A variety package - Trusted Antivirus, AV Systemcare , SHeur

Post by spreadlove » April 24th, 2008, 1:25 pm

Hi there

I've run Superantispyware and AVG but these 3 keep popping back up - Trusted Antivirus, AV systemcare and SHeur

Can you help?

Hijack This log below

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:17:08, on 24/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAKE.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {205F28FC-DF76-4ED8-92C9-1BF740021CEA} - C:\WINDOWS\system32\CatRoot2\msvcsrv.dll
O2 - BHO: (no name) - {4eab1ba1-178f-4eab-a2a8-179f8162c9a6} - C:\WINDOWS\system32\IPXSYS.dll (file missing)
O2 - BHO: CIEIntegrator Object - {5C3F6257-3E00-45C2-88D5-CB0F3A17BF0E} - C:\Program Files\AVSystemCare\Tools\pblock.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: IEFW Object - {6F87F145-DC2D-4766-AF03-3A3B96FFAD98} - C:\Program Files\AVSystemCare\Tools\sbiebho.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [EPSON PictureMate 100] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAKE.EXE /P21 "EPSON PictureMate 100" /O6 "USB003" /M "PictureMate 100"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {1B735B98-8010-11D5-AD0B-00500463D885} (SearchCD Control) - http://www.partsarena.com/baxi/Plugins/IMIESRCH.cab
O16 - DPF: {36C17E9B-3354-11D1-95CF-0000B4530F04} (GrafixViewControl) - http://www.partsarena.com/baxi/Plugins/GFXVIEW.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://sell-vehicle.ebay.co.uk/images/e ... 0-3-50.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddccyyx - ddccyyx.dll (file missing)
O20 - Winlogon Notify: IPXSYS - IPXSYS.dll (file missing)
O20 - Winlogon Notify: msvcsrv - C:\WINDOWS\system32\CatRoot2\msvcsrv.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 9179 bytes

Re: A variety package - Trusted Antivirus, AV Systemcare , SHeur

Post by peku006 » April 25th, 2008, 12:41 am

Welcome to the MWR forums. My name is peku006. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research. Please be patient and I'd be grateful if you would note the following:

1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic. Please stay at one forum for help.
3. Please continue reading posts until I give the All Clear. It is important to note this, as a clean looking HijackThis is not always a sign your system is clean.

Note: I am still in training here at Malware Removal, however I will be working under the direct supervision of one of our Malware Experts. Any recommendations will first be approved before being given to you. Because of this, there may be a short delay in getting our responses to you, however be assured that we will be working diligently on your problem.

Re: A variety package - Trusted Antivirus, AV Systemcare , SHeur

Post by peku006 » April 25th, 2008, 6:27 am

Hello spreadlove

1 - disable SUPERAntiSpyware
  • Please disable SuperAntispyware as it can interfere with the fix
  • Right-click on the shortcut from the system tray,
  • choose View Control Center (preferences/options),
  • on the General and Startup tab,
  • uncheck, Start SUPERAntispyware when Windows starts,
  • click Close to exit.

2 - Scan With ComboFix

Please visit >this webpage< at Bleeping Computer and follow the instructions for downloading and running ComboFix.

IMPORTANT !!! combofix.exe MUST be on your Desktop for us to proceed.

3 - Status Check
Please reply with

1. the ComboFix log
2. a fresh HijackThis log

Thanks peku006

Re: A variety package - Trusted Antivirus, AV Systemcare , SHeur

Post by spreadlove » April 25th, 2008, 5:43 pm

Thanks for your help Peku006

Here is the ComboFix log

ComboFix 08-04-24.1 - David 2008-04-25 22:09:51.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.59 [GMT 1:00]
Running from: C:\Documents and Settings\David\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\David\Desktop\WinXP_EN_HOM_BF.EXE
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\David\Application Data\macromedia\Flash Player\#SharedObjects\6QDEEVPA\iforex.com
C:\Documents and Settings\David\Application Data\macromedia\Flash Player\#SharedObjects\6QDEEVPA\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\David\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\David\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\Documents and Settings\David\ResErrors.log
C:\Temp\sanR24
C:\WINDOWS\system32\drivers\dhlp.sys
C:\WINDOWS\system32\iDlo01
C:\WINDOWS\system32\pac.txt

----- BITS: Possible infected sites -----

hxxp://www.lookme.biz
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINNOTIFY
-------\Service_dhlp


((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))
.

2008-04-24 18:16 . 2008-04-24 18:16 <DIR> d----c--- C:\Program Files\Trend Micro
2008-04-12 23:22 . 2005-01-04 14:37 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-04-12 23:22 . 2005-01-04 14:40 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-04-12 23:22 . 2005-01-04 14:35 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-04-12 23:22 . 2005-01-04 14:33 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\Creative
2008-04-12 23:22 . 2005-01-06 16:40 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\AOL
2008-04-12 23:22 . 2008-04-12 23:22 <DIR> d----c--- C:\Documents and Settings\Administrator
2008-04-12 23:22 . 2008-04-25 22:07 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-08 21:25 . 2008-04-08 21:26 <DIR> d----c--- C:\Program Files\RogueRemover FREE
2008-03-30 12:39 . 2008-03-30 13:57 0 --a--c--- C:\Temp\EnhancedDataOutput.txt

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-25 17:41 --------- dc----w C:\Documents and Settings\David\Application Data\AVG7
2008-03-16 14:05 --------- dc----w C:\Program Files\SUPERAntiSpyware
2006-02-16 16:35 32 -c--a-r C:\Documents and Settings\All Users\hash.dat
2005-07-13 22:15 515,099 -c--a-w C:\Program Files\GoogleEarth.exe
2005-06-27 08:20 65,560 -c--a-w C:\Documents and Settings\David\Application Data\GDIPFONTCACHEV1.DAT
2005-06-03 15:57 535,565 -csh--w C:\WINDOWS\INF\daca.ini2
2005-05-11 23:40 412,772 -csha-w C:\WINDOWS\INF\daca.tmp
2000-01-03 18:39 50,612 -c--a-w C:\Documents and Settings\David\Application Data\wklnhst.dat
2005-06-03 15:57 535,565 -csh--w C:\WINDOWS\INF\daca.ini2
2005-06-03 15:57 512,020 -csha-w C:\WINDOWS\SYSTEM32\CatRoot2\msvcsrv.dll
2005-10-20 17:53 525,836 -csha-w C:\WINDOWS\SYSTEM32\CatRoot2\vrscvsm.bak1
2005-12-17 20:45 461,397 -csha-w C:\WINDOWS\SYSTEM32\CatRoot2\vrscvsm.bak2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{205F28FC-DF76-4ED8-92C9-1BF740021CEA}]
2005-06-03 16:57 512020 --ahsc--- C:\WINDOWS\system32\CatRoot2\msvcsrv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4eab1ba1-178f-4eab-a2a8-179f8162c9a6}]
C:\WINDOWS\system32\IPXSYS.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C3F6257-3E00-45C2-88D5-CB0F3A17BF0E}]
C:\Program Files\AVSystemCare\Tools\pblock.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6F87F145-DC2D-4766-AF03-3A3B96FFAD98}]
C:\Program Files\AVSystemCare\Tools\sbiebho.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 19:23 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15 290816]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"DiTask.exe"="C:\Program Files\Eicon\Diva\DiTask.exe" [2002-04-10 10:21 143360]
"Divamon.exe"="C:\Program Files\Eicon\Diva\Divamon.exe" [2002-04-10 10:28 32768]
"Eicon TechnologyLAN_DAEMON"="C:\Program Files\Eicon\Diva\watch.exe" [2002-04-10 10:27 192512]
"CGServer"="C:\Program Files\Eicon\Diva\cgserver.exe" [2002-04-10 10:26 40960]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 11:43 57344]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 02:00 45056]
"CTHelper"="CTHELPER.EXE" [2004-03-11 10:50 28672 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 17:54 57344]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 02:01 110592]
"EPSON PictureMate 100"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAKE.exe" [2005-05-06 05:00 98304]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-18 20:22 579584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 06:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 22:22 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 06:00 53760 C:\WINDOWS\SYSTEM32\NARRATOR.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2005-01-06 18:25:09 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{8E02098A-953A-A108-ED09-BA11A116D2BA}"= C:\WINDOWS\system32\cidjwsdrv.dll [2000-01-01 01:01 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccyyx]
ddccyyx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IPXSYS]
IPXSYS.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\msvcsrv]
C:\WINDOWS\system32\CatRoot2\msvcsrv.dll 2005-06-03 16:57 512020 C:\WINDOWS\SYSTEM32\CatRoot2\msvcsrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msvideo7"= STV680tg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Eicon\\Diva\\watch.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R0 DiMaint;Eicon Maintenance Driver;C:\WINDOWS\system32\DRIVERS\DISDN\dimaint.sys [2002-12-04 14:49]
R2 Cubase32;Cubase32;C:\WINDOWS\system32\drivers\Cubase32.sys [1996-08-14 14:07]
R2 DiCapi;Eicon CAPI 2.0 Driver;C:\WINDOWS\system32\DRIVERS\DISDN\capi202k.sys [2001-06-12 14:27]
R2 DiPort;Eicon Port Driver;C:\WINDOWS\system32\DRIVERS\DISDN\diport40.sys [2002-10-16 15:32]
R3 DiWan;Eicon Driver for all Diva Client cards;C:\WINDOWS\system32\DRIVERS\DISDN\Diwan.sys [2002-10-03 16:35]
S3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2007-07-19 14:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7223ed93-f833-11dc-bc89-00111188f3d5}]
\Shell\AutoRun\command - E:\WD_Windows_Tools\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-14 23:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\056205C6.exe
"2008-04-21 08:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\056205C6.exe
"2008-04-21 09:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\056205C6.exe
"2008-04-21 10:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\056205C6.exe
"2008-04-21 11:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\056205C6.exe
"2008-04-21 12:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\056205C6.exe
"2008-04-20 13:00:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\056205C6.exe
"2008-04-21 14:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\056205C6.exe
"2008-04-21 15:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\056205C6.exe
"2008-04-21 16:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\056205C6.exe
"2008-04-24 17:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\056205C6.exe
"2008-04-11 00:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\056205C6.exe
"2008-04-25 18:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\056205C6.exe
"2008-04-25 19:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\056205C6.exe
"2008-04-25 20:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\056205C6.exe
"2008-04-25 21:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\056205C6.exe
"2008-04-24 22:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\056205C6.exe
"2008-04-14 23:02:10 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\system32\1XU8leGY.exe
"2008-04-11 00:01:00 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\system32\1XU8leGY.exe
"2008-04-11 01:01:00 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\system32\1XU8leGY.exe
"2007-10-17 02:01:00 C:\WINDOWS\Tasks\At28.job"
- C:\WINDOWS\system32\1XU8leGY.exe
"2007-10-17 03:01:00 C:\WINDOWS\Tasks\At29.job"
- C:\WINDOWS\system32\1XU8leGY.exe
"2008-04-11 01:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-10-17 04:01:00 C:\WINDOWS\Tasks\At30.job"
- C:\WINDOWS\system32\1XU8leGY.exe
"2007-10-17 05:01:00 C:\WINDOWS\Tasks\At31.job"
- C:\WINDOWS\system32\1XU8leGY.exe
"2007-11-15 07:02:15 C:\WINDOWS\Tasks\At32.job"
- C:\WINDOWS\system32\1XU8leGY.exe
"2008-03-24 08:02:14 C:\WINDOWS\Tasks\At33.job"
- C:\WINDOWS\system32\1XU8leGY.exe
"2008-04-21 08:02:01 C:\WINDOWS\Tasks\At34.job"
- C:\WINDOWS\system32\1XU8leGY.exe
"2008-04-21 09:01:00 C:\WINDOWS\Tasks\At35.job"
- C:\WINDOWS\system32\1XU8leGY.exe
"2008-04-21 10:01:00 C:\WINDOWS\Tasks\At36.job"
- C:\WINDOWS\system32\1XU8leGY.exe
"2008-04-21 11:01:00 C:\WINDOWS\Tasks\At37.job"
- C:\WINDOWS\system32\1XU8leGY.exe
"2008-04-21 12:01:10 C:\WINDOWS\Tasks\At38.job"
- C:\WINDOWS\system32\1XU8leGY.exe
"2008-04-20 13:02:11 C:\WINDOWS\Tasks\At39.job"
- C:\WINDOWS\system32\1XU8leGY.exe
"2007-10-17 02:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\056205C6.exe
"2008-04-21 14:02:11 C:\WINDOWS\Tasks\At40.job"
- C:\WINDOWS\system32\1XU8leGY.exe
"2008-04-21 15:01:00 C:\WINDOWS\Tasks\At41.job"
- C:\WINDOWS\system32\1XU8leGY.exe
"2008-04-21 16:01:00 C:\WINDOWS\Tasks\At42.job"
- C:\WINDOWS\system32\1XU8leGY.exe
"2008-04-24 17:02:05 C:\WINDOWS\Tasks\At43.job"
- C:\WINDOWS\system32\1XU8leGY.exe
"2008-04-25 18:02:12 C:\WINDOWS\Tasks\At44.job"
- C:\WINDOWS\system32\1XU8leGY.exe
"2008-04-25 19:01:00 C:\WINDOWS\Tasks\At45.job"
- C:\WINDOWS\system32\1XU8leGY.exe
"2008-04-25 20:01:00 C:\WINDOWS\Tasks\At46.job"
- C:\WINDOWS\system32\1XU8leGY.exe
"2008-04-25 21:01:00 C:\WINDOWS\Tasks\At47.job"
- C:\WINDOWS\system32\1XU8leGY.exe
"2008-04-24 22:01:00 C:\WINDOWS\Tasks\At48.job"
- C:\WINDOWS\system32\1XU8leGY.exe
"2007-10-17 03:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-10-17 04:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-10-17 05:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\056205C6.exe
"2007-11-15 07:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\056205C6.exe
"2008-03-24 08:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\056205C6.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-25 22:26:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\CatRoot2\msvcsrv.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe
C:\Program Files\McAfee.com\Agent\Mcdetect.exe
C:\PROGRA~1\McAfee.com\Agent\McTskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Eicon\Diva\DiInfo.exe
.
**************************************************************************
.
Completion time: 2008-04-25 22:38:42 - machine was rebooted [David]
ComboFix-quarantined-files.txt 2008-04-25 21:37:39

Pre-Run: 9,302,032,384 bytes free
Post-Run: 10,129,661,952 bytes free

WinXP_EN_HOM_BF.EXE
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

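Read together, the HijackThis log and the ComboFix log above show the same picture from two angles: a Browser Helper Object and a Winlogon Notify package both pointing at a DLL under system32\CatRoot2 (a directory that holds the catalog database, not loadable modules), which ComboFix confirms is loaded inside winlogon.exe; several autostart entries whose files are already gone; and a fan of hourly AtN.job tasks, the naming scheme at.exe uses, all launching two unnamed executables in system32. The script below is an added example written for this page, not a tool from the thread or from MalwareRemoval.com. It applies those triage rules to a handful of lines copied from the two logs; the line formats it assumes are the ones shown in the thread, and the sample selection and the two-job threshold are assumptions.

```python
"""Triage heuristics for HijackThis and ComboFix log lines.

Added example for this thread, not a tool from MalwareRemoval.com.
The samples below are lines copied from the logs posted above.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the O2/O3/O20 lines from the first HijackThis log.
HJT_SAMPLE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {205F28FC-DF76-4ED8-92C9-1BF740021CEA} - C:\WINDOWS\system32\CatRoot2\msvcsrv.dll
O2 - BHO: (no name) - {4eab1ba1-178f-4eab-a2a8-179f8162c9a6} - C:\WINDOWS\system32\IPXSYS.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddccyyx - ddccyyx.dll (file missing)
O20 - Winlogon Notify: msvcsrv - C:\WINDOWS\system32\CatRoot2\msvcsrv.dll
"""

# Constructed sample: five of the 48 scheduled-task pairs from the ComboFix log.
COMBOFIX_TASKS_SAMPLE = r"""
"2008-04-14 23:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\056205C6.exe
"2008-04-21 08:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\056205C6.exe
"2008-04-21 09:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\056205C6.exe
"2008-04-14 23:02:10 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\system32\1XU8leGY.exe
"2008-04-11 00:01:00 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\system32\1XU8leGY.exe
"""

# "O2 - BHO: <name> - {CLSID} - <path> [(file missing)]"; O20 lines carry no CLSID.
HJT_RE = re.compile(r"^(O\d+) - ([^:]+): (.*?) - (?:\{[0-9A-Fa-f-]+\} - )?(.*)$")
# ComboFix prints each task as a quoted "<timestamp> <path>\AtN.job" line.
JOB_RE = re.compile(r'\\([^\\]+\.job)"$')

# Directories that legitimately hold no loadable modules. CatRoot2 stores the
# catalog database, so a DLL living there was put there to avoid attention.
ODD_DIRS = ("\\system32\\catroot2\\",)


def parse_hjt(text):
    """Return one dict per O-line: section, kind, name, path, missing."""
    entries = []
    for line in text.splitlines():
        m = HJT_RE.match(line.strip())
        if not m:
            continue
        section, kind, name, target = m.groups()
        missing = target.endswith("(file missing)") or target == "(no file)"
        path = target.replace("(file missing)", "").strip()
        entries.append({"section": section, "kind": kind, "name": name,
                        "path": path, "missing": missing})
    return entries


def flag_hjt(entries):
    """Apply the triage rules; return (section, name, path, reasons) tuples."""
    findings = []
    for e in entries:
        low = e["path"].lower()
        reasons = []
        if e["missing"]:
            reasons.append("orphaned autostart: referenced file is gone")
        if e["name"] == "(no name)":
            reasons.append("component registered without a name")
        if any(d in low for d in ODD_DIRS):
            reasons.append("module kept in a directory that holds no DLLs")
        # Winlogon Notify packages load inside winlogon.exe as SYSTEM; a bare
        # file name is resolved through the DLL search path, not a fixed location.
        if e["section"] == "O20" and "\\" not in e["path"]:
            reasons.append("Winlogon Notify DLL given by bare name")
        if reasons:
            findings.append((e["section"], e["name"], e["path"], reasons))
    return findings


def parse_combofix_tasks(text):
    """Map each task target to the list of job names that launch it."""
    by_target = defaultdict(list)
    job = None
    for line in text.splitlines():
        line = line.strip()
        m = JOB_RE.search(line)
        if m:
            job = m.group(1)
        elif line.startswith("- ") and job:
            by_target[line[2:]].append(job)
            job = None
    return dict(by_target)


def flag_tasks(by_target, min_jobs=2):
    """at.exe names its jobs AtN.job; several of them firing the same unnamed
    binary under system32 is a persistence fan-out worth pulling apart."""
    findings = []
    for target, jobs in by_target.items():
        at_jobs = [j for j in jobs if j.lower().startswith("at")]
        if len(at_jobs) >= min_jobs and "\\system32\\" in target.lower():
            findings.append((target, sorted(at_jobs)))
    return sorted(findings)


if __name__ == "__main__":
    for section, name, path, reasons in flag_hjt(parse_hjt(HJT_SAMPLE)):
        print(f"{section:<4}{name:<14}{path}\n      {'; '.join(reasons)}")
    for target, jobs in flag_tasks(parse_combofix_tasks(COMBOFIX_TASKS_SAMPLE)):
        print(f"{target} launched by {len(jobs)} At jobs: {', '.join(jobs)}")
```

The rules are deliberately dumb string checks, which is the point: none of the flagged lines needs a signature, only knowledge of where legitimate software does and does not put things. Run against the full logs, the same code flags the two ShellExecuteHook and firewall lines as well if you extend ODD_DIRS and the section list; the Adobe and SUPERAntiSpyware lines pass untouched, which is the sanity check that the heuristics are not simply flagging everything.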

Re: A variety package - Trusted Antivirus, AV Systemcare , SHeur

Post by spreadlove » April 25th, 2008, 5:45 pm

Here is the fresh Hijack This log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:44:25, on 25/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAKE.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {205F28FC-DF76-4ED8-92C9-1BF740021CEA} - C:\WINDOWS\system32\CatRoot2\msvcsrv.dll
O2 - BHO: (no name) - {4eab1ba1-178f-4eab-a2a8-179f8162c9a6} - C:\WINDOWS\system32\IPXSYS.dll (file missing)
O2 - BHO: CIEIntegrator Object - {5C3F6257-3E00-45C2-88D5-CB0F3A17BF0E} - C:\Program Files\AVSystemCare\Tools\pblock.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: IEFW Object - {6F87F145-DC2D-4766-AF03-3A3B96FFAD98} - C:\Program Files\AVSystemCare\Tools\sbiebho.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [EPSON PictureMate 100] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAKE.EXE /P21 "EPSON PictureMate 100" /O6 "USB003" /M "PictureMate 100"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {1B735B98-8010-11D5-AD0B-00500463D885} (SearchCD Control) - http://www.partsarena.com/baxi/Plugins/IMIESRCH.cab
O16 - DPF: {36C17E9B-3354-11D1-95CF-0000B4530F04} (GrafixViewControl) - http://www.partsarena.com/baxi/Plugins/GFXVIEW.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://sell-vehicle.ebay.co.uk/images/e ... 0-3-50.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddccyyx - ddccyyx.dll (file missing)
O20 - Winlogon Notify: IPXSYS - IPXSYS.dll (file missing)
O20 - Winlogon Notify: msvcsrv - C:\WINDOWS\system32\CatRoot2\msvcsrv.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 9175 bytes
spreadlove
Active Member
 
Posts: 4
Joined: April 24th, 2008, 1:21 pm
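The entries the helper will point at in this log are the ones whose registration no longer matches a file on disk, or whose DLL sits somewhere no stock component lives. The following triage script is an added example, not part of the original post or of HijackThis itself: it parses the "Oxx - ..." line format and flags the "(file missing)" entries and the O20 Winlogon Notify DLLs that are given without a path or loaded from a subfolder of system32 (such as CatRoot2). The sample lines are constructed from the kinds of entries seen above.

```python
import re

# Constructed sample: a handful of lines of the kinds that appear in the log above.
SAMPLE_LOG = r"""
O2 - BHO: IEFW Object - {6F87F145-DC2D-4766-AF03-3A3B96FFAD98} - C:\Program Files\AVSystemCare\Tools\sbiebho.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddccyyx - ddccyyx.dll (file missing)
O20 - Winlogon Notify: msvcsrv - C:\WINDOWS\system32\CatRoot2\msvcsrv.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
"""

# Every HijackThis line starts with a section code (O2, O4, O20, ...) followed by " - ".
LINE_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_hjt(text):
    """Return (section, body) pairs for every well-formed HijackThis line."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage_entry(section, body):
    """Return the reasons an entry deserves a closer look (empty list = nothing odd)."""
    reasons = []
    if "(file missing)" in body:
        reasons.append("registration points at a file that is no longer on disk")
    if section == "O20":
        # Body is "Winlogon Notify: <key name> - <dll path>".
        dll = body.split(" - ", 1)[1].replace(" (file missing)", "").strip()
        parent = dll.lower().rsplit("\\", 1)[0] if "\\" in dll else ""
        if not parent:
            reasons.append("Winlogon Notify DLL named without a path (resolved via the search path)")
        elif "\\system32\\" in (parent + "\\") and not parent.endswith("\\system32"):
            reasons.append("Winlogon Notify DLL loaded from a subfolder of system32, where no stock package lives")
    return reasons


def triage_log(text):
    """Map each suspicious line body to its reasons; clean lines are omitted."""
    return {body: triage_entry(sec, body) for sec, body in parse_hjt(text)
            if triage_entry(sec, body)}


if __name__ == "__main__":
    for body, why in triage_log(SAMPLE_LOG).items():
        print(body, "\n   ->", "; ".join(why))
```

A hit only means the entry needs a human look; the O23 service list and the O4 Run keys are best checked against the vendor names and install paths the same way.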

Re: A variety package - Trusted Antivirus, AV Systemcare , SHeur

Unread postby peku006 » April 27th, 2008, 7:33 am

Hello spreadlove
I'm afraid I have unpleasant news for you. You have a very dangerous infection on this machine.

One or more of the identified infections is a backdoor trojan (password stealer).
This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine, but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post

Thanks peku006
peku006
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: A variety package - Trusted Antivirus, AV Systemcare , SHeur

Unread postby spreadlove » April 27th, 2008, 8:46 am

Thanks Peku

I intend to reformat given your advice.

However if I move all my files onto a flash drive and then reinstall them on the newly reformatted drive will this not reinfect it?

Thanks

David
spreadlove
Active Member
 
Posts: 4
Joined: April 24th, 2008, 1:21 pm

Re: A variety package - Trusted Antivirus, AV Systemcare , SHeur

Unread postby peku006 » April 27th, 2008, 2:22 pm

Hello spreadlove

That's a wise decision

Yes, you can move those important files, but scan the files on the stick with an antivirus and also with an antimalware scanner before copying them.

If you need help with formatting, see here

Below are some tips on how to stay clean in the future

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.

    This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with anti-virus software. A tutorial on installing & using this product can be found here:

    Instructions for Spybot S & D

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Comodo BOCLEAN <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
  • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein: So How Did I Get Infected In The First Place
peku006
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway