I Have Trojan Problem...


7 replies to this topic

#1 onyhow

onyhow

  • Members
  • 4 posts
  • OFFLINE
  • Local time:03:13 AM

Posted 03 May 2007 - 08:27 AM

There is a problem regarding a cp****.nls file that keeps popping up in c:\...

I tried to remove it several times, but it keeps coming back... with a different name... (the **** is a 4-digit number...)

Here's my log...

Logfile of HijackThis v1.99.1
Scan saved at 20:14:40, on 3/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\billion\Adsl\dslagent.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\Program Files\BitComet\BitComet.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\FlashGet\flashget.exe
C:\WINDOWS\explorer.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: ATLAS Translation Bar - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - C:\Program Files\ATLAS V12\ATLIECP.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: ATLAS Translation Bar - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - C:\Program Files\ATLAS V12\ATLIECP.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\billion\Adsl\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\billion\Adsl\dslagent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DaemonTools_WhenUSaveNow_Installer] C:\Program Files\DaemonTools_WhenUSaveNow_Installer\DaemonTools_WhenUSaveNow_Installer.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &Translate with ATLAS - C:\Program Files\ATLAS V12\Atlscript.html
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ATLAS Translation - {B7707A72-4355-11D4-82BD-00000EBBEF8D} - C:\Program Files\ATLAS V12\Atlscript.html
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.5.107.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6DF4A335-0DCE-4781-AAE6-D9A1EDC08C22}: NameServer = 203.146.237.237 203.146.237.222
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


#2 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:USA
  • Local time:03:13 PM

Posted 03 May 2007 - 03:08 PM

Please download SuperAntiSpyware Home Edition Free Version
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE
Install the program

Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.

Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

You need to copy the information in the SuperAntiSpyware log and post in your reply.

~~~~
Next, download SDFix and save it to the Desktop.

Right-click the SDFix.zip folder
Select: Extract All to extract it to its own folder on the Desktop.

~~~~
Now, reboot to Safe Mode:
-Restart your computer.
-When the machine first starts again, tap the F8 key before Windows starts
-You are presented with a Windows XP Advanced Options menu.
-Select the option for Safe Mode using the arrow keys.
-Press Enter to boot into Safe Mode.

~~~~
In Safe Mode, open the SDFix folder on the Desktop, and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
The process removes any Trojan Services or Registry Entries found, and then prompts you to press any key to Reboot.

Press any key to restart the PC.

When the PC restarts, SDFix will run again and complete the removal process.
It then displays Finished.
Press any key to end the script and load the Desktop icons.

Once the Desktop icons load, the SDFix report opens on screen and saves itself in the SDFix folder as Report.txt.

~~~~
Next, download ComboFix (by sUBs) from one of the following links:

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Save it to the Desktop.
Double-click combofix.exe and follow the prompts.

CAUTION: Do not mouse-click ComboFix's window while it is running.
It may cause it to stall.

When finished, it produces a log.

~~~~
Please provide the following in your reply:
The SuperAntiSpyware log
The SDFix Report.txt
The ComboFix report

Old duck...


#3 onyhow

onyhow
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:03:13 AM

Posted 04 May 2007 - 07:41 AM

Here it is...

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/04/2007 at 05:49 PM

Application Version : 3.7.1018

Core Rules Database Version : 3231
Trace Rules Database Version: 1242

Scan type : Complete Scan
Total Scan Time : 01:07:06

Memory items scanned : 422
Memory threats detected : 1
Registry items scanned : 5574
Registry threats detected : 0
File items scanned : 25588
File threats detected : 52

Trojan.Spam-RUCrzy
C:\CP1467.NLS
C:\CP1467.NLS

Adware.Tracking Cookie
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@www.googleadservices[1].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@www.mediafire[1].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@questionmarket[1].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@soundtrack[2].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@ads.us.e-planning[1].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@3.adbrite[1].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@alivemedia[1].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@media.up-max[2].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@adecn[2].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@counter.xrea[1].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@creative.adsrevenue[1].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@ads.marketingsector[2].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@adbrite[2].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@ads.adbrite[2].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@www3.addfreestats[1].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@ads.komli[2].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@list[1].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@www.gamestats[1].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@ad1.clickhype[2].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@ads.mininova[1].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@ads.addesktop[1].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@azjmp[1].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@ads.revsci[1].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@imrworldwide[2].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@www.googleadservices[2].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@stats.channel4[1].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@ads.realtechnetwork[1].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@rotator.its.adjuggler[2].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@www.burstnet[2].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@www.free-sex-sexy-gallery[1].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@toplist[2].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@atwola[1].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@adinterax[2].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@clicktorrent[2].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@yadro[1].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@mediafire[1].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@msnportal.112.2o7[1].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@cpvfeed[2].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@008.free-counters.co[1].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@tribalfusion[2].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@www.yourtracking[1].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@data2.perf.overture[1].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@ad.reduxmedia[2].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@banners.iop[1].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@gamestats[2].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@anad.tacoda[1].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@server.cpmstar[2].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@linkto.mediafire[1].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@4.adbrite[3].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@tracker.bitebbs[1].txt
C:\Documents and Settings\The Blademaster\Cookies\the_blademaster@precisionclick[2].txt


SDFix: Version 1.81

Run by The Blademaster - Fri 05/04/2007 - 18:06:04.82

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\THEBLA~1\Desktop\SDFix

Safe Mode:
Checking Services:

Name:
kprof
ntldr.sys
poof

ImagePath:
\??\C:\WINDOWS\system32\kprof
\??\C:\ntldr.sys
\??\C:\WINDOWS\system32\poof

kprof - Deleted
ntldr.sys - Deleted
poof - Deleted


ndis.sys Infected!

Patched File copied to Backups Folder
Attempting to replace ndis.sys with original version...

Original ndis.sys Restored


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\CP1041.NLS - Deleted
C:\WINDOWS\odbc.INI - Deleted



Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\DOCUME~1\\THEBLA~1\\LOCALS~1\\Temp\\21.tmp"="C:\\DOCUME~1\\THEBLA~1\\LOCALS~1\\Temp\\21.tmp:*:Enabled:0F0D12100F29FF01"
"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXE:*:Enabled:Explorer"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"


Remaining Files:
---------------

Backups Folder: - C:\DOCUME~1\THEBLA~1\Desktop\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Documents and Settings\The Blademaster\My Documents\Fictions\Fanfictions\Freelancer\www.lancersreactor.com\~$eelancer Fanfic Freelancee Armageddon Version 2.0.doc
C:\Documents and Settings\The Blademaster\NetHood\ftp.3dfxwave.com\Desktop.ini
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
C:\Documents and Settings\The Blademaster\My Documents\~WRL0004.tmp
C:\Documents and Settings\The Blademaster\My Documents\~WRL0005.tmp
C:\Documents and Settings\The Blademaster\My Documents\~WRL0461.tmp
C:\Documents and Settings\The Blademaster\My Documents\~WRL0947.tmp
C:\Documents and Settings\The Blademaster\My Documents\~WRL0980.tmp
C:\Documents and Settings\The Blademaster\My Documents\~WRL1542.tmp
C:\Documents and Settings\The Blademaster\My Documents\~WRL2344.tmp
C:\Documents and Settings\The Blademaster\My Documents\~WRL2416.tmp
C:\Documents and Settings\The Blademaster\My Documents\~WRL2491.tmp
C:\Documents and Settings\The Blademaster\My Documents\~WRL3324.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\ca1c9a5f6bfb5c940f7b592a816e164e\BIT8.tmp

Finished

"The Blademaster" - 07-05-04 18:17:33 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\The Blademaster\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-04 to 2007-05-04 ))))))))))))))))))))))))))))))))))


2007-05-04 18:06 380,416 --a------ C:\WINDOWS\system32\rstrui.exe
2007-05-04 12:29 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-05-04 12:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-04 12:29 <DIR> d-------- C:\DOCUME~1\THEBLA~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-04 12:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-03 19:38 4,754 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-03 19:37 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-05-03 19:37 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-05-03 19:37 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-05-02 22:43 <DIR> d-------- C:\DOCUME~1\THEBLA~1\APPLIC~1\Leadertech
2007-05-02 22:38 0 --a------ C:\WINDOWS\PowerReg.dat
2007-05-02 22:20 <DIR> d-------- C:\NeverwinterNights
2007-04-29 13:26 <DIR> d-------- C:\Program Files\Narcissu 2 mini-demo
2007-04-21 14:03 <DIR> d-------- C:\Program Files\MP3TagEditor
2007-04-14 20:12 409,600 --a------ C:\WINDOWS\system32\wrap_oal.dll
2007-04-14 20:12 114,688 --a------ C:\WINDOWS\system32\OpenAL32.dll
2007-04-14 20:12 <DIR> d-------- C:\Program Files\OpenAL
2007-04-13 10:04 282,624 --a------ C:\WINDOWS\system32\NCTAudioVisualization.dll
2007-04-13 10:04 274,432 --a------ C:\WINDOWS\system32\NCTAudioRecord.dll
2007-04-13 10:04 120,832 --a------ C:\WINDOWS\system32\lame_enc.dll
2007-04-13 09:29 <DIR> d-------- C:\Converted
2007-04-13 09:27 513,152 --a------ C:\WINDOWS\system32\drivers\WmaCDriverV32.sys
2007-04-13 09:13 5,600 --a------ C:\WINDOWS\system\winaspi.dll
2007-04-13 09:13 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2007-04-13 09:13 4,672 --a------ C:\WINDOWS\system\wowpost.exe
2007-04-13 09:13 16,512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2007-04-13 09:13 <DIR> d-------- C:\Program Files\Zittware
2007-04-12 20:55 <DIR> d-------- C:\Program Files\minori
2007-04-12 20:53 304,128 --a------ C:\WINDOWS\IsUn0411.exe
2007-04-12 20:53 <DIR> d-------- C:\DOCUME~1\THEBLA~1\WINDOWS
2007-04-08 16:11 <DIR> d-------- C:\Program Files\tamasoftware
2007-04-08 10:19 573,440 --a------ C:\WINDOWS\system32\NCTAudioInformation2.dll
2007-04-08 10:19 491,520 --a------ C:\WINDOWS\system32\NCTAudioFile.dll
2007-04-08 10:19 290,816 --a------ C:\WINDOWS\system32\NCTWMAFile.dll
2007-04-08 10:19 286,720 --a------ C:\WINDOWS\system32\NCTWMAFile2.dll
2007-04-08 10:19 168,448 --a------ C:\WINDOWS\system32\NCTAudioPlayer.dll
2007-04-08 10:19 <DIR> d-------- C:\Program Files\4U Computing
2007-04-07 12:23 <DIR> d-------- C:\Sierra
2007-04-07 12:23 <DIR> d-------- C:\Program Files\Sierra On-Line


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-04 12:30 -------- d-------- C:\Program Files\flashget
2007-05-02 22:21 -------- d--h----- C:\Program Files\installshield installation information
2007-04-21 19:04 -------- d-------- C:\Program Files\ground control ii
2007-04-07 10:54 -------- d-------- C:\Program Files\nexus - the jupiter incident
2007-03-30 21:41 -------- d-------- C:\Program Files\limewire
2007-03-24 09:51 -------- d-------- C:\Program Files\cdburnerxp pro 3
2007-03-24 09:30 -------- d-------- C:\Program Files\slysoft
2007-03-20 06:20 11973 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-03-17 19:54 -------- d-------- C:\Program Files\imtoo
2007-03-17 00:06 43520 --a------ C:\WINDOWS\system32\cmdlineext03.dll
2007-03-16 18:10 530 --a------ C:\WINDOWS\ereg.dat
2007-03-16 18:09 -------- d-------- C:\Program Files\ea games
2007-03-08 18:13 -------- d-------- C:\DOCUME~1\THEBLA~1\APPLIC~1\media player classic
2007-03-05 11:54 -------- d-------- C:\Program Files\jam software
2007-02-23 23:45 1168 --a------ C:\WINDOWS\mozver.dat
2007-02-21 22:45 2560 --a------ C:\WINDOWS\system32\bitcometres.dll
2007-02-16 21:59 0 --a------ C:\WINDOWS\nsreg.dat
2007-02-16 00:14 62 --ahs---- C:\DOCUME~1\THEBLA~1\APPLIC~1\desktop.ini
2007-02-15 20:13 499712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-02-15 20:13 348160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-02-15 17:31 0 -rahs---- C:\MSDOS.SYS
2007-02-15 17:31 0 -rahs---- C:\IO.SYS
2007-02-15 17:31 0 --a------ C:\CONFIG.SYS
2007-02-15 17:31 0 --a------ C:\AUTOEXEC.BAT
2007-02-15 17:27 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll
{3C6301ED-0F78-4AF2-8150-D9C052361A8E} C:\Program Files\ATLAS V12\ATLIECP.DLL
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
{A5366673-E8CA-11D3-9CD9-0090271D075B} C:\PROGRA~1\FlashGet\jccatch.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"SoundMan"="SOUNDMAN.EXE"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Broadcom Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY"
"DSLSTATEXE"="C:\\Program Files\\billion\\Adsl\\dslstat.exe icon"
"DSLAGENTEXE"="C:\\Program Files\\billion\\Adsl\\dslagent.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"DaemonTools_WhenUSaveNow_Installer"="C:\\Program Files\\DaemonTools_WhenUSaveNow_Installer\\DaemonTools_WhenUSaveNow_Installer.exe"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\CLIStart.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"LaunchAp"="\"C:\\Program Files\\Launch Manager\\LaunchAp.exe\""
"PowerKey"="\"C:\\Program Files\\Launch Manager\\PowerKey.exe\""
"LManager"="\"C:\\Program Files\\Launch Manager\\HotkeyApp.exe\""
"CtrlVol"="\"C:\\Program Files\\Launch Manager\\CtrlVol.exe\""
"LMgrOSD"="\"C:\\Program Files\\Launch Manager\\OSDCtrl.exe\""
"Wbutton"="\"C:\\Program Files\\Launch Manager\\Wbutton.exe\""
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Rainlendar2"="C:\\Program Files\\Rainlendar2\\Rainlendar2.exe"
"STYLEXP"="C:\\Program Files\\TGTSoft\\StyleXP\\StyleXP.exe -Hide"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d7090285-d770-11db-983f-000ae4f48d98}]
Shell\Auto\command RavMonE.exe e
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-25500412-183644-808
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
backup-25500221-225442-708
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
backup-25500221-225442-397
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
backup-25500221-225442-949
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-04 18:24:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-05-04 18:24:35
C:\ComboFix-quarantined-files.txt ... 07-05-04 18:24

#4 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA
  • Local time:03:13 PM

Posted 04 May 2007 - 03:50 PM

Good work!! :thumbsup:

Please run HijackThis, Scan
Check box for:

O4 - HKLM\..\Run: [DaemonTools_WhenUSaveNow_Installer] C:\Program Files\DaemonTools_WhenUSaveNow_Installer\DaemonTools_WhenUSaveNow_Installer.exe

Select: Fix checked

~~~~
Once again, reboot to Safe Mode.

~~~~
Launch Notepad, (Start > Run, type in: notepad)
Copy/paste all the blue REGEDIT below to it:

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Documents and Settings\The Blademaster\Local Settings\Temp\21.tmp"=-


In Notepad, go to File (upper menu bar), and select: Save as
In the Save as prompt:
Save in: Desktop
File Name: delete.reg
Save as Type: All files
Click: Save
Exit out of Notepad.

Back on the Desktop, double-click on the delete.reg file just saved and click on Yes

~~~~
Now, search for the following folder (bold):
C:\Documents and Settings\The Blademaster\Local Settings\Temp <- Delete the contents inside the folder, but not the folder itself!

Search for, and remove the following folder (bold):
C:\Program Files\DaemonTools_WhenUSaveNow_Installer

~~~~
Empty the Recycle Bin.

~~~~
Restart the computer normally.

~~~~
Run HijackThis, Scan, and post a new log in your reply.

Old duck...
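The instructions above are the manual version of what a malware-response volunteer does when reading these logs: look at each autostart entry and ask where it launches from, whether its name matches the binary it points to, and whether it is an installer or a dead reference. The script below is an added example (not code from the thread, from HijackThis, or from BleepingComputer) that applies the same questions to HijackThis-style O4, O20 and O23 lines. The sample lines are constructed from entries that appear in this thread, the SYSTEM_NAMES table and the heuristics are assumptions of the example, and a hit is a prompt to investigate, not a verdict.

```python
"""Triage HijackThis-style log lines the way a log reviewer does by eye.

Added example, not part of the thread or of HijackThis. It understands
O4 (Run keys), O20 (Winlogon Notify) and O23 (services) lines, extracts
the launched file, and flags the patterns a reviewer looks for first.
"""
import re
from typing import Dict, List, Optional

# Line shapes this example parses; other HijackThis sections are skipped.
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>.+?) - (?P<cmd>.+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$')
# First token of a command that looks like a program file, quoted or not.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|scr|com|bat|pif|tmp))"?', re.IGNORECASE)

# Assumption of this example: where the genuine Windows XP binary for an
# autostart name lives. An entry that reuses the name but points elsewhere
# (as the "userinit" -> ntos.exe entry in this thread did) is a red flag.
SYSTEM_NAMES = {
    "userinit": r"c:\windows\system32\userinit.exe",
}
# Folders an unprivileged process can write to; legitimate autostarts
# almost never launch from them.
USER_WRITABLE = ("\\local settings\\temp\\", "\\temp\\", "\\documents and settings\\")


def extract_path(cmd: str) -> str:
    """Return the program path from a Run-key command, dropping arguments."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    if m:
        return m.group("path")
    parts = cmd.split()          # no recognised extension: take the first token
    return parts[0] if parts else cmd


def reasons_for(name: str, cmd: str, owner: Optional[str] = None) -> List[str]:
    """Heuristic reasons an entry deserves a closer look (empty list = nothing)."""
    reasons: List[str] = []
    path = extract_path(cmd)
    low = path.lower()
    if "(file missing)" in cmd.lower():
        reasons.append("references a file that no longer exists (dead entry, safe to fix)")
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append("launched from a user-writable folder such as Temp")
    canonical = SYSTEM_NAMES.get(name.lower())
    if canonical and low != canonical:
        reasons.append(f"named like the Windows component '{name}' but points to {path}")
    if "installer" in low:
        reasons.append("an installer re-run at every logon")
    if owner is not None and owner.lower() == "unknown owner":
        # Only means the binary has no version/company info; weak on its own.
        reasons.append("service binary carries no company/version info (weak signal)")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged log line to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            why = reasons_for(m["name"], m["cmd"])
        elif m := O20_RE.match(line):
            why = reasons_for(m["name"], m["cmd"])
        elif m := O23_RE.match(line):
            why = reasons_for(m["name"], m["cmd"], owner=m["owner"])
        else:
            continue
        if why:
            findings[line] = why
    return findings


# Constructed sample: entries taken from the logs in this thread, plus one
# made-up Run entry ([tmp21]) pointing at the Temp file the reviewer asked
# to be removed from the firewall's authorized-applications list.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O4 - HKLM\..\Run: [DaemonTools_WhenUSaveNow_Installer] C:\Program Files\DaemonTools_WhenUSaveNow_Installer\DaemonTools_WhenUSaveNow_Installer.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [tmp21] C:\Documents and Settings\The Blademaster\Local Settings\Temp\21.tmp
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    for flagged_line, why in triage(SAMPLE_LOG).items():
        print(flagged_line)
        for reason in why:
            print("   ->", reason)
```

Run it as-is to see the four sample entries that get flagged; feed a real log by reading the file into `triage()` instead of `SAMPLE_LOG`. The Zone Labs and AVG entries pass untouched, which is the point: the heuristics are there to shrink a 100-line log to the handful of lines worth a human's attention.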


#5 onyhow

onyhow
  • Topic Starter

  • Members
  • 4 posts
  • Local time:03:13 AM

Posted 05 May 2007 - 03:31 AM

Here it is...

Logfile of HijackThis v1.99.1
Scan saved at 15:25:58, on 5/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\billion\Adsl\dslstat.exe
C:\Program Files\billion\Adsl\dslagent.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fevergame.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: ATLAS Translation Bar - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - C:\Program Files\ATLAS V12\ATLIECP.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: ATLAS Translation Bar - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - C:\Program Files\ATLAS V12\ATLIECP.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\billion\Adsl\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\billion\Adsl\dslagent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &Translate with ATLAS - C:\Program Files\ATLAS V12\Atlscript.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ATLAS Translation - {B7707A72-4355-11D4-82BD-00000EBBEF8D} - C:\Program Files\ATLAS V12\Atlscript.html
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.5.107.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#6 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA
  • Local time:03:13 PM

Posted 05 May 2007 - 10:20 PM

FlashGet, the download manager, is showing entries on the HijackThis log.
The trial program bundles the Cydoor adware, but when you register the Ads disappear.
If you didn't purchase it, I recommend you remove the program.

To remove: Go to Start > Settings > Control Panel > Add/Remove Programs and select the entry from the list. Then, select: Remove


Otherwise, the HijackThis log looks fine. No apparent malware issues.

Are you still having problems?

Old duck...


#7 onyhow

onyhow
  • Topic Starter

  • Members
  • 4 posts
  • Local time:03:13 AM

Posted 05 May 2007 - 11:04 PM

Already registered Flashget and have no more problems...

Thank you...

#8 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA
  • Local time:03:13 PM

Posted 06 May 2007 - 06:19 PM

If you are not having malware problems, you are good to go!


Take a good look at the following suggestions to remain malware free:
Tony Klein's article 'How Did I Get Infected In The First Place'
http://forums.spywareinfo.com/index.php?showtopic=60955

Thank you for your patience, and performing the procedures requested.
If you have any questions or comments, post back. Otherwise...


Good luck, and safe journey through WWW land!!

Old duck...




