rootkit RKIT/Drop.Loader
[INFO] The file was moved to '482c4ed2.qua'!


End of the scan: Sunday, February 17, 2008 15:26
Used time: 39:56 min

The scan has been done completely.

3588 Scanning directories
217323 Files were scanned
4 viruses and/or unwanted programs were found
1 Files were classified as suspicious:
0 files were deleted
0 files were repaired
5 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
217319 Files not concerned
788 Archives were scanned
1 Warnings
0 Notes



And here is my new Hijackthis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:33:44, on 17/02/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\VTTimer.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.youtube.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [AntiSpyware] C:\Program Files\AntiSpyware\AntiSpyware.exe -boot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 5622 bytes

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:08 PM

Posted 17 February 2008 - 11:08 AM

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1
Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.
If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.
If you use Opera browser,do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Your Hijackthis log looks good,hows your pc running now please.
Posted Image
Posted Image

#9 squert9

squert9
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:08 AM

Posted 17 February 2008 - 11:20 AM

My computer's running fine, no pop-ups!
Thank you so much, i really appreciate it.

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:08 PM

Posted 17 February 2008 - 12:03 PM

Your log is clean :thumbsup: ,please do the following:

Click on Start/Run,copy and paste ComboFix /u into the 'Open:' space,then press Ok.
This will uninstall Combofix,delete its related folders and files,reset your clock settings,hide file extensions,and hide the system/hidden files.

Posted Image

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Click on the 'Cleanup' button Posted Image
When you do this a text file named cleanup.txt will be downloaded from the internet.
If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.
When the 'Confirm' box appears click 'Yes'.
Restart your pc when prompted.

You should take the time to read and follow the information found in the links below,to help you prevent any possible future infections and stay safe and secure while online:

Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

How to prevent Malware:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

So how did I get infected in the first place:
http://forums.spybot.info/showthread.php?t=279

Malware Cleanup Programs and Preventative Procedures:
http://russelltexas.com/malware/allclear.htm

Hardening Windows Security - Part 1:
http://www.malwarehelp.org/Malware-Prevent...-Security1.html

Hardening Windows Security - Part 2:
http://www.malwarehelp.org/malware-prevent...-security2.html
Posted Image
Posted Image

#11 squert9

squert9
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:08 AM

Posted 17 February 2008 - 01:09 PM

I have done everything you asked me to and everything works perfectly.
Thanks again!

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:08 PM

Posted 17 February 2008 - 02:03 PM

You're most welcome,glad to help out :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users