Avg Alert Infected With Trojan Horse Generic7.hmx

10 replies to this topic

#1 aboxhill

aboxhill

  • Members
  • 8 posts

Posted 20 April 2008 - 03:20 AM

Hi, I hope you can help me; I'm having problems removing a trojan.

When I run Firefox AVG anti-virus tells me I'm infected with 'Trojan horse Generic7.HMX'.

The infected file is C:\WINDOWS\system32\395C621C.DLL

I've moved it to the virus vault and emptied the vault. Everything is ok until I restart the computer and run Firefox, and the message reappears.

I've tried leaving the infected file and rebooting into safe mode, then scanning with AVG. It doesn't find the infection, even though I can locate the file in Explorer.

I've also run PC Tools Spyware Doctor and a-squared free and they don't find the infection, only AVG.

All help would be greatly appreciated as I'm completely at a loss! I don't want to format and reinstall if I can help it. Many thanks.

DSS main.txt

Deckard's System Scanner v20071014.68
Run by Lee on 2008-04-20 18:06:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-04-20 08:06:35 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2008-04-20 08:02:18 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Lee.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:07:01 PM, on 20/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Downloads\Software\dss.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Lee.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 8052 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 ANIO (ANIO Service) - c:\windows\system32\anio.sys <Not Verified; Alpha Networks Inc.; ANIO (NT5) Driver>

S1 InCDPass - c:\windows\system32\drivers\incdpass.sys (file missing)
S1 InCDRm (InCD Reader) - c:\windows\system32\drivers\incdrm.sys (file missing)
S3 SNP2STD (USB2.0 PC Camera (SNP2STD)) - c:\windows\system32\drivers\snp2sxp.sys <Not Verified; ; USB2.0 PC Camera driver>
S4 InCDFs (InCD File System) - c:\windows\system32\drivers\incdfs.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 85F5A5E4 - c:\windows\system32\d078a548.exe -k <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S2 ANIWZCSdService (ANIWZCSd Service) - c:\program files\ani\aniwzcs2 service\aniwzcsds.exe <Not Verified; Alpha Networks Inc.; ANIWZCS2 Service Launcher (NT)>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}
Description: NVIDIA Network Bus Enumerator
Device ID: PCI\VEN_10DE&DEV_0450&SUBSYS_82491043&REV_A1\3&267A616A&0&30
Manufacturer: NVIDIA
Name: NVIDIA Network Bus Enumerator
PNP Device ID: PCI\VEN_10DE&DEV_0450&SUBSYS_82491043&REV_A1\3&267A616A&0&30
Service: nvnetbus


-- Files created between 2008-03-20 and 2008-04-20 -----------------------------

2008-04-20 17:48:06 36864 --a------ C:\WINDOWS\system32\395C621C.DLL
2008-04-20 17:23:31 0 d-------- C:\Program Files\Trend Micro
2008-04-17 17:25:13 0 d-------- C:\Program Files\directx
2008-04-17 17:24:20 0 d-------- C:\Program Files\Focus Multimedia Limited
2008-04-15 17:27:53 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-04-15 16:49:44 0 d-------- C:\WINDOWS\pss
2008-04-15 16:17:10 0 d-------- C:\Documents and Settings\Lee\Application Data\Auslogics
2008-04-15 16:13:10 0 dr-h----- C:\Documents and Settings\Lee\Recent
2008-04-15 15:55:47 0 d-------- C:\Program Files\CCleaner
2008-04-15 15:55:27 0 d-------- C:\Program Files\Auslogics
2008-04-14 18:23:35 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-14 18:23:18 0 d-------- C:\Program Files\Spyware Doctor
2008-04-14 18:23:18 0 d-------- C:\Documents and Settings\Lee\Application Data\PC Tools
2008-04-14 18:20:14 0 d-------- C:\Program Files\Picasa2
2008-04-14 18:18:57 0 d-------- C:\WINDOWS\system32\runtime
2008-04-14 18:18:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-04-14 18:15:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-14 18:15:08 0 d-------- C:\Program Files\Google
2008-04-14 18:14:51 0 d-------- C:\Program Files\a-squared Free
2008-04-14 18:11:54 0 d-------- C:\Downloads
2008-04-14 18:10:09 0 d-------- C:\Documents and Settings\Lee\Application Data\Free Download Manager
2008-04-14 18:10:07 0 d-------- C:\Program Files\Free Download Manager
2008-04-14 18:10:07 0 d-------- C:\Documents and Settings\All Users\Application Data\FreeDownloadManager.ORG
2008-04-12 16:29:01 0 d-------- C:\WINDOWS\system32\Adobe
2008-04-11 17:07:19 94208 --a------ C:\WINDOWS\amcap.exe <Not Verified; Microsoft Corporation; DirectX 8.1 Sample>
2008-04-11 17:07:17 675840 --a------ C:\WINDOWS\vsnp2std.exe <Not Verified; Sonix; CameraMonitor Application>
2008-04-11 17:07:17 262144 --a------ C:\WINDOWS\tsnp2std.exe <Not Verified; ; tsnp2std>
2008-04-11 17:07:16 24832 --a------ C:\WINDOWS\system32\drivers\sncamd.sys <Not Verified; ; USB2.0 PC Camera driver>
2008-04-11 17:07:15 61440 --a------ C:\WINDOWS\vsnp2std.dll <Not Verified; Sonix; >
2008-04-11 17:07:15 10305280 --a------ C:\WINDOWS\system32\drivers\snp2sxp.sys <Not Verified; ; USB2.0 PC Camera driver>
2008-04-11 17:07:15 53248 --a------ C:\WINDOWS\system32\csnp2std.dll <Not Verified; ; InstallUtil>
2008-04-11 17:07:15 147456 --a------ C:\WINDOWS\rsnp2std.dll <Not Verified; ; ResourceDLL>
2008-04-11 17:07:14 0 d-------- C:\Program Files\Common Files\snp2std
2008-03-31 19:04:50 0 d-------- C:\Program Files\SCi
2008-03-29 12:53:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-29 10:44:14 0 d-------- C:\spoolerlogs
2008-03-29 10:44:13 0 dr-h----- C:\$VAULT$.AVG
2008-03-29 10:08:59 0 d-------- C:\Documents and Settings\Lee\Application Data\AVG7
2008-03-29 10:08:52 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-29 10:08:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-29 10:08:26 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-29 10:05:54 20710 ---h----- C:\auto.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-29 10:04:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-03-26 15:49:12 0 d-------- C:\Program Files\AVG
2008-03-26 14:56:24 0 d-------- C:\Program Files\DVD Decrypter
2008-03-26 14:55:59 0 d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-26 14:55:58 0 d-------- C:\Program Files\DVD Shrink
2008-03-26 14:52:43 0 d-------- C:\Program Files\Nero
2008-03-26 14:52:43 0 d-------- C:\Program Files\Common Files\Ahead
2008-03-26 14:47:02 0 d-------- C:\Documents and Settings\Lee\Application Data\WinRAR
2008-03-26 14:43:24 0 d-------- C:\MuMu
2008-03-24 07:57:59 0 d-------- C:\Program Files\The Bitmap Brothers


-- Find3M Report ---------------------------------------------------------------

2008-04-20 17:50:52 0 d-------- C:\Documents and Settings\Lee\Application Data\Skype
2008-04-20 13:07:32 0 d-------- C:\Documents and Settings\Lee\Application Data\skypePM
2008-04-18 20:46:10 0 d-------- C:\Documents and Settings\Lee\Application Data\dvdcss
2008-04-12 16:31:43 0 d-------- C:\Documents and Settings\Lee\Application Data\Adobe
2008-04-12 16:29:07 1414 --a------ C:\WINDOWS\mozver.dat
2008-04-11 17:07:14 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-11 17:07:14 0 d-------- C:\Program Files\Common Files
2008-03-16 20:55:52 0 d-------- C:\Program Files\Sierra On-Line
2008-03-09 09:34:05 0 d-------- C:\Program Files\LucasArts
2008-03-09 09:31:36 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >
2008-03-09 09:31:34 0 d-------- C:\Documents and Settings\Lee\Application Data\LucasArts
2008-03-08 10:49:44 0 d-------- C:\Documents and Settings\Lee\Application Data\HP
2008-03-08 10:49:35 0 d-------- C:\Documents and Settings\Lee\Application Data\Image Zone Express
2008-03-07 20:30:14 0 d-------- C:\Documents and Settings\Lee\Application Data\MSN6
2008-02-08 18:03:31 109885 --a------ C:\WINDOWS\hpoins08.dat
2008-02-02 21:47:07 62 --ahs---- C:\Documents and Settings\Lee\Application Data\desktop.ini
2008-02-02 13:52:02 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-02 10:56:01 0 -rahs---- C:\MSDOS.SYS
2008-02-02 10:56:01 0 -rahs---- C:\IO.SYS
2008-02-02 10:56:01 0 --a------ C:\CONFIG.SYS
2008-02-02 10:56:01 0 --a------ C:\AUTOEXEC.BAT
2008-02-02 10:53:59 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [16/05/2006 08:04 PM C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [09/03/2006 05:29 PM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [09/03/2006 05:29 PM]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [16/12/2004 04:49 PM]
"RTHDCPL"="RTHDCPL.EXE" [19/12/2006 01:12 PM C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [03/05/2005 08:43 PM C:\WINDOWS\Alcmtr.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [15/12/2005 10:18 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 09:16 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [25/09/2005 06:11 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [16/04/2008 08:38 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"tsnp2std"="C:\WINDOWS\tsnp2std.exe" [19/06/2006 01:37 PM]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [15/05/2006 03:52 PM]
"nwiz"="nwiz.exe" [09/03/2006 05:29 PM C:\WINDOWS\system32\nwiz.exe]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [01/02/2008 12:55 PM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [14/04/2008 06:15 PM]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [22/07/2005 09:42 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [01/02/2008 04:22 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 10:43 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [03/08/2004 11:56 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [14/04/2008 6:15:09 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [15/12/2005 10:40:44 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [22/03/1999 11:00:00 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8073 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-20 18:07:42 ------------


DSS extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Sempron™ Processor LE-1150
Percentage of Memory in Use: 24%
Physical Memory (total/avail): 2047.3 MiB / 1545.83 MiB
Pagefile Memory (total/avail): 3940.35 MiB / 3376.75 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1926.52 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 232.88 GiB total, 206.48 GiB free.
D: is CDROM (UDF)

\\.\PHYSICALDRIVE0 - ST3250620A - 232.88 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 232.88 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: AVG 7.5.524 v7.5.524 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\\Program Files\\LucasArts\\Star Wars Republic Commando\\GameData\\System\\SWRepublicCommando.exe"="C:\\Program Files\\LucasArts\\Star Wars Republic Commando\\GameData\\System\\SWRepublicCommando.exe:*:Enabled:Star Wars™: Republic Commando™"
"C:\\Program Files\\LucasArts\\Star Wars Battlefront\\GameData\\battlefront.exe"="C:\\Program Files\\LucasArts\\Star Wars Battlefront\\GameData\\battlefront.exe:*:Enabled:Star Wars™: Battlefront™"
"H:\\Soldier of Fortune II - Double Helix MP TEST\\SoF2MP-Test.exe"="H:\\Soldier of Fortune II - Double Helix MP TEST\\SoF2MP-Test.exe:*:Enabled:SoF2MP-Test"
"C:\\Documents and Settings\\Lee\\My Documents\\box hill high school folder\\it\\Soldier of Fortune II - Double Helix MP TEST\\SoF2MP-Test.exe"="C:\\Documents and Settings\\Lee\\My Documents\\box hill high school folder\\it\\Soldier of Fortune II - Double Helix MP TEST\\SoF2MP-Test.exe:*:Disabled:SoF2MP-Test"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Lee\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MARCEL
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Lee
LOGONSERVER=\\MARCEL
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\Program Files\Mozilla Firefox;C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 127 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=7f01
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Lee\LOCALS~1\Temp
TMP=C:\DOCUME~1\Lee\LOCALS~1\Temp
USERDOMAIN=MARCEL
USERNAME=Lee
USERPROFILE=C:\Documents and Settings\Lee
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Lee (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3D Ultra Lionel® TrainTown --> C:\WINDOWS\IsUninst.exe -fC:\Sierra\TrainTown\Uninst.isu
a-squared Free 3.5 --> "C:\Program Files\a-squared Free\unins000.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
AirPlus G --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{0EA44599-1E9D-4517-A088-9588A9FAB211} /l1033
ANIO Service --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}\Setup.exe"
ANIWZCS2 Service --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4C590030-7469-453E-8589-D15DA9D03F52}\Setup.exe"
AusLogics Disk Defrag --> "C:\Program Files\Auslogics\AusLogics Disk Defrag\unins000.exe"
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Create your own Model Railway --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Focus Multimedia Limited\Create your own Model Railway\Uninst.isu"
DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
Free Download Manager 2.5 --> "C:\Program Files\Free Download Manager\unins000.exe"
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Photos Screensaver --> MsiExec.exe /X{481E9852-DA0C-403B-ADA4-05D86C8BF9A9}
Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Imaging Device Functions 6.1 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Essential --> MsiExec.exe /X{D7CAE58E-26DE-49B7-A75D-EAEDF76726BE}
HP PSC & OfficeJet 6.1.A --> "C:\Program Files\HP\Digital Imaging\{E5A8DDAB-AE80-48C6-A75B-D0FAB83B299D}\setup\hpzscr01.exe" -datfile hposcr08.dat
HP Software Update --> MsiExec.exe /X{ECFDD6BD-E0C0-41CC-A171-E6D6AF4C0E93}
HP Solution Center and Imaging Support Tools 6.1 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
LucasArts' The Phantom Menace --> C:\WINDOWS\uninst.exe -f"C:\Program Files\LucasArts\The Phantom Menace\DeIsL1.isu"
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.14) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
Nero 7 Ultra Edition --> MsiExec.exe /I{4781569D-5404-1F26-4B2B-6DF444441031}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spyware Doctor 5.5 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
Star Wars Battlefront --> C:\Program Files\InstallShield Installation Information\{C79CB9C7-10A4-4814-8402-F574672C2192}\Setup.exe -runfromtemp -l0x0009 -removeonly
Star Wars Battlefront II --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3D374523-CFDE-461A-827E-2A102E2AB365}\Setup.exe" -l0x9 -removeonly
Star Wars Republic Commando --> C:\Program Files\InstallShield Installation Information\{DFAE9340-E8BB-4433-9A08-C8334DAFE1B9}\Setup.exe -runfromtemp -l0x0009 -removeonly
The Italian Job --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B58561BB-0425-458C-B9C4-44618814BA70}\setup.exe" -l0x9
USB20 WEB CAMERA --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{75438C0E-9925-412E-AD85-D0E71C6CE2ED}\Setup.exe" -l0x9
VideoLAN VLC media player 0.8.6d --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0) --> C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\DPInst.exe /d /u C:\WINDOWS\System32\DRVSTORE\amdk8_C074F64CC74B03BC354BB5DC973CCF768D5A7194\amdk8.inf
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WWII Frontline Command --> C:\PROGRA~1\THEBIT~1\WWIIFR~1\UNWISE.EXE C:\PROGRA~1\THEBIT~1\WWIIFR~1\INSTALL.LOG
Xvid 1.1.3 final uninstall --> "C:\Program Files\Xvid\unins000.exe"


-- Application Event Log -------------------------------------------------------

No Errors/Warnings found.


-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type7983 / Warning
Event Submitted/Written: 04/20/2008 05:44:24 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type7982 / Warning
Event Submitted/Written: 04/20/2008 05:43:14 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001B11227BF3. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type7811 / Error
Event Submitted/Written: 04/17/2008 05:25:17 PM
Event ID/Source: 32003 / ipnathlp
Event Description:
The Network Address Translator (NAT) was unable to request an operation
of the kernel-mode translation module.
This may indicate misconfiguration, insufficient resources, or
an internal error.
The data is the error code.

Event Record #/Type7810 / Error
Event Submitted/Written: 04/17/2008 05:25:17 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 10.1.1.3 for the Network Card with network address 001B11227BF3 has been
denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type7726 / Error
Event Submitted/Written: 04/15/2008 08:06:29 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}



-- End of Deckard's System Scanner: finished at 2008-04-20 18:07:42 ------------



#2 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 20 April 2008 - 07:20 AM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Open HijackThis, click 'Config' (bottom right) and choose the 'Misc Tools' tab on top.
Choose 'Delete a file on reboot'. In the field, copy and paste the file path given a few lines below.
Click open. Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now.
When asked if you want to reboot now, say Yes:
C:\WINDOWS\system32\395C621C.DLL

Allow the PC to reboot, if it doesn't do it automatically, please reboot manually.

Using Windows Explorer, please locate the following files/folders, and delete them if still present:

C:\WINDOWS\system32\d3d9caps.dat

I want you to clean your cache and cookies from your internet explorer.
There are a few infected files which need to be removed from your system.

° Close all instances of Internet Explorer.
° Go to your control panel and open "Internet Options".
° Click on the "General" tab.
° Click the "Delete Cookies" button, then the "Delete Files" button.
° If prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other Temporary files and Empty the Recycle Bin

° Go to start and click on the "run" button.
° Type the following in the box --> cleanmgr and click ok.
° Let it scan your system for files to remove.
° Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
° Press OK to remove them.

Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop but do not run it.

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Please open the Suspicious File Packer you downloaded earlier.
Paste the following bold part into the Suspicious File Packer window:

C:\windows\system32\d078a548.exe

Allow SFP to pack the file. This will generate a CAB archive on your desktop.

Reboot back to normal mode.

Go to this page.
Enter the url of this thread in the first field.
Where it says 'browse to the file that you want to submit', click the Browse button next to the second field and browse to the CAB archive that was created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.
Please let me know when you have submitted the files.

Please download Combofix to your desktop.
Double-click combofix.exe to launch the application.

Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

#3 aboxhill

  • Topic Starter
  • Members
  • 8 posts

Posted 21 April 2008 - 04:36 AM

Hi David, thank you for your help fixing this issue.

I've followed your instructions and submitted the cab file. The 395C621C.DLL file has returned to C:\WINDOWS\system32\

During Combofix Spyware Doctor kept saying it blocked an attempt of Trojan-PWS.Bancos to access c:\combofix\pv.cfexe

That particular file asked to be opened, so I set Notepad to run it (c:\combofix\pv.cfexe) and it opened multiple times. I kept on closing the opened file as Combofix was running.

Please find the Combofix log below, followed by the HijackThis log.

Thanks again for all your help!

John

ComboFix 08-04-20.2 - Lee 2008-04-21 18:57:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1422 [GMT 10:00]
Running from: C:\Downloads\Software\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\D078A548.EXE

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_85F5A5E4
-------\Service_85F5A5E4


((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
.

2008-04-21 18:53 . 2008-04-21 18:53 36,864 --a------ C:\WINDOWS\system32\395C621C.DLL
2008-04-20 18:02 . 2008-04-20 18:02 <DIR> d-------- C:\Deckard
2008-04-20 17:23 . 2008-04-20 17:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-17 19:06 . 2008-04-17 19:06 39,936 --a------ C:\Parent_Teacher_Interviews_.doc
2008-04-17 17:25 . 2008-04-17 17:25 <DIR> d-------- C:\Program Files\directx
2008-04-17 17:24 . 2008-04-17 17:24 <DIR> d-------- C:\Program Files\Focus Multimedia Limited
2008-04-15 16:17 . 2008-04-15 16:17 <DIR> d-------- C:\Documents and Settings\Lee\Application Data\Auslogics
2008-04-15 15:55 . 2008-04-15 15:55 <DIR> d-------- C:\Program Files\CCleaner
2008-04-15 15:55 . 2008-04-15 15:55 <DIR> d-------- C:\Program Files\Auslogics
2008-04-14 18:23 . 2008-04-21 18:06 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-04-14 18:23 . 2008-04-14 18:23 <DIR> d-------- C:\Documents and Settings\Lee\Application Data\PC Tools
2008-04-14 18:23 . 2008-04-21 19:13 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-14 18:23 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-04-14 18:23 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-04-14 18:23 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-04-14 18:23 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-04-14 18:20 . 2008-04-14 18:20 <DIR> d-------- C:\Program Files\Picasa2
2008-04-14 18:20 . 2006-10-05 12:42 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-04-14 18:20 . 2006-10-05 12:42 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-04-14 18:18 . 2008-04-14 18:18 <DIR> d-------- C:\WINDOWS\system32\runtime
2008-04-14 18:15 . 2008-04-14 18:18 <DIR> d-------- C:\Program Files\Google
2008-04-14 18:15 . 2008-04-21 17:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-14 18:14 . 2008-04-14 19:18 <DIR> d-------- C:\Program Files\a-squared Free
2008-04-14 18:11 . 2008-04-21 18:41 <DIR> d-------- C:\Downloads
2008-04-14 18:10 . 2008-04-14 18:10 <DIR> d-------- C:\Program Files\Free Download Manager
2008-04-14 18:10 . 2008-04-21 19:11 <DIR> d-------- C:\Documents and Settings\Lee\Application Data\Free Download Manager
2008-04-14 18:10 . 2008-04-14 18:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FreeDownloadManager.ORG
2008-04-12 16:29 . 2008-04-12 16:34 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-04-11 17:08 . 2004-08-04 00:56 90,624 --a------ C:\WINDOWS\system32\kswdmcap.ax
2008-04-11 17:07 . 2008-04-11 17:07 <DIR> d-------- C:\Program Files\Common Files\snp2std
2008-04-11 17:07 . 2006-06-07 10:34 10,305,280 --a------ C:\WINDOWS\system32\drivers\snp2sxp.sys
2008-04-11 17:07 . 2006-05-15 15:52 675,840 --a------ C:\WINDOWS\vsnp2std.exe
2008-04-11 17:07 . 2005-01-26 15:45 349,472 --a------ C:\WINDOWS\WindowsXP-KB822603-x86.exe
2008-04-11 17:07 . 2006-06-19 13:37 262,144 --a------ C:\WINDOWS\tsnp2std.exe
2008-04-11 17:07 . 2006-04-07 10:33 147,456 --a------ C:\WINDOWS\rsnp2std.dll
2008-04-11 17:07 . 2004-08-09 17:43 94,208 --a------ C:\WINDOWS\amcap.exe
2008-04-11 17:07 . 2006-05-04 11:14 61,440 --a------ C:\WINDOWS\vsnp2std.dll
2008-04-11 17:07 . 2005-11-23 13:55 53,248 --a------ C:\WINDOWS\system32\csnp2std.dll
2008-04-11 17:07 . 2006-04-27 20:43 24,832 --a------ C:\WINDOWS\system32\drivers\sncamd.sys
2008-04-11 17:07 . 2004-12-09 17:23 15,497 --a------ C:\WINDOWS\snp2std.ini
2008-04-11 17:07 . 2004-12-09 17:23 13,022 --a------ C:\WINDOWS\snp2std.src
2008-03-31 19:04 . 2008-03-31 19:04 <DIR> d-------- C:\Program Files\SCi
2008-03-29 12:53 . 2008-03-29 12:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-29 12:53 . 2008-03-29 12:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-29 10:44 . 2008-03-29 10:44 <DIR> d-------- C:\spoolerlogs
2008-03-29 10:44 . 2008-04-21 18:10 <DIR> dr-h----- C:\$VAULT$.AVG
2008-03-29 10:08 . 2008-03-29 10:08 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-29 10:08 . 2008-04-21 17:48 <DIR> d-------- C:\Documents and Settings\Lee\Application Data\AVG7
2008-03-29 10:08 . 2008-03-29 10:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-29 10:08 . 2008-03-29 10:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-29 10:05 . 2007-09-09 05:19 20,710 ---h----- C:\auto.exe
2008-03-29 10:04 . 2008-03-29 10:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-03-26 15:49 . 2008-03-26 15:49 <DIR> d-------- C:\Program Files\AVG
2008-03-26 14:58 . 2008-04-18 20:59 116 --a------ C:\WINDOWS\NeroDigital.ini
2008-03-26 14:56 . 2008-03-26 14:56 <DIR> d-------- C:\Program Files\DVD Decrypter
2008-03-26 14:55 . 2008-03-26 14:55 <DIR> d-------- C:\Program Files\DVD Shrink
2008-03-26 14:55 . 2008-03-26 14:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-26 14:53 . 2008-04-14 18:18 1,024 --ah----- C:\Documents and Settings\Default User\NtUser.dat.LOG
2008-03-26 14:52 . 2008-03-26 14:52 <DIR> d-------- C:\Program Files\Nero
2008-03-26 14:52 . 2008-03-26 14:52 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-03-26 14:43 . 2008-03-26 15:47 <DIR> d-------- C:\MuMu
2008-03-24 07:57 . 2008-03-24 07:57 <DIR> d-------- C:\Program Files\The Bitmap Brothers

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 09:13 --------- d-----w C:\Documents and Settings\Lee\Application Data\Skype
2008-04-21 07:48 --------- d-----w C:\Documents and Settings\Lee\Application Data\skypePM
2008-04-18 10:46 --------- d-----w C:\Documents and Settings\Lee\Application Data\dvdcss
2008-04-11 07:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-16 10:55 --------- d-----w C:\Program Files\Sierra On-Line
2008-03-15 08:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2008-03-08 23:34 --------- d-----w C:\Program Files\LucasArts
2008-03-08 23:31 --------- d-----w C:\Documents and Settings\Lee\Application Data\LucasArts
2008-03-08 00:49 --------- d-----w C:\Documents and Settings\Lee\Application Data\Image Zone Express
2008-03-08 00:49 --------- d-----w C:\Documents and Settings\Lee\Application Data\HP
2008-03-07 10:30 --------- d-----w C:\Documents and Settings\Lee\Application Data\MSN6
2008-03-07 10:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
2008-02-23 02:38 43,872 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-02-09 02:29 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 16:22 21898024]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 10:43 2097488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 20:04 2879488 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-09 17:29 7561216]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-03-09 17:29 86016]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 16:49 49152]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-19 13:12 16062464 C:\WINDOWS\RTHDCPL.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 10:18 49152]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 21:16 39792]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2005-09-25 18:11 155648]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-16 20:38 579584]
"tsnp2std"="C:\WINDOWS\tsnp2std.exe" [2006-06-19 13:37 262144]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [2006-05-15 15:52 675840]
"nwiz"="nwiz.exe" [2006-03-09 17:29 1519616 C:\WINDOWS\system32\nwiz.exe]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 12:55 1103240]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-14 18:15 29744]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-07-22 09:42 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 23:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-29 10:08 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-04-14 18:15:09 124400]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 10:40:44 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-03-22 11:00:00 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Republic Commando\\GameData\\System\\SWRepublicCommando.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Battlefront\\GameData\\battlefront.exe"=
"C:\\Documents and Settings\\Lee\\My Documents\\box hill high school folder\\it\\Soldier of Fortune II - Double Helix MP TEST\\SoF2MP-Test.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-14 18:15]
S3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2006-06-07 10:34]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-21 19:13:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-04-21 19:15:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-21 09:14:51

Pre-Run: 221,693,968,384 bytes free
Post-Run: 221,630,468,096 bytes free

186 --- E O F --- 2008-04-11 06:00:14


HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:35:25 PM, on 21/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 7958 bytes
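The ComboFix log above shows the security-relevant detail of this thread: 395C621C.DLL was re-created in system32 at 18:53, four minutes before the scan, because the dropper D078A548.EXE was still present. As an added example (not part of the thread and not ComboFix's own code), the following script parses the "Files Created" record format ComboFix prints and flags recent, hex-named PE files directly under system32 as triage leads; the helper names, the 24-hour window and the report timestamp (taken from the log's "Rootkit scan 2008-04-21 19:13:05" line) are assumptions, and a hit is a lead to investigate, not a verdict.

```python
"""Triage helper for the ComboFix 'Files Created' section (added example)."""
import re
from datetime import datetime, timedelta

# One ComboFix record looks like:
# 2008-04-21 18:53 . 2008-04-21 18:53 36,864 --a------ C:\WINDOWS\system32\395C621C.DLL
# i.e. created-time . modified-time size-or-<DIR> nine-character attributes path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?:(?P<size>[\d,]+)|<DIR>) "
    r"(?P<attrs>[-\w]{9}) "
    r"(?P<path>.+)$"
)

# Base name of exactly eight hex digits plus a PE/driver extension, e.g. 395C621C.DLL
HEX_NAME_RE = re.compile(r"^[0-9A-F]{8}\.(DLL|EXE|SYS)$", re.IGNORECASE)

# Constructed sample: record lines copied from the ComboFix log posted in this thread,
# plus the section header and filler lines the parser must skip.
SAMPLE_REPORT = r"""
((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
.

2008-04-21 18:53 . 2008-04-21 18:53 36,864 --a------ C:\WINDOWS\system32\395C621C.DLL
2008-04-20 18:02 . 2008-04-20 18:02 <DIR> d-------- C:\Deckard
2008-04-14 18:23 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-04-11 17:07 . 2005-11-23 13:55 53,248 --a------ C:\WINDOWS\system32\csnp2std.dll
2008-03-29 10:05 . 2007-09-09 05:19 20,710 ---h----- C:\auto.exe
"""

# Assumed report time, taken from the "Rootkit scan 2008-04-21 19:13:05" line of the log.
REPORT_TIME = datetime(2008, 4, 21, 19, 13)


def parse_files_created(text):
    """Return one dict per record line; headers, dots and blank lines are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        records.append({
            "created": datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            "size": int(m["size"].replace(",", "")) if m["size"] else None,
            "is_dir": m["size"] is None,
            "attrs": m["attrs"],
            "path": m["path"],
        })
    return records


def suspicious(records, report_time, window=timedelta(hours=24)):
    """Flag files created within `window` of the scan, sitting directly in
    \\WINDOWS\\system32 (not its subfolders) and carrying a random-looking
    eight-hex-digit name. Legitimate files can match too, so treat hits as
    leads for hash lookup / vendor check, never as proof of infection."""
    flagged = []
    for r in records:
        if r["is_dir"]:
            continue
        folder, _, name = r["path"].rpartition("\\")
        in_system32 = folder.lower().endswith("\\windows\\system32")
        recent = timedelta(0) <= report_time - r["created"] <= window
        if in_system32 and recent and HEX_NAME_RE.match(name):
            flagged.append(r["path"])
    return flagged


def triage(text=SAMPLE_REPORT, report_time=REPORT_TIME):
    """Parse a report and return the paths worth a closer look."""
    return suspicious(parse_files_created(text), report_time)


if __name__ == "__main__":
    for path in triage():
        print("review:", path)
```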

#4 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 21 April 2008 - 01:37 PM

Hello! :thumbsup:

Don't worry about getting warnings about Combofix being flagged as malware; that's normal.

I see you are running Teatimer.
I suggest you disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup
Then, Download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

Click start > run and type: notepad, then hit enter.
Copy and paste in the following text into the window.

Rootkit::
C:\WINDOWS\system32\395C621C.DLL

Click File > Save and call it "CFScript.txt" (without quotes).
Save it to your desktop.
[Image: CFScript.txt being dragged onto ComboFix.exe]
Referring to the picture above, drag CFScript.txt onto ComboFix.exe.
Combofix will run, and a text file will open. Please post it back here.

#5 aboxhill

  • Topic Starter
  • Members
  • 8 posts

Posted 24 April 2008 - 02:48 AM

Hi David

Many thanks! I've followed your instructions -- please find the log below:


ComboFix 08-04-20.2 - Lee 2008-04-24 17:37:14.1 - NTFSx86
Running from: C:\Documents and Settings\Lee\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lee\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\395C621C.DLL

.
((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.

2008-04-20 18:02 . 2008-04-20 18:02 <DIR> d-------- C:\Deckard
2008-04-20 17:23 . 2008-04-20 17:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-17 19:06 . 2008-04-17 19:06 39,936 --a------ C:\Parent_Teacher_Interviews_.doc
2008-04-17 17:25 . 2008-04-17 17:25 <DIR> d-------- C:\Program Files\directx
2008-04-17 17:24 . 2008-04-17 17:24 <DIR> d-------- C:\Program Files\Focus Multimedia Limited
2008-04-15 16:17 . 2008-04-15 16:17 <DIR> d-------- C:\Documents and Settings\Lee\Application Data\Auslogics
2008-04-15 15:55 . 2008-04-15 15:55 <DIR> d-------- C:\Program Files\CCleaner
2008-04-15 15:55 . 2008-04-15 15:55 <DIR> d-------- C:\Program Files\Auslogics
2008-04-14 18:23 . 2008-04-21 18:06 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-04-14 18:23 . 2008-04-14 18:23 <DIR> d-------- C:\Documents and Settings\Lee\Application Data\PC Tools
2008-04-14 18:23 . 2008-04-24 17:37 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-14 18:23 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-04-14 18:23 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-04-14 18:23 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-04-14 18:23 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-04-14 18:20 . 2008-04-14 18:20 <DIR> d-------- C:\Program Files\Picasa2
2008-04-14 18:20 . 2006-10-05 12:42 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-04-14 18:20 . 2006-10-05 12:42 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-04-14 18:18 . 2008-04-14 18:18 <DIR> d-------- C:\WINDOWS\system32\runtime
2008-04-14 18:15 . 2008-04-21 21:00 <DIR> d-------- C:\Program Files\Google
2008-04-14 18:15 . 2008-04-24 17:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-14 18:14 . 2008-04-14 19:18 <DIR> d-------- C:\Program Files\a-squared Free
2008-04-14 18:11 . 2008-04-24 17:33 <DIR> d-------- C:\Downloads
2008-04-14 18:10 . 2008-04-24 17:33 <DIR> d-------- C:\Program Files\Free Download Manager
2008-04-14 18:10 . 2008-04-24 17:39 <DIR> d-------- C:\Documents and Settings\Lee\Application Data\Free Download Manager
2008-04-14 18:10 . 2008-04-14 18:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FreeDownloadManager.ORG
2008-04-12 16:29 . 2008-04-12 16:34 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-04-11 17:08 . 2004-08-04 00:56 90,624 --a------ C:\WINDOWS\system32\kswdmcap.ax
2008-04-11 17:07 . 2008-04-11 17:07 <DIR> d-------- C:\Program Files\Common Files\snp2std
2008-04-11 17:07 . 2006-06-07 10:34 10,305,280 --a------ C:\WINDOWS\system32\drivers\snp2sxp.sys
2008-04-11 17:07 . 2006-05-15 15:52 675,840 --a------ C:\WINDOWS\vsnp2std.exe
2008-04-11 17:07 . 2005-01-26 15:45 349,472 --a------ C:\WINDOWS\WindowsXP-KB822603-x86.exe
2008-04-11 17:07 . 2006-06-19 13:37 262,144 --a------ C:\WINDOWS\tsnp2std.exe
2008-04-11 17:07 . 2006-04-07 10:33 147,456 --a------ C:\WINDOWS\rsnp2std.dll
2008-04-11 17:07 . 2004-08-09 17:43 94,208 --a------ C:\WINDOWS\amcap.exe
2008-04-11 17:07 . 2006-05-04 11:14 61,440 --a------ C:\WINDOWS\vsnp2std.dll
2008-04-11 17:07 . 2005-11-23 13:55 53,248 --a------ C:\WINDOWS\system32\csnp2std.dll
2008-04-11 17:07 . 2006-04-27 20:43 24,832 --a------ C:\WINDOWS\system32\drivers\sncamd.sys
2008-04-11 17:07 . 2004-12-09 17:23 15,497 --a------ C:\WINDOWS\snp2std.ini
2008-04-11 17:07 . 2004-12-09 17:23 13,022 --a------ C:\WINDOWS\snp2std.src
2008-03-31 19:04 . 2008-03-31 19:04 <DIR> d-------- C:\Program Files\SCi
2008-03-29 12:53 . 2008-03-29 12:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-29 12:53 . 2008-03-29 12:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-29 10:44 . 2008-03-29 10:44 <DIR> d-------- C:\spoolerlogs
2008-03-29 10:44 . 2008-04-22 22:02 <DIR> dr-h----- C:\$VAULT$.AVG
2008-03-29 10:08 . 2008-03-29 10:08 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-29 10:08 . 2008-04-24 17:25 <DIR> d-------- C:\Documents and Settings\Lee\Application Data\AVG7
2008-03-29 10:08 . 2008-03-29 10:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-29 10:08 . 2008-03-29 10:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-29 10:05 . 2007-09-09 05:19 20,710 ---h----- C:\auto.exe
2008-03-29 10:04 . 2008-03-29 10:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-03-26 15:49 . 2008-03-26 15:49 <DIR> d-------- C:\Program Files\AVG
2008-03-26 14:58 . 2008-04-22 22:39 116 --a------ C:\WINDOWS\NeroDigital.ini
2008-03-26 14:56 . 2008-03-26 14:56 <DIR> d-------- C:\Program Files\DVD Decrypter
2008-03-26 14:55 . 2008-03-26 14:55 <DIR> d-------- C:\Program Files\DVD Shrink
2008-03-26 14:55 . 2008-03-26 14:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-26 14:53 . 2008-04-14 18:18 1,024 --ah----- C:\Documents and Settings\Default User\NtUser.dat.LOG
2008-03-26 14:52 . 2008-03-26 14:52 <DIR> d-------- C:\Program Files\Nero
2008-03-26 14:52 . 2008-03-26 14:52 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-03-26 14:43 . 2008-03-26 15:47 <DIR> d-------- C:\MuMu
2008-03-24 07:57 . 2008-03-24 07:57 <DIR> d-------- C:\Program Files\The Bitmap Brothers

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-24 07:42 --------- d-----w C:\Documents and Settings\Lee\Application Data\Skype
2008-04-24 07:26 --------- d-----w C:\Documents and Settings\Lee\Application Data\skypePM
2008-04-18 10:46 --------- d-----w C:\Documents and Settings\Lee\Application Data\dvdcss
2008-04-11 07:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-16 10:55 --------- d-----w C:\Program Files\Sierra On-Line
2008-03-15 08:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2008-03-08 23:34 --------- d-----w C:\Program Files\LucasArts
2008-03-08 23:31 --------- d-----w C:\Documents and Settings\Lee\Application Data\LucasArts
2008-03-08 00:49 --------- d-----w C:\Documents and Settings\Lee\Application Data\Image Zone Express
2008-03-08 00:49 --------- d-----w C:\Documents and Settings\Lee\Application Data\HP
2008-03-07 10:30 --------- d-----w C:\Documents and Settings\Lee\Application Data\MSN6
2008-03-07 10:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
2008-02-09 02:29 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 16:22 21898024]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 20:04 2879488 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-09 17:29 7561216]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-03-09 17:29 86016]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 16:49 49152]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-19 13:12 16062464 C:\WINDOWS\RTHDCPL.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 10:18 49152]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 21:16 39792]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2005-09-25 18:11 155648]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-16 20:38 579584]
"tsnp2std"="C:\WINDOWS\tsnp2std.exe" [2006-06-19 13:37 262144]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [2006-05-15 15:52 675840]
"nwiz"="nwiz.exe" [2006-03-09 17:29 1519616 C:\WINDOWS\system32\nwiz.exe]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-14 18:15 29744]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-07-22 09:42 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 23:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-29 10:08 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-04-14 18:15:09 124400]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 10:40:44 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-03-22 11:00:00 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Republic Commando\\GameData\\System\\SWRepublicCommando.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Battlefront\\GameData\\battlefront.exe"=
"C:\\Documents and Settings\\Lee\\My Documents\\box hill high school folder\\it\\Soldier of Fortune II - Double Helix MP TEST\\SoF2MP-Test.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Battlefront II\\GameData\\BattlefrontII.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-14 18:15]
S3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2006-06-07 10:34]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 17:42:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2008-04-24 17:43:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-24 07:43:44
ComboFix2.txt 2008-04-21 09:15:01

Pre-Run: 221,464,150,016 bytes free
Post-Run: 221,463,638,016 bytes free

179 --- E O F --- 2008-04-11 06:00:14

#6 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:05:44 AM

Posted 25 April 2008 - 05:07 AM

Good work! :thumbsup:
Let's scan for any leftover infected files now.

Please perform this online scan: Kaspersky Webscan
Note that this scanner will only work on Internet Explorer, so please use this browser for the scan.
Read the Requirements and Privacy statement, then select "Accept"
A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
Select "Install" to download the ActiveX controls that allow ActiveScan to run.

When the download is complete it will say ready, click "Next"
Select a target to scan: Click on "My Computer"
When the scan is complete choose to save the results as "Save as Text"
Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.

#7 aboxhill

  • Topic Starter

  • Members
  • 8 posts
  • Local time:02:44 PM

Posted 27 April 2008 - 03:44 AM

Hi David

Unfortunately I'm still infected as before! Looking at the Kaspersky report, it's in system restore points. Appreciate your ongoing help and support!

==============
KASPERSKY ONLINE SCANNER REPORT
Sunday, April 27, 2008 6:20:58 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/04/2008
Kaspersky Anti-Virus database records: 727193
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 33790
Number of viruses found 1
Number of infected objects 3
Number of suspicious objects 0
Duration of the scan process 00:26:48

Infected Object Name Virus Name Last Action
C:\auto.exe Infected: Worm.Win32.AutoRun.zt skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Lee\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Lee\Local Settings\Application Data\Google\Google Desktop\fb433dd1a37a\dbc2e.ht1 Object is locked skipped
C:\Documents and Settings\Lee\Local Settings\Application Data\Google\Google Desktop\fb433dd1a37a\dbdam Object is locked skipped
C:\Documents and Settings\Lee\Local Settings\Application Data\Google\Google Desktop\fb433dd1a37a\dbdao Object is locked skipped
C:\Documents and Settings\Lee\Local Settings\Application Data\Google\Google Desktop\fb433dd1a37a\dbeam Object is locked skipped
C:\Documents and Settings\Lee\Local Settings\Application Data\Google\Google Desktop\fb433dd1a37a\dbeao Object is locked skipped
C:\Documents and Settings\Lee\Local Settings\Application Data\Google\Google Desktop\fb433dd1a37a\dbm Object is locked skipped
C:\Documents and Settings\Lee\Local Settings\Application Data\Google\Google Desktop\fb433dd1a37a\dbu2d.ht1 Object is locked skipped
C:\Documents and Settings\Lee\Local Settings\Application Data\Google\Google Desktop\fb433dd1a37a\dbvm.cf1 Object is locked skipped
C:\Documents and Settings\Lee\Local Settings\Application Data\Google\Google Desktop\fb433dd1a37a\dbvmh.ht1 Object is locked skipped
C:\Documents and Settings\Lee\Local Settings\Application Data\Google\Google Desktop\fb433dd1a37a\fii.cf1 Object is locked skipped
C:\Documents and Settings\Lee\Local Settings\Application Data\Google\Google Desktop\fb433dd1a37a\fiih.ht1 Object is locked skipped
C:\Documents and Settings\Lee\Local Settings\Application Data\Google\Google Desktop\fb433dd1a37a\hp Object is locked skipped
C:\Documents and Settings\Lee\Local Settings\Application Data\Google\Google Desktop\fb433dd1a37a\hpt2i.ht1 Object is locked skipped
C:\Documents and Settings\Lee\Local Settings\Application Data\Google\Google Desktop\fb433dd1a37a\rpm.cf1 Object is locked skipped
C:\Documents and Settings\Lee\Local Settings\Application Data\Google\Google Desktop\fb433dd1a37a\rpm1m.cf1 Object is locked skipped
C:\Documents and Settings\Lee\Local Settings\Application Data\Google\Google Desktop\fb433dd1a37a\rpm1mh.ht1 Object is locked skipped
C:\Documents and Settings\Lee\Local Settings\Application Data\Google\Google Desktop\fb433dd1a37a\rpmh.ht1 Object is locked skipped
C:\Documents and Settings\Lee\Local Settings\Application Data\Google\Google Desktop\fb433dd1a37a\safeweb\goog-black-enchashm.cf1 Object is locked skipped
C:\Documents and Settings\Lee\Local Settings\Application Data\Google\Google Desktop\fb433dd1a37a\safeweb\goog-black-enchashmh.ht1 Object is locked skipped
C:\Documents and Settings\Lee\Local Settings\Application Data\Google\Google Desktop\fb433dd1a37a\safeweb\goog-black-urlm.cf1 Object is locked skipped
C:\Documents and Settings\Lee\Local Settings\Application Data\Google\Google Desktop\fb433dd1a37a\safeweb\goog-black-urlmh.ht1 Object is locked skipped
C:\Documents and Settings\Lee\Local Settings\Application Data\Google\Google Desktop\fb433dd1a37a\safeweb\goog-malware-domainm.cf1 Object is locked skipped
C:\Documents and Settings\Lee\Local Settings\Application Data\Google\Google Desktop\fb433dd1a37a\safeweb\goog-malware-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\Lee\Local Settings\Application Data\Google\Google Desktop\fb433dd1a37a\safeweb\goog-white-domainm.cf1 Object is locked skipped
C:\Documents and Settings\Lee\Local Settings\Application Data\Google\Google Desktop\fb433dd1a37a\safeweb\goog-white-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\Lee\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Lee\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Lee\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Lee\Local Settings\History\History.IE5\MSHist012008042720080428\index.dat Object is locked skipped
C:\Documents and Settings\Lee\Local Settings\Temp\Free Download Manager\tic19.tmp Object is locked skipped
C:\Documents and Settings\Lee\Local Settings\Temp\Free Download Manager\tic1B.tmp Object is locked skipped
C:\Documents and Settings\Lee\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Lee\Local Settings\Temp\~DF13E.tmp Object is locked skipped
C:\Documents and Settings\Lee\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Lee\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Lee\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Lee\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\D078A548.EXE.vir Infected: Worm.Win32.AutoRun.zt skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{5A7309AE-7478-43C7-81AC-FB0D1BF73AA9}\RP2\A0000012.DLL Object is locked skipped
C:\System Volume Information\_restore{5A7309AE-7478-43C7-81AC-FB0D1BF73AA9}\RP2\A0000059.DLL Object is locked skipped
C:\System Volume Information\_restore{5A7309AE-7478-43C7-81AC-FB0D1BF73AA9}\RP3\A0000084.EXE Infected: Worm.Win32.AutoRun.zt skipped
C:\System Volume Information\_restore{5A7309AE-7478-43C7-81AC-FB0D1BF73AA9}\RP4\A0000166.DLL Object is locked skipped
C:\System Volume Information\_restore{5A7309AE-7478-43C7-81AC-FB0D1BF73AA9}\RP7\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
==============


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:21:38 PM, on 27/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Grisoft\AVG7\avgwb.dat
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 7154 bytes

#8 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:05:44 AM

Posted 28 April 2008 - 04:45 PM

Nothing too serious here at all... :thumbsup:

Open HijackThis, click 'Config' (bottom right), then choose the 'Misc Tools' tab on top.
Choose 'delete a file on reboot'. In the field, copy and paste the filepath a few lines below.
Click open. Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now.
When asked if you want to reboot now, say Yes:
C:\auto.exe

Allow the PC to reboot, if it doesn't do it automatically, please reboot manually.

Please find and delete this folder:
C:\QooBox

We need to purge your infected system restore points.
On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Check Turn off System Restore, click Apply, and then click OK.
More information on how to disable your system restore can be found here.

We want to create a new, clean restore point. Please first reboot your computer.
On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Uncheck "Turn off System Restore", click Apply, and then click OK.

Click Start > All Programs > Accessories > System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point - Something like "After trojan/spyware cleanup".
Click Create, and after it has created the restore point, click "Close".
Further instructions on creating a restore point can be found here.

Please reboot a final time and let me know how the PC is running.
I see a clean Hijackthis log now!
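
The Kaspersky report in #7 and the clean-up steps above, as an added example that is not part of this thread or of any tool mentioned in it: a Python triage of a Kaspersky Online Scanner report in the format posted above. It buckets each detection by where it sits (live file, ComboFix quarantine, System Restore point), which is what decides the clean-up step, and maps the buckets to the steps David gives. The sample report is constructed from the entries posted in #7; the bucket names and step wording are my own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the layout of the Kaspersky Online Scanner report
# posted in #7; paths and the detection name are taken from that report.
SAMPLE_REPORT = r"""KASPERSKY ONLINE SCANNER REPORT
Scan Statistics
Total number of scanned objects 33790
Number of viruses found 1
Number of infected objects 3
Number of suspicious objects 0

Infected Object Name Virus Name Last Action
C:\auto.exe Infected: Worm.Win32.AutoRun.zt skipped
C:\Documents and Settings\Lee\Cookies\index.dat Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\D078A548.EXE.vir Infected: Worm.Win32.AutoRun.zt skipped
C:\System Volume Information\_restore{5A7309AE-7478-43C7-81AC-FB0D1BF73AA9}\RP3\A0000084.EXE Infected: Worm.Win32.AutoRun.zt skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
Scan process completed.
"""

# A result line is "<path> Infected: <name> <action>" or "<path> Object is locked <action>".
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?:Infected:\s+(?P<virus>\S+)|(?P<locked>Object is locked))\s+"
    r"(?P<action>\S+)\s*$"
)
# Counters from the "Scan Statistics" block, e.g. "Number of infected objects 3".
STAT_RE = re.compile(r"^(?P<key>(?:Total n|N)umber of .+?)\s+(?P<val>\d+)$")


@dataclass
class Finding:
    path: str
    virus: str
    action: str

    @property
    def location(self) -> str:
        """Where the object sits decides the clean-up step, as in the thread."""
        low = self.path.lower()
        if "\\quarantine\\" in low and low.endswith(".vir"):
            return "quarantine"      # already disarmed by ComboFix; delete the folder
        if "\\system volume information\\_restore" in low:
            return "restore_point"   # only purged by turning System Restore off
        return "live"                # still on disk and loadable: remove it

    @property
    def restore_point(self) -> str:
        m = re.search(r"\\(RP\d+)\\", self.path)
        return m.group(1) if m else ""


def triage(report: str) -> dict:
    """Parse a report and bucket every detection by location."""
    result = {"live": [], "quarantine": [], "restore_point": [], "locked": 0, "stats": {}}
    for line in report.splitlines():
        stat = STAT_RE.match(line)
        if stat:
            result["stats"][stat["key"]] = int(stat["val"])
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["locked"]:
            result["locked"] += 1    # in-use files the scanner could not open, not detections
            continue
        finding = Finding(m["path"], m["virus"], m["action"])
        result[finding.location].append(finding)
    # Sanity check: what we parsed must equal the scanner's own infected count.
    parsed = sum(len(result[k]) for k in ("live", "quarantine", "restore_point"))
    expected = result["stats"].get("Number of infected objects")
    result["count_matches"] = expected is None or expected == parsed
    return result


def plan(result: dict) -> List[str]:
    """Turn the buckets into the clean-up steps the thread arrives at."""
    steps = []
    for f in result["live"]:
        steps.append(f"delete {f.path} (schedule it for the next reboot if it is in use)")
    roots = sorted({f.path[: f.path.lower().index("\\quarantine\\")]
                    for f in result["quarantine"]})
    for root in roots:
        steps.append(f"remove the quarantine folder {root}; its .vir files are already disarmed")
    rps = sorted({f.restore_point for f in result["restore_point"]})
    if rps:
        steps.append("turn System Restore off and back on to purge restore points "
                     + ", ".join(rps) + ", then create a fresh clean restore point")
    return steps


if __name__ == "__main__":
    for step in plan(triage(SAMPLE_REPORT)):
        print("-", step)
```

The "Object is locked" entries are counted but not treated as detections: they are files the scanner could not open (registry hives, index.dat, logs), not infected objects.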

#9 aboxhill

  • Topic Starter

  • Members
  • 8 posts
  • Local time:02:44 PM

Posted 29 April 2008 - 01:15 AM

Fantastic!! Thank you David for all your help!

Kaspersky seems to pick up more things than AVG, do you recommend that over AVG? Overall, can you recommend a better security setup than my current one? I'm going to install a Sunbelt-Kerio Personal Firewall as I understand this is better than the Windows Firewall.

Thanks again and here's the (hopefully clean) log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:13:28 PM, on 29/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 7287 bytes
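
Triaging a HijackThis log like the one above is mostly a matter of reading the O4 run keys, the O20 AppInit_DLLs line and the O23 services and deciding which entries deserve a closer look. The following Python script is an added example, not part of this thread or of HijackThis itself: it parses lines in the format shown above and applies a few review heuristics of my own (bare file names that are resolved through the search path, executables sitting directly in the Windows directory, any AppInit_DLLs entry, services whose file is missing or whose publisher is unknown). A hit means "verify this", not "this is malware": the first six sample lines are copied from the log above (which the helper judged clean), and the last O23 line is constructed so that the service heuristic fires.

```python
import re
from dataclasses import dataclass

# Six lines copied from the HijackThis log above plus one constructed
# O23 entry (Example Service / exsvc does not exist on the poster's machine).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: Example Service (exsvc) - Unknown owner - C:\WINDOWS\system32\example.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
WIN_ROOT_RE = re.compile(r"^[A-Z]:\\WINDOWS$")


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O4"
    item: str      # run-key name, DLL path or service description
    reason: str    # why an analyst should look at it


def split_first(cmd: str):
    """Split a command line into its first token (quotes honoured) and the rest."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end < 0:
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(" ", 1)
    return parts[0], (parts[1].strip() if len(parts) > 1 else "")


def launched_file(cmd: str) -> str:
    """File a Run entry really executes; for rundll32 that is the DLL argument."""
    exe, rest = split_first(cmd)
    if exe.rsplit("\\", 1)[-1].lower() == "rundll32.exe" and rest:
        dll, _ = split_first(rest)
        return dll.split(",", 1)[0]
    return exe


def path_reasons(path: str) -> list:
    """Review heuristics for a launched file path (assumptions, not verdicts)."""
    if "\\" not in path:
        return ["unqualified file name; it is resolved through the search path, "
                "so confirm which copy actually runs"]
    parent = path.rsplit("\\", 1)[0].upper()
    if WIN_ROOT_RE.match(parent):
        return ["lives directly in the Windows directory rather than system32 or "
                "Program Files; confirm the publisher"]
    return []


def triage(log_text: str) -> list:
    """Return the entries of a HijackThis log that deserve a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # process list, headers and blank lines are skipped
        section, body = m.group("section"), m.group("body")
        if section == "O4":
            r = RUN_RE.match(body)
            if not r:
                continue  # Global Startup shortcuts are not handled here
            for reason in path_reasons(launched_file(r.group("cmd"))):
                findings.append(Finding(section, r.group("name"), reason))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            dll = body.split(":", 1)[1].strip()
            findings.append(Finding(section, dll, "AppInit_DLLs entries are loaded into "
                                    "every process that loads user32.dll; confirm the owner"))
        elif section == "O23":
            reasons = []
            if "(file missing)" in body:
                reasons.append("service points at a file that is missing")
            if "Unknown owner" in body:
                reasons.append("no publisher recorded for the service binary")
            if reasons:
                findings.append(Finding(section, body.split(" - ", 1)[0], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.item}: {f.reason}")
```

Paste a full log into `SAMPLE_LOG` (or read it from a file) and the script lists only the review candidates; on the sample above it reports the bare `SkyTel.EXE`, the webcam helper in `C:\WINDOWS`, the Google AppInit DLL and the constructed missing-file service, while the rundll32 line is left alone because the DLL it loads is fully qualified under system32.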

#10 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:05:44 AM

Posted 29 April 2008 - 02:39 PM

Glad I could help! :thumbsup:
The latest log is looking clean!
Follow this list and your potential for being infected again will be reduced dramatically.
I would still thoroughly recommend AVG; it's one of the best AV packages out there!

Use an Anti Virus Software -
* It is very important that your computer has an anti-virus software running on your machine.
* This alone can save you a lot of trouble with malware in the future. This link has listings of stand-alone anti virus programs:
* Click here for more information on -> Computer Safety On line - Anti-Virus
* I would recommend Grisoft's AVG or AVAST.
* These are the more secure and better ones.

Update your Anti Virus Software - It is imperative that you update your anti-virus software at least once a week (even more often if you wish). If you do not update your anti-virus software, then it will not be able to catch any of the new variants that may come out.

Use a Firewall -
* I can not stress how important it is that you use a Firewall on your computer.
* Without a firewall your computer is susceptible to being hacked and taken over.
* Simply using a Firewall in its default configuration can lower your risk greatly.
* For an article on Firewalls and a listing of some available ones see the link below:
* Click here for more information on -> Computer Safety On line - Software Firewalls
* I would recommend ZoneAlarm as a firewall as it's easy to use.

Visit Microsoft's Windows Update Site Frequently -
* It is important that you visit http://www.windowsupdate.com regularly.
* This will ensure your computer always has the latest available security updates installed.
* If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Next, if they're not already present, I would recommend downloading and installing some or all of the following programs (all free), and updating them regularly

Install Spybot© - Search and Destroy- Install and download Spybot - Search and Destroy with its TeaTimer option.
* This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.
* You should also scan your computer with the program on a regular basis, just as you would with anti-virus software.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Lavasofts© Ad-Aware - Install and download Ad-Aware.
* You should also scan your computer with the program on a regular basis, just as you would with anti-virus software, in conjunction with Spybot.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Javacools© SpywareBlaster -
* SpywareBlaster will add a large list of programs and sites to your Internet Explorer and Firefox settings that will protect you from running and downloading known malicious programs.
* An article on anti-malware products with links for this program and others can be found here:
* Click here for more info -->Computer Safety on line - Anti-Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.

If you have any additional questions, just ask...
David

#11 aboxhill

aboxhill
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:44 PM

Posted 14 May 2008 - 08:34 AM

Thanks again for your help, I've just left something as a token of my appreciation. (johncrumpton) Many thanks again!