Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Ayb.netbios-wait.com


  • This topic is locked This topic is locked
9 replies to this topic

#1 ^MavericK!

^MavericK!

  • Members
  • 125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Monterrey
  • Local time:02:56 PM

Posted 08 June 2007 - 02:49 PM

I think I have an infection, the reason it cause my PC has been trying to connect to very wierd places, and by wierd methods. I got yesterday, while I was gaming, my firewall poped up and Daemon tools iniciated a connection to the master server list, I play RTCW. I almost never use IE, but when I use it I get a pop up, every single time. Here is my hijackthis! log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:42:39 PM, on 6/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Winamp\winamp.exe
C:\DOCUME~1\^MAVER~1\LOCALS~1\Temp\Rar$EX00.610\HiJackThis_v2.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [roadnew] C:\DOCUME~1\^MAVER~1\APPLIC~1\KINDNA~1\Debug skip bolt.exe
O4 - Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1163840827781
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jin...ows-i586-jc.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 5631 bytes

------------------------------------------------------------------------------------------------------------------------------------------------------------

I've tried reading here and downloading utilities that can clean my pc, no luck. I had this popup from my firewall today when I turned on my PC

Posted Image

Dont reall know if this means anything, but it seemed to me as an infection...

Any help will be apreciated...


Mav

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:56 PM

Posted 15 June 2007 - 09:13 PM

Hello ^MavericK!,

If you still need help, post a fresh Hijackthis log and and I will take a look at it.

You posted a Hijackthis that is run from a Beta version of Hijackthis. This verson still has bugs in it so we do not use it. :thumbsup:

Please delete that Beta version and download the latest version from the following link:

HijackThis Download Site with installer
Just click on Hijackthis_sfx.exe file that you downloaded.
A WinZip self extractor screen appears with the default location of C:\Program Files\Hijackthis.
Then press the Unzip button. Then close the Self-Extractor window.

Using My Computer/Windows Explorer, navigate to C:\Program Files\HijackThis and double click on HijackThis.exe to run it.

If you would like to make a shortcut for your Desktop so it's more easily accessable, right click HijackThis.exe and choose Send To > Desktop (create shortcut).

Please run the extracted HijackThis.exe from now on.

Please post a fresh Hijackthis log (if you still need help).
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 ^MavericK!

^MavericK!
  • Topic Starter

  • Members
  • 125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Monterrey
  • Local time:02:56 PM

Posted 15 June 2007 - 11:06 PM

Thanks for the reply, I have had some wierd things in my PC lateley, and to tell you the truth I really don't know if I'm still infected.

Here is a 3 sec ago hajack this log, donloaded from the link you gave me..



Logfile of HijackThis v1.99.1
Scan saved at 11:05:09 PM, on 6/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [roadnew] C:\DOCUME~1\^MAVER~1\APPLIC~1\KINDNA~1\Debug skip bolt.exe
O4 - Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1163840827781
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jin...ows-i586-jc.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe



Thanks in advance
:thumbsup:

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:56 PM

Posted 16 June 2007 - 01:01 AM

Hello ^MavericK!,

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of  Java Runtime Environment (JRE) 6u1.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u1".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language  jre-6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.
*******************************************

Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial


*******************************************

How to Reboot into Safe Mode
tap F8 key during reboot, until the boot menu appears...use the arrow keys to choose "Safe Mode" from the menu......,then press the "Enter" key. If that does not work this go to this site: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/



Please boot into Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix."

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [roadnew] C:\DOCUME~1\^MAVER~1\APPLIC~1\KINDNA~1\Debug skip bolt.exe


These are optinal fixes. The following are not necessarily spyware/malware, but I suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
(Description: System Tray icon for the Realtek AC97 Audio Sound Manager for AC97 onboard audio. Available via Start -> Settings-> Control Panel. Removing this entry will free up a small amount of system resources. )

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
(Description: Nvidia system tray applet. Not necessary. Removing this entry will free up a small amount of system resources.)

*******************************************

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'

Don't use the windows start\search feature
Using Windows Explorer, find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.
Folders and files with a tilde (~), means that there is a file/folder that starts with the six characters in front of the tilde, note that there may be spaces in the name.

Using Windows Explorer, delete the following files/folders in bold (Do not be concerned if they do not exist)

C:\DOCUME~1\^MAVER~1\APPLIC~1\KINDNA~1\Debug skip bolt.exe <==file

*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Reboot to the Normal Mode

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post the ComboFix  log and Hijackthis log in your next reply.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
Disable script blocking if you have Norton Antivirus installed so it will not interfere with the fix.

To disable Norton AntiVirus Script Blocking    
Start Norton AntiVirus. If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.    
Click Options. If you see a menu, click Norton AntiVirus.
In the left pane, click Script Blocking.    
 In the right pane, uncheck Enable Script Blocking (recommended).    
Click OK

Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.
 
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 ^MavericK!

^MavericK!
  • Topic Starter

  • Members
  • 125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Monterrey
  • Local time:02:56 PM

Posted 16 June 2007 - 03:28 AM

OMG thanks SifuMike, thanks for taking time to explain.
:flowers:

Had no problem deleting the file and my PC is now reboting faster, but didn't find no JRE or J2SE in my add and remove program list to deinstall, but now I have it.

Here is my Hijackthis! log

Logfile of HijackThis v1.99.1
Scan saved at 3:20:47 AM, on 6/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1163840827781
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

---------------------------------------------------------------------------------------------------------------------------------------------------------------------

And this is the ComboFix log

ComboFix 07-06-13.3 - C:\Documents and Settings\MavericK!\Desktop\ComboFix.exe
"^MavericK!" - 2007-06-16 3:02:34 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\install.log
C:\WINDOWS\system32\drivers\sfsync02.sys


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_SFSYNC02
-------\nm
-------\sfsync02


((((((((((((((((((((((((( Files Created from 2007-05-16 to 2007-06-16 )))))))))))))))))))))))))))))))


2007-06-16 03:05 0 --a------ C:\WINDOWS\system32\sfsync02.dll
2007-06-16 03:02 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-16 02:33 <DIR> d-------- C:\Program Files\CCleaner
2007-06-14 19:27 <DIR> d-------- C:\Program Files\iTunes
2007-06-14 19:27 <DIR> d-------- C:\Program Files\iPod
2007-06-07 05:27 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-07 04:56 3,116 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-01 06:21 <DIR> d-------- C:\Program Files\RegCleaner
2007-05-30 22:40 <DIR> d-------- C:\Program Files\XoftSpySE
2007-05-22 03:16 <DIR> d-------- C:\DOCUME~1\^MAVER~1\APPLIC~1\WinRAR
2007-05-17 19:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\DupeBikeSlowBone
2007-05-17 19:54 <DIR> d-------- C:\Program Files\Kindnamewipe
2007-05-17 19:54 <DIR> d-------- C:\DOCUME~1\^MAVER~1\APPLIC~1\Kindnamewipe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-16 07:57:10 -------- d-----w C:\Program Files\SpeedFan
2007-06-16 07:41:25 -------- d-----w C:\DOCUME~1\^MAVER~1\APPLIC~1\Kindnamewipe
2007-06-15 03:03:34 -------- d-----w C:\Program Files\Return to Castle Wolfenstein
2007-06-15 00:26:22 -------- d-----w C:\Program Files\QuickTime
2007-06-08 23:21:47 -------- d-----w C:\DOCUME~1\^MAVER~1\APPLIC~1\LimeWire
2007-05-31 04:53:44 -------- d-----w C:\DOCUME~1\^MAVER~1\APPLIC~1\AdobeUM
2007-05-30 14:12:37 -------- d-----w C:\Program Files\The Cleaner
2007-05-22 08:16:52 -------- d-----w C:\DOCUME~1\^MAVER~1\APPLIC~1\WinRAR
2007-05-19 18:03:51 -------- d-----w C:\Program Files\DivX
2007-05-13 07:37:36 -------- d-----w C:\Program Files\NuGardt Software
2007-05-04 23:52:45 -------- d-----w C:\Program Files\Xicat
2007-04-26 00:50:39 -------- d-----w C:\Program Files\AvRack
2007-04-26 00:50:33 -------- d-----w C:\Program Files\Realtek AC97
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-24 03:20:50 -------- d-----w C:\Program Files\Gigabyte
2007-04-23 08:41:58 -------- d-----w C:\Program Files\Winamp
2007-04-19 18:26:00 888,832 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-04-19 18:26:00 86,016 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-04-19 18:26:00 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-04-19 18:26:00 794,624 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-04-19 18:26:00 7,700,480 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-04-19 18:26:00 581,632 ----a-w C:\WINDOWS\system32\nvhwvid.dll
2007-04-19 18:26:00 5,644,288 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-04-19 18:26:00 5,619,712 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-04-19 18:26:00 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-04-19 18:26:00 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-04-19 18:26:00 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-04-19 18:26:00 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-04-19 18:26:00 4,543,616 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-04-19 18:26:00 35,840 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-04-19 18:26:00 35,840 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-04-19 18:26:00 311,296 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-04-19 18:26:00 3,988,384 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-04-19 18:26:00 3,035,136 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-04-19 18:26:00 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-04-19 18:26:00 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-04-19 18:26:00 212,992 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-04-19 18:26:00 2,924,544 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-04-19 18:26:00 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-04-19 18:26:00 159,810 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-04-19 18:26:00 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-04-19 18:26:00 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-04-19 18:26:00 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-04-19 18:26:00 1,474,560 ----a-w C:\WINDOWS\system32\nview.dll
2007-04-19 18:26:00 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-04-19 18:26:00 1,236,992 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-04-19 18:26:00 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-04-19 18:26:00 1,011,712 ----a-w C:\WINDOWS\system32\nvcpluir.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 06:28:17 -------- d-----w C:\Program Files\PCPitstop
2007-04-16 22:34:30 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-16 19:22:27 -------- d-----w C:\Program Files\Sygate
2007-04-16 19:11:26 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-04-16 02:26:10 -------- d-----w C:\Program Files\Error Repair Pro
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 21:38]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 02:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 10:50 C:\WINDOWS\LOGI_MWX.EXE]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2002-12-28 13:14]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-01-15 12:28]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2006-11-06 03:27]
"nwiz"="nwiz.exe" [2007-04-19 13:26 C:\WINDOWS\system32\nwiz.exe]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-08-13 19:05]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 13:26]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 07:29]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EA_RESTART_001.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EA_RESTART_001.lnk
backup=C:\WINDOWS\pss\EA_RESTART_001.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\slowbonenewenc]
C:\Documents and Settings\All Users\Application Data\DupeBikeSlowBone\eggs platform.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VgaOverClk]
C:\Program Files\BIOSTAR\BIOSTAR VGA Ocer Clock\Vgaoc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"usnjsvc"=3 (0x3)
"dmadmin"=3 (0x3)
"Diskeeper"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
AutoRun\command- I:\Setup\rsrc\autorun.exe
dinstall\command- I:\Directx\dxsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{62650d42-76a6-11db-9831-806d6172696f}]
AutoRun\command- H:\TmNationsESWCse_Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2984b99-9d32-11db-b454-000fea35087a}]
1\Command- L:\.\RECYCLER\RECYCLER\autorun.exe
2\Command- L:\.\RECYCLER\RECYCLER\autorun.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe


Contents of the 'Scheduled Tasks' folder
2007-05-18 00:55:32 C:\WINDOWS\tasks\B62C65EE960C1BC2.job
2007-05-31 03:40:15 C:\WINDOWS\tasks\XoftSpySE 2.job
2007-05-31 03:53:18 C:\WINDOWS\tasks\XoftSpySE.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-16 03:15:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-16 3:18:57 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-16 03:18

--- E O F ---



This process DupeBikeSlowBone ComboFix log show has been brought to my attention several times, but haven't find any info on it.

Thanks again man!

:thumbsup:

Edited by ^MavericK!, 16 June 2007 - 03:32 AM.


#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:56 PM

Posted 16 June 2007 - 01:21 PM

Hello MavericK,

This process DupeBikeSlowBone ComboFix log show has been brought to my attention several times, but haven't find any info on it.


It is a remenent of a LOP infection. We will get rid of it shortly. :thumbsup:


Using Windows Explorer, delete the following files/folders in bold
C:\WINDOWS\system32\sfsync02.dll <== file


Lets back up the registry.

Go to Start > Run
Type:regedit
Click OK.
  • On the leftside, click to highlight My Computer at the top.
  • Go up to "File > Export"
    • Make sure in that window there is a tick next to "All" under Export Branch.
      Leave the "Save As Type" as "Registration Files".
      Under "Filename" put backup
  • Choose to save it to C:\ or somewhere else safe so that you will remember where you put it (don't put it on the desktop!)
  • Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.
  • Click Start » Run » type: Notepad » OK
  • Copy (Ctrl+C) and paste (Ctrl+V) the following text inside the code box below (starting with REGEDIT4) to Notepad. (Be sure to use Notepad, not Wordpad, otherwise it won't work).

    REGEDIT4 
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\slowbonenewenc]



  • Make sure there are no blank spaces before REGEDIT4 and there should be one blank line at the end.
  • Click File at the top and then choose Save As.
  • Change Save As Type to All Files.
  • Name it FixME.reg and save it on your desktop.
  • Its icon should look like this : Posted Image
  • Double click FixME.reg. It will ask you if you want to merge it to the registry, click Yes.
Run ComboFix again and post the ComboFix log.

Edited by SifuMike, 16 June 2007 - 01:23 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 ^MavericK!

^MavericK!
  • Topic Starter

  • Members
  • 125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Monterrey
  • Local time:02:56 PM

Posted 16 June 2007 - 07:37 PM

I really apreciate your help :flowers:


Here is the new ComboFix log...




ComboFix 07-06-13.3 - C:\Documents and Settings\MavericK!\Desktop\ComboFix.exe
"^MavericK!" - 2007-06-16 19:30:56 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-05-17 to 2007-06-17 )))))))))))))))))))))))))))))))


2007-06-16 03:02 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-16 02:33 <DIR> d-------- C:\Program Files\CCleaner
2007-06-14 19:27 <DIR> d-------- C:\Program Files\iTunes
2007-06-14 19:27 <DIR> d-------- C:\Program Files\iPod
2007-06-07 05:27 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-07 04:56 3,116 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-01 06:21 <DIR> d-------- C:\Program Files\RegCleaner
2007-05-30 22:40 <DIR> d-------- C:\Program Files\XoftSpySE
2007-05-22 03:16 <DIR> d-------- C:\DOCUME~1\^MAVER~1\APPLIC~1\WinRAR
2007-05-17 19:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\DupeBikeSlowBone
2007-05-17 19:54 <DIR> d-------- C:\Program Files\Kindnamewipe
2007-05-17 19:54 <DIR> d-------- C:\DOCUME~1\^MAVER~1\APPLIC~1\Kindnamewipe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-16 09:39:49 -------- d-----w C:\Program Files\Return to Castle Wolfenstein
2007-06-16 08:18:25 -------- d-----w C:\Program Files\SpeedFan
2007-06-16 07:41:25 -------- d-----w C:\DOCUME~1\^MAVER~1\APPLIC~1\Kindnamewipe
2007-06-15 00:26:22 -------- d-----w C:\Program Files\QuickTime
2007-06-08 23:21:47 -------- d-----w C:\DOCUME~1\^MAVER~1\APPLIC~1\LimeWire
2007-05-31 04:53:44 -------- d-----w C:\DOCUME~1\^MAVER~1\APPLIC~1\AdobeUM
2007-05-30 14:12:37 -------- d-----w C:\Program Files\The Cleaner
2007-05-22 08:16:52 -------- d-----w C:\DOCUME~1\^MAVER~1\APPLIC~1\WinRAR
2007-05-19 18:03:51 -------- d-----w C:\Program Files\DivX
2007-05-13 07:37:36 -------- d-----w C:\Program Files\NuGardt Software
2007-05-04 23:52:45 -------- d-----w C:\Program Files\Xicat
2007-04-26 00:50:39 -------- d-----w C:\Program Files\AvRack
2007-04-26 00:50:33 -------- d-----w C:\Program Files\Realtek AC97
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-24 03:20:50 -------- d-----w C:\Program Files\Gigabyte
2007-04-23 08:41:58 -------- d-----w C:\Program Files\Winamp
2007-04-19 18:26:00 888,832 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-04-19 18:26:00 86,016 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-04-19 18:26:00 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-04-19 18:26:00 794,624 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-04-19 18:26:00 7,700,480 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-04-19 18:26:00 581,632 ----a-w C:\WINDOWS\system32\nvhwvid.dll
2007-04-19 18:26:00 5,644,288 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-04-19 18:26:00 5,619,712 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-04-19 18:26:00 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-04-19 18:26:00 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-04-19 18:26:00 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-04-19 18:26:00 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-04-19 18:26:00 4,543,616 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-04-19 18:26:00 35,840 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-04-19 18:26:00 35,840 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-04-19 18:26:00 311,296 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-04-19 18:26:00 3,988,384 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-04-19 18:26:00 3,035,136 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-04-19 18:26:00 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-04-19 18:26:00 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-04-19 18:26:00 212,992 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-04-19 18:26:00 2,924,544 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-04-19 18:26:00 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-04-19 18:26:00 159,810 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-04-19 18:26:00 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-04-19 18:26:00 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-04-19 18:26:00 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-04-19 18:26:00 1,474,560 ----a-w C:\WINDOWS\system32\nview.dll
2007-04-19 18:26:00 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-04-19 18:26:00 1,236,992 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-04-19 18:26:00 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-04-19 18:26:00 1,011,712 ----a-w C:\WINDOWS\system32\nvcpluir.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 06:28:17 -------- d-----w C:\Program Files\PCPitstop
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 21:38]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 02:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 10:50 C:\WINDOWS\LOGI_MWX.EXE]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2002-12-28 13:14]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-01-15 12:28]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2006-11-06 03:27]
"nwiz"="nwiz.exe" [2007-04-19 13:26 C:\WINDOWS\system32\nwiz.exe]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-08-13 19:05]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 07:29]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EA_RESTART_001.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EA_RESTART_001.lnk
backup=C:\WINDOWS\pss\EA_RESTART_001.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VgaOverClk]
C:\Program Files\BIOSTAR\BIOSTAR VGA Ocer Clock\Vgaoc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"usnjsvc"=3 (0x3)
"dmadmin"=3 (0x3)
"Diskeeper"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
AutoRun\command- I:\Setup\rsrc\autorun.exe
dinstall\command- I:\Directx\dxsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{62650d42-76a6-11db-9831-806d6172696f}]
AutoRun\command- H:\TmNationsESWCse_Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2984b99-9d32-11db-b454-000fea35087a}]
1\Command- L:\.\RECYCLER\RECYCLER\autorun.exe
2\Command- L:\.\RECYCLER\RECYCLER\autorun.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe


Contents of the 'Scheduled Tasks' folder
2007-05-18 00:55:32 C:\WINDOWS\tasks\B62C65EE960C1BC2.job
2007-05-31 03:40:15 C:\WINDOWS\tasks\XoftSpySE 2.job
2007-05-31 03:53:18 C:\WINDOWS\tasks\XoftSpySE.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-16 19:33:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-16 19:34:37
C:\ComboFix-quarantined-files.txt ... 2007-06-16 19:34
C:\ComboFix2.txt ... 2007-06-16 03:18

--- E O F ---


:thumbsup:

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:56 PM

Posted 16 June 2007 - 08:42 PM

Hi MavericK,

Your log looks clean! :thumbsup: Good job on the cleanup!

Let's reset you files so they are hidden and protected.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading deselect Show hidden files and folders.
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK


Let's clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis

System Restore will now be active again.



Please read and follow How did I get infected?, With steps so it does not happen again!

If you want to improve speed/system performance after malware removal, take a look here.

Edited by SifuMike, 16 June 2007 - 08:43 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 ^MavericK!

^MavericK!
  • Topic Starter

  • Members
  • 125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Monterrey
  • Local time:02:56 PM

Posted 17 June 2007 - 05:49 AM

I really thank you man, Pc works fine and my latency is smooth...


:thumbsup:


:flowers:

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:56 PM

Posted 22 June 2007 - 05:19 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users