Is My Pc Clean?

12 replies to this topic

#1 SKULL

Posted 01 July 2007 - 06:40 AM

I have had some virus the last few days and I think I got rid of it, but would like to double check. I also have an ntos.exe; I have looked this up and found it to be a virus, but I cannot get rid of it, or if I do it keeps coming back.

Logfile of HijackThis v1.99.1
Scan saved at 12:39:51, on 01/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Apps\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\Common Files\AOL\1182198904\ee\AOLSoftware.exe
C:\Program Files\QuickTime\qttask.exe
C:\apps\ABoard\AOSD.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\AOL 9.0a\aoltray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\AOL 9.0a\waol.exe
C:\Program Files\AOL 9.0a\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\SKULL\LOCALS~1\Temp\Rar$EX00.390\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bin/redi...&key=SEARCH
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1182198904\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Microgaming\Poker\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7324E363-14A0-4C38-830C-441FE10276F0}: NameServer = 205.188.146.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


#2 -David-

Posted 01 July 2007 - 07:32 AM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Please move HijackThis to another location, preferably c:\Program Files\HijackThis. Anywhere is fine, other than your Desktop or a Temp folder. If HijackThis is in a temporary folder you run the risk of accidentally deleting the backups or it clutters your desktop with all the backups.
If you use Windows XP it might be that you just double clicked on the file HijackThis.exe, but that only extracts the file to a temporary folder. Please select the file and Extract it to a folder.

How do you make a permanent folder:

Click "My Computer", then "C:\" and then on "Program Files".
In the menu bar, "File"->"New"->"Folder".
That will create a folder named "New Folder", which you can rename to "HJT" or "HijackThis".
Now you have "C:\Program Files\HijackThis". Put your HijackThis.exe there.

I have noticed from your log that you have various online poker programs installed on your computer. I understand that you may use these games on a regular basis, but I think it's important to note that often these kinds of programs are installed with other unwanted software, namely spyware or adware. If you did not install these programs yourself, or you do not use them any more, I would definitely recommend that you uninstall them from your computer, even if it is simply a precautionary measure. The amount of different poker software which arises on the internet means it is impossible to keep track of which ones are infected and which ones are not. If you do use the software, and wish to continue doing so, please ignore this. If you do decide to go ahead and remove the poker software, you should be able to uninstall them via Add/Remove Programs, which can be found in the Control Panel. Let me know if you have any problems whilst doing so.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Open HijackThis, click 'Config' (bottom right), then choose the 'Misc Tools' tab at the top.
Choose 'Delete a file on reboot'. In the field, copy and paste the file path given a few lines below.
Click Open. HijackThis will tell you that this file will be deleted on the next reboot and ask if you want to reboot now.
When asked if you want to reboot now, say Yes:
C:\WINDOWS\system32\ntos.exe

Allow the PC to reboot, if it doesn't do it automatically, please reboot manually.

Please download ComboFix to your desktop.
Double-click combofix.exe to launch the application.

Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.
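A defender's check for the persistence David is fixing above, written as an added example (not part of the thread or of HijackThis): the sample lines are taken from the first post, while the regexes and function names are my own.

```python
"""Flag a Userinit hijack in a HijackThis v1.99 log.

Winlogon runs every comma-separated program listed in the Userinit value
(HijackThis reports it as an F2 line).  Only userinit.exe belongs there; an
extra entry runs at each logon, which is why ntos.exe kept coming back until
both the F2 line and the HKCU Run entry that relaunches it were removed.
"""
import re

# Constructed sample: the three entries David asked to fix, copied from the
# first log in the thread, plus one legitimate O4 line for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
"""

F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.IGNORECASE)
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def userinit_entries(value):
    """Split a Userinit value into its programs, dropping the trailing empty element."""
    return [part.strip() for part in value.split(",") if part.strip()]


def find_userinit_hijack(log_text):
    """Return every program in the F2/Userinit line other than userinit.exe."""
    extras = []
    for line in log_text.splitlines():
        match = F2_RE.match(line.strip())
        if not match:
            continue
        for path in userinit_entries(match.group("value")):
            if path.lower().rsplit("\\", 1)[-1] != "userinit.exe":
                extras.append(path)
    return extras


def analyse_hijackthis_log(log_text):
    """Walk the log once and return (section, detail) findings in log order.

    Three things are reported: extra Userinit programs, BHOs whose file is
    gone (orphaned registration, harmless but worth cleaning), and Run keys
    that relaunch the Userinit extra so it is not re-created after deletion.
    """
    suspects = {p.lower().rsplit("\\", 1)[-1] for p in find_userinit_hijack(log_text)}
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if F2_RE.match(line):
            for path in find_userinit_hijack(line):
                findings.append(("F2", f"Userinit also launches {path}"))
        elif (m := O2_RE.match(line)) and m.group("path").lower() == "(no file)":
            findings.append(("O2", f"orphaned BHO {{{m.group('clsid')}}} (no file)"))
        elif (m := O4_RE.match(line)) and any(s in m.group("cmd").lower() for s in suspects):
            findings.append(("O4", f"{m.group('hive')} Run [{m.group('name')}] relaunches {m.group('cmd')}"))
    return findings


if __name__ == "__main__":
    for section, detail in analyse_hijackthis_log(SAMPLE_LOG):
        print(f"{section}: {detail}")
```

Running it on a full log also leaves the legitimate `O4 - HKLM\..\Run: [avast!]` line alone, because only commands that name a Userinit extra are reported.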

#3 SKULL

Posted 01 July 2007 - 10:42 AM

"SKULL" - 2007-07-01 15:43:58 - ComboFix 07-06-27.7 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\audio.dll.cla
C:\WINDOWS\system32\wsnpoem\video.dll


((((((((((((((((((((((((( Files Created from 2007-06-01 to 2007-07-01 )))))))))))))))))))))))))))))))


2007-07-01 15:41 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-07-01 04:58 7,313 --a------ C:\sysggyz.exe
2007-06-30 03:51 7,313 --a------ C:\systlmc.exe
2007-06-29 15:13 <DIR> d-------- C:\Program Files\ParadisePoker
2007-06-29 14:55 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-06-29 14:55 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-29 14:55 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-29 14:55 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-29 14:55 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-29 14:55 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-29 14:54 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-29 00:54 22,592 --a------ C:\WINDOWS\system32\qf1Q63pj.exe
2007-06-28 18:11 <DIR> d-------- C:\Program Files\Easy HTML To Any Script Converter
2007-06-28 05:52 <DIR> d-------- C:\NVIDIA
2007-06-27 00:01 7,313 --a------ C:\sysdrfg.exe
2007-06-26 22:04 <DIR> d-------- C:\DOCUME~1\SKULL\APPLIC~1\AdobeUM
2007-06-26 01:06 7,313 --a------ C:\sysivup.exe
2007-06-25 23:25 7,313 --a------ C:\sysuyqd.exe
2007-06-24 23:01 7,313 --a------ C:\syseshf.exe
2007-06-23 13:01 <DIR> d---s---- C:\DOCUME~1\SKULL\UserData
2007-06-19 04:43 <DIR> dr-hs---- C:\WINDOWS\system32\dllcache
2007-06-19 04:43 <DIR> dr-hs---- C:\cmdcons
2007-06-19 04:43 <DIR> dr-h----- C:\MSOCache
2007-06-19 04:43 <DIR> dr--s---- C:\WINDOWS\Fonts
2007-06-19 04:43 <DIR> dr------- C:\WINDOWS\Web
2007-06-19 04:43 <DIR> dr------- C:\WINDOWS\Offline Web Pages
2007-06-19 04:43 <DIR> dr------- C:\Program Files
2007-06-19 04:43 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\Documents
2007-06-19 04:43 <DIR> d--hs---- C:\WINDOWS\Installer
2007-06-19 04:43 <DIR> d--hs---- C:\System Volume Information
2007-06-19 04:43 <DIR> d--hs---- C:\RECYCLER
2007-06-19 04:43 <DIR> d--hs---- C:\DOCUME~1\ALLUSE~1\DRM
2007-06-19 04:43 <DIR> d--h----- C:\WINDOWS\inf
2007-06-19 04:43 <DIR> d--h----- C:\WINDOWS\I386
2007-06-19 04:43 <DIR> d--h----- C:\Program Files\WindowsUpdate
2007-06-19 04:43 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-06-19 04:43 <DIR> d--h----- C:\PNP
2007-06-19 04:43 <DIR> d--h----- C:\DIVTOOLS
2007-06-19 04:43 <DIR> d---s---- C:\WINDOWS\Tasks
2007-06-19 04:43 <DIR> d---s---- C:\WINDOWS\Downloaded Program Files
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\WinSxS
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\twain_32
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\xircom
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\wins
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\wbem
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\usmt
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\trayres
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\spool
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\ShellExt
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\Setup
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\Restore
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\ReinstallBackups
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\ras
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\oobe
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\npp
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\mui
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\MsDtc
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\Macromed
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\inetsrv
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\IME
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\icsxml
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\ias
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\export
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\drivers\etc
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\drivers\disdn
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\drivers
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\DirectX
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\dhcp
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\config
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\Com
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\CatRoot
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\3com_dmi
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\3076
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\2052
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\1054
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\1042
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\1041
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\1037
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\1033
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\1031
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\1028
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\1025
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\srchasst
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\SiS
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\security
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\Resources
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\REPAIR
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\Registration
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\Provisioning
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\PREFETCH
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\PeerNet
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\pchealth
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\occache


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-05-15 00:47]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{E5A1691B-D188-4419-AD02-90002030B8EE}=C:\PROGRA~1\FlashFXP\IEFlash.dll [2004-07-29 18:39]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"PCMService"="c:\Apps\Powercinema\PCMService.exe" [2004-09-15 22:17]
"ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 11:31]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2007-01-10 12:06]
"nwiz"="nwiz.exe" [2006-02-28 13:38 C:\WINDOWS\system32\nwiz.exe]
"HostManager"="C:\Program Files\Common Files\AOL\1182198904\ee\AOLSoftware.exe" [2006-11-17 14:21]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-10-13 19:01]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 16:42]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-02-28 13:38]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 22:57]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]


Contents of the 'Scheduled Tasks' folder
2007-06-28 23:54:43 C:\WINDOWS\tasks\At1.job
2007-07-01 08:00:30 C:\WINDOWS\tasks\At10.job
2007-07-01 09:00:30 C:\WINDOWS\tasks\At11.job
2007-07-01 10:00:30 C:\WINDOWS\tasks\At12.job
2007-07-01 11:00:30 C:\WINDOWS\tasks\At13.job
2007-07-01 12:00:30 C:\WINDOWS\tasks\At14.job
2007-07-01 13:00:30 C:\WINDOWS\tasks\At15.job
2007-07-01 14:00:30 C:\WINDOWS\tasks\At16.job
2007-07-01 15:00:30 C:\WINDOWS\tasks\At17.job
2007-06-29 16:00:30 C:\WINDOWS\tasks\At18.job
2007-06-29 17:00:30 C:\WINDOWS\tasks\At19.job
2007-06-29 00:00:30 C:\WINDOWS\tasks\At2.job
2007-06-28 23:54:43 C:\WINDOWS\tasks\At20.job
2007-06-28 23:54:43 C:\WINDOWS\tasks\At21.job
2007-06-28 23:54:43 C:\WINDOWS\tasks\At22.job
2007-06-28 23:54:43 C:\WINDOWS\tasks\At23.job
2007-06-28 23:54:43 C:\WINDOWS\tasks\At24.job
2007-06-28 23:54:43 C:\WINDOWS\tasks\At3.job
2007-06-28 23:54:43 C:\WINDOWS\tasks\At4.job
2007-06-30 03:00:30 C:\WINDOWS\tasks\At5.job
2007-07-01 04:00:30 C:\WINDOWS\tasks\At6.job
2007-07-01 05:00:30 C:\WINDOWS\tasks\At7.job
2007-07-01 06:00:42 C:\WINDOWS\tasks\At8.job
2007-07-01 07:00:30 C:\WINDOWS\tasks\At9.job
2007-06-25 22:49:31 C:\WINDOWS\tasks\HDReg.job
2007-06-18 20:01:42 C:\WINDOWS\tasks\Registration reminder 3.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-01 16:34:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-01 16:36:27 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-01 16:36

--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 16:37:59, on 01/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Apps\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\1182198904\ee\AOLSoftware.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\AOL 9.0a\aoltray.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1182198904\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Microgaming\Poker\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe




P.S. I also have some files in my C: drive folder:
1F0.tmp
1F1.tmp
1FD.tmp
1FE.tmp
ComboFix
ComboFix-quarantined-files
DWNLOG
SAUDIT
sysdrfg.exe
syseshf.exe
sysggyz.exe
sysivup.exe
systlmc.exe
sysuyqd.exe

Should I delete these or keep them, as I don't know what they are?

Thanks for all your help so far.

Edited by SKULL, 01 July 2007 - 10:46 AM.


#4 -David-

Posted 01 July 2007 - 10:45 AM

Go to this page.
Where it says "browse to the file that you want to submit", copy and paste the file path given at the bottom into the field.
Then click the Send File button below.
C:\syseshf.exe

Please do the same for:
C:\sysdrfg.exe

#5 SKULL

Posted 01 July 2007 - 10:50 AM

OK, the C:\sysdrfg.exe and C:\syseshf.exe files have been submitted.

Did you need the other ones done as well?

sysggyz.exe
sysivup.exe
systlmc.exe
sysuyqd.exe

#6 -David-

Posted 02 July 2007 - 04:12 PM

It's OK, thanks; they are all similar infected trojan downloaders.
Let's continue removing the rest of the infected files.

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Click start > run and type: notepad, then hit enter.

File::
C:\sysggyz.exe
C:\systlmc.exe
C:\WINDOWS\system32\qf1Q63pj.exe
C:\sysdrfg.exe
C:\sysivup.exe
C:\sysuyqd.exe
C:\syseshf.exe
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job

Click File > Save and call it "ComboFix-Do.txt" (without quotes).
Save it to your desktop.
[Image: ComboFix-Do.txt being dragged onto ComboFix.exe]
Referring to the picture above, drag ComboFix-Do.txt into ComboFix.exe.
Combofix will run, and a text file will open. Please post it back here.

#7 SKULL

Posted 03 July 2007 - 02:33 AM

"SKULL" - 2007-07-03 8:23:18 - ComboFix 07-06-27.7 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\SKULL\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\sysdrfg.exe
C:\syseshf.exe
C:\sysggyz.exe
C:\sysivup.exe
C:\systlmc.exe
C:\sysuyqd.exe
C:\WINDOWS\system32\qf1Q63pj.exe
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job


((((((((((((((((((((((((( Files Created from 2007-06-03 to 2007-07-03 )))))))))))))))))))))))))))))))


2007-07-01 15:41 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-29 15:13 <DIR> d-------- C:\Program Files\ParadisePoker
2007-06-29 14:55 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-06-29 14:55 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-29 14:55 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-29 14:55 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-29 14:55 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-29 14:55 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-29 14:54 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-28 18:11 <DIR> d-------- C:\Program Files\Easy HTML To Any Script Converter
2007-06-28 05:52 <DIR> d-------- C:\NVIDIA
2007-06-26 22:04 <DIR> d-------- C:\DOCUME~1\SKULL\APPLIC~1\AdobeUM
2007-06-23 13:01 <DIR> d---s---- C:\DOCUME~1\SKULL\UserData
2007-06-19 04:43 <DIR> dr-hs---- C:\WINDOWS\system32\dllcache
2007-06-19 04:43 <DIR> dr-hs---- C:\cmdcons
2007-06-19 04:43 <DIR> dr-h----- C:\MSOCache
2007-06-19 04:43 <DIR> dr--s---- C:\WINDOWS\Fonts
2007-06-19 04:43 <DIR> dr------- C:\WINDOWS\Web
2007-06-19 04:43 <DIR> dr------- C:\WINDOWS\Offline Web Pages
2007-06-19 04:43 <DIR> dr------- C:\Program Files
2007-06-19 04:43 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\Documents
2007-06-19 04:43 <DIR> d--hs---- C:\WINDOWS\Installer
2007-06-19 04:43 <DIR> d--hs---- C:\System Volume Information
2007-06-19 04:43 <DIR> d--hs---- C:\RECYCLER
2007-06-19 04:43 <DIR> d--hs---- C:\DOCUME~1\ALLUSE~1\DRM
2007-06-19 04:43 <DIR> d--h----- C:\WINDOWS\inf
2007-06-19 04:43 <DIR> d--h----- C:\WINDOWS\I386
2007-06-19 04:43 <DIR> d--h----- C:\Program Files\WindowsUpdate
2007-06-19 04:43 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-06-19 04:43 <DIR> d--h----- C:\PNP
2007-06-19 04:43 <DIR> d--h----- C:\DIVTOOLS
2007-06-19 04:43 <DIR> d---s---- C:\WINDOWS\Tasks
2007-06-19 04:43 <DIR> d---s---- C:\WINDOWS\Downloaded Program Files
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\WinSxS
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\twain_32
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\xircom
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\wins
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\wbem
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\usmt
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\trayres
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\spool
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\ShellExt
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\Setup
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\Restore
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\ReinstallBackups
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\ras
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\oobe
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\npp
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\mui
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\MsDtc
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\Macromed
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\inetsrv
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\IME
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\icsxml
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\ias
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\export
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\drivers\etc
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\drivers\disdn
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\drivers
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\DirectX
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\dhcp
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\config
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\Com
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\CatRoot
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\3com_dmi
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\3076
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\2052
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\1054
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\1042
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\1041
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\1037
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\1033
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\1031
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\1028
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32\1025
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system32
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\system
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\srchasst
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\SiS
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\security
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\Resources
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\REPAIR
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\Registration
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\Provisioning
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\PREFETCH
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\PeerNet
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\pchealth
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\occache
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\mui
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\msapps
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\msagent
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\Modio
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\Media
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\ime
2007-06-19 04:43 <DIR> d-------- C:\WINDOWS\Help


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-05-15 00:47]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{E5A1691B-D188-4419-AD02-90002030B8EE}=C:\PROGRA~1\FlashFXP\IEFlash.dll [2004-07-29 18:39]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"PCMService"="c:\Apps\Powercinema\PCMService.exe" [2004-09-15 22:17]
"ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 11:31]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2007-01-10 12:06]
"nwiz"="nwiz.exe" [2006-02-28 13:38 C:\WINDOWS\system32\nwiz.exe]
"HostManager"="C:\Program Files\Common Files\AOL\1182198904\ee\AOLSoftware.exe" [2006-11-17 14:21]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-10-13 19:01]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 16:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 22:57]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]


Contents of the 'Scheduled Tasks' folder
2007-06-25 22:49:31 C:\WINDOWS\tasks\HDReg.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-03 08:24:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-03 8:25:02
C:\ComboFix-quarantined-files.txt ... 2007-07-03 08:24
C:\ComboFix2.txt ... 2007-07-01 16:36

--- E O F ---

#8 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 03 July 2007 - 02:29 PM

Please perform this online scan: Kaspersky Webscan
Note that this scanner will only work on Internet Explorer, so please use this browser for the scan.
Read the Requirements and Privacy statement, then select "Accept"
A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
Select "Install" to download the ActiveX controls that allow ActiveScan to run.
When the download is complete it will say ready, click "Next"
Select a target to scan: Click on "My Computer"
When the scan is complete choose to save the results as "Save as Text"
Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.

#9 SKULL

SKULL
  • Topic Starter

  • Members
  • 51 posts
  • Gender:Male
  • Location:England

Posted 03 July 2007 - 03:51 PM

Tuesday, July 03, 2007 9:45:01 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 3/07/2007
Kaspersky Anti-Virus database records: 335365


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target Critical Areas
C:\WINDOWS
C:\DOCUME~1\SKULL\LOCALS~1\Temp\

Scan Statistics
Total number of scanned objects 13992
Number of viruses found 1
Number of infected objects 1
Number of suspicious objects 0
Duration of the scan process 00:11:57

Infected Object Name Virus Name Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\keyhook.exe Infected: Virus.Win32.Agent.ab skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_4bc.dat Object is locked skipped

C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\DOCUME~1\SKULL\LOCALS~1\Temp\Cookies\index.dat Object is locked skipped

C:\DOCUME~1\SKULL\LOCALS~1\Temp\History\History.IE5\index.dat Object is locked skipped

C:\DOCUME~1\SKULL\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\DOCUME~1\SKULL\LOCALS~1\Temp\~DFDAFE.tmp Object is locked skipped

C:\DOCUME~1\SKULL\LOCALS~1\Temp\~DFDB11.tmp Object is locked skipped

C:\DOCUME~1\SKULL\LOCALS~1\Temp\~DFEACC.tmp Object is locked skipped

C:\DOCUME~1\SKULL\LOCALS~1\Temp\~DFEB49.tmp Object is locked skipped

Scan process completed.


Logfile of HijackThis v1.99.1
Scan saved at 21:51:45, on 03/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Apps\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\Common Files\AOL\1182198904\ee\AOLSoftware.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AOL 9.0a\aoltray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\AOL 9.0a\waol.exe
C:\Program Files\AOL 9.0a\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1182198904\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Microgaming\Poker\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7324E363-14A0-4C38-830C-441FE10276F0}: NameServer = 205.188.146.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
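The scan result and the HijackThis log above are most useful read together: a flagged file matters more if it is still running or has an autostart entry. The triage script below is an added example, not a tool from this thread; it parses the Kaspersky "Infected:" lines and the HijackThis "Running processes" block and O4 entries from constructed excerpts modelled on the posted logs (the O4 keyhook entry is invented for the demo), and reports, for each flagged path, whether it is running and which autoruns point at it.

```python
import re

# Constructed excerpts modelled on the logs in this thread; the O4 "keyhook"
# entry is invented for the demo and does not appear in the posted log.
KASPERSKY_REPORT = """\
C:\\WINDOWS\\system32\\config\\SAM Object is locked skipped
C:\\WINDOWS\\system32\\keyhook.exe Infected: Virus.Win32.Agent.ab skipped
C:\\WINDOWS\\Temp\\_avast4_\\Webshlock.txt Object is locked skipped
"""

HIJACKTHIS_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\keyhook.exe
C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe

O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe"
O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /install
O4 - HKCU\\..\\Run: [keyhook] C:\\WINDOWS\\system32\\keyhook.exe
"""

# "<path> Infected: <detection> <action>" is the Kaspersky line shape for a hit.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
# O4 lines: "O4 - <hive\..\Run>: [<value name>] <quoted or bare exe> <args>"
O4_RE = re.compile(r'^O4 - (?P<key>\S+): \[(?P<entry>[^\]]*)\] "?(?P<exe>[^"]*?\.exe)"?', re.I)


def parse_kaspersky(report):
    """Map each flagged path (lower-cased) to its detection name."""
    found = {}
    for line in report.splitlines():
        m = INFECTED_RE.match(line.strip())
        if m:
            found[m.group("path").lower()] = m.group("name")
    return found


def parse_hijackthis(log):
    """Return (set of running process paths, {autorun label: exe}) from an HJT log."""
    running, autoruns, in_procs = set(), {}, False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process block
        elif in_procs:
            running.add(line.lower())
        else:
            m = O4_RE.match(line)
            if m:
                autoruns[f"{m.group('key')} [{m.group('entry')}]"] = m.group("exe").lower()
    return running, autoruns


def triage(report, log):
    """For each flagged file: is it running, and which autorun entries launch it?"""
    infected = parse_kaspersky(report)
    running, autoruns = parse_hijackthis(log)
    rows = []
    for path, detection in sorted(infected.items()):
        base = path.rsplit("\\", 1)[-1]
        # Match on the full path or the bare file name (Run values may omit the directory).
        starts = sorted(label for label, exe in autoruns.items()
                        if exe == path or exe.rsplit("\\", 1)[-1] == base)
        rows.append({"path": path, "detection": detection,
                     "running": path in running, "autoruns": starts})
    return rows
```

Run `triage(KASPERSKY_REPORT, HIJACKTHIS_LOG)` to get one row for keyhook.exe showing it both running and registered under HKCU\..\Run; a flagged file with no row entries in either column is a much lower priority than one with both.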

#10 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 03 July 2007 - 03:57 PM

Click here to download FindAWF.exe and save it to your desktop.
Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or whatever location you ran the file from.
Come back here to this thread and copy and paste the contents of the AWF.txt file in your next reply.

#11 SKULL

SKULL
  • Topic Starter

  • Members
  • 51 posts
  • Gender:Male
  • Location:England

Posted 03 July 2007 - 05:04 PM

Find AWF report by noahdfear 2006


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

#12 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 04 July 2007 - 12:18 PM

Interesting, let's continue.. :thumbsup:

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Can you please tell me if the following folder exists:
C:\WINDOWS\system32\bak

#13 SKULL

SKULL
  • Topic Starter

  • Members
  • 51 posts
  • Gender:Male
  • Location:England

Posted 05 July 2007 - 01:22 AM

No, the folder C:\WINDOWS\system32\bak is not on my PC.

P.S. I have also set all of the following back to how it was, as I feel unsafe having them all off:

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.


P.P.S. Something keeps trying to turn my firewall off, and something keeps adding files in my avast programme; it says if you continue your PC will be at risk, so I have to keep installing avast every so many weeks.



