Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

No Other Anti-virus, Spyware Software Has Work


  • Please log in to reply
3 replies to this topic

#1 Crossan

Crossan

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:29 AM

Posted 02 June 2007 - 03:38 PM

I have used many scans on many different pieces of software but nothing has worked; my computer runs much slower; i get pop-ups but they arent in the usual internet explorer window so no pop-up blocker can stop them, they seem to appear just in a box but with no address bar... its hard to explain, i also do get the conventional pop-ups but ones tht always redirect me to "cpvfeed.com"; programs randomly crash and when i try to start them again they will not start. please help me get rid of the bugs in my computer, and restore it to its prime.

Logfile of HijackThis v1.99.1
Scan saved at 21:16:46, on 02/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\KService\KService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\PC-Clean\PC-Clean.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\TrojanHunter 4.6\TrojanHunter.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566.../www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tiscali.co.uk/broadband
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Web Class - {D03B6018-E880-4A89-99A2-7354FE52DDAE} - c:\progra~1\nlia\nlia.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PC-Clean] C:\Program Files\PC-Clean\PC-Clean.exe /h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by130fd.bay130.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1171570288812
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5BFB770-47E0-4DAB-9F0B-8AC8DDB6EBF4}: NameServer = 212.139.132.6 212.139.132.7
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\WEBACC~1\FASTSE~1.DLL,wbsys.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\KService\KService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

could someone please help me tell me what is safe to get rid of and what to keep,
thank you

Edited by Crossan, 02 June 2007 - 04:08 PM.


BC AdBot (Login to Remove)

 


#2 sjpritch25

sjpritch25

  • Security Colleague
  • 898 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:01:29 AM

Posted 02 June 2007 - 08:38 PM

Welcome to BC :thumbsup:

You do have a lot of programs running, i would recommend keeping SuperAnti-Spyware, Commando Firewall, and AVG. Everything else you can uninstall. These programs aren't good at removing this infection because its hidden behind a rootkit.


Download Combofix and save it to your desktop.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe


Note: It is important that it is saved directly to your desktop

Close any open browsers.

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Post the ComboFix.txt and a fresh Hijackthis log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Microsoft MVP Consumer Security--2007-2010

#3 Crossan

Crossan
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:29 AM

Posted 03 June 2007 - 06:32 PM

Thank you for the welcome

i shall get rid of all the software tht is not needed but for now here is the log from the combofix:

"Andrew" - 2007-06-04 0:20:31 Service Pack 2 NTFS
ComboFix 07-06-2.5.Ex - Running from: "C:\Documents and Settings\Andrew\Desktop\"


((((((((((((((((((((((((( Files Created from 2007-05-03 to 2007-06-03 )))))))))))))))))))))))))))))))


2007-06-03 17:37 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-06-02 22:19 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-02 21:53 <DIR> d-------- C:\WINDOWS\pss
2007-06-02 20:58 <DIR> d-------- C:\DOCUME~1\Andrew\APPLIC~1\TrojanHunter
2007-06-02 20:56 <DIR> d-------- C:\Program Files\TrojanHunter 4.6
2007-06-02 20:47 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-05-31 02:39 <DIR> d-------- C:\Program Files\LimeWire
2007-05-30 10:25 <DIR> d-------- C:\Program Files\iPod
2007-05-29 01:26 <DIR> d-------- C:\WINDOWS\$regcmp$
2007-05-29 01:18 <DIR> d-------- C:\Program Files\ZSoft
2007-05-27 15:36 11,138 --a------ C:\WINDOWS\msvrc20.dll
2007-05-22 09:12 <DIR> d-------- C:\DOCUME~1\Andrew\APPLIC~1\LimeWire
2007-05-21 02:56 <DIR> d-------- C:\Program Files\IObit
2007-05-20 18:43 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-05-20 18:09 <DIR> d-------- C:\Program Files\Sierra
2007-05-20 01:55 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2007-05-20 01:55 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-05-18 05:38 606,848 --a------ C:\WINDOWS\flashax.exe
2007-05-18 05:38 <DIR> d-------- C:\WINDOWS\xrayScreensaver2 dir
2007-05-17 23:32 <DIR> d-------- C:\DOCUME~1\Robbie\APPLIC~1\Comodo
2007-05-17 20:24 <DIR> d-------- C:\Program Files\NoAds
2007-05-17 20:03 <DIR> d-------- C:\DOCUME~1\Andrew\APPLIC~1\Comodo
2007-05-17 20:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-05-17 19:57 <DIR> d-------- C:\Program Files\Comodo
2007-05-17 15:37 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2007-05-17 15:28 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-05-17 00:01 <DIR> d-------- C:\Program Files\Thomson
2007-05-16 02:42 <DIR> d-------- C:\Program Files\DivX
2007-05-15 01:24 <DIR> d-------- C:\DOCUME~1\Robbie\APPLIC~1\PC Tools
2007-05-14 21:43 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-05-14 21:42 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-05-14 21:41 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-05-14 21:14 <DIR> d-------- C:\DOCUME~1\Andrew\APPLIC~1\PC Tools
2007-05-14 21:03 <DIR> d-------- C:\Program Files\PC-Clean
2007-05-14 20:26 <DIR> d-------- C:\WINDOWS\system32\SBO
2007-05-14 20:26 <DIR> d-------- C:\Temp
2007-05-14 18:40 <DIR> d-------- C:\DOCUME~1\Robbie\Incomplete
2007-05-14 18:40 <DIR> d-------- C:\DOCUME~1\Robbie\APPLIC~1\LimeWire
2007-05-14 15:46 <DIR> d-------- C:\DOCUME~1\Andrew\APPLIC~1\Ahead
2007-05-14 15:39 <DIR> d-------- C:\Program Files\Nero
2007-05-14 15:39 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-05-14 15:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-05-14 15:36 <DIR> d--hs---- C:\Documents and Settings\Andrew\Complete
2007-05-14 15:36 <DIR> d--hs---- C:\DOCUME~1\Andrew\Complete
2007-05-09 22:28 <DIR> d-------- C:\DOCUME~1\Andrew\APPLIC~1\Sonic
2007-05-09 22:27 <DIR> d-------- C:\DOCUME~1\Andrew\APPLIC~1\Leadertech
2007-05-06 00:20 36,864 --a------ C:\WINDOWS\system32\wbsys.dll
2007-05-06 00:20 20,480 --a------ C:\WINDOWS\system32\wbload.dll
2007-05-06 00:20 <DIR> d-------- C:\Program Files\Stardock
2007-05-05 14:16 <DIR> d-------- C:\Program Files\LiveUpdate
2007-05-05 14:15 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2007-05-05 14:14 <DIR> d-------- C:\Program Files\mobile PhoneTools
2007-05-05 14:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BVRP Software


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-02 10:44:45 664 ----a-w C:\WINDOWS\system32\d3d9caps.dat
2007-05-31 03:08:30 -------- d-----w C:\Program Files\SUPERAntiSpyware
2007-05-30 09:25:33 -------- d-----w C:\Program Files\iTunes
2007-05-30 09:11:08 -------- d-----w C:\Program Files\QuickTime
2007-05-29 01:21:36 -------- d-----w C:\Program Files\Sonic
2007-05-23 13:21:39 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-17 20:37:35 -------- d-----w C:\Program Files\Messenger Plus! Live
2007-05-16 01:07:35 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-05-02 18:04:37 -------- d-----w C:\Program Files\LucasArts
2007-04-26 08:45:58 -------- d-----w C:\Program Files\SymNetDrv
2007-04-25 17:26:23 -------- d-----w C:\Program Files\Symantec
2007-04-25 17:26:23 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-04-22 23:49:55 -------- d-----w C:\Program Files\Messenger
2007-04-22 20:43:51 -------- d-----w C:\DOCUME~1\Andrew\APPLIC~1\Creative
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 21:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 21:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 21:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 21:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 21:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 21:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 21:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 21:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-12 00:13:34 -------- d-----w C:\DOCUME~1\Andrew\APPLIC~1\TurboFTP
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-17 11:46:09 723,357 --sh--w C:\WINDOWS\system32\dgjlm.ini2
2007-03-17 11:36:51 0 -c--a-w C:\WINDOWS\system32\CMMGR32.EXE
2007-03-16 23:49:48 737,238 --sh--w C:\WINDOWS\system32\dgjlm.bak2
2007-03-16 08:24:50 720,166 --sh--w C:\WINDOWS\system32\ststv.bak1
2007-03-15 23:49:41 719,270 --sh--w C:\WINDOWS\system32\dgjlm.bak1
2007-03-15 23:41:35 744,676 --sh--w C:\WINDOWS\system32\rttss.ini2
2007-03-15 21:49:45 723,656 --sh--w C:\WINDOWS\system32\rttss.bak2
2007-03-14 18:27:58 972,336 ----a-w C:\WINDOWS\UNRecode.exe
2007-03-14 18:19:56 95,864 ----a-w C:\WINDOWS\system32\NeroCo.dll
2007-03-14 18:19:26 972,336 ----a-w C:\WINDOWS\UNNeroBackItUp.exe
2007-03-12 12:51:08 972,336 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-03-09 20:59:44 743,187 --sha-w C:\WINDOWS\system32\rttss.bak1
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 11:28]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 16:29]
{69A87B7D-DE56-4136-9655-716BA50C19C7}=C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll [2007-03-29 21:34]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 21:33]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-20 00:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-05-17 20:39]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"Shareaza"="C:\Program Files\Shareaza\Shareaza.exe" [2007-02-05 05:05]
"NoAds"="C:\Program Files\NoAds\NoAds.exe" [2007-05-17 20:24]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-05-18 01:27]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 11:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"PcCleanUninstall"="C:\Program Files\PC-Clean\PcCleanUninstall.exe" --del

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Symantec NetDriver Warning"=C:\PROGRA~1\SYMNET~1\SNDWarn.exe
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=1 (0x1)
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\WEBACC~1\FASTSE~1.DLL,wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC-Clean]
C:\Program Files\PC-Clean\PC-Clean.exe /h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THGuard]
"C:\Program Files\TrojanHunter 4.6\THGuard.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-05-28 08:42:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-03 15:44:31 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-04 00:21:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-04 0:21:29
C:\ComboFix-quarantined-files.txt ... 2007-06-04 00:21
C:\ComboFix2.txt ... 2007-06-04 00:17
C:\ComboFix3.txt ... 2007-06-02 22:19

--- E O F ---


And here is the log from HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 00:26:47, on 04/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\KService\KService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\NoAds\NoAds.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tiscali.co.uk/broadband
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [PcCleanUninstall] "C:\Program Files\PC-Clean\PcCleanUninstall.exe" --del
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by130fd.bay130.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1171570288812
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5BFB770-47E0-4DAB-9F0B-8AC8DDB6EBF4}: NameServer = 212.139.132.6 212.139.132.7
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\WEBACC~1\FASTSE~1.DLL,wbsys.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\KService\KService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

What should i do now?

thank you

#4 sjpritch25

sjpritch25

  • Security Colleague
  • 898 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:01:29 AM

Posted 04 June 2007 - 06:42 AM

Sorry for delay

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\dgjlm.ini2
C:\WINDOWS\system32\dgjlm.bak2
C:\WINDOWS\system32\ststv.bak1
C:\WINDOWS\system32\dgjlm.bak1
C:\WINDOWS\system32\rttss.ini2
C:\WINDOWS\system32\rttss.bak2
C:\WINDOWS\system32\rttss.bak1


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply


==================================

Please upload the following file/s for a developer to analyze
http://www.bleepingcomputer.com/submit-malware.php?channel=4

<C:\avenger\backup.zip>

===================================

Please perform a scan with Kaspersky Webscan Online Virus Scanner
1. Click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").
2. Read the Requirements and Privacy statement, then select "Accept".
3. A new window will appear promting you to install an ActiveX component from Kaspersky - "Do you want to install this software?".
4. Click "Yes or select "Install" to download the ActiveX controls that allows ActiveScan to run.
5. When the download is complete it will say ready, click "Next".
6. Click "Scan Settings" and check the option to use the Extended Database if available otherwise Standard).
7. Click "Scan Options" and select both "Scan Archives" and "Scan Mail Bases".
8. Click "OK".
9. Under "Select a target to scan", click on "My Computer".
10. When the scan is complete choose to save the results as "Save as Text" named kaspersky.txt to your desktop and post them in your next reply.

Kaspersky does not remove anything but will provide a log of anything it finds. On August 8th, 2006 Kaspersky updated the software used for Free Online Virus Scanner. In order to continue using the online scanner you will need to uninstall the old version (if previously used) from your Add/Remove Programs list and then install the latest version. To do this, follow the steps here and reboot afterwards if your system does not reboot automatically or it will show 'Kaspersky Online Scanner license key was not found!
Microsoft MVP Consumer Security--2007-2010




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users