Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Hijackthis log, obviously

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Unread postby Shekb » October 13th, 2007, 9:12 am

Combofix doesn't create any zip file when I drag the CFScript.txt into it
I don,t know why :?

ComboFix 07-10-11.1 - Sr 2007-10-13 8:16:43.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.61 [GMT -4:00]
Running from: C:\Documents and Settings\Sr\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sr\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-13 to 2007-10-13 )))))))))))))))))))))))))))))))
.

2007-10-10 22:55 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-10 07:08 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-07 11:25 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-06 19:17 <DIR> d-------- C:\Program Files\Incomplete
2007-10-02 17:35 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-30 22:10 <DIR> d-------- C:\Program Files\RegCleaner
2007-09-28 19:48 <DIR> d-------- C:\Documents and Settings\Sr\Incomplete
2007-09-28 19:43 <DIR> d-------- C:\Documents and Settings\Sr\.limewire
2007-09-26 16:46 <DIR> d-------- C:\Documents and Settings\Sr\Application Data\Thunderbird
2007-09-26 16:45 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2007-09-17 18:39 <DIR> d-------- C:\WINDOWS\pss
2007-09-16 17:18 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-09-15 21:45 <DIR> d-------- C:\temp\ext34942
2007-09-15 21:45 <DIR> d-------- C:\temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-13 02:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-10-07 23:29 --------- d-----w C:\Program Files\Windows Live
2007-10-07 21:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-10-07 15:27 --------- d-----w C:\Program Files\Java
2007-10-06 23:53 --------- dc----w C:\Documents and Settings\All Users\Application Data\avg7
2007-10-06 23:40 --------- d-----w C:\Program Files\LimeWire
2007-10-06 23:26 --------- d-----w C:\Documents and Settings\Sr\Application Data\AVG7
2007-10-06 14:19 --------- d-----w C:\Program Files\Microsoft Silverlight
2007-09-29 02:28 --------- d-----w C:\Program Files\Dobermann
2007-09-16 21:18 --------- d-----w C:\Program Files\Common Files\Real
2007-09-13 21:37 --------- d-----w C:\Program Files\Windows Desktop Search
2007-09-05 21:42 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2007-09-05 21:32 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-09-04 02:28 --------- d-----w C:\Program Files\Windows Media Bonus Pack for Windows XP
2007-09-03 23:47 --------- d-----w C:\Program Files\Windows Defender
2007-08-23 14:04 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-23 14:04 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-23 04:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-08-23 03:52 --------- d-----w C:\Program Files\Lavasoft
2007-08-23 03:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-08-21 22:29 --------- d-----w C:\Documents and Settings\Sr\Application Data\Grisoft
2007-08-21 22:21 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-08-21 22:21 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-08-21 22:21 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-08-21 22:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-08-21 15:02 691,304,544 ----a-w C:\Documents and Settings\Sr\CD.bin
2007-08-21 03:13 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-08-19 12:21 --------- d-----w C:\Documents and Settings\Sr\Application Data\GTek
2007-08-15 19:04 578,560 ----a-w C:\WINDOWS\WLXPGSS.SCR
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"anvshell"="anvshell.exe" [2003-07-23 23:19 C:\WINDOWS\anvshell.exe]
"LiveNote"="livenote.exe" [2002-07-11 05:31 C:\WINDOWS\livenote.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-19 21:34]
"nwiz"="nwiz.exe" [2005-09-19 21:35 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-09-19 21:34]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 18:15]
"MOUSE32B"="C:\Program Files\Tilt Wheel Mouse\MULTI-DIRECTION OPTICAL MOUSE\1.3\Mouse32B.exe" [2004-11-25 12:24]
"LyraHD2TrayApp"="C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe" [2005-04-18 16:35]
"SchedulingAgent"="mstinit.exe" [2004-08-04 00:56 C:\WINDOWS\system32\mstinit.exe]
"AtiPTA"="atiptaxx.exe" [2001-09-26 22:39 C:\WINDOWS\system32\atiptaxx.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-13 16:46]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-16 17:16]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-08-16 16:19]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"SchedulingAgent"=mstask.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-05-30 22:19:31]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe


.
Contents of the 'Scheduled Tasks' folder
"2007-08-17 19:58:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-13 12:07:35 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
"2007-10-13 12:26:35 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-10-13 12:23:12 C:\WINDOWS\Tasks\wlmail.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-13 08:24:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-13 8:31:20 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-11 23:20
C:\ComboFix3.txt ... 2007-10-10 23:04
.
--- E O F ---
Shekb
Regular Member
 
Posts: 62
Joined: October 2nd, 2007, 5:51 pm
Advertisement
Register to Remove

Unread postby Rogue » October 13th, 2007, 11:47 am

Hi Shekb,

Thanks for looking in System32. Was hoping a similar file would be there. :(

Question for you. How long has this been going on. More than a month?

Delete all cfscript.txt present and let's start new.
Remeber to change the file name if different

Open Notepad and copy/paste the text in the quotebox below into it:
Rootkit:: C:\WINDOWS\System32\Drivers\agzdh3a9.SYS

Save this as CFScript.txt
Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
Image

*=========================*

Can you go to C:\QooBox\Quarantine. Zip the folder and send the entire folder to the Spykiller link?
To zip it right clcik > Send To >> Compressed zip folder

http://www.thespykiller.co.uk/index.php?topic=5025

Rogue
User avatar
Rogue
MRU Teacher Emeritus
 
Posts: 4782
Joined: November 3rd, 2005, 3:21 pm
Location: Salt Lake City, Utah

Unread postby Shekb » October 13th, 2007, 12:23 pm

So I used AVG AR to find the rootkit filename and I pasted it in a notepad like you did, I made a zip file of qoobox and now it's on that other forum :)
Shekb
Regular Member
 
Posts: 62
Joined: October 2nd, 2007, 5:51 pm

Unread postby Rogue » October 13th, 2007, 2:43 pm

Shekb,

What can you tell me about the program "Roll" you have installed?

You never did answer how long you have had this problem

Remove Unnecessary Programs
Please Click Start > Control Panel > Add/Remove Programs

Remove these programs by clicking Remove

Rightonadz Browser Optimizer

*=========================*

The file was not in the folder. ComboFix couldn't find it.
Need some information from the file at least. It may be from one of the games you have installed

Now, enable the Show Hidden Folders option, like this:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
*=========================*

Navigate to the file and right click on the file
Select > Properties
Select the Version tab
Get the following information and post back it here please

Company
File Version
Description
Internal Name
Product Name
Product version


Thanks,
Rogue
User avatar
Rogue
MRU Teacher Emeritus
 
Posts: 4782
Joined: November 3rd, 2005, 3:21 pm
Location: Salt Lake City, Utah

Unread postby Shekb » October 13th, 2007, 2:49 pm

Even with if I do that, I cannot see the file you want me to delete
And I cannot see the rootkit either
Shekb
Regular Member
 
Posts: 62
Joined: October 2nd, 2007, 5:51 pm

Unread postby Rogue » October 13th, 2007, 4:17 pm

Hi Shekb,

What can you tell me about the program "Roll" you have installed? Found in Control Panel > Add Remove Programs

You never did answer how long you have had this problem

Please download & run regdump.exe
These logs can be large. If you can't get the log to post in one or two posts check your Private Message. I have sent an email address you can send the log file to.

Thanks,
Rogue
User avatar
Rogue
MRU Teacher Emeritus
 
Posts: 4782
Joined: November 3rd, 2005, 3:21 pm
Location: Salt Lake City, Utah

Unread postby Shekb » October 13th, 2007, 4:23 pm

The program "Roll" is Roller Coaster Tycoon :P

I've had this problem..... for I dunno, a month
Shekb
Regular Member
 
Posts: 62
Joined: October 2nd, 2007, 5:51 pm

Unread postby Rogue » October 13th, 2007, 4:37 pm

OK Thanks.
Looking over the log now. Only 1200 lines :roll: I'll get back as soon as I can.
User avatar
Rogue
MRU Teacher Emeritus
 
Posts: 4782
Joined: November 3rd, 2005, 3:21 pm
Location: Salt Lake City, Utah

Unread postby Shekb » October 13th, 2007, 4:39 pm

Yeah, I guess my registry needs cleaning :roll:

:oops:

:D
Shekb
Regular Member
 
Posts: 62
Joined: October 2nd, 2007, 5:51 pm

Unread postby Rogue » October 13th, 2007, 8:45 pm

Hi Shekb,

Well I got through them all but I'm afraid I have some unpleasant news. Three of the entries are tied to Remote Access Trojans (RAT)
These allow outsiders COMPLETE access to anything on your PC. Record every keystroke, account, and password you use while on this machine, install new files which can allow complete access to any other data present.
My best recommendation is to Disconnect from Internet, Re-Format the entire drive and re-install your Operating system and Applications.

We can likely clean the infected files off the computer, and if you wish I will attempt to do so, but I cannot be sure that the infection didn't do something to your system to reduce the system security. In that instance, even after removal of the infection, you could be subject to another attack or takeover as soon as you re-connect to the Internet.

Here are the entries and links to my sources
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ip6fw]
ImagePath="system32\drivers\ip6fw.sys"
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Secdrv]
ImagePath="System32\DRIVERS\secdrv.sys"
http://www.sophos.com/security/analyses ... hugen.html

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtmsSvc]
ServiceDll="%SystemRoot%\system32\ntmssvc.dll"
http://www.sophos.com/security/analyses/trojdbita.html

Since none of these files or entries showed up in the DSS or Combofix log I would say they have been there for a while. 1 - 3 months.
Removing these threats may or may not do anything with the file we have been battling.

Rogue
User avatar
Rogue
MRU Teacher Emeritus
 
Posts: 4782
Joined: November 3rd, 2005, 3:21 pm
Location: Salt Lake City, Utah

Unread postby Shekb » October 13th, 2007, 10:16 pm

Awww crap

Ok, I want to delete them, I'm not going to format my hard drive, even if it would be safer

Will you help me remove them ?
Shekb
Regular Member
 
Posts: 62
Joined: October 2nd, 2007, 5:51 pm

Unread postby Rogue » October 14th, 2007, 2:36 am

Hi Shekb,


Open Notepad and copy/paste the text in the quotebox below into it:
File::
c:\windows\system32\drivers\ip6fw.sys
c:\windows\System32\DRIVERS\secdrv.sys
c:\windowsSystem32\NtmsSvcs.dll
c:\windowsSystem32\msethnet.dll

Driver::
ip6fw
Secdrv
NtmsSvc

Save this as CFScript.txt
Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
*=========================*

Run Eset NOD32 Online AntiVirus
http://www.eset.eu/online-scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your current Antivirus software. You can usually do this with its Notfication Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Anvirisus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

*=========================*

Thanks,
Rogue
User avatar
Rogue
MRU Teacher Emeritus
 
Posts: 4782
Joined: November 3rd, 2005, 3:21 pm
Location: Salt Lake City, Utah

Unread postby Shekb » October 14th, 2007, 7:36 am

Combofix log

ComboFix 07-10-11.1 - Sr 2007-10-14 7:15:16.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.28 [GMT -4:00]
Running from: C:\Documents and Settings\Sr\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sr\Desktop\CFScript.txt
* Created a new restore point

FILE::
c:\windows\system32\drivers\ip6fw.sys
c:\windows\System32\DRIVERS\secdrv.sys
c:\windowsSystem32\msethnet.dll
c:\windowsSystem32\NtmsSvcs.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ip6fw.sys
c:\windows\System32\DRIVERS\secdrv.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NTMSSVC
-------\LEGACY_SECDRV
-------\ip6fw
-------\NtmsSvc
-------\Secdrv


((((((((((((((((((((((((( Files Created from 2007-09-14 to 2007-10-14 )))))))))))))))))))))))))))))))
.

2007-10-13 12:20 236,534 --a--c--- C:\qoobox.zip
2007-10-10 22:55 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-10 07:08 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-07 11:25 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-06 19:17 <DIR> d-------- C:\Program Files\Incomplete
2007-10-02 17:35 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-30 22:10 <DIR> d-------- C:\Program Files\RegCleaner
2007-09-28 19:48 <DIR> d-------- C:\Documents and Settings\Sr\Incomplete
2007-09-28 19:43 <DIR> d-------- C:\Documents and Settings\Sr\.limewire
2007-09-26 16:46 <DIR> d-------- C:\Documents and Settings\Sr\Application Data\Thunderbird
2007-09-26 16:45 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2007-09-17 18:39 <DIR> d-------- C:\WINDOWS\pss
2007-09-16 17:18 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-09-15 21:45 <DIR> d-------- C:\temp\ext34942
2007-09-15 21:45 <DIR> d-------- C:\temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-13 02:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-10-07 23:29 --------- d-----w C:\Program Files\Windows Live
2007-10-07 21:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-10-07 15:27 --------- d-----w C:\Program Files\Java
2007-10-06 23:53 --------- dc----w C:\Documents and Settings\All Users\Application Data\avg7
2007-10-06 23:40 --------- d-----w C:\Program Files\LimeWire
2007-10-06 23:26 --------- d-----w C:\Documents and Settings\Sr\Application Data\AVG7
2007-10-06 14:19 --------- d-----w C:\Program Files\Microsoft Silverlight
2007-09-29 02:28 --------- d-----w C:\Program Files\Dobermann
2007-09-16 21:18 --------- d-----w C:\Program Files\Common Files\Real
2007-09-13 21:37 --------- d-----w C:\Program Files\Windows Desktop Search
2007-09-05 21:42 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2007-09-05 21:32 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-09-04 02:28 --------- d-----w C:\Program Files\Windows Media Bonus Pack for Windows XP
2007-09-03 23:47 --------- d-----w C:\Program Files\Windows Defender
2007-08-23 14:04 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-23 14:04 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-23 04:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-08-23 03:52 --------- d-----w C:\Program Files\Lavasoft
2007-08-23 03:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-08-21 22:29 --------- d-----w C:\Documents and Settings\Sr\Application Data\Grisoft
2007-08-21 22:21 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-08-21 22:21 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-08-21 22:21 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-08-21 22:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-08-21 15:02 691,304,544 ----a-w C:\Documents and Settings\Sr\CD.bin
2007-08-21 03:13 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-08-19 12:21 --------- d-----w C:\Documents and Settings\Sr\Application Data\GTek
2007-08-15 19:04 578,560 ----a-w C:\WINDOWS\WLXPGSS.SCR
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"anvshell"="anvshell.exe" [2003-07-23 23:19 C:\WINDOWS\anvshell.exe]
"LiveNote"="livenote.exe" [2002-07-11 05:31 C:\WINDOWS\livenote.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-19 21:34]
"nwiz"="nwiz.exe" [2005-09-19 21:35 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-09-19 21:34]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 18:15]
"MOUSE32B"="C:\Program Files\Tilt Wheel Mouse\MULTI-DIRECTION OPTICAL MOUSE\1.3\Mouse32B.exe" [2004-11-25 12:24]
"LyraHD2TrayApp"="C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe" [2005-04-18 16:35]
"SchedulingAgent"="mstinit.exe" [2004-08-04 00:56 C:\WINDOWS\system32\mstinit.exe]
"AtiPTA"="atiptaxx.exe" [2001-09-26 22:39 C:\WINDOWS\system32\atiptaxx.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-13 16:46]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-16 17:16]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-08-16 16:19]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"SchedulingAgent"=mstask.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-05-30 22:19:31]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe

R1 ANVOSDNT;ASUS Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\anvosdnt.sys
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys
S1 ANVIOCTL;ANVIOCTL;C:\WINDOWS\system32\DRIVERS\anvioctl.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-08-17 19:58:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-14 11:07:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
"2007-10-14 11:27:17 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-10-14 11:23:55 C:\WINDOWS\Tasks\wlmail.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-14 07:24:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-14 7:29:28 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-13 12:11
.
--- E O F ---
Shekb
Regular Member
 
Posts: 62
Joined: October 2nd, 2007, 5:51 pm

Unread postby Shekb » October 14th, 2007, 7:36 am

HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:31:10 AM, on 10/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Documents and Settings\Sr\My Documents\S-C\Visual Boy\PSX\IsoBuster\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Tilt Wheel Mouse\MULTI-DIRECTION OPTICAL MOUSE\1.3\Mouse32B.exe
C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.20.6.254:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MOUSE32B] C:\Program Files\Tilt Wheel Mouse\MULTI-DIRECTION OPTICAL MOUSE\1.3\Mouse32B.exe
O4 - HKLM\..\Run: [LyraHD2TrayApp] "C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe"
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200 ... plugin.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by7fd.bay7.hotmail.msn.com/resou ... nPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/A ... tPkMSN.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/A ... gWXMSN.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b32846.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b31267.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Documents and Settings\Sr\My Documents\S-C\Visual Boy\PSX\IsoBuster\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 11318 bytes
Shekb
Regular Member
 
Posts: 62
Joined: October 2nd, 2007, 5:51 pm

Unread postby Shekb » October 14th, 2007, 8:48 am

Eset did not find anything
Shekb
Regular Member
 
Posts: 62
Joined: October 2nd, 2007, 5:51 pm
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 48 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware