Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 


Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Reload this Page Trojan Horse and Viruses
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read


Resolved HJT Threads Resolved spyware and popup issues.

 
 
LinkBack Thread Tools
Old 06-08-2007, 07:52 AM   #1 (permalink)
Registered User
 
Join Date: Jun 2007
Location: Kent, England.
Posts: 12
OS: Windows Xp Proffesional


Trojan Horse and Viruses
Hello, i'm new to this forum but i have read the Must read before posting sticky before posting :) Any amends that need to be made to this post please do so, and if i have made any mistakes, i apoligise in advance.

Ok, i'm trying to fix my brothers Pc as it has become infected with many viruses and trojans, avg seems to be going mad at the moment especially with trojan's. Most of them are coming from the TEMP folder, which i tell avg to place in the Virus Vault. Some however come from System32, which i do not ask it to place into Virus vault as the file is probably critical in keeping the sytem stable. I "heal" them instead with avg's option.

Well here is my Hijackthis logfile,

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\U.S. Robotics\Wireless USB Manager\PRISMSVR.EXE
C:\Program Files\SpywareBot\SpywareBot.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\U.S. Robotics\Wireless USB Manager\USR11G.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Family\Desktop\HiJackThis_v2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\U.S. Robotics\Wireless USB Manager\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\pckvawky.dll",realset
O4 - HKLM\..\Run: [j4211435] rundll32 C:\WINDOWS\system32\j4211435.dll sook
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\piixghuc.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: U.S. Robotics Wireless USB Adapter.lnk = C:\Program Files\U.S. Robotics\Wireless USB Manager\USR11G.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1171835030158
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

Also, i have been flooded with popups from System doctor, parypoker, ameana ( i think thats spelling) Zedo, cellarado and promting me to Install Winantivirus 06/07, which i decline. Also this isn't the main account on the computer so i don't know if you want me to post a log from there (if it makes a difference, im not sure) I will post my panda log later, as internet explorer (i use firefox) is taking an incredibally long time to scan.

(Also, windows has been unable to update the computer for about a week now, i'm not sure why it isn't working.)

Thanks in advance, and i hope you can help me with my problem,

Luke
Last edited by -Luke-; 06-08-2007 at 07:54 AM.
-Luke- is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Important Information
Join the #1 Tech Support Forum Today - It's Totally Free!

TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free.

Join TechSupportforum.com Today - Click Here

Old 06-08-2007, 11:00 AM   #2 (permalink)
Registered User
 
Join Date: Jun 2007
Location: Kent, England.
Posts: 12
OS: Windows Xp Proffesional


Re: Trojan Horse and Viruses
I couldent see the edit button at all :(

Heres the Panda log, i didn't realise it had got so bad :(


Incident Status Location

Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\au\Application Data\Mozilla\Firefox\Profiles\1c23mh6e.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\au\Application Data\Mozilla\Firefox\Profiles\1c23mh6e.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\au\Application Data\Mozilla\Firefox\Profiles\1c23mh6e.default\cookies.txt[www.winantiviruspro.com/]
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\au\Application Data\Mozilla\Firefox\Profiles\1c23mh6e.default\cookies.txt[.systemdoctor.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\au\Application Data\Mozilla\Firefox\Profiles\1c23mh6e.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\au\Application Data\Mozilla\Firefox\Profiles\1c23mh6e.default\cookies.txt[.com.com/]
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\au\Application Data\Mozilla\Firefox\Profiles\1c23mh6e.default\cookies.txt[.clickbank.net/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\au\Application Data\Mozilla\Firefox\Profiles\1c23mh6e.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\au\Application Data\Mozilla\Firefox\Profiles\1c23mh6e.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\au\Application Data\Mozilla\Firefox\Profiles\1c23mh6e.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\au\Application Data\Mozilla\Firefox\Profiles\1c23mh6e.default\cookies.txt[.targetnet.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\au\Application Data\SpywareBot\Quarantine\18-05-2007-21-32-06\10000.qit
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\au\Application Data\SpywareBot\Quarantine\18-05-2007-21-32-06\10001.qit
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\au\Application Data\SpywareBot\Quarantine\18-05-2007-21-32-06\10002.qit
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\au\Application Data\SpywareBot\Quarantine\18-05-2007-21-32-06\10009.qit
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\au\Application Data\SpywareBot\Quarantine\20-05-2007-20-21-41\10000.qit
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\au\Application Data\SpywareBot\Quarantine\27-05-2007-14-17-59\10000.qit
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\au\Application Data\SpywareBot\Quarantine\27-05-2007-14-17-59\10002.qit
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\au\Cookies\au@888[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\au\Cookies\au@ad.yieldmanager[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\au\Cookies\au@adultfriendfinder[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\au\Cookies\au@advertising[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\au\Cookies\au@drivecleaner[1].txt
Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\au\Cookies\au@linksynergy[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\au\Cookies\au@mediaplex[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\au\Cookies\au@server.iad.liveperson[2].txt
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\au\Cookies\au@systemdoctor[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\au\Cookies\au@winantivirus[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\au\Cookies\au@www.drivecleaner[2].txt
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\au\Cookies\au@www.systemdoctor[2].txt
Adware:Adware/WinAntivirus2006 Not disinfected C:\Documents and Settings\au\Local Settings\Temp\jqnernmp.dll
Hacktool:Hacktool/MSNpass.H Not disinfected C:\Documents and Settings\au\Local Settings\Temp\mspass.zip[mspass.exe]
Adware:Adware/WinAntivirus2006 Not disinfected C:\Documents and Settings\au\Local Settings\Temp\nkjcxqxj.dll
Adware:Adware/WebSearch Not disinfected C:\Documents and Settings\au\Local Settings\Temp\temp.frF613
Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\Documents and Settings\au\Local Settings\Temporary Internet Files\Content.IE5\IR9S764B\WinAntiVirusPro2007FreeInstall[1].cab[UWA7P_0001_N91M0809NetInstaller.exe]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies-1.txt[.doubleclick.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies-1.txt[.2o7.net/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies-1.txt[.atwola.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies-1.txt[.2o7.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies-1.txt[.atdmt.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies-1.txt[.advertising.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies-1.txt[.questionmarket.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies-1.txt[.adtech.de/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies-1.txt[.mediaplex.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies-1.txt[.com.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies-1.txt[.zedo.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies-1.txt[statse.webtrendslive.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies-1.txt[.hitbox.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies-1.txt[.fastclick.net/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies-1.txt[ad.yieldmanager.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies-1.txt[.realmedia.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies-1.txt[.tradedoubler.com/]
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[.winantivirus.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[winantivirus.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[.systemdoctor.com/]
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[www.systemdoctor.com/]
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[www.winantiviruspro.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[server.iad.liveperson.net/hc/45408239]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[.com.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[.zedo.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[.drivecleaner.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[stats.drivecleaner.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[.advertising.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[.errorsafe.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[.targetnet.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[server.iad.liveperson.net/hc/14536768]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Family\Application Data\SpywareBot\Quarantine\20-05-2007-16-10-11\10004.qit
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Family\Application Data\SpywareBot\Quarantine\25-05-2007-06-32-26\10000.qit
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Family\Application Data\SpywareBot\Quarantine\29-05-2007-22-18-49\10000.qit
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Family\Cookies\family@drivecleaner[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Family\Cookies\family@errorsafe[2].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Family\Cookies\family@i.screensavers[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Family\Cookies\family@mediaplex[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Family\Cookies\family@stats1.reliablestats[1].txt
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Family\Cookies\family@systemdoctor[2].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Family\Cookies\family@winantivirus[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Family\Cookies\family@www.drivecleaner[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Family\Cookies\family@www.errorsafe[1].txt
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Family\Cookies\family@www.systemdoctor[2].txt
Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\Documents and Settings\Family\Local Settings\Application Data\Mozilla\Firefox\Profiles\5plkfs8b.default\Cache\A23E4567d01
Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\Documents and Settings\Family\Local Settings\Temp\izxy37hn.exe
Adware:Adware/WinAntivirus2006 Not disinfected C:\Documents and Settings\Family\Local Settings\Temp\jolyxhbt.dll
Adware:Adware/WinAntivirus2006 Not disinfected C:\Documents and Settings\Family\Local Settings\Temp\mtctqyuh.dll
Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\Documents and Settings\Family\Local Settings\Temporary Internet Files\Content.IE5\01K345OP\WinAntiVirusPro2006FreeInstall[1].exe
Spyware:Cookie/Systemdoctor Not disinfected C:\RECYCLER\S-1-5-21-515967899-682003330-725345543-1005\Dc21.txt
Spyware:Cookie/DriveCleaner Not disinfected C:\RECYCLER\S-1-5-21-515967899-682003330-725345543-1005\Dc22.txt
Spyware:Cookie/Winantivirus Not disinfected C:\RECYCLER\S-1-5-21-515967899-682003330-725345543-1005\Dc28.txt
Spyware:Cookie/DriveCleaner Not disinfected C:\RECYCLER\S-1-5-21-515967899-682003330-725345543-1005\Dc29.txt
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\aivekbld.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\amuyowws.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\enkulhga.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\eqogpbys.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\flonirrr.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\gdtasnaw.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\gireogjp.dll
Virus:Trj/Clicker.ACO Disinfected C:\WINDOWS\system32\gpfdlwvv.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\grwkvbnt.dll
Virus:Trj/Clicker.ACO Disinfected C:\WINDOWS\system32\gxtppgst.exe
Virus:Trj/Downloader.ORT Disinfected C:\WINDOWS\system32\harhyebe.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\hdatvfuh.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\hrgmyrvp.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\iaykgtoh.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ipmekpmk.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\kfsivjpy.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\nrtlcmjd.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\nwqggbfe.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\piixghuc.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\qrlwkuam.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\rhbcalff.dll
Virus:Trj/Clicker.ACO Disinfected C:\WINDOWS\system32\sikusecc.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\sxatlwqh.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\sxqvgstf.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\thxxawdk.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\vgongjba.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\vtuuuut.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\wsmhajoe.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\xbsupsbd.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ybgyakpr.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\yfcbfakf.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ykyhjojl.dll
Virus:Trj/Clicker.ACO Disinfected C:\WINDOWS\system32\yremsfoy.exe

Any help would be much appreciated :D
( 5 hacking and root tools. 130 Spyware and 3 Viruses i think.)

Thanks once again.
Last edited by -Luke-; 06-08-2007 at 11:01 AM.
-Luke- is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 06-09-2007, 01:15 AM   #3 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,453
OS: N/A


Re: Trojan Horse and Viruses
1. Download this file -> http://download.bleepingcomputer.com...a/ComboFix.exe

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 06-10-2007, 10:44 AM   #4 (permalink)
Registered User
 
Join Date: Jun 2007
Location: Kent, England.
Posts: 12
OS: Windows Xp Proffesional


Re: Trojan Horse and Viruses
Ok done as you requested :)

Here are my current results,

Hijackthis

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:43:13 PM, on 6/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\U.S. Robotics\Wireless USB Manager\PRISMSVR.EXE
C:\Program Files\SpywareBot\SpywareBot.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\U.S. Robotics\Wireless USB Manager\USR11G.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Family\Desktop\HiJackThis_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3A364C26-F0B2-4F9D-AB85-F44D42B3178B} - C:\WINDOWS\system32\sstqr.dll (file missing)
O2 - BHO: (no name) - {52E54371-D19C-43FD-824F-453836D72915} - C:\WINDOWS\system32\crlxaoqu.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {92DED8D0-45A0-49D4-8A6E-E52AF8F42424} - C:\WINDOWS\system32\geebc.dll (file missing)
O2 - BHO: (no name) - {A8250F99-C9CF-420F-9842-FBF225E03421} - C:\WINDOWS\system32\crlxaoqu.dll
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\aitekkhg.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\U.S. Robotics\Wireless USB Manager\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: U.S. Robotics Wireless USB Adapter.lnk = C:\Program Files\U.S. Robotics\Wireless USB Manager\USR11G.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1171835030158
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: geebc - C:\WINDOWS\system32\geebc.dll (file missing)
O20 - Winlogon Notify: sstqr - C:\WINDOWS\system32\sstqr.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

--
End of file - 5220 bytes

And Combofix's log

ComboFix 07-06-10 - C:\Documents and Settings\Family\Desktop\ComboFix.exe
"Family" - 2007-06-10 14:32:25 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\aivekbld.dll
C:\WINDOWS\system32\amuyowws.dll
C:\WINDOWS\system32\enkulhga.dll
C:\WINDOWS\system32\eqogpbys.dll
C:\WINDOWS\system32\flonirrr.dll
C:\WINDOWS\system32\gdtasnaw.dll
C:\WINDOWS\system32\gireogjp.dll
C:\WINDOWS\system32\grwkvbnt.dll
C:\WINDOWS\system32\hdatvfuh.dll
C:\WINDOWS\system32\hrgmyrvp.dll
C:\WINDOWS\system32\iaykgtoh.dll
C:\WINDOWS\system32\ipmekpmk.dll
C:\WINDOWS\system32\kfsivjpy.dll
C:\WINDOWS\system32\nrtlcmjd.dll
C:\WINDOWS\system32\piixghuc.dll
C:\WINDOWS\system32\qrlwkuam.dll
C:\WINDOWS\system32\rhbcalff.dll
C:\WINDOWS\system32\sxatlwqh.dll
C:\WINDOWS\system32\sxqvgstf.dll
C:\WINDOWS\system32\vgongjba.dll
C:\WINDOWS\system32\wsmhajoe.dll
C:\WINDOWS\system32\xbsupsbd.dll
C:\WINDOWS\system32\ybgyakpr.dll
C:\WINDOWS\system32\yfcbfakf.dll
C:\WINDOWS\system32\ykyhjojl.dll
C:\WINDOWS\system32\edeeg.bak1
C:\WINDOWS\system32\edeeg.bak2
C:\WINDOWS\system32\edeeg.ini
C:\WINDOWS\system32\edeeg.ini2
C:\WINDOWS\system32\edeeg.tmp
C:\WINDOWS\system32\tnbvkwrg.ini
C:\WINDOWS\system32\pvrymgrh.ini
C:\WINDOWS\system32\kmpkempi.ini
C:\WINDOWS\system32\cuhgxiip.ini
C:\WINDOWS\system32\maukwlrq.ini
C:\WINDOWS\system32\fflacbhr.ini
C:\WINDOWS\system32\dbspusbx.ini
C:\WINDOWS\system32\fkafbcfy.ini
C:\WINDOWS\system32\cbeeg.bak1
C:\WINDOWS\system32\cbeeg.bak2
C:\WINDOWS\system32\cbeeg.ini
C:\WINDOWS\system32\cbeeg.ini2
C:\WINDOWS\system32\cbeeg.tmp
C:\WINDOWS\system32\edeeg.bak1
C:\WINDOWS\system32\edeeg.bak2
C:\WINDOWS\system32\edeeg.ini
C:\WINDOWS\system32\edeeg.ini2
C:\WINDOWS\system32\edeeg.tmp
C:\WINDOWS\system32\cbeeg.bak1
C:\WINDOWS\system32\cbeeg.bak2
C:\WINDOWS\system32\cbeeg.ini
C:\WINDOWS\system32\cbeeg.ini2
C:\WINDOWS\system32\cbeeg.tmp
C:\WINDOWS\system32\edeeg.bak1
C:\WINDOWS\system32\edeeg.bak2
C:\WINDOWS\system32\edeeg.ini
C:\WINDOWS\system32\edeeg.ini2
C:\WINDOWS\system32\edeeg.tmp
C:\WINDOWS\system32\rqtss.bak1
C:\WINDOWS\system32\rqtss.bak2
C:\WINDOWS\system32\rqtss.ini
C:\WINDOWS\system32\rqtss.ini2
C:\WINDOWS\system32\rqtss.tmp
C:\WINDOWS\system32\geede.dll
C:\WINDOWS\system32\vtuuuut.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Family\APPLIC~1.\macromedia\Flash Player\#SharedObjects\2U33X8V7\www.broadcaster.com
C:\DOCUME~1\Family\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\Family\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NWSAPAGENT
-------\nm
-------\NwSapAgent


((((((((((((((((((((((((( Files Created from 2007-05-10 to 2007-06-10 )))))))))))))))))))))))))))))))


2007-06-10 14:27 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-09 22:22 125,460 --a------ C:\WINDOWS\system32\crlxaoqu.dll
2007-06-08 14:37 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-06 21:27 55,316 --a------ C:\WINDOWS\system32\tjrmbrik.dll
2007-06-04 21:54 131,124 --a------ C:\WINDOWS\system32\pckvawky.dll
2007-06-03 21:14 132,660 --a------ C:\WINDOWS\system32\thxxawdk.dll
2007-06-03 15:01 2,580 --a------ C:\WINDOWS\system32\jstxjokv.exe
2007-06-02 18:29 2,580 --a------ C:\WINDOWS\system32\alwjxuka.exe
2007-06-02 14:07 2,580 --a------ C:\WINDOWS\system32\oivrjkuc.exe
2007-06-01 18:04 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-05-31 22:58 <DIR> d-------- C:\Program Files\Windows Defender
2007-05-31 22:19 <DIR> d-------- C:\dargnor
2007-05-27 23:04 <DIR> d-------- C:\Program Files\JetBrains
2007-05-25 19:25 50,745 --a------ C:\WINDOWS\system32\nwqggbfe.dll
2007-05-22 17:04 <DIR> d-------- C:\WINDOWS\.377_cache
2007-05-15 21:02 <DIR> d-------- C:\Program Files\Hamachi
2007-05-14 15:53 <DIR> d-------- C:\Program Files\SpywareBot
2007-05-14 15:53 <DIR> d-------- C:\DOCUME~1\Family\APPLIC~1\SpywareBot
2007-05-12 19:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-08 14:46:34 -------- d-----w C:\Program Files\RSDemon
2007-06-08 14:46:08 -------- d-----w C:\Program Files\MSN Messenger
2007-06-08 14:42:29 -------- d-----w C:\Program Files\Messenger
2007-05-27 14:29:30 25,544 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2007-05-12 18:56:31 -------- d-----w C:\Program Files\Lavasoft
2007-05-09 19:34:41 -------- d-----w C:\DOCUME~1\Family\APPLIC~1\Hamachi
2007-05-07 13:04:41 -------- d-----w C:\DOCUME~1\Family\APPLIC~1\MSN6
2007-05-07 10:24:29 -------- d-----w C:\Program Files\Common Files\Scanner
2007-05-07 10:24:25 -------- d-----w C:\Program Files\CA
2007-05-06 11:51:05 53,248 ----a-w C:\WINDOWS\system32\zlib.dll
2007-05-06 11:50:52 561,180 ----a-w C:\WINDOWS\system32\dao360.dll
2007-05-05 20:41:09 -------- d-----w C:\Program Files\Mgboss
2007-05-05 20:40:14 -------- d-----w C:\Program Files\ArtMoney
2007-05-05 20:39:22 -------- d-----w C:\Program Files\Spyware Process Detector
2007-05-05 20:38:29 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-05 17:42:25 -------- d-----w C:\DOCUME~1\Family\APPLIC~1\Leadertech
2007-05-03 17:31:59 335 ----a-w C:\WINDOWS\mozregistry.dat
2007-04-29 14:22:25 -------- d-----w C:\Program Files\Cheat Engine
2007-04-20 21:58:24 -------- d-----w C:\Program Files\Messenger Plus! Live
2007-04-20 20:14:55 -------- d-----w C:\Program Files\MoparScape
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 21:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 21:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 21:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 21:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 21:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 21:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 21:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 21:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 21:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 21:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-16 16:00:11 -------- d-----w C:\Program Files\Seagate
2007-04-15 12:16:43 249,856 ------w C:\WINDOWS\Setup1.exe
2007-04-15 12:16:35 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-04-11 1215 22,768 ----a-w C:\WINDOWS\system32\drivers\usbsermpt.sys
2007-04-10 21:24:35 646,392 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-03-23 05:07:56 1,683,280 ----a-w C:\WINDOWS\system32\XpsSvcs.dll
2007-03-23 05:07:54 583,504 ----a-w C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-22 19:25:02 124,928 ----a-w C:\WINDOWS\system32\prntvpt.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 11:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 11:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll
2007-03-10 23:23:56 1,168 ----a-w C:\WINDOWS\mozver.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{3A364C26-F0B2-4F9D-AB85-F44D42B3178B}=C:\WINDOWS\system32\sstqr.dll []
{52E54371-D19C-43FD-824F-453836D72915}=C:\WINDOWS\system32\harhyebe.dll []
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0\bin\ssv.dll [2007-02-19 22:54]
{92DED8D0-45A0-49D4-8A6E-E52AF8F42424}=C:\WINDOWS\system32\geebc.dll []
{A8250F99-C9CF-420F-9842-FBF225E03421}=C:\WINDOWS\system32\crlxaoqu.dll [2007-06-09 22:22]
{E12BFF69-38A7-406e-A8EF-2738107A7831}=C:\WINDOWS\system32\aitekkhg.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-25 18:09]
"PRISMSVR.EXE"="C:\Program Files\U.S. Robotics\Wireless USB Manager\PRISMSVR.exe" [2004-07-02 17:27]
"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" [2007-05-07 14:50]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:56]
"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" [2007-05-07 14:50]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2006-01-24 11:37]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geebc]
C:\WINDOWS\system32\geebc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqr]
C:\WINDOWS\system32\sstqr.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\FDCDNT.SYS]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\FileAndFolderProtector_S]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hamachi.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hamachi.lnk
backup=C:\WINDOWS\pss\hamachi.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ZyXEL G-202 Wireless Adapter Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ZyXEL G-202 Wireless Adapter Utility.lnk
backup=C:\WINDOWS\pss\ZyXEL G-202 Wireless Adapter Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EfreeSoft Boss Key]
C:\Program Files\Mgboss\mgboss.exe -min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eTrust PestPatrol Active Protection]
none

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ffpsrv]
c:\windows\ffpext\ffpsrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InfoData]
rundll32.exe "C:\WINDOWS\system32\xbsupsbd.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
"C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"SandraTheSrv"=3 (0x3)
"SandraDataSrv"=3 (0x3)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"idsvc"=3 (0x3)


Contents of the 'Scheduled Tasks' folder
2007-06-10 14:09:29 C:\WINDOWS\tasks\MP Scheduled Scan.job
2007-06-10 14:55:40 C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-10 15:55:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-10 15:57:08 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-10 15:56

--- E O F ---


Is this good now?
-Luke- is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 06-10-2007, 11:00 AM   #5 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,453
OS: N/A


Re: Trojan Horse and Viruses
Quote:
Is this good now?
Not just yet. Some uninvited guest do not leave a easily they come


------------


Before fixing anything, Please download the Suspicious File Packer → http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.
Paste the following list of filepaths into the Suspicious File Packer window:

C:\WINDOWS\system32\crlxaoqu.dll
C:\WINDOWS\system32\tjrmbrik.dll
C:\WINDOWS\system32\pckvawky.dll
C:\WINDOWS\system32\thxxawdk.dll
C:\WINDOWS\system32\jstxjokv.exe
C:\WINDOWS\system32\alwjxuka.exe
C:\WINDOWS\system32\oivrjkuc.exe
C:\WINDOWS\system32\nwqggbfe.dll

Allow SFP to pack the files. This will generate a CAB archive on your desktop.
Please submit it to this site → http://www.bleepingcomputer.com/subm....php?channel=4
Please include a link to this topic in the message.



-----------


Do a HijackThis scan & place a check next to these items and select "Fix checked":

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {3A364C26-F0B2-4F9D-AB85-F44D42B3178B} - C:\WINDOWS\system32\sstqr.dll (file missing)
O2 - BHO: (no name) - {52E54371-D19C-43FD-824F-453836D72915} - C:\WINDOWS\system32\crlxaoqu.dll
O2 - BHO: (no name) - {92DED8D0-45A0-49D4-8A6E-E52AF8F42424} - C:\WINDOWS\system32\geebc.dll (file missing)
O2 - BHO: (no name) - {A8250F99-C9CF-420F-9842-FBF225E03421} - C:\WINDOWS\system32\crlxaoqu.dll
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\aitekkhg.dll (file missing)
O20 - Winlogon Notify: geebc - C:\WINDOWS\system32\geebc.dll (file missing)
O20 - Winlogon Notify: sstqr - C:\WINDOWS\system32\sstqr.dll (file missing)


---------------


Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\WINDOWS\system32\crlxaoqu.dll
C:\WINDOWS\system32\tjrmbrik.dll
C:\WINDOWS\system32\pckvawky.dll
C:\WINDOWS\system32\thxxawdk.dll
C:\WINDOWS\system32\jstxjokv.exe
C:\WINDOWS\system32\alwjxuka.exe
C:\WINDOWS\system32\oivrjkuc.exe
C:\WINDOWS\system32\nwqggbfe.dll
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geebc]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InfoData]
Save this as ComboFix-Do.txt




Refering to the picture above, drag ComboFix-Do.txt into ComboFix.exe
Then post the resultant log


---------------


Please perform an online scan using Internet Explorer at http://www.kaspersky.com/virusscanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. We only require a report from it.
    It does not provide an option to clean/disinfect.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.


---------------


In your next post, please include fresh logs from:
  1. Fresh Hijackthis log taken just before replying
  2. Online scan
  3. ComboFix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 06-11-2007, 10:53 AM   #6 (permalink)
Registered User
 
Join Date: Jun 2007
Location: Kent, England.
Posts: 12
OS: Windows Xp Proffesional


Re: Trojan Horse and Viruses
Here is the Kapersky results,

Sunday, June 10, 2007 10:38:00 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 10/06/2007
Kaspersky Anti-Virus database records: 342024
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target Critical Areas
C:\WINDOWS
C:\DOCUME~1\Family\LOCALS~1\Temp\
Scan Statistics
Total number of scanned objects 17518
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Duration of the scan process 00:37:53

Infected Object Name Virus Name Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{81D97896-C18D-44B4-A50F-254903193716}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\alwjxuka.exe Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\jstxjokv.exe Object is locked skipped
C:\WINDOWS\system32\oivrjkuc.exe Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\DOCUME~1\Family\LOCALS~1\Temp\~DF9AE3.tmp Object is locked skipped
C:\DOCUME~1\Family\LOCALS~1\Temp\~DFBEE6.tmp Object is locked skipped
C:\DOCUME~1\Family\LOCALS~1\Temp\~DFC314.tmp Object is locked skipped
Scan process completed.

Now the Hijackthis

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:50:02 PM, on 6/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\U.S. Robotics\Wireless USB Manager\PRISMSVR.EXE
C:\Program Files\SpywareBot\SpywareBot.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\U.S. Robotics\Wireless USB Manager\USR11G.exe
C:\Documents and Settings\Family\Desktop\HiJackThis_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\U.S. Robotics\Wireless USB Manager\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: U.S. Robotics Wireless USB Adapter.lnk = C:\Program Files\U.S. Robotics\Wireless USB Manager\USR11G.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1171835030158
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

--
End of file - 4697 bytes

And finally Combofix,

ComboFix 07-06-10 - C:\Documents and Settings\Family\Desktop\ComboFix.exe
"Family" - 2007-06-10 18:23:23 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Family\Desktop\ComboFix-Do.txt


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\crlxaoqu.dll
C:\WINDOWS\system32\nwqggbfe.dll
C:\WINDOWS\system32\pckvawky.dll
C:\WINDOWS\system32\thxxawdk.dll
C:\WINDOWS\system32\ykwavkcp.ini
C:\WINDOWS\system32\kdwaxxht.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((( Files Created from 2007-05-10 to 2007-06-10 )))))))))))))))))))))))))))))))


2007-06-10 14:27 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-08 14:37 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-03 15:01 2,580 --a------ C:\WINDOWS\system32\jstxjokv.exe
2007-06-02 18:29 2,580 --a------ C:\WINDOWS\system32\alwjxuka.exe
2007-06-02 14:07 2,580 --a------ C:\WINDOWS\system32\oivrjkuc.exe
2007-06-01 18:04 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-05-31 22:58 <DIR> d-------- C:\Program Files\Windows Defender
2007-05-31 22:19 <DIR> d-------- C:\dargnor
2007-05-27 23:04 <DIR> d-------- C:\Program Files\JetBrains
2007-05-22 17:04 <DIR> d-------- C:\WINDOWS\.377_cache
2007-05-15 21:02 <DIR> d-------- C:\Program Files\Hamachi
2007-05-14 15:53 <DIR> d-------- C:\Program Files\SpywareBot
2007-05-14 15:53 <DIR> d-------- C:\DOCUME~1\Family\APPLIC~1\SpywareBot
2007-05-12 19:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-08 14:46:34 -------- d-----w C:\Program Files\RSDemon
2007-06-08 14:46:08 -------- d-----w C:\Program Files\MSN Messenger
2007-06-08 14:42:29 -------- d-----w C:\Program Files\Messenger
2007-05-27 14:29:30 25,544 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2007-05-12 18:56:31 -------- d-----w C:\Program Files\Lavasoft
2007-05-09 19:34:41 -------- d-----w C:\DOCUME~1\Family\APPLIC~1\Hamachi
2007-05-07 13:04:41 -------- d-----w C:\DOCUME~1\Family\APPLIC~1\MSN6
2007-05-07 10:24:29 -------- d-----w C:\Program Files\Common Files\Scanner
2007-05-07 10:24:25 -------- d-----w C:\Program Files\CA
2007-05-06 11:51:05 53,248 ----a-w C:\WINDOWS\system32\zlib.dll
2007-05-06 11:50:52 561,180 ----a-w C:\WINDOWS\system32\dao360.dll
2007-05-05 20:41:09 -------- d-----w C:\Program Files\Mgboss
2007-05-05 20:40:14 -------- d-----w C:\Program Files\ArtMoney
2007-05-05 20:39:22 -------- d-----w C:\Program Files\Spyware Process Detector
2007-05-05 20:38:29 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-05 17:42:25 -------- d-----w C:\DOCUME~1\Family\APPLIC~1\Leadertech
2007-05-03 17:31:59 335 ----a-w C:\WINDOWS\mozregistry.dat
2007-04-29 14:22:25 -------- d-----w C:\Program Files\Cheat Engine
2007-04-20 21:58:24 -------- d-----w C:\Program Files\Messenger Plus! Live
2007-04-20 20:14:55 -------- d-----w C:\Program Files\MoparScape
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 21:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 21:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 21:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 21:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 21:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 21:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 21:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 21:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 21:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 21:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-16 16:00:11 -------- d-----w C:\Program Files\Seagate
2007-04-15 12:16:43 249,856 ------w C:\WINDOWS\Setup1.exe
2007-04-15 12:16:35 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-04-11 1215 22,768 ----a-w C:\WINDOWS\system32\drivers\usbsermpt.sys
2007-04-10 21:24:35 646,392 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-03-23 05:07:56 1,683,280 ----a-w C:\WINDOWS\system32\XpsSvcs.dll
2007-03-23 05:07:54 583,504 ----a-w C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-22 19:25:02 124,928 ----a-w C:\WINDOWS\system32\prntvpt.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 11:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 11:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll
2007-03-10 23:23:56 1,168 ----a-w C:\WINDOWS\mozver.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0\bin\ssv.dll [2007-02-19 22:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-25 18:09]
"PRISMSVR.EXE"="C:\Program Files\U.S. Robotics\Wireless USB Manager\PRISMSVR.exe" [2004-07-02 17:27]
"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" [2007-05-07 14:50]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:56]
"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" [2007-05-07 14:50]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2006-01-24 11:37]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\FDCDNT.SYS]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\FileAndFolderProtector_S]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hamachi.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hamachi.lnk
backup=C:\WINDOWS\pss\hamachi.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ZyXEL G-202 Wireless Adapter Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ZyXEL G-202 Wireless Adapter Utility.lnk
backup=C:\WINDOWS\pss\ZyXEL G-202 Wireless Adapter Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EfreeSoft Boss Key]
C:\Program Files\Mgboss\mgboss.exe -min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eTrust PestPatrol Active Protection]
none

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ffpsrv]
c:\windows\ffpext\ffpsrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InfoData]
rundll32.exe "C:\WINDOWS\system32\xbsupsbd.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
"C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"SandraTheSrv"=3 (0x3)
"SandraDataSrv"=3 (0x3)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"idsvc"=3 (0x3)


Contents of the 'Scheduled Tasks' folder
2007-06-10 14:09:29 C:\WINDOWS\tasks\MP Scheduled Scan.job
2007-06-10 17:27:23 C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-10 18:26:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-10 18:29:43 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-10 18:29
C:\ComboFix2.txt ... 2007-06-10 15:57

--- E O F ---


Also yes avg did pop up with a few things shortly after. also Windows is constaly pestering me about geniune winows or something and i may be a victim or software counterfiting :S Sorry for the late Reply i couldent get back on :(
-Luke- is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 06-11-2007, 10:56 AM   #7 (permalink)
Registered User
 
Join Date: Jun 2007
Location: Kent, England.
Posts: 12
OS: Windows Xp Proffesional


Re: Trojan Horse and Viruses
Here is the Kapersky results,

Sunday, June 10, 2007 10:38:00 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 10/06/2007
Kaspersky Anti-Virus database records: 342024
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target Critical Areas
C:\WINDOWS
C:\DOCUME~1\Family\LOCALS~1\Temp\
Scan Statistics
Total number of scanned objects 17518
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Duration of the scan process 00:37:53

Infected Object Name Virus Name Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{81D97896-C18D-44B4-A50F-254903193716}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\alwjxuka.exe Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\jstxjokv.exe Object is locked skipped
C:\WINDOWS\system32\oivrjkuc.exe Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\DOCUME~1\Family\LOCALS~1\Temp\~DF9AE3.tmp Object is locked skipped
C:\DOCUME~1\Family\LOCALS~1\Temp\~DFBEE6.tmp Object is locked skipped
C:\DOCUME~1\Family\LOCALS~1\Temp\~DFC314.tmp Object is locked skipped
Scan process completed.

Now the Hijackthis

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:50:02 PM, on 6/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\U.S. Robotics\Wireless USB Manager\PRISMSVR.EXE
C:\Program Files\SpywareBot\SpywareBot.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\U.S. Robotics\Wireless USB Manager\USR11G.exe
C:\Documents and Settings\Family\Desktop\HiJackThis_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\U.S. Robotics\Wireless USB Manager\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: U.S. Robotics Wireless USB Adapter.lnk = C:\Program Files\U.S. Robotics\Wireless USB Manager\USR11G.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1171835030158
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

--
End of file - 4697 bytes

And finally Combofix,

ComboFix 07-06-10 - C:\Documents and Settings\Family\Desktop\ComboFix.exe
"Family" - 2007-06-10 18:23:23 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Family\Desktop\ComboFix-Do.txt


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\crlxaoqu.dll
C:\WINDOWS\system32\nwqggbfe.dll
C:\WINDOWS\system32\pckvawky.dll
C:\WINDOWS\system32\thxxawdk.dll
C:\WINDOWS\system32\ykwavkcp.ini
C:\WINDOWS\system32\kdwaxxht.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((( Files Created from 2007-05-10 to 2007-06-10 )))))))))))))))))))))))))))))))


2007-06-10 14:27 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-08 14:37 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-03 15:01 2,580 --a------ C:\WINDOWS\system32\jstxjokv.exe
2007-06-02 18:29 2,580 --a------ C:\WINDOWS\system32\alwjxuka.exe
2007-06-02 14:07 2,580 --a------ C:\WINDOWS\system32\oivrjkuc.exe
2007-06-01 18:04 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-05-31 22:58 <DIR> d-------- C:\Program Files\Windows Defender
2007-05-31 22:19 <DIR> d-------- C:\dargnor
2007-05-27 23:04 <DIR> d-------- C:\Program Files\JetBrains
2007-05-22 17:04 <DIR> d-------- C:\WINDOWS\.377_cache
2007-05-15 21:02 <DIR> d-------- C:\Program Files\Hamachi
2007-05-14 15:53 <DIR> d-------- C:\Program Files\SpywareBot
2007-05-14 15:53 <DIR> d-------- C:\DOCUME~1\Family\APPLIC~1\SpywareBot
2007-05-12 19:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-08 14:46:34 -------- d-----w C:\Program Files\RSDemon
2007-06-08 14:46:08 -------- d-----w C:\Program Files\MSN Messenger
2007-06-08 14:42:29 -------- d-----w C:\Program Files\Messenger
2007-05-27 14:29:30 25,544 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2007-05-12 18:56:31 -------- d-----w C:\Program Files\Lavasoft
2007-05-09 19:34:41 -------- d-----w C:\DOCUME~1\Family\APPLIC~1\Hamachi
2007-05-07 13:04:41 -------- d-----w C:\DOCUME~1\Family\APPLIC~1\MSN6
2007-05-07 10:24:29 -------- d-----w C:\Program Files\Common Files\Scanner
2007-05-07 10:24:25 -------- d-----w C:\Program Files\CA
2007-05-06 11:51:05 53,248 ----a-w C:\WINDOWS\system32\zlib.dll
2007-05-06 11:50:52 561,180 ----a-w C:\WINDOWS\system32\dao360.dll
2007-05-05 20:41:09 -------- d-----w C:\Program Files\Mgboss
2007-05-05 20:40:14 -------- d-----w C:\Program Files\ArtMoney
2007-05-05 20:39:22 -------- d-----w C:\Program Files\Spyware Process Detector
2007-05-05 20:38:29 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-05 17:42:25 -------- d-----w C:\DOCUME~1\Family\APPLIC~1\Leadertech
2007-05-03 17:31:59 335 ----a-w C:\WINDOWS\mozregistry.dat
2007-04-29 14:22:25 -------- d-----w C:\Program Files\Cheat Engine
2007-04-20 21:58:24 -------- d-----w C:\Program Files\Messenger Plus! Live
2007-04-20 20:14:55 -------- d-----w C:\Program Files\MoparScape
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 21:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 21:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 21:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 21:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 21:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 21:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 21:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 21:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 21:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 21:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-16 16:00:11 -------- d-----w C:\Program Files\Seagate
2007-04-15 12:16:43 249,856 ------w C:\WINDOWS\Setup1.exe
2007-04-15 12:16:35 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-04-11 1215 22,768 ----a-w C:\WINDOWS\system32\drivers\usbsermpt.sys
2007-04-10 21:24:35 646,392 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-03-23 05:07:56 1,683,280 ----a-w C:\WINDOWS\system32\XpsSvcs.dll
2007-03-23 05:07:54 583,504 ----a-w C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-22 19:25:02 124,928 ----a-w C:\WINDOWS\system32\prntvpt.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 11:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 11:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll
2007-03-10 23:23:56 1,168 ----a-w C:\WINDOWS\mozver.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0\bin\ssv.dll [2007-02-19 22:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-25 18:09]
"PRISMSVR.EXE"="C:\Program Files\U.S. Robotics\Wireless USB Manager\PRISMSVR.exe" [2004-07-02 17:27]
"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" [2007-05-07 14:50]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:56]
"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" [2007-05-07 14:50]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2006-01-24 11:37]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\FDCDNT.SYS]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\FileAndFolderProtector_S]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hamachi.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hamachi.lnk
backup=C:\WINDOWS\pss\hamachi.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ZyXEL G-202 Wireless Adapter Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ZyXEL G-202 Wireless Adapter Utility.lnk
backup=C:\WINDOWS\pss\ZyXEL G-202 Wireless Adapter Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EfreeSoft Boss Key]
C:\Program Files\Mgboss\mgboss.exe -min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eTrust PestPatrol Active Protection]
none

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ffpsrv]
c:\windows\ffpext\ffpsrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InfoData]
rundll32.exe "C:\WINDOWS\system32\xbsupsbd.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
"C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"SandraTheSrv"=3 (0x3)
"SandraDataSrv"=3 (0x3)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"idsvc"=3 (0x3)


Contents of the 'Scheduled Tasks' folder
2007-06-10 14:09:29 C:\WINDOWS\tasks\MP Scheduled Scan.job
2007-06-10 17:27:23 C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-10 18:26:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-10 18:29:43 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-10 18:29
C:\ComboFix2.txt ... 2007-06-10 15:57

--- E O F ---


Also yes avg did pop up with a few things shortly after. also Windows is constaly pestering me about geniune winows or something and i may be a victim or software counterfiting :S Sorry for the late Reply i couldent get back on :( Also i did the suspicious file thing and requested and sent the cab file to bleepingcomputer saying you asked for it :)
-Luke- is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 06-11-2007, 11:00 AM   #8 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,453
OS: N/A


Re: Trojan Horse and Viruses
Quote:
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Results looks good but they may sometimes be misleading.

Quote:
C:\WINDOWS\system32\alwjxuka.exe Object is locked skipped
C:\WINDOWS\system32\jstxjokv.exe Object is locked skipped
C:\WINDOWS\system32\oivrjkuc.exe Object is locked skipped
These 3 files are bad. They were in use while Kaspersky was scanning & Kaspersky was unable to inspect them. Let's get rid of them now.


---------------


Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\WINDOWS\system32\alwjxuka.exe
C:\WINDOWS\system32\jstxjokv.exe
C:\WINDOWS\system32\oivrjkuc.exe
Save this as ComboFix-Do.txt




Refering to the picture above, drag ComboFix-Do.txt into ComboFix.exe
Then post the resultant log

Take a look inside this folder, C:\WINDOWS\.377_cache. Tell me what's inside
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 06-11-2007, 12:17 PM   #9 (permalink)
Registered User
 
Join Date: Jun 2007
Location: Kent, England.
Posts: 12
OS: Windows Xp Proffesional


Re: Trojan Horse and Viruses
ComboFix 07-06-10 - C:\Documents and Settings\Family\Desktop\ComboFix.exe
"Family" - 2007-06-11 18:45:30 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Family\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\alwjxuka.exe
C:\WINDOWS\system32\jstxjokv.exe
C:\WINDOWS\system32\oivrjkuc.exe


((((((((((((((((((((((((( Files Created from 2007-05-11 to 2007-06-11 )))))))))))))))))))))))))))))))


2007-06-10 18:35 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-06-10 18:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-06-10 14:27 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-08 14:37 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-01 18:04 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-05-31 22:58 <DIR> d-------- C:\Program Files\Windows Defender
2007-05-31 22:19 <DIR> d-------- C:\dargnor
2007-05-27 23:04 <DIR> d-------- C:\Program Files\JetBrains
2007-05-22 17:04 <DIR> d-------- C:\WINDOWS\.377_cache
2007-05-15 21:02 <DIR> d-------- C:\Program Files\Hamachi
2007-05-14 15:53 <DIR> d-------- C:\Program Files\SpywareBot
2007-05-14 15:53 <DIR> d-------- C:\DOCUME~1\Family\APPLIC~1\SpywareBot
2007-05-12 19:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-08 14:46:34 -------- d-----w C:\Program Files\RSDemon
2007-06-08 14:46:08 -------- d-----w C:\Program Files\MSN Messenger
2007-06-08 14:42:29 -------- d-----w C:\Program Files\Messenger
2007-05-27 14:29:30 25,544 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2007-05-12 18:56:31 -------- d-----w C:\Program Files\Lavasoft
2007-05-09 19:34:41 -------- d-----w C:\DOCUME~1\Family\APPLIC~1\Hamachi
2007-05-07 13:04:41 -------- d-----w C:\DOCUME~1\Family\APPLIC~1\MSN6
2007-05-07 10:24:29 -------- d-----w C:\Program Files\Common Files\Scanner
2007-05-07 10:24:25 -------- d-----w C:\Program Files\CA
2007-05-06 11:51:05 53,248 ----a-w C:\WINDOWS\system32\zlib.dll
2007-05-06 11:50:52 561,180 ----a-w C:\WINDOWS\system32\dao360.dll
2007-05-05 20:41:09 -------- d-----w C:\Program Files\Mgboss
2007-05-05 20:40:14 -------- d-----w C:\Program Files\ArtMoney
2007-05-05 20:39:22 -------- d-----w C:\Program Files\Spyware Process Detector
2007-05-05 20:38:29 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-05 17:42:25 -------- d-----w C:\DOCUME~1\Family\APPLIC~1\Leadertech
2007-05-03 17:31:59 335 ----a-w C:\WINDOWS\mozregistry.dat
2007-04-29 14:22:25 -------- d-----w C:\Program Files\Cheat Engine
2007-04-20 21:58:24 -------- d-----w C:\Program Files\Messenger Plus! Live
2007-04-20 20:14:55 -------- d-----w C:\Program Files\MoparScape
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 21:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 21:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 21:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 21:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 21:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 21:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 21:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 21:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 21:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 21:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-16 16:00:11 -------- d-----w C:\Program Files\Seagate
2007-04-15 12:16:43 249,856 ------w C:\WINDOWS\Setup1.exe
2007-04-15 12:16:35 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-04-11 1215 22,768 ----a-w C:\WINDOWS\system32\drivers\usbsermpt.sys
2007-03-23 05:07:56 1,683,280 ----a-w C:\WINDOWS\system32\XpsSvcs.dll
2007-03-23 05:07:54 583,504 ----a-w C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-22 19:25:02 124,928 ----a-w C:\WINDOWS\system32\prntvpt.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 11:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 11:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0\bin\ssv.dll [2007-02-19 22:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-25 18:09]
"PRISMSVR.EXE"="C:\Program Files\U.S. Robotics\Wireless USB Manager\PRISMSVR.exe" [2004-07-02 17:27]
"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" [2007-05-07 14:50]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:56]
"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" [2007-05-07 14:50]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2006-01-24 11:37]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\FDCDNT.SYS]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\FileAndFolderProtector_S]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hamachi.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hamachi.lnk
backup=C:\WINDOWS\pss\hamachi.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ZyXEL G-202 Wireless Adapter Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ZyXEL G-202 Wireless Adapter Utility.lnk
backup=C:\WINDOWS\pss\ZyXEL G-202 Wireless Adapter Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EfreeSoft Boss Key]
C:\Program Files\Mgboss\mgboss.exe -min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eTrust PestPatrol Active Protection]
none

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ffpsrv]
c:\windows\ffpext\ffpsrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InfoData]
rundll32.exe "C:\WINDOWS\system32\xbsupsbd.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
"C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"SandraTheSrv"=3 (0x3)
"SandraDataSrv"=3 (0x3)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"idsvc"=3 (0x3)


Contents of the 'Scheduled Tasks' folder
2007-06-11 17:28:36 C:\WINDOWS\tasks\MP Scheduled Scan.job
2007-06-11 17:41:02 C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-11 18:48:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

cmd.exe [3248]


scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-11 18:48:44
C:\ComboFix-quarantined-files.txt ... 2007-06-11 18:48
C:\ComboFix2.txt ... 2007-06-10 18:29
C:\ComboFix3.txt ... 2007-06-10 15:57

--- E O F ---


Well heres the log after Kapersky did what it did :) also the .377 cache folder had a zip foler in it called 377. When i tried to open it said it is missing or corrupt :S Shall i delete?
-Luke- is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 06-11-2007, 04:21 PM   #10 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,453
OS: N/A


Re: Trojan Horse and Viruses
Please upload that zipfile to http://www.bleepingcomputer.com/subm....php?channel=4
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 06-12-2007, 03:00 AM   #11 (permalink)
Registered User
 
Join Date: Jun 2007
Location: Kent, England.
Posts: 12
OS: Windows Xp Proffesional


Re: Trojan Horse and Viruses
Done and done, ill wait for a reply.
-Luke- is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 06-12-2007, 03:10 AM   #12 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,453
OS: N/A


Re: Trojan Horse and Viruses
I managed to extract some files from it. Appears to musical files.
Quote:
jingle0.mid
jingle1.mid
jingle2.mid
jingle3.mid
jingle4.mid
k23lk
k4o2n
lam3n
Does that ring any bells for you? How's the machine behaving now?
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 06-12-2007, 04:17 AM   #13 (permalink)
Registered User
 
Join Date: Jun 2007
Location: Kent, England.
Posts: 12
OS: Windows Xp Proffesional


Re: Trojan Horse and Viruses
Ah yes that would be some music files from my brothers friend that hes hosting his game. As far as i'm aware my brother has to keep his java updated and has Java 1.7.0, which i'm not sure if its as good as 6.1 because 1.7 is only in Beta. Anyways i'm sure he wont mind if i delete them. The computer is behaving excellent now :) And avg hasnt come up with anything in the past 24 hours. Also just to improve my machines performance i want to stop its constant clicking noise from the Hard drive. I was wondering would buying a new Harddrive stop the noise? I'ts not from the speakers as i checked and i opened up the case and heard it from the hard drive. it clicks violently when i load something thats large and takes up alot of room, its its always clicking. Is the hardrive outdated? Its from a 2002 Compaq evo desktop. Also thank you for the swift replies :)
-Luke- is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 06-12-2007, 06:18 AM   #14 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,453
OS: N/A


Re: Trojan Horse and Viruses
Clicking hard drives are signs of imminent hard disk failure. To avoid loss of personal data, best get the replacement at earliest disposal


----------------------


Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
    Go to Start → Run → type control sysdm.cpl,,4 & press Enter
    • Tick on the checkbox - Turn off System Restore on all drives
    • Click Apply
    Turn it back 'On' by unticking the same checkbox & click OK


  2. DISABLE THE VIEWING OF SYSTEM FILES
    From Windows Explorer, go to Tools>Folder Options> View tab.
    • Untick - Show hidden files and folder
    • Tick - Hide file extensions for known types
    • Tick - Hide protected operating system files
    Click Yes to confirm & then click OK


  3. SECURING INTERNET EXPLORER
    From within Internet Explorer click on the Tools menu and then click on Internet Options.
    • Select the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Select Custom Level .
        • Change 'Download signed ActiveX controls' to Prompt
        • Change 'Download unsigned ActiveX controls' to Disable
        • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
        • Change 'Installation of desktop items' to Prompt
        • Change 'Launching programs and files in an IFRAME' to Prompt
        • Change 'Navigate sub-frames across different domains' to Prompt
        • When all these changes have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Select OK to exit the Internet Properties page.


  4. ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources → http://www.bleepingcomputer.com/forums/topict405.html

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  5. FIREWALL
    Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here → http://www.bleepingcomputer.com/forums/tutorial60.html


  6. Microsoft Windows Updatehttp://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  7. SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial43.html

  8. AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial48.html


  9. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial49.html


  10. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here http://www.spywarewarrior.com/uiuc/resource.htm

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://toolbar.google.com/ - Google Toolbar - Get the free google toolbar to help stop pop up windows.

  • http://cleanup.stevengould.org/ - CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

  • http://www.winpatrol.com/ -Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here: http://www.winpatrol.com/features.html

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 06-12-2007, 08:06 AM   #15 (permalink)
Registered User
 
Join Date: Jun 2007
Location: Kent, England.
Posts: 12
OS: Windows Xp Proffesional


Re: Trojan Horse and Viruses
Yup its been resolved :) Thanks so much :) Yep ill buy a new Hardrive in the next couple of days so everything should work smoothly. and ill download all the things you have said in keeping the computer secure. Thanks once again :)
-Luke- is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
 

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT -7. The time now is 11:49 PM.

Contact Us - Tech Support Forum - Archive - Privacy Statement - Top


Copyright 2001 - 2009, Tech Support Forum
Home Tips Plus | Outdoor Basecamp | Automotive Support Forum

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85