Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Possible infection.Can someone help please.

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Possible infection.Can someone help please.

Unread postby Hiwatt » December 21st, 2007, 12:13 pm

Hi folks
When booting up I'm seeing a message saying "stera program not found skip autocheck" while the screen is still blue then it boots as normal.None of my antivirus or spyware problems can find anything but a google search points to a possible infection.I would really appreciate if someone would look at my hijack this log and see if anything's wrong.Thankyou.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:08:55, on 21/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {909E3340-DFF8-FD06-FC3F-8DEA6EEF2392} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1278819140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5457565359
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 5316 bytes
Hiwatt
Regular Member
 
Posts: 122
Joined: December 16th, 2007, 12:20 pm
Advertisement
Register to Remove

Re: Possible infection.Can someone help please.

Unread postby ndmmxiaomayi » December 23rd, 2007, 4:19 am

Hi Hiwatt. :)

Welcome to Malware Removal.

Step 1

Please download FindAWF by noadfear from Noadfear or Geeks to Go.

Save it to your desktop.

Double click on FindAWF.exe to run it. Press any key to continue, followed by pressing the number 1 and pressing Enter.

A report will be produced once it's done. Please post this report as well as a new HijackThis log in your next reply.

Note: Do not select other options until you are told to do so.

Step 2

  1. Please download and install CCleaner Slim.
  2. Once installed, double click on the desktop shortcut created.
  3. On the leftmost column, click on Tools.
  4. On the middle column, click on Uninstall.
  5. At the bottom right hand corner, click on the Save to text file... button.
  6. By default, it saves this file to C:\Program Files\CCleaner named install.txt. You may want to save it to your desktop to find it easily. Click Save.
  7. Close CCleaner.

In your next reply, please post:

  1. FindAWF report
  2. CCleaner install.txt
  3. A new HijackThis log
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Possible infection.Can someone help please.

Unread postby Hiwatt » December 23rd, 2007, 7:38 am

Hi there,thanks very much for replying.I'll not be able to get to my own computer untill tomorrow.I'll follow your instructions to the letter and post back first thing tomorrow.Thankyou.
Hiwatt
Regular Member
 
Posts: 122
Joined: December 16th, 2007, 12:20 pm

Re: Possible infection.Can someone help please.

Unread postby Hiwatt » December 24th, 2007, 6:02 am

Hi there,that's me just got at my computer now.I've done as you said and the reports are below.Thanks very much and I'll await further instructions from you.Thankyou.

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: 24/12/2007
The current time is: 9:54:16.21


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

µTorrent
Adobe Flash Player Plugin
Adobe Reader 7.0.8
a-squared Anti-Malware 3.1
Audacity 1.2.4
AVG 7.5
AVG Anti-Spyware 7.5
Backup CD Player
broadband medic
CCleaner (remove only)
COMODO Firewall Pro
Eusing Free Registry Cleaner
FLAC Installer 1.1.2a (remove only)
IObit SmartDefrag Beta4.01
iTunes
Java(TM) 6 Update 3
LimeWire 4.14.10
Microsoft Office Professional Edition 2003
Mozilla Firefox (2.0.0.11)
MSConfig CleanUp 1.2
MSN Messenger 6.2
Nero Suite
PowerDVD
QuickTime
RealPlayer
Spybot - Search & Destroy 1.4
Spyware Terminator
SpywareBlaster v3.5.1
StepVoice Recorder 1.4
SUPERAntiSpyware Free Edition
WebFldrs XP
Winamp (remove only)
WinASO Registry Optimizer 3.0.9
Windows Genuine Advantage Validation Tool (KB892130)
Windows Media Format Runtime
Windows Media Player 10
WinRAR archiver
Yahoo! Toolbar

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:56:31, on 24/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {909E3340-DFF8-FD06-FC3F-8DEA6EEF2392} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1278819140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5457565359
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 5028 bytes
Hiwatt
Regular Member
 
Posts: 122
Joined: December 16th, 2007, 12:20 pm

Re: Possible infection.Can someone help please.

Unread postby ndmmxiaomayi » December 24th, 2007, 10:14 am

Hi,

Your log looks a bit odd.

If you already have Combofix, please delete this copy and download it again as it's being updated regularly.

Please download Combofix from Bleeping Computer. Save it to your desktop.

If you can't download it, please try these 2 alternative sites:

Forospyware
Geeks to Go

Double click to run it. Follow the prompts. Once done, it will reboot and a log will be produced. Please post that log and a new HijackThis log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

In your next reply, please post:

  1. Combofix log (C:\Combofix.txt)
  2. A new Hijackthis log
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Possible infection.Can someone help please.

Unread postby Hiwatt » December 24th, 2007, 2:01 pm

Hi there thanks for replying.Below is the log that combo fix produced and a new hijack this log.Thankyou.I'll await your reply.

ComboFix 07-12-21.4 - Default 2007-12-24 17:47:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.37 [GMT 0:00]Running from: C:\Documents and Settings\Default\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Default\Application Data\ICROSO~1.NET
C:\Documents and Settings\Default\Application Data\SKS~1
C:\Program Files\Common Files\companion wizard
C:\WINDOWS\asks~1
C:\WINDOWS\crosof~1
C:\WINDOWS\hosts
C:\WINDOWS\mbols~1
C:\WINDOWS\mbols~1\??mbols\
C:\WINDOWS\scurit~1
C:\WINDOWS\system32\_000228_.tmp.dll
C:\WINDOWS\system32\sks~1
C:\WINDOWS\system32\sstem~1
C:\WINDOWS\system32\sstem3~1
C:\WINDOWS\system32\stera.log
C:\WINDOWS\wnsxs~1

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_FOPN


((((((((((((((((((((((((( Files Created from 2007-11-24 to 2007-12-24 )))))))))))))))))))))))))))))))
.

2007-12-24 09:56 . 2007-12-24 09:56 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-21 12:18 . 2007-12-24 11:43 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-21 12:18 . 2007-12-24 11:43 <DIR> d-------- C:\Documents and Settings\Default\Application Data\SUPERAntiSpyware.com
2007-12-21 12:18 . 2007-12-21 12:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-21 09:57 . 2007-12-24 11:46 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2007-12-18 17:13 . 2007-12-18 15:57 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-10 18:16 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-10 18:11 . 2007-12-10 18:16 <DIR> d-------- C:\Program Files\Java
2007-12-10 13:32 . 2007-12-10 13:33 <DIR> d-------- C:\WINDOWS\java
2007-12-03 19:46 . 2007-12-03 19:46 <DIR> d-------- C:\Program Files\IObit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-24 11:42 --------- d-----w C:\Program Files\SpywareBlaster
2007-12-24 11:42 --------- d-----w C:\Documents and Settings\Default\Application Data\Spyware Terminator
2007-12-24 11:00 --------- d-----w C:\Program Files\Spyware Terminator
2007-12-22 14:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2007-12-21 16:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-18 14:55 --------- d-----w C:\Documents and Settings\Default\Application Data\AVG7
2007-12-03 11:40 138,752 ----a-w C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-11-26 17:06 --------- d-----w C:\Documents and Settings\Default\Application Data\uTorrent
2007-11-17 14:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-11-17 14:28 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-16 11:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-24 14:31 --------- d-----w C:\Documents and Settings\Default\Application Data\AdobeUM
2006-11-13 21:51 14 ----a-w C:\Documents and Settings\Default\getfile.dat
2007-02-16 15:01 5 --sha-w C:\WINDOWS\system32\aeeafedf5_s.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-10-18 12:25]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 09:52]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2007-12-03 11:40]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-17 14:28]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoRecentDocsMenu"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"UPS"=3 (0x3)
"ose"=3 (0x3)
"KAVMonitorService"=2 (0x2)
"IDriverT"=3 (0x3)

R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2007-12-03 11:40]
R3 ip100xp;IC Plus IP100 10/100 Fast Ethernet Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\ipfnd51.sys [2005-02-02 08:33]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-03 19:46:49 C:\WINDOWS\Tasks\SmartDefrag.job"
- C:\Program Files\IObit\IObit SmartDefrag\schedule.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-24 17:54:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-24 17:57:31 - machine was rebooted [Default]
.
2007-12-21 10:10:58 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:01:01, on 24/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {909E3340-DFF8-FD06-FC3F-8DEA6EEF2392} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1278819140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5457565359
O20 - AppInit_DLLs:
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)

--
End of file - 4666 bytes
Hiwatt
Regular Member
 
Posts: 122
Joined: December 16th, 2007, 12:20 pm

Re: Possible infection.Can someone help please.

Unread postby ndmmxiaomayi » December 24th, 2007, 11:01 pm

Hi,

Did you set those policies yourself?

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)


When Windows is shutting down, restarting or logging off, you won't see the Display Box about telling you to wait.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)


ForceClassicControlPanel - Uses the Windows 9x or ME style of navigating through Control Panel, not XP style.

NoResolveSearch - doesn't search the system to resolve a shortcut if it can't find the file which the shortcut is pointing to.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)


NoSMHelp - You won't see the Help option on Start menu.

From your log, it shows that Windows has been updated recently, but there are no signs of it anywhere.

  1. Please download this tool from Microsoft.
  2. Double click on MGADiag.exe to run it.
  3. Click Continue.
  4. The program will run. It takes a while to finish the diagnosis, please be patient.
  5. Once done, click on Copy.
  6. Open Notepad and paste the contents in. Save this file and post it in your next reply.
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Possible infection.Can someone help please.

Unread postby Hiwatt » December 26th, 2007, 6:12 am

Hi there,thanks for replying.I never set those polices myself,I'm not even sure what they mean.They would have been set like this when I bought my computer.Below is the copy from the WGA report.I'll await further instructions from you.Thankyou very much.

Diagnostic Report (1.7.0066.0):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Validation Code: 0
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-TFVTJ-TJF7Q-VB79T
Windows Product Key Hash: vWCjDUc05ra0eB2k53t32nO6/kc=
Windows Product ID: 76487-OEM-2212025-25978
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 5.1.2600.2.00010100.2.0.pro
CSVLK Server: N/A
CSVLK PID: N/A
ID: {01B3F3CE-3395-4519-B6D0-E48E8E028167}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.7.59.1
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1
Resolution Status: N/A

Notifications Data-->
Cached Result: N/A
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 114 Blocked VLK 2
OGA Version: Registered, 1.6.21.0
Signed By: Microsoft
Office Diagnostics: 025D1FF3-171-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\PROGRA~1\MOZILL~1\FIREFOX.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{01B3F3CE-3395-4519-B6D0-E48E8E028167}</UGUID><Version>1.7.0066.0</Version><OS>5.1.2600.2.00010100.2.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-VB79T</PKey><PID>76487-OEM-2212025-25978</PID><PIDType>3</PIDType><SID>S-1-5-21-1390067357-1979792683-682003330</SID><SYSTEM><Manufacturer>AWARD_</Manufacturer><Model>AWRDACPI</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version>6.00 PG</Version><SMBIOSVersion major="2" minor="3"/><Date>20050627000000.000000+000</Date></BIOS><HWID>BE2D33570184A04C</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><BRT/></MachineData> <Software><Office><Result>114</Result><Products><Product GUID="{90110409-6000-11D3-8CFE-0150048383C9}"><LegitResult>114</LegitResult><Name>Microsoft Office Professional Edition 2003</Name><Ver>11</Ver><Val>59D1605114E3500</Val><Hash>vfZmaSmFPIYrLWTcZSZErUQg+Fo=</Hash><Pid>73931-640-0000106-57751</Pid><PidType>14</PidType></Product></Products></Office></Software></GenuineResults>
Hiwatt
Regular Member
 
Posts: 122
Joined: December 16th, 2007, 12:20 pm

Re: Possible infection.Can someone help please.

Unread postby ndmmxiaomayi » December 26th, 2007, 7:59 am

Hi,

Please read this - viewtopic.php?t=550

Your copy of Microsoft Office is not legitimate. If you no longer work in your company, please remove it. An alternative for Microsoft Office is Open Office - http://www.openoffice.org/

If you are still working there, please inform your company of it.

After the copy of Office is legal, you can request for this topic to be reopened again.
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Possible infection.Can someone help please.

Unread postby Hiwatt » December 26th, 2007, 9:27 am

Hi there,thanks for replying.I bought this computer brand new with a genuine copy of windows pre-installed so I'm not sure how it can't be genuine?I don't use office anyway so is it safe to uninstall it?Can you help me with my problem(stera program not found skip auto check)and tell me if my computer is infected with something and maybe help me to set the settings the way they should be?Thankyou.P.s,I've never used any the programs you told me to use(combo fix etc)is it ok to delete them and the folders(qoobox)Thanks.
Hiwatt
Regular Member
 
Posts: 122
Joined: December 16th, 2007, 12:20 pm

Re: Possible infection.Can someone help please.

Unread postby ndmmxiaomayi » December 26th, 2007, 9:33 am

Your copy of Windows is legal.

But your copy of Microsoft Office is not.
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Possible infection.Can someone help please.

Unread postby Hiwatt » December 26th, 2007, 9:50 am

Hi there,I don't use office so I'll just uninstall it then.Do you know how it could be possible for windows to be genuine but not office if they came together?Did you see anything wrong in the logs I posted for you?Thankyou.
Hiwatt
Regular Member
 
Posts: 122
Joined: December 16th, 2007, 12:20 pm

Re: Possible infection.Can someone help please.

Unread postby ndmmxiaomayi » December 26th, 2007, 9:56 am

I have no idea how your copy of Microsoft Office is not legal. It's meant for Enterprises, Governments or schools, and appears to have been misused, which was why it was blocked.

If you have been working or studying, this would explain why. Other than that, the school or company probably got an illegitimate version without them knowing.

As for your log, please wait while I go through them.
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Possible infection.Can someone help please.

Unread postby ndmmxiaomayi » December 27th, 2007, 3:00 am

Hi,

Please go to Virus Total or Jotti and upload C:\WINDOWS\system32\aeeafedf5_s.dll for scanning.

For Virus Total

  1. Please copy and paste C:\WINDOWS\system32\aeeafedf5_s.dll in the text box next to the Browse button.
  2. Click on Send File.

For Jotti

  1. Please copy and paste C:\WINDOWS\system32\aeeafedf5_s.dll in the text box next to the Browse button.
  2. Click on Submit.

Please post back the scan results of this file.
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Possible infection.Can someone help please.

Unread postby Hiwatt » December 27th, 2007, 6:21 am

Hi there,thanks for replying.It doesn't give me the option to paste the contents into either.Have I to copy the actual text(C:\WINDOWS\system32\aeeafedf5_s.dll)in to the box?I can copy it from your post but it wont let me paste it?I am infected with something?Thankyou.
Hiwatt
Regular Member
 
Posts: 122
Joined: December 16th, 2007, 12:20 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 61 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware