services.exe terminating and computer rebooting (hjt log)

Post by Noonway » July 30th, 2006, 11:18 pm

I recently got a nasty virus from a file that a friend sent me that must have loaded hundreds of trojans on my computer. I'm definitely not an expert at this kind of stuff but I know my way around a computer. I downloaded several removal and prevention programs and thought I had found and removed everything malicious. Except now, I am frequently having problems with my computer locking up and/or c:\WINDOWS\system32\services.exe "terminating unexpectedly" because of "code xxx"... So far the codes have been mostly "204" but I did see a "203" recently. This happens at random times so I can't seem to pinpoint it myself.

I am running AVAST as my anti-virus... I also ran Ad-Aware, SpyBot S&D, TrojanHunter, and Ewido Anti-Spyware. As you can see from the HJT log, I am now running the resident versions of most of these.

Anyway... I thought I would drop my HJT log here so that an expert could help me. I'm headed to bed now, but I will check in again tomorrow when I get home from work.

Thanks in advance!
-Noon

Log follows:

Logfile of HijackThis v1.99.1
Scan saved at 11:04:21 PM, on 7/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 2.2.89.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0300042434
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://my.goarmy.com/dana-cached/setup ... rSetup.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15023/CTPID.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Noonway
Active Member
Posts: 8
Joined: July 30th, 2006, 10:42 pm

Post by agrarianmonk » July 30th, 2006, 11:33 pm

Welcome !! Please take note of the following while we are working together:
  • Your fix may take a couple posts so please be patient even if you don't see immediate results.
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's definitely better to be sure and safe than sorry.

***************************************


1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

In your next post, please include
  • new hijackthis log
  • combofix log
  • uninstall list


*use separate posts to ensure the logs don't get cut off!
agrarianmonk
MRU Teacher Emeritus
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Post by Noonway » July 30th, 2006, 11:44 pm

Wow... Thanks for the quick reply... I was in the middle of upgrading my TrojanHunter to the latest version when I saw the reply come in...

Here is the Combofix log:

Start Time= Sun 07/30/2006 23:37:10.04
Running from: C:\Documents and Settings\Tom\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-30 23:30:40 59392 ( ....R ) "C:\WINDOWS\system32\streamhlp.dll"
2006-07-30 23:30:38 ( .D... ) "C:\Program Files\TrojanHunter 4.5"
2006-07-30 22:01:34 ( .D... ) "C:\Program Files\Lavasoft"
2006-07-30 21:55:56 59392 ( ....R ) "C:\WINDOWS\streamhlp.dll"
2006-07-30 21:55:46 ( .D... ) "C:\Program Files\TrojanHunter 3.9"
2006-07-30 21:47:54 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-07-30 19:37:28 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-07-30 13:37:50 ( .D... ) "C:\Program Files\GameShadow"
2006-07-30 13:31:30 ( .D... ) "C:\Program Files\Firefly Studios"
2006-07-29 10:39:02 ( .D... ) "C:\Documents and Settings\Tom\Application Data\Lavasoft"
2006-07-28 23:15:30 ( .D... ) "C:\Program Files\Human Head Studios"
2006-07-25 23:06:06 ( .D... ) "C:\Program Files\Lighthouse Interactive"
2006-07-25 19:02:46 ( .D... ) "C:\Documents and Settings\Tom\Application Data\IGN_DLM"
2006-07-25 19:02:28 ( .D... ) "C:\Program Files\IGN"
2006-07-22 11:01:12 ( .D... ) "C:\Program Files\Debugging Tools for Windows"
2006-07-20 23:37:58 ( .D... ) "C:\Program Files\THQ"
2006-07-17 21:22:48 ( .D... ) "C:\Program Files\Windows Desktop Search"
2006-07-17 21:15:28 ( .D... ) "C:\Documents and Settings\Tom\Application Data\Microsoft Games"
2006-07-17 21:02:34 ( .D... ) "C:\Program Files\Microsoft Games"
2006-07-17 20:55:24 ( .D... ) "C:\Documents and Settings\Tom\Application Data\Apple Computer"
2006-07-16 20:16:02 194133 ( A.... ) "C:\WINDOWS\patcher.exe"
2006-07-14 21:37:20 ( .D... ) "C:\Program Files\Enlight"
2006-07-13 20:36:02 280692 ( A.... ) "C:\WINDOWS\dr.exe"
2006-06-19 20:23:44 34308 ( A.... ) "C:\WINDOWS\system32\BASSMOD.dll"
2006-06-19 20:23:40 ( .D... ) "C:\Program Files\MagicISO"
2006-06-19 16:20:42 702768 ( A.... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-18 09:14:14 ( .D... ) "C:\Program Files\Winamp"
2006-06-17 01:27:06 ( .D... ) "C:\Documents and Settings\Tom\Application Data\My Games"
2006-06-17 01:24:28 ( .D... ) "C:\Program Files\Firaxis Games"
2006-06-17 00:26:46 ( .D... ) "C:\Program Files\Common Files\EasyInfo"
2006-06-17 00:16:12 ( .D... ) "C:\Program Files\EA SPORTS"
2006-06-17 00:00:20 ( .D... ) "C:\Program Files\QuickTime"
2006-06-16 17:36:54 ( .D... ) "C:\Program Files\Microsoft SQL Server"
2006-06-16 17:36:20 ( .D... ) "C:\Program Files\Microsoft Device Emulator"
2006-06-16 17:23:12 ( .D... ) "C:\Program Files\HTML Help Workshop"
2006-06-16 17:23:12 ( .D... ) "C:\Program Files\Common Files\Merge Modules"
2006-06-16 17:23:12 ( .D... ) "C:\Program Files\Common Files\Business Objects"
2006-06-16 17:23:12 ( .D... ) "C:\Program Files\CE Remote Tools"
2006-06-15 21:46:26 ( .D... ) "C:\Documents and Settings\Tom\Application Data\AdobeUM"
2006-06-15 21:32:40 ( .D... ) "C:\Documents and Settings\Tom\Application Data\Talkback"
2006-06-15 21:32:08 ( .D... ) "C:\Documents and Settings\Tom\Application Data\Mozilla"
2006-06-15 21:31:46 ( .D... ) "C:\Program Files\Mozilla Firefox"
2006-06-14 23:38:34 ( .D... ) "C:\Program Files\Common Files\Kodak"
2006-06-14 23:17:44 ( .D... ) "C:\Program Files\Kodak"
2006-06-14 22:34:22 98304 ( A.... ) "C:\WINDOWS\system32\CmdLineExt.dll"
2006-06-14 22:18:46 ( .D... ) "C:\Program Files\MSBuild"
2006-06-14 22:18:32 ( .D... ) "C:\Program Files\Microsoft Visual Studio"
2006-06-14 22:18:30 ( .D... ) "C:\Program Files\Common Files\DESIGNER"
2006-06-14 22:17:46 ( .D... ) "C:\Program Files\Microsoft Works"
2006-06-14 22:17:44 ( .D... ) "C:\Program Files\Microsoft.NET"
2006-06-14 22:16:54 ( .D... ) "C:\Program Files\Microsoft Visual Studio 8"
2006-06-14 22:16:10 ( .D... ) "C:\Program Files\Microsoft Office"
2006-06-14 16:50:44 ( .D... ) "C:\Program Files\hp deskjet 5550 series"
2006-06-14 16:47:58 ( .D... ) "C:\Program Files\Hewlett-Packard"
2006-06-14 16:31:42 ( .D... ) "C:\Program Files\Alwil Software"
2006-06-14 16:14:14 ( .D... ) "C:\Program Files\mIRC"
2006-06-14 16:11:08 ( .D... ) "C:\Documents and Settings\Tom\Application Data\SmartFTP"
2006-06-14 16:08:06 ( .D... ) "C:\Program Files\SmartFTP Client 2.0"
2006-06-14 16:06:04 ( .D... ) "C:\Documents and Settings\Tom\Application Data\Help"
2006-06-14 16:03:06 ( .D... ) "C:\Program Files\WinRAR"
2006-06-14 14:29:34 ( .D... ) "C:\Program Files\Neoteris"
2006-06-14 14:29:08 ( .D... ) "C:\Documents and Settings\Tom\Application Data\Juniper Networks"
2006-06-14 13:18:30 ( .D... ) "C:\Documents and Settings\Tom\Application Data\Macromedia"
2006-06-14 13:16:28 873 ( A.... ) "C:\Documents and Settings\Tom\Application Data\AdobeDLM.log"
2006-06-14 13:16:28 0 ( A.... ) "C:\Documents and Settings\Tom\Application Data\dm.ini"
2006-06-14 13:16:28 ( .D... ) "C:\Program Files\Adobe"
2006-06-14 13:15:42 ( .D... ) "C:\Documents and Settings\Tom\Application Data\Adobe"
2006-06-14 13:15:40 ( .D... ) "C:\Program Files\Common Files\Adobe"
2006-06-14 13:07:54 ( .D... ) "C:\Documents and Settings\Tom\Application Data\Sun"
2006-06-14 12:57:52 ( .D... ) "C:\Program Files\Java"
2006-06-14 12:53:02 ( .D... ) "C:\Program Files\Common Files\Java"
2006-06-14 12:42:02 ( .D... ) "C:\Program Files\eMule"
2006-06-14 12:31:02 ( .D... ) "C:\Program Files\Windows Media Connect 2"
2006-06-14 12:18:18 ( .D... ) "C:\Documents and Settings\Tom\Application Data\Creative"
2006-06-14 12:16:52 ( .D.H. ) "C:\Program Files\InstallShield Installation Information"
2006-06-14 12:16:50 ( .D... ) "C:\Program Files\Common Files\InstallShield"
2006-06-14 12:12:50 ( .D... ) "C:\Program Files\Creative"
2006-06-14 10:56:54 47564 ( A.SHR ) "C:\NTDETECT.COM"
2006-06-14 10:48:16 ( .D... ) "C:\Documents and Settings\Tom\Application Data\Identities"
2006-06-14 10:48:12 ( .D.H. ) "C:\Program Files\Uninstall Information"
2006-06-14 10:48:10 ( .DS.. ) "C:\Documents and Settings\Tom\Application Data\Microsoft"
2006-06-14 10:40:22 ( .D... ) "C:\Program Files\xerox"
2006-06-14 10:40:22 ( .D... ) "C:\Program Files\microsoft frontpage"
2006-06-14 10:38:30 0 ( A.... ) "C:\AUTOEXEC.BAT"
2006-06-14 10:37:10 ( .D... ) "C:\Program Files\Common Files\Services"
2006-06-14 10:37:06 ( .D... ) "C:\Program Files\Common Files\MSSoap"
2006-06-14 10:37:00 ( .D... ) "C:\Program Files\Movie Maker"
2006-06-14 10:36:56 ( .D... ) "C:\Program Files\NetMeeting"
2006-06-14 10:36:54 ( .D... ) "C:\Program Files\Outlook Express"
2006-06-14 10:36:52 ( .D... ) "C:\Program Files\Internet Explorer"
2006-06-14 10:36:52 ( .D... ) "C:\Program Files\Common Files\System"
2006-06-14 10:36:34 ( .D.H. ) "C:\Program Files\WindowsUpdate"
2006-06-14 10:36:34 ( .D... ) "C:\Program Files\Windows Media Player"
2006-06-14 10:36:32 ( .D... ) "C:\Program Files\Messenger"
2006-06-14 10:36:28 ( .D... ) "C:\Program Files\MSN Gaming Zone"
2006-06-14 10:36:02 ( .D... ) "C:\Program Files\Windows NT"
2006-06-14 06:20:44 ( .D... ) "C:\Program Files\Common Files\ODBC"
2006-06-14 06:20:42 ( .D... ) "C:\Program Files\Common Files\SpeechEngines"
2006-06-14 06:20:42 ( .D... ) "C:\Program Files\Common Files\Microsoft Shared"
2006-06-14 06:20:42 ( .D... ) "C:\Program Files\Common Files"
2006-06-14 06:20:26 62 ( A.SH. ) "C:\Documents and Settings\Tom\Application Data\desktop.ini"
2006-05-31 05:02:04 624640 ( A.... ) "C:\WINDOWS\system32\aswBoot.exe"
2006-05-31 04:54:36 90112 ( A.... ) "C:\WINDOWS\system32\AVASTSS.scr"
2006-05-19 08:59:42 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 08:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 08:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"
2006-05-03 02:56:58 127078 ( A.... ) "C:\WINDOWS\system32\javaws.exe"
2006-05-03 01:19:40 53346 ( A.... ) "C:\WINDOWS\system32\javaw.exe"
2006-05-03 01:19:30 49248 ( A.... ) "C:\WINDOWS\system32\java.exe"
2006-05-02 14:29:00 229376 ( A.... ) "C:\WINDOWS\system32\KPDPMUI.dll"
2006-05-02 14:28:00 307200 ( A.... ) "C:\WINDOWS\system32\KPDPM.dll"

Rootkit driver pe386 is present. A rootkit scan is required


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-30 13:37 62,672 C:\WINDOWS\system32\xinput1_1.dll
2006-07-30 13:37 229,584 C:\WINDOWS\system32\xactengine2_1.dll
2006-07-30 13:36 2,388,176 C:\WINDOWS\system32\d3dx9_30.dll
2006-07-29 11:48 90,112 C:\WINDOWS\system32\AVASTSS.scr
2006-07-29 11:48 624,640 C:\WINDOWS\system32\aswBoot.exe
2006-07-29 11:01 1,610,612,736 C:\pagefile.sys
2006-07-20 23:42 40,960 C:\WINDOWS\system32\psfind.dll
2006-07-16 20:16 194,133 C:\WINDOWS\patcher.exe
2006-07-13 20:36 280,692 C:\WINDOWS\dr.exe
2006-06-22 19:00 7,168 C:\WINDOWS\system32\snprfdll.dll
2006-06-22 19:00 5,632 C:\WINDOWS\system32\adsiisex.dll
2006-06-22 19:00 43,520 C:\WINDOWS\system32\fcachdll.dll
2006-06-22 19:00 23,040 C:\WINDOWS\system32\regtrace.exe
2006-06-22 19:00 12,288 C:\WINDOWS\system32\smtpctrs.dll
2006-06-22 18:59 8,704 C:\WINDOWS\system32\infoctrs.dll
2006-06-22 18:59 7,680 C:\WINDOWS\system32\ftpctrs2.dll
2006-06-22 18:59 7,168 C:\WINDOWS\system32\wamregps.dll
2006-06-22 18:59 6,144 C:\WINDOWS\system32\ftpsapi2.dll
2006-06-22 18:59 6,144 C:\WINDOWS\system32\admxprox.dll
2006-06-22 18:59 56,320 C:\WINDOWS\system32\convlog.exe
2006-06-22 18:59 5,632 C:\WINDOWS\system32\w3svapi.dll
2006-06-22 18:59 5,632 C:\WINDOWS\system32\iisrstap.dll
2006-06-22 18:59 4,608 C:\WINDOWS\system32\w3ctrs.dll
2006-06-22 18:59 3,584 C:\WINDOWS\system32\iismui.dll
2006-06-22 18:59 19,968 C:\WINDOWS\system32\inetsloc.dll
2006-06-22 18:59 14,336 C:\WINDOWS\system32\iisreset.exe
2006-06-22 18:59 10,240 C:\WINDOWS\system32\aspperf.dll
2006-06-18 09:14 109,568 C:\WINDOWS\system32\pxinsi64.exe
2006-06-18 09:14 108,544 C:\WINDOWS\system32\pxcpyi64.exe
2006-06-18 00:34 438,272 C:\WINDOWS\system32\vp6vfw.dll
2006-06-18 00:34 118,832 C:\WINDOWS\system32\SHW32.DLL
2006-06-15 17:50 221,184 C:\WINDOWS\system32\wmpns.dll
2006-06-15 06:52 127,208 C:\WINDOWS\system32\mucltui.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.5\\THGuard.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
@=""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{553858A7-4922-4e7e-B1C1-97140C1C16EF}"="IE Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Kodak EasyShare software.lnk"
"backup"="C:\\WINDOWS\\pss\\Kodak EasyShare software.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Kodak\\KODAKE~1\\bin\\EASYSH~1.EXE -hx"
"item"="Kodak EasyShare software"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\KODAK Software Updater.lnk"
"backup"="C:\\WINDOWS\\pss\\KODAK Software Updater.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Kodak\\KODAKS~1\\7288971\\Program\\KODAKS~1.EXE "
"item"="KODAK Software Updater"

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
DisableRegistryTools REG_DWORD 0 (0x0)



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At6.job

Completion time: Sun 07/30/2006 23:39:42.65
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt
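The Find3M report above is a flat list that is hard to read by eye, and the one line that matters ("Rootkit driver pe386 is present") is buried under a hundred timestamps. The following is an added example written for this page; it is not part of the thread and not ComboFix's own code. It parses Find3M lines into (time, size, attributes, path), pulls out ComboFix's rootkit notice, and lists binaries that sit directly in C:\WINDOWS together with any directory written within 30 seconds of them: a file created beside a freshly written Program Files folder is an installer artefact (streamhlp.dll next to the TrojanHunter folder), while a file with no such neighbour (patcher.exe, dr.exe) has nothing in the log that explains it and deserves a manual look. The 30-second window and the "binary in the root of %SystemRoot%" heuristic are this example's own assumptions, not ComboFix rules; SAMPLE is a constructed excerpt copied from the log posted above.

```python
"""
Triage helper for the Find3M section of a ComboFix log: parse each line into
(time, size, attributes, path), pull out ComboFix's own rootkit notice, and
list binaries sitting directly in the Windows directory together with any
directory written at about the same time. SAMPLE is an excerpt of the log
posted in this thread; the 30 s window and the %SystemRoot% heuristic are
this example's assumptions.
"""
import re
from datetime import datetime, timedelta

FIND3M_RE = re.compile(
    r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?:(\d+)\s+)?\(\s*([A-Z.]+)\s*\)\s+"([^"]+)"$'
)
ROOTKIT_RE = re.compile(r"^Rootkit driver (\S+) is present", re.IGNORECASE)
BINARY_EXT = (".exe", ".dll", ".sys", ".scr")

SAMPLE = r"""(((((((((((((((((( Find3M Report ))))))))))))))))))

2006-07-30 23:30:40 59392 ( ....R ) "C:\WINDOWS\system32\streamhlp.dll"
2006-07-30 23:30:38 ( .D... ) "C:\Program Files\TrojanHunter 4.5"
2006-07-30 21:55:56 59392 ( ....R ) "C:\WINDOWS\streamhlp.dll"
2006-07-30 21:55:46 ( .D... ) "C:\Program Files\TrojanHunter 3.9"
2006-07-16 20:16:02 194133 ( A.... ) "C:\WINDOWS\patcher.exe"
2006-07-13 20:36:02 280692 ( A.... ) "C:\WINDOWS\dr.exe"
2006-06-19 16:20:42 702768 ( A.... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-14 10:56:54 47564 ( A.SHR ) "C:\NTDETECT.COM"
2006-05-31 05:02:04 624640 ( A.... ) "C:\WINDOWS\system32\aswBoot.exe"

Rootkit driver pe386 is present. A rootkit scan is required
"""


def parse_find3m(text):
    """One dict per Find3M line; directories have no size and carry 'D' in the attributes."""
    entries = []
    for line in text.splitlines():
        m = FIND3M_RE.match(line.strip())
        if not m:
            continue
        when, size, attrs, path = m.groups()
        entries.append({
            "when": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
            "size": int(size) if size else None,
            "attrs": attrs,
            "path": path,
            "is_dir": "D" in attrs,
        })
    return entries


def rootkit_notices(text):
    """Driver names ComboFix itself reports as rootkits (here: pe386)."""
    hits = []
    for line in text.splitlines():
        m = ROOTKIT_RE.match(line.strip())
        if m:
            hits.append(m.group(1))
    return hits


def windows_root_binaries(entries, windir=r"C:\WINDOWS"):
    """Executables, DLLs, drivers and screensavers placed directly in %SystemRoot%.
    Legitimate software almost always lands in system32 or Program Files, so these
    are review candidates, not verdicts."""
    hits = []
    for e in entries:
        parent, _, name = e["path"].rpartition("\\")
        if (not e["is_dir"] and parent.lower() == windir.lower()
                and name.lower().endswith(BINARY_EXT)):
            hits.append(e)
    return hits


def nearby_dirs(entry, entries, window=timedelta(seconds=30)):
    """Directories written within `window` of the file: an installer folder created
    at the same moment explains the file; a drop with no such neighbour does not."""
    return [d["path"] for d in entries
            if d["is_dir"] and abs(d["when"] - entry["when"]) <= window]


if __name__ == "__main__":
    found = parse_find3m(SAMPLE)
    print("rootkit notices:", rootkit_notices(SAMPLE))
    for hit in windows_root_binaries(found):
        print(hit["when"], hit["path"], "written near:", nearby_dirs(hit, found))
```

Run it against a full ComboFix.txt by reading the file into `SAMPLE`'s place; the Find3M block is already sorted newest first, so the printed candidates come out in timeline order. A candidate with a sibling directory is not automatically clean (an installer can be the carrier), but one with no sibling at all, like the two files in the root of C:\WINDOWS here, is where a helper would look first.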

Post by Noonway » July 30th, 2006, 11:46 pm

Uninstall Log from HJT:

Ad-aware 6 Professional
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0.8
avast! Antivirus
CCScore
CivCity
Creative Audio Console
Debugging Tools for Windows
eMule
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
essvcpt
ewido anti-spyware 4.0
HijackThis 1.99.1
HLPPDOCK
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
hp deskjet 5550 series (Remove only)
IGN Download Manager 2.2.2
Intel(R) PRO Network Connections Drivers
Internet Explorer 7 Beta 2
J2SE Runtime Environment 5.0 Update 7
kgcbase
Kodak EasyShare software
KSU
Macromedia Flash Player 8
Macromedia Shockwave Player
Madden NFL 06
Magic ISO Maker v5.0 (build 0166)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Device Emulator version 1.0 - ENU
Microsoft Document Explorer 2005
Microsoft Document Explorer 2005
Microsoft Office Access MUI (English) 2007 (Beta)
Microsoft Office Excel MUI (English) 2007 (Beta)
Microsoft Office InfoPath MUI (English) 2007 (Beta)
Microsoft Office Outlook MUI (English) 2007 (Beta)
Microsoft Office PowerPoint MUI (English) 2007 (Beta)
Microsoft Office Professional 2007 (Beta)
Microsoft Office Professional Plus 2007 (Beta)
Microsoft Office Project MUI (English) 2007 (Beta)
Microsoft Office Project Professional 2007 (Beta)
Microsoft Office Project Professional 2007 (Beta)
Microsoft Office Proof (English) 2007 (Beta)
Microsoft Office Proof (French) 2007 (Beta)
Microsoft Office Proof (Spanish) 2007 (Beta)
Microsoft Office Publisher MUI (English) 2007 (Beta)
Microsoft Office Shared MUI (English) 2007 (Beta)
Microsoft Office Visio MUI (English) 2007 (Beta)
Microsoft Office Visio Professional 2007 (Beta)
Microsoft Office Visio Professional 2007 (Beta)
Microsoft Office Word MUI (English) 2007 (Beta)
Microsoft Visual Studio 2005 Professional Edition - ENU
mIRC
Mozilla Firefox (1.5)
NBA LIVE 06
NFL Head Coach
Notifier
NVIDIA Drivers
OfotoXMI
OTtBP
OTtBPSDK
Prey
QuickTime
Restaurant Empire
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
SFR
SHASTA
Sid Meier's Civilization 4
SKIN0001
SKINXSDK
SmartFTP Client 2.0 (remove only)
Spybot - Search & Destroy 1.4
staticcr
Tiger Woods PGA TOUR 06
Titan Quest
TrojanHunter 4.5
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
VPRINTOL
Winamp (remove only)
Windows Defender Signatures
Windows Desktop Search
Windows Installer 3.1 (KB893803)
Windows Media Connect
Windows Media Format Runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
WIRELESS
Zoo Tycoon 2 - African Adventure

Post by Noonway » July 30th, 2006, 11:48 pm

New HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 11:48:06 PM, on 7/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
c:\hjt\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 2.2.89.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0300042434
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://my.goarmy.com/dana-cached/setup ... rSetup.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15023/CTPID.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Noonway
Active Member
 
Posts: 8
Joined: July 30th, 2006, 10:42 pm
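A defender-side parser for the HijackThis log format quoted above, added here as an example; it is not HijackThis's own code and was not posted by anyone in the thread. The sample lines are copied from the log in this thread, while the `Entry` record, the `triage()` helper and the flag names are this example's own conventions.

```python
import re
from dataclasses import dataclass, field

# Every HijackThis entry starts with a section code, " - ", then the body.
_ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 - <hive>\..\<key>: [<name>] <command>
_O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 - Service: <display name> - <owner> - <path>
_O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Constructed sample: lines copied from the HJT log quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class Entry:
    section: str
    raw: str
    fields: dict = field(default_factory=dict)
    flags: list = field(default_factory=list)


def parse_entry(line):
    """Return an Entry for one HJT line, or None for lines that are not entries."""
    m = _ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    e = Entry(section=section, raw=line.strip())
    # A target HJT could not find is a dangling autostart: harmless on its
    # own, but worth removing so the entry cannot be reused later.
    if "(file missing)" in body:
        e.flags.append("file-missing")
    if section == "O4":
        s = _O4_RE.match(body)
        if s:
            e.fields = s.groupdict()
    elif section == "O23":
        s = _O23_RE.match(body)
        if s:
            e.fields = s.groupdict()
            # "Unknown owner" means the binary carries no company name in its
            # version resource; it is a prompt to verify the file, not a verdict.
            if e.fields["owner"] == "Unknown owner":
                e.flags.append("unknown-owner")
    elif section == "O20":
        # Winlogon Notify DLLs are loaded by winlogon.exe at boot; verify each.
        e.flags.append("winlogon-notify")
    return e


def parse_log(text):
    """Parse a whole HJT log into a list of Entry records, skipping non-entry lines."""
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def triage(text):
    """Group the raw text of flagged entries by flag name for manual review."""
    out = {}
    for e in parse_log(text):
        for f in e.flags:
            out.setdefault(f, []).append(e.raw)
    return out


if __name__ == "__main__":
    for flag, lines in triage(SAMPLE_LOG).items():
        print(flag)
        for raw in lines:
            print("   ", raw)
```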

Unread postby agrarianmonk » July 31st, 2006, 12:34 am

looks like you have the pe386 rootkit mailer bot.

let's try to get rid of it this way:

Download F-Secure Blacklight (blbeta.exe) and save it to your desktop.

go to start --> run and copy/paste in the following:

"%userprofile%\desktop\blbeta.exe" /expert

- Accept the user agreement.
- Click Scan.

DURING the scan, shutdown your computer.

This is important because the rootkit removes itself during the scanning process to avoid detection, but reinstalls itself immediately after the scan finishes. By shutting down the computer during the scan, we can prevent the rootkit from reinstalling itself.

Then, turn your computer back on, and post a new combofix log.

thanks,
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby Noonway » July 31st, 2006, 8:28 am

Blacklight scan run... Pulled the plug on the comp during the scan. Plugged computer back in, restarted... Ran combofix scan:

Start Time= Mon 07/31/2006 8:24:01.64
Running from: C:\Documents and Settings\Tom\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-30 23:30:40 59392 ( ....R ) "C:\WINDOWS\system32\streamhlp.dll"
2006-07-30 23:30:38 ( .D... ) "C:\Program Files\TrojanHunter 4.5"
2006-07-30 22:01:34 ( .D... ) "C:\Program Files\Lavasoft"
2006-07-30 21:55:56 59392 ( ....R ) "C:\WINDOWS\streamhlp.dll"
2006-07-30 21:55:46 ( .D... ) "C:\Program Files\TrojanHunter 3.9"
2006-07-30 21:47:54 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-07-30 19:37:28 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-07-30 13:37:50 ( .D... ) "C:\Program Files\GameShadow"
2006-07-30 13:31:30 ( .D... ) "C:\Program Files\Firefly Studios"
2006-07-29 10:39:02 ( .D... ) "C:\Documents and Settings\Tom\Application Data\Lavasoft"
2006-07-28 23:15:30 ( .D... ) "C:\Program Files\Human Head Studios"
2006-07-25 23:06:06 ( .D... ) "C:\Program Files\Lighthouse Interactive"
2006-07-25 19:02:46 ( .D... ) "C:\Documents and Settings\Tom\Application Data\IGN_DLM"
2006-07-25 19:02:28 ( .D... ) "C:\Program Files\IGN"
2006-07-22 11:01:12 ( .D... ) "C:\Program Files\Debugging Tools for Windows"
2006-07-20 23:37:58 ( .D... ) "C:\Program Files\THQ"
2006-07-17 21:22:48 ( .D... ) "C:\Program Files\Windows Desktop Search"
2006-07-17 21:15:28 ( .D... ) "C:\Documents and Settings\Tom\Application Data\Microsoft Games"
2006-07-17 21:02:34 ( .D... ) "C:\Program Files\Microsoft Games"
2006-07-17 20:55:24 ( .D... ) "C:\Documents and Settings\Tom\Application Data\Apple Computer"
2006-07-16 20:16:02 194133 ( A.... ) "C:\WINDOWS\patcher.exe"
2006-07-14 21:37:20 ( .D... ) "C:\Program Files\Enlight"
2006-07-13 20:36:02 280692 ( A.... ) "C:\WINDOWS\dr.exe"
2006-06-19 20:23:44 34308 ( A.... ) "C:\WINDOWS\system32\BASSMOD.dll"
2006-06-19 20:23:40 ( .D... ) "C:\Program Files\MagicISO"
2006-06-19 16:20:42 702768 ( A.... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-18 09:14:14 ( .D... ) "C:\Program Files\Winamp"
2006-06-17 01:27:06 ( .D... ) "C:\Documents and Settings\Tom\Application Data\My Games"
2006-06-17 01:24:28 ( .D... ) "C:\Program Files\Firaxis Games"
2006-06-17 00:26:46 ( .D... ) "C:\Program Files\Common Files\EasyInfo"
2006-06-17 00:16:12 ( .D... ) "C:\Program Files\EA SPORTS"
2006-06-17 00:00:20 ( .D... ) "C:\Program Files\QuickTime"
2006-06-16 17:36:54 ( .D... ) "C:\Program Files\Microsoft SQL Server"
2006-06-16 17:36:20 ( .D... ) "C:\Program Files\Microsoft Device Emulator"
2006-06-16 17:23:12 ( .D... ) "C:\Program Files\HTML Help Workshop"
2006-06-16 17:23:12 ( .D... ) "C:\Program Files\Common Files\Merge Modules"
2006-06-16 17:23:12 ( .D... ) "C:\Program Files\Common Files\Business Objects"
2006-06-16 17:23:12 ( .D... ) "C:\Program Files\CE Remote Tools"
2006-06-15 21:46:26 ( .D... ) "C:\Documents and Settings\Tom\Application Data\AdobeUM"
2006-06-15 21:32:40 ( .D... ) "C:\Documents and Settings\Tom\Application Data\Talkback"
2006-06-15 21:32:08 ( .D... ) "C:\Documents and Settings\Tom\Application Data\Mozilla"
2006-06-15 21:31:46 ( .D... ) "C:\Program Files\Mozilla Firefox"
2006-06-14 23:38:34 ( .D... ) "C:\Program Files\Common Files\Kodak"
2006-06-14 23:17:44 ( .D... ) "C:\Program Files\Kodak"
2006-06-14 22:34:22 98304 ( A.... ) "C:\WINDOWS\system32\CmdLineExt.dll"
2006-06-14 22:18:46 ( .D... ) "C:\Program Files\MSBuild"
2006-06-14 22:18:32 ( .D... ) "C:\Program Files\Microsoft Visual Studio"
2006-06-14 22:18:30 ( .D... ) "C:\Program Files\Common Files\DESIGNER"
2006-06-14 22:17:46 ( .D... ) "C:\Program Files\Microsoft Works"
2006-06-14 22:17:44 ( .D... ) "C:\Program Files\Microsoft.NET"
2006-06-14 22:16:54 ( .D... ) "C:\Program Files\Microsoft Visual Studio 8"
2006-06-14 22:16:10 ( .D... ) "C:\Program Files\Microsoft Office"
2006-06-14 16:50:44 ( .D... ) "C:\Program Files\hp deskjet 5550 series"
2006-06-14 16:47:58 ( .D... ) "C:\Program Files\Hewlett-Packard"
2006-06-14 16:31:42 ( .D... ) "C:\Program Files\Alwil Software"
2006-06-14 16:14:14 ( .D... ) "C:\Program Files\mIRC"
2006-06-14 16:11:08 ( .D... ) "C:\Documents and Settings\Tom\Application Data\SmartFTP"
2006-06-14 16:08:06 ( .D... ) "C:\Program Files\SmartFTP Client 2.0"
2006-06-14 16:06:04 ( .D... ) "C:\Documents and Settings\Tom\Application Data\Help"
2006-06-14 16:03:06 ( .D... ) "C:\Program Files\WinRAR"
2006-06-14 14:29:34 ( .D... ) "C:\Program Files\Neoteris"
2006-06-14 14:29:08 ( .D... ) "C:\Documents and Settings\Tom\Application Data\Juniper Networks"
2006-06-14 13:18:30 ( .D... ) "C:\Documents and Settings\Tom\Application Data\Macromedia"
2006-06-14 13:16:28 873 ( A.... ) "C:\Documents and Settings\Tom\Application Data\AdobeDLM.log"
2006-06-14 13:16:28 0 ( A.... ) "C:\Documents and Settings\Tom\Application Data\dm.ini"
2006-06-14 13:16:28 ( .D... ) "C:\Program Files\Adobe"
2006-06-14 13:15:42 ( .D... ) "C:\Documents and Settings\Tom\Application Data\Adobe"
2006-06-14 13:15:40 ( .D... ) "C:\Program Files\Common Files\Adobe"
2006-06-14 13:07:54 ( .D... ) "C:\Documents and Settings\Tom\Application Data\Sun"
2006-06-14 12:57:52 ( .D... ) "C:\Program Files\Java"
2006-06-14 12:53:02 ( .D... ) "C:\Program Files\Common Files\Java"
2006-06-14 12:42:02 ( .D... ) "C:\Program Files\eMule"
2006-06-14 12:31:02 ( .D... ) "C:\Program Files\Windows Media Connect 2"
2006-06-14 12:18:18 ( .D... ) "C:\Documents and Settings\Tom\Application Data\Creative"
2006-06-14 12:16:52 ( .D.H. ) "C:\Program Files\InstallShield Installation Information"
2006-06-14 12:16:50 ( .D... ) "C:\Program Files\Common Files\InstallShield"
2006-06-14 12:12:50 ( .D... ) "C:\Program Files\Creative"
2006-06-14 10:56:54 47564 ( A.SHR ) "C:\NTDETECT.COM"
2006-06-14 10:48:16 ( .D... ) "C:\Documents and Settings\Tom\Application Data\Identities"
2006-06-14 10:48:12 ( .D.H. ) "C:\Program Files\Uninstall Information"
2006-06-14 10:48:10 ( .DS.. ) "C:\Documents and Settings\Tom\Application Data\Microsoft"
2006-06-14 10:40:22 ( .D... ) "C:\Program Files\xerox"
2006-06-14 10:40:22 ( .D... ) "C:\Program Files\microsoft frontpage"
2006-06-14 10:38:30 0 ( A.... ) "C:\AUTOEXEC.BAT"
2006-06-14 10:37:10 ( .D... ) "C:\Program Files\Common Files\Services"
2006-06-14 10:37:06 ( .D... ) "C:\Program Files\Common Files\MSSoap"
2006-06-14 10:37:00 ( .D... ) "C:\Program Files\Movie Maker"
2006-06-14 10:36:56 ( .D... ) "C:\Program Files\NetMeeting"
2006-06-14 10:36:54 ( .D... ) "C:\Program Files\Outlook Express"
2006-06-14 10:36:52 ( .D... ) "C:\Program Files\Internet Explorer"
2006-06-14 10:36:52 ( .D... ) "C:\Program Files\Common Files\System"
2006-06-14 10:36:34 ( .D.H. ) "C:\Program Files\WindowsUpdate"
2006-06-14 10:36:34 ( .D... ) "C:\Program Files\Windows Media Player"
2006-06-14 10:36:32 ( .D... ) "C:\Program Files\Messenger"
2006-06-14 10:36:28 ( .D... ) "C:\Program Files\MSN Gaming Zone"
2006-06-14 10:36:02 ( .D... ) "C:\Program Files\Windows NT"
2006-06-14 06:20:44 ( .D... ) "C:\Program Files\Common Files\ODBC"
2006-06-14 06:20:42 ( .D... ) "C:\Program Files\Common Files\SpeechEngines"
2006-06-14 06:20:42 ( .D... ) "C:\Program Files\Common Files\Microsoft Shared"
2006-06-14 06:20:42 ( .D... ) "C:\Program Files\Common Files"
2006-06-14 06:20:26 62 ( A.SH. ) "C:\Documents and Settings\Tom\Application Data\desktop.ini"
2006-05-31 05:02:04 624640 ( A.... ) "C:\WINDOWS\system32\aswBoot.exe"
2006-05-31 04:54:36 90112 ( A.... ) "C:\WINDOWS\system32\AVASTSS.scr"
2006-05-19 08:59:42 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 08:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 08:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"
2006-05-03 02:56:58 127078 ( A.... ) "C:\WINDOWS\system32\javaws.exe"
2006-05-03 01:19:40 53346 ( A.... ) "C:\WINDOWS\system32\javaw.exe"
2006-05-03 01:19:30 49248 ( A.... ) "C:\WINDOWS\system32\java.exe"
2006-05-02 14:29:00 229376 ( A.... ) "C:\WINDOWS\system32\KPDPMUI.dll"
2006-05-02 14:28:00 307200 ( A.... ) "C:\WINDOWS\system32\KPDPM.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-30 13:37 62,672 C:\WINDOWS\system32\xinput1_1.dll
2006-07-30 13:37 229,584 C:\WINDOWS\system32\xactengine2_1.dll
2006-07-30 13:36 2,388,176 C:\WINDOWS\system32\d3dx9_30.dll
2006-07-29 11:48 90,112 C:\WINDOWS\system32\AVASTSS.scr
2006-07-29 11:48 624,640 C:\WINDOWS\system32\aswBoot.exe
2006-07-29 11:01 1,610,612,736 C:\pagefile.sys
2006-07-20 23:42 40,960 C:\WINDOWS\system32\psfind.dll
2006-07-16 20:16 194,133 C:\WINDOWS\patcher.exe
2006-07-13 20:36 280,692 C:\WINDOWS\dr.exe
2006-06-22 19:00 7,168 C:\WINDOWS\system32\snprfdll.dll
2006-06-22 19:00 5,632 C:\WINDOWS\system32\adsiisex.dll
2006-06-22 19:00 43,520 C:\WINDOWS\system32\fcachdll.dll
2006-06-22 19:00 23,040 C:\WINDOWS\system32\regtrace.exe
2006-06-22 19:00 12,288 C:\WINDOWS\system32\smtpctrs.dll
2006-06-22 18:59 8,704 C:\WINDOWS\system32\infoctrs.dll
2006-06-22 18:59 7,680 C:\WINDOWS\system32\ftpctrs2.dll
2006-06-22 18:59 7,168 C:\WINDOWS\system32\wamregps.dll
2006-06-22 18:59 6,144 C:\WINDOWS\system32\ftpsapi2.dll
2006-06-22 18:59 6,144 C:\WINDOWS\system32\admxprox.dll
2006-06-22 18:59 56,320 C:\WINDOWS\system32\convlog.exe
2006-06-22 18:59 5,632 C:\WINDOWS\system32\w3svapi.dll
2006-06-22 18:59 5,632 C:\WINDOWS\system32\iisrstap.dll
2006-06-22 18:59 4,608 C:\WINDOWS\system32\w3ctrs.dll
2006-06-22 18:59 3,584 C:\WINDOWS\system32\iismui.dll
2006-06-22 18:59 19,968 C:\WINDOWS\system32\inetsloc.dll
2006-06-22 18:59 14,336 C:\WINDOWS\system32\iisreset.exe
2006-06-22 18:59 10,240 C:\WINDOWS\system32\aspperf.dll
2006-06-18 09:14 109,568 C:\WINDOWS\system32\pxinsi64.exe
2006-06-18 09:14 108,544 C:\WINDOWS\system32\pxcpyi64.exe
2006-06-18 00:34 438,272 C:\WINDOWS\system32\vp6vfw.dll
2006-06-18 00:34 118,832 C:\WINDOWS\system32\SHW32.DLL


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.5\\THGuard.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
@=""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{553858A7-4922-4e7e-B1C1-97140C1C16EF}"="IE Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Kodak EasyShare software.lnk"
"backup"="C:\\WINDOWS\\pss\\Kodak EasyShare software.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Kodak\\KODAKE~1\\bin\\EASYSH~1.EXE -hx"
"item"="Kodak EasyShare software"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\KODAK Software Updater.lnk"
"backup"="C:\\WINDOWS\\pss\\KODAK Software Updater.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Kodak\\KODAKS~1\\7288971\\Program\\KODAKS~1.EXE "
"item"="KODAK Software Updater"

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
DisableRegistryTools REG_DWORD 0 (0x0)



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At6.job

Completion time: Mon 07/31/2006 8:26:33.84
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-07-31.080747.txt
ComboFix.2006-07-31.081840.txt
ComboFix.2006-07-31.082401.txt
Noonway
Active Member
 
Posts: 8
Joined: July 30th, 2006, 10:42 pm

Unread postby agrarianmonk » July 31st, 2006, 9:41 am

looking good :)

looks like it did the trick :D

now let's run blacklight again, but this time we'll let it run all the way through:

go to start --> run and copy/paste in the following:

"%userprofile%\desktop\blbeta.exe" /expert

- Accept the user agreement.
- Click Scan.

You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

After the scan finishes, click on Next, then Exit.

Copy and paste the log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby Noonway » July 31st, 2006, 6:21 pm

Ran Blacklight again... Here was the log:

07/31/06 18:17:23 [Info]: BlackLight Engine 1.0.42 initialized
07/31/06 18:17:23 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/31/06 18:17:23 [Note]: 7019 4
07/31/06 18:17:23 [Note]: 7005 0
07/31/06 18:17:27 [Note]: 7006 0
07/31/06 18:17:27 [Note]: 7022 0
07/31/06 18:17:27 [Note]: 7011 1780
07/31/06 18:17:27 [Note]: 7026 0
07/31/06 18:17:28 [Note]: 7026 0
07/31/06 18:17:28 [Note]: FSRAW library version 1.7.1019
07/31/06 18:20:41 [Note]: 7007 0
Noonway
Active Member
 
Posts: 8
Joined: July 30th, 2006, 10:42 pm

Unread postby agrarianmonk » July 31st, 2006, 6:26 pm

looks good!

How is your computer running?
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby Noonway » July 31st, 2006, 7:14 pm

No crashes or hang-ups yet! Awesome job!! Thanks so much for the help. I made a small donation to the site earlier this morning. I really appreciate your help.

I will definitely spread the word.

Thanks,
-Noon
Noonway
Active Member
 
Posts: 8
Joined: July 30th, 2006, 10:42 pm

Unread postby agrarianmonk » July 31st, 2006, 7:17 pm

A quick warning before I send you off with my all clean speech:

P2P - I see you have P2P software Emule installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your previous situation. This page will give you further information.

*********************************

This is my post for when your computer is all clean - which it currently appears to be. Please let me know if you are experiencing any other problems with your computer.

If you are not having any more problems, we have just a couple of last steps to perform and then you're all set.

It's a good idea to Flush your System Restore points after ridding yourself of malware:

  • Click Start | Help and Support | Undo changes to your computer with System Restore.
  • Click Create A Restore Point then click Next. Give it a name and then click Create, then Close.
  • Close the Help and Support Center box.
  • Click Start | Run and type Cleanmgr
  • Select (C: ) then click OK.
  • Click the More Options tab.
  • Click Clean Up in the System Restore Section.

This will remove all previous restore points except the newly created one.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

To keep your operating system up to date visit monthly. And to keep your system clean run these free malware scanners weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!


(Please respond to this thread one more time so we can mark this thread as resolved.)
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby Noonway » July 31st, 2006, 8:53 pm

Thanks for the advice! Resolved.
Noonway
Active Member
 
Posts: 8
Joined: July 30th, 2006, 10:42 pm

Unread postby 'KotaGuy » July 31st, 2006, 9:00 pm

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada