|
#1
December 9th, 2007, 04:45 AM
|
|||
|
|||
|
E may, vao day coi co con nho nay ngon lam http://nhatquanglan.xlphp.net/
help please, our pc has a new virus and im not sure what it is. our messenger is now starting to send our contacts messages like this one:
E may, vao day coi co con nho nay ngon lam http://nhatquanglan.xlphp.net/ that's the only sign that we have a virus, everything else seems fine, thanks! here's the hijackthis log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:53:20 PM, on 12/9/2007 Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\VM_STI.EXE C:\Program Files\Multimedia Card Reader\shwicon2k.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Winamp\winampa.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\QuickTime\QTTask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe C:\Program Files\Sharp\Sharpdesk\SharpTray.exe C:\Program Files\Sharp\Personal MFP series Utility\Button Manager\btnman.exe C:\WINDOWS\system32\sistray.exe C:\Program Files\Microsoft Encarta\Encarta Premium Suite 2005\EDICT.EXE C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\System32\svchost.exe E:\SSCVIHOST.exe E:\SSCVIHOST.exe E:\SSCVIHOST.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\moraleja\Desktop\hijackthis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/...arch.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/yco...//uk.yahoo.com R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll F2 - REG:system.ini: Shell=Explorer.exe SSCVIHOST.exe O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\sw g.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [Sony] "C:\Program Files\SONY ERICSSON W810i DESKMATE\SONY ERICSSON W810i DESKMATE.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKCU\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe" O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SSCVIHOST.exe O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user') O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Button Manager.lnk = C:\Program Files\Sharp\Personal MFP series Utility\Button Manager\btnman.exe O4 - Global Startup: IDW Logging Tool.lnk = C:\WINDOWS\system32\idwlog.exe O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\System, DisableRegedit=1 O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdspl ay.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.arcadetown.com/dinerdash2...2.1.0.0.48.cab O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://www.arcadetown.com/swf/delici...ylomplayer.cab O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.arcadetown.com/swf/feedin...utLauncher.cab O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe -- End of file - 10213 bytes thanks a lot! 
|
|
#2
December 9th, 2007, 07:17 AM
|
|||
|
|||
|
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run \ {++} "MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS] "SharpTray" = ""C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"" [null data] "Yahoo Messengger" = "C:\WINDOWS\system32\SSCVIHOST.exe" [null data] HKCU\Software\Microsoft\Windows\CurrentVersion\Run Once\ {++} "L05ZDXRC_3429721" = ""C:\Program Files\Microsoft Encarta\Encarta Premium Suite 2005\EDICT.EXE" -m" [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Run \ {++} "BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS] "BigDogPath" = "C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera" ["BIGDOG"] "Sunkist2k" = "C:\Program Files\Multimedia Card Reader\shwicon2k.exe" ["Alcor Micro, Corp."] "SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."] "Sony" = ""C:\Program Files\SONY ERICSSON W810i DESKMATE\SONY ERICSSON W810i DESKMATE.exe"" [file not found] "AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."] "WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data] "SiSPower" = "Rundll32.exe SiSPower.dll,ModeAgent" [MS] "RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."] "SkyTel" = "SkyTel.EXE" ["Realtek Semiconductor Corp."] "Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."] "StormCodec_Helper" = ""C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti" [null data] "QuickTime Task" = ""C:\Program Files\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."] "iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Inc."] "Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"] "avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"] HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\ {02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided) -> {HKLM...CLSID} = "Yahoo! Toolbar Helper" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper" \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = (no title provided) -> {HKLM...CLSID} = "Yahoo! IE Services Button" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo! Inc."] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."] {AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided) -> {HKLM...CLSID} = "Google Toolbar Helper" \InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."] {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided) -> {HKLM...CLSID} = "Google Toolbar Notifier BHO" \InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\sw g.dll" ["Google Inc."] HKLM\Software\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension" -> {HKLM...CLSID} = "Display Panning CPL Extension" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."] "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler" -> {HKLM...CLSID} = "Microsoft Office Outlook" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler" -> {HKLM...CLSID} = "Outlook File Icon Extension" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS] "{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail" -> {HKLM...CLSID} = "YMailShellExt Class" \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."] "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu" -> {HKLM...CLSID} = "Portable Media Devices Menu" \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] "{0561EC90-CE54-4f0c-9C55-E226110A740C}" = "Haali Column Provider" -> {HKLM...CLSID} = "Haali Column Provider" \InProcServer32\(Default) = "C:\WINDOWS\system32\mmfinfo.dll" [null data] "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension" -> {HKLM...CLSID} = "AVG7 Shell Extension Class" \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension" -> {HKLM...CLSID} = "AVG7 Find Extension Class" \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes" -> {HKLM...CLSID} = "iTunes" \InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."] "{472083B0-C522-11CF-8763-00608CC02F24}" = "avast" -> {HKLM...CLSID} = "avast" \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"] HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellExecuteHooks\ <<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5" -> {HKLM...CLSID} = "CShellExecuteHookImpl Object" \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."] <<!>> "{AD0ACA58-656F-61DA-9DFE-5D20F4F611BA}" = "*W" (unwritable string) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\cs1sa1f.dll" [file not found] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ <<!>> "Shell" = "Explorer.exe SSCVIHOST.exe" [MS], [null data] HKLM\Software\Classes\PROTOCOLS\Filter\ <<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandler s\ {0561EC90-CE54-4f0c-9C55-E226110A740C}\(Default) = "Haali Column Provider" -> {HKLM...CLSID} = "Haali Column Provider" \InProcServer32\(Default) = "C:\WINDOWS\system32\mmfinfo.dll" [null data] {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\Software\Classes\*\shellex\ContextMenuHandler s\ avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}" -> {HKLM...CLSID} = "avast" \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"] AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}" -> {HKLM...CLSID} = "CContextScan Object" \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."] AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" -> {HKLM...CLSID} = "AVG7 Shell Extension Class" \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}" -> {HKLM...CLSID} = "YMailShellExt Class" \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."] HKLM\Software\Classes\Directory\shellex\ContextMen uHandlers\ AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}" -> {HKLM...CLSID} = "CContextScan Object" \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHa ndlers\ avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}" -> {HKLM...CLSID} = "avast" \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"] AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" -> {HKLM...CLSID} = "AVG7 Shell Extension Class" \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\Explorer\ "NofolderOptions" = (REG_DWORD) hex:0x00000001 {User Configuration|Administrative Templates|Windows Components|Windows Explorer| Removes the Folder Options menu item from the Tools menu} HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\System\ "DisableRegistryTools" = (REG_DWORD) hex:0x00000001 {User Configuration|Administrative Templates|System| Prevent access to registry editing tools} "DisableTaskMgr" = (REG_DWORD) hex:0x00000001 {User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options| Remove Task Manager} HKLM\Software\Microsoft\Windows\CurrentVersion\Pol icies\System\ "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Loca l Settings\Application Data\Microsoft\Wallpaper1.bmp" Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Documents and Settings\moraleja\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
|
|
#3
December 10th, 2007, 07:37 AM
|
||||
|
||||
|
Hi melmoraleja. The worm that your OS is infected with also infects flash drives so make sure that your flash drive is plugged in when you run this fix.
Download the latest version of Combofix.exe from here and save it to your Desktop. Doubleclick on combofix.exe and follow the prompts. A window will open with a warning. Type "1" (and Enter) to start the fix. When the scan completes, Disk Cleanup will run and then a text window with your log will open. Please copy and paste that log back here. A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Copy this log in your next reply together with a new HijackThis log and a new Silent Runners log (you didnt wait for Silent Runners to finish scanning when you posted the other log. Wait for the popup that tells you the log is ready).
|
|
#4
December 20th, 2007, 05:05 AM
|
|||
|
|||
|
hi annmarie!!! here are the logs! thanks!
ComboFix 07-12-20.1 - moraleja 2007-12-20 13:03:12.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.429 [GMT -8:00] Running from: C:\Documents and Settings\moraleja\Desktop\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\moraleja\Application Data\DriveCleaner Free C:\Documents and Settings\moraleja\Application Data\DriveCleaner Free\Logs\update.log C:\Documents and Settings\moraleja\ResErrors.log C:\Program Files\Common Files\drivecleaner free C:\Program Files\Common Files\drivecleaner free\laststat.dat C:\Program Files\FunWebProducts C:\WINDOWS\system32\autorun.ini C:\WINDOWS\system32\setting.ini . ((((((((((((((((((((((((( Files Created from 2007-11-20 to 2007-12-20 ))))))))))))))))))))))))))))))) . 2007-12-09 14:02 . 2007-12-04 05:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe 2007-12-09 14:02 . 2004-01-09 02:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx 2007-12-09 14:02 . 2007-12-04 04:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr 2007-12-09 14:02 . 2007-12-04 06:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys 2007-12-09 14:02 . 2007-12-04 06:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys 2007-12-09 14:02 . 2007-12-04 06:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys 2007-12-09 14:02 . 2007-12-04 06:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys 2007-12-09 14:02 . 2007-12-04 06:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys 2007-12-08 13:11 . 2007-12-08 13:11 <DIR> d-------- C:\Program Files\FashionFits_at 2007-12-08 13:11 . 2007-12-08 13:11 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Fugazo 2007-12-02 09:41 . 2007-12-02 09:41 <DIR> d-------- C:\Documents and Settings\moraleja\Application Data\Raptisoft 2007-12-01 19:36 . 2007-12-01 19:36 <DIR> d-------- C:\Documents and Settings\moraleja\Application Data\Catena Software 2007-12-01 19:35 . 2007-12-01 19:35 <DIR> d-------- C:\Program Files\SIMetrixIntro53 2007-12-01 13:04 . 2007-12-01 13:04 <DIR> d-------- C:\Program Files\Luxor_at 2007-12-01 13:04 . 2005-04-12 16:29 802,816 --a------ C:\WINDOWS\FeedingFrenzy.scr 2007-12-01 11:56 . 2007-12-01 11:56 <DIR> d-------- C:\Program Files\SallysSalon_at 2007-12-01 11:42 . 2007-12-01 11:42 <DIR> d-------- C:\EASy68K 2007-11-30 17:21 . 2007-11-30 18:22 <DIR> d-------- C:\Program Files\ParadisePetSalon_at . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )) . 2007-12-16 18:21 --------- d-----w C:\Program Files\Incomplete 2007-12-16 18:20 --------- d-----w C:\Program Files\LimeWire 2007-12-16 16:00 --------- d-----w C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\AVG7 2007-12-15 01:08 --------- d-----w C:\Documents and Settings\moraleja\Application Data\LimeWire 2007-12-09 23:48 --------- d-----w C:\Documents and Settings\moraleja\Application Data\AVG7 2007-12-09 01:55 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP 2007-12-02 17:50 --------- d-----w C:\Program Files\GoldMinerVegas_at 2007-12-02 03:35 --------- d--h--w C:\Program Files\InstallShield Installation Information 2007-12-01 21:01 --------- d-----w C:\Program Files\JanesHotel_at 2007-12-01 03:47 --------- d-----w C:\Program Files\BellesBeautyBoutique_at 2007-11-25 23:27 --------- d-----w C:\Program Files\Common Files\Adobe 2007-11-19 04:57 --------- d-----w C:\Documents and Settings\moraleja\Application Data\Jane s Hotel 2007-11-17 22:44 --------- d-----w C:\Program Files\iTunes 2007-11-17 22:44 --------- d-----w C:\Program Files\iPod 2007-11-17 22:42 --------- d-----w C:\Program Files\QuickTime 2007-11-16 18:00 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7 2007-11-09 04:10 --------- d-----w C:\Documents and Settings\moraleja\Application Data\uTorrent 2007-11-08 19:00 --------- d-----w C:\Program Files\Hamsterball_at 2007-10-24 23:53 --------- d-----w C:\Program Files\Winamp 2007-10-24 23:50 --------- d-----w C:\Program Files\Multimedia Card Reader 2007-10-24 23:41 --------- d-----w C:\Program Files\Google 2007-10-22 01:04 --------- d-----w C:\Program Files\Quake III Arena 2007-10-22 00:56 --------- d-----w C:\Program Files\Electronic Arts 2007-10-22 00:43 --------- d-----w C:\Program Files\Rockstar Games 2007-10-21 19:15 --------- d-----w C:\Program Files\Java 2006-02-26 17:08 359,112 ----a-w C:\Program Files\LimeWireWin.exe 2006-02-05 06:43 9,659,807 ----a-w C:\Program Files\fcrsetup.exe 2005-09-12 22:21 67,328 -c--a-w C:\Documents and Settings\xp professional\Application Data\GDIPFONTCACHEV1.DAT . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser] "{015407A9-D183-4379-8452-DFD7C2297902}"= C:\Program Files\Cole2k Media Toolbar\v2.0.0.2\Cole2k_Media_Toolbar.dll [ ] [HKEY_CLASSES_ROOT\clsid\{015407a9-d183-4379-8452-dfd7c2297902}] [HKEY_CLASSES_ROOT\ToolBar.ToolBarObj.1] [HKEY_CLASSES_ROOT\TypeLib\{B3A98058-DE1F-413f-9921-FF3EEA6B716F}] [HKEY_CLASSES_ROOT\ToolBar.ToolBarObj] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-02-18 18:16] "SharpTray"="C:\Program Files\Sharp\Sharpdesk\SharpTray.exe" [2002-10-24 19:46] "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-05-02 15:51] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run] "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-02-18 10:02 C:\WINDOWS\system32\bthprops.cpl] "BigDogPath"="C:\WINDOWS\VM_STI.exe" [2004-06-09 15:37] "Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2004-09-03 16:16] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11] "Sony"="C:\Program Files\SONY ERICSSON W810i DESKMATE\SONY ERICSSON W810i DESKMATE.exe" [] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc. exe" [2007-12-09 15:47] "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-11-21 09:38] "SiSPower"="Rundll32.exe" [2004-02-18 10:02 C:\WINDOWS\system32\rundll32.exe] "RTHDCPL"="RTHDCPL.EXE" [2007-02-25 23:03 C:\WINDOWS\RTHDCPL.exe] "SkyTel"="SkyTel.EXE" [2006-05-16 02:04 C:\WINDOWS\SkyTel.exe] "StormCodec_Helper"="C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" [2006-11-26 10:30] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-14 23:43] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51] "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp. exe" [2007-12-04 05:00] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run] "AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw. exe" [2007-12-09 15:47] C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\ Button Manager.lnk - C:\Program Files\Sharp\Personal MFP series Utility\Button Manager\btnman.exe [2007-09-02 13:29:59] IDW Logging Tool.lnk - C:\WINDOWS\system32\idwlog.exe [2004-02-18 10:02:44] Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2007-09-01 14:01:25] [hkey_local_machine\software\microsoft\windows\curr entversion\explorer\shellexecutehooks] "{AD0ACA58-656F-61DA-9DFE-5D20F4F611BA}"= C:\WINDOWS\system32\cs1sa1f.dll [ ] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^moraleja^Start Menu^Programs^Startup^Registration Prince of Persia Warrior Within.LNK] path=C:\Documents and Settings\moraleja\Start Menu\Programs\Startup\Registration Prince of Persia Warrior Within.LNK backup=C:\WINDOWS\pss\Registration Prince of Persia Warrior Within.LNKStartup R2 SC0CLPT;SC0CLPT;C:\WINDOWS\system32\SC0CLPT.SYS [2002-05-26 16:43] R3 ZSMC302;VIMICRO USB PC Camera;C:\WINDOWS\system32\Drivers\usbVM31b.sys [2004-08-17 11:44] S2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys [] S2 nvTUNEP;nVidia WDM TVTuner;C:\WINDOWS\system32\DRIVERS\nvtunep.sys [] S2 nvtvSND;nVidia WDM TVAudio Crossbar;C:\WINDOWS\system32\DRIVERS\nvtvsnd.sys [] S2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys [] S3 PIXMCV;JVC Communication PIX-MCV Driver;C:\WINDOWS\system32\Drivers\pixmcvc.sys [2003-12-05 05:39] S3 PIXMCVA;JVC PIX-MCV Audio Capture;C:\WINDOWS\system32\Drivers\pixmcva.sys [2003-12-05 05:39] S3 PIXMCVV;JVC PIX-MCV Video Capture;C:\WINDOWS\system32\Drivers\pixmcvv.sys [2003-12-05 05:39] S3 SunkFilt6;Alcor Micro Corp - 6360;C:\WINDOWS\System32\Drivers\sunkfilt6.sys [] S3 SunkFilt62;Alcor Micro Corp - 6362;C:\WINDOWS\System32\Drivers\sunkfilt62.sys [2004-07-23 13:55] [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{001e07a1-bed1-11db-ac25-806d6172696f}] \Shell\AutoRun\command - E:\SSCVIHOST.exe \Shell\Open\command - E:\SSCVIHOST.exe [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{2ca72c02-3454-11da-a69b-806d6172696f}] \Shell\AutoRun\command - New Document.exe [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{30df6bcd-7a7a-11dc-ad86-806d6172696f}] \Shell\0pen\command - E:\krag.exe \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL krag.exe [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{3affa837-5f0a-11da-a7c5-806d6172696f}] \Shell\AutoRun\command - I:\ \Shell\explore\Command - \Shell\open\Command - [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{996a7c62-8b02-11dc-ad9e-806d6172696f}] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL exiplorer.exe [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{ef6f6c03-8a40-11dc-ad9d-806d6172696f}] \Shell\0pen\command - E:\krag.exe \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL krag.exe *Newly Created Service* - CATCHME . Contents of the 'Scheduled Tasks' folder "2007-12-15 22:05:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2007-12-16 17:00:00 C:\WINDOWS\Tasks\At1.job" - C:\WINDOWS\system32\blastclnnn.exe . ************************************************** ************************ catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-20 13:07:41 Windows 5.1.2600 Service Pack 2, v.2082 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************** ************************ . Completion time: 2007-12-20 13:08:17
|
|
#5
December 20th, 2007, 05:05 AM
|
|||
|
|||
|
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run \ {++} "MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS] "SharpTray" = ""C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"" [null data] "Yahoo! Pager" = ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet" ["Yahoo! Inc."] HKLM\Software\Microsoft\Windows\CurrentVersion\Run \ {++} "BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS] "BigDogPath" = "C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera" ["BIGDOG"] "Sunkist2k" = "C:\Program Files\Multimedia Card Reader\shwicon2k.exe" ["Alcor Micro, Corp."] "SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."] "Sony" = ""C:\Program Files\SONY ERICSSON W810i DESKMATE\SONY ERICSSON W810i DESKMATE.exe"" [file not found] "AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."] "WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data] "SiSPower" = "Rundll32.exe SiSPower.dll,ModeAgent" [MS] "RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."] "SkyTel" = "SkyTel.EXE" ["Realtek Semiconductor Corp."] "StormCodec_Helper" = ""C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti" [null data] "QuickTime Task" = ""C:\Program Files\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."] "iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Inc."] "Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"] "avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"] HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\ {02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided) -> {HKLM...CLSID} = "Yahoo! Toolbar Helper" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper" \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = (no title provided) -> {HKLM...CLSID} = "Yahoo! IE Services Button" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo! Inc."] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."] {AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided) -> {HKLM...CLSID} = "Google Toolbar Helper" \InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."] {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided) -> {HKLM...CLSID} = "Google Toolbar Notifier BHO" \InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\sw g.dll" ["Google Inc."] HKLM\Software\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension" -> {HKLM...CLSID} = "Display Panning CPL Extension" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."] "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler" -> {HKLM...CLSID} = "Microsoft Office Outlook" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler" -> {HKLM...CLSID} = "Outlook File Icon Extension" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS] "{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail" -> {HKLM...CLSID} = "YMailShellExt Class" \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."] "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu" -> {HKLM...CLSID} = "Portable Media Devices Menu" \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] "{0561EC90-CE54-4f0c-9C55-E226110A740C}" = "Haali Column Provider" -> {HKLM...CLSID} = "Haali Column Provider" \InProcServer32\(Default) = "C:\WINDOWS\system32\mmfinfo.dll" [null data] "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension" -> {HKLM...CLSID} = "AVG7 Shell Extension Class" \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension" -> {HKLM...CLSID} = "AVG7 Find Extension Class" \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes" -> {HKLM...CLSID} = "iTunes" \InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."] "{472083B0-C522-11CF-8763-00608CC02F24}" = "avast" -> {HKLM...CLSID} = "avast" \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"] HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellExecuteHooks\ <<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5" -> {HKLM...CLSID} = "CShellExecuteHookImpl Object" \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."] <<!>> "{AD0ACA58-656F-61DA-9DFE-5D20F4F611BA}" = "*_" (unwritable string) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\cs1sa1f.dll" [file not found] HKLM\Software\Classes\PROTOCOLS\Filter\ <<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandler s\ {0561EC90-CE54-4f0c-9C55-E226110A740C}\(Default) = "Haali Column Provider" -> {HKLM...CLSID} = "Haali Column Provider" \InProcServer32\(Default) = "C:\WINDOWS\system32\mmfinfo.dll" [null data] {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\Software\Classes\*\shellex\ContextMenuHandler s\ avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}" -> {HKLM...CLSID} = "avast" \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"] AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}" -> {HKLM...CLSID} = "CContextScan Object" \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."] AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" -> {HKLM...CLSID} = "AVG7 Shell Extension Class" \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}" -> {HKLM...CLSID} = "YMailShellExt Class" \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."] HKLM\Software\Classes\Directory\shellex\ContextMen uHandlers\ AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}" -> {HKLM...CLSID} = "CContextScan Object" \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHa ndlers\ avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}" -> {HKLM...CLSID} = "avast" \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"] AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" -> {HKLM...CLSID} = "AVG7 Shell Extension Class" \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Pol icies\System\ "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Loca l Settings\Application Data\Microsoft\Wallpaper1.bmp" Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Documents and Settings\moraleja\Local Settings\Application Data\Microsoft\Wallpaper1.bmp" Startup items in "moraleja" & "All Users" startup folders: ---------------------------------------------------------- C:\Documents and Settings\moraleja\Start Menu\Programs\Startup "Adobe Gamma" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."] C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup "Button Manager" -> shortcut to: "C:\Program Files\Sharp\Personal MFP series Utility\Button Manager\btnman.exe" ["SHARP CORPORATION"] "IDW Logging Tool" -> shortcut to: "C:\WINDOWS\system32\idwlog.exe -3" [MS] "Utility Tray" -> shortcut to: "C:\WINDOWS\system32\sistray.exe" ["Silicon Integrated Systems Corporation"] Enabled Scheduled Tasks: ------------------------ "AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."] "At1" -> launches: "C:\WINDOWS\system32\blastclnnn.exe" [file not found] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" -> {HKLM...CLSID} = "&Google" \InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."] HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{015407A9-D183-4379-8452-DFD7C2297902}" -> {HKLM...CLSID} = "Cole2k Media Toolbar" \InProcServer32\(Default) = "C:\Program Files\Cole2k Media Toolbar\v2.0.0.2\Cole2k_Media_Toolbar.dll" [file not found] "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" -> {HKLM...CLSID} = "Yahoo! Toolbar" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."] "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" -> {HKLM...CLSID} = "&Google" \InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided) -> {HKLM...CLSID} = "&Google" \InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."] "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided) -> {HKLM...CLSID} = "Yahoo! Toolbar" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."] Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ {4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided) -> {HKLM...CLSID} = "&Yahoo! Messenger" \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesaa.dll" ["Yahoo! Inc."] {9455301C-CF6B-11D3-A266-00C04F689C50}\(Default) = (no title provided) -> {HKLM...CLSID} = "Encarta &Researcher" \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL" [MS] HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Console" "CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}" -> {HKCU...CLSID} = "Java Plug-in 1.6.0_03" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."] -> {HKLM...CLSID} = "Java Plug-in 1.6.0_03" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."] {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\ "ButtonText" = "Yahoo! Services" "CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}" -> {HKLM...CLSID} = "Yahoo! IE Services Button" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo! Inc."] {85D1F590-48F4-11D9-9669-0800200C9A66}\ "MenuText" = "Uninstall BitDefender Online Scanner v8" "Exec" = "%windir%\bdoscandel.exe" [null data] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ "ButtonText" = "Research" {9455301C-CF6B-11D3-A266-00C04F689C50}\ "ButtonText" = "Researcher" {B205A35E-1FC4-4CE3-818B-899DBBB3388C}\ {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Windows Messenger" "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS] Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ <<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "*X" (unwritable string) -> {HKLM...CLSID} = "Yahoo! Toolbar" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Apple Mobile Device, Apple Mobile Device, "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe" ["Apple, Inc."] avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"] avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"] avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"] avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"] AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["GRISOFT s.r.o."] AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."] AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."] AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."] iPod Service, iPod Service, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Inc."] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monito rs\ EPSON V5 2KMonitor\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"] Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS] SHARP AL-1200(USB) series Language Monitor\Driver = "sc0cLMON.DLL" ["SHARP"] ---------- <<!>>: Suspicious data at a malware launch point. <<H>>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer "No" at the first message box and "Yes" at the second message box. ---------- (total run time: 46 seconds, including 9 seconds for message boxes)
|
|
#6
December 20th, 2007, 05:06 AM
|
|||
|
|||
|
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:09:41 PM, on 12/20/2007 Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\VM_STI.EXE C:\Program Files\Multimedia Card Reader\shwicon2k.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Winamp\winampa.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\QuickTime\QTTask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Sharp\Sharpdesk\SharpTray.exe C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\Program Files\Sharp\Personal MFP series Utility\Button Manager\btnman.exe C:\WINDOWS\system32\sistray.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\explorer.exe C:\Documents and Settings\moraleja\Desktop\hijackthis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/...arch.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/yco...//uk.yahoo.com R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\sw g.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [Sony] "C:\Program Files\SONY ERICSSON W810i DESKMATE\SONY ERICSSON W810i DESKMATE.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe" O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user') O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Button Manager.lnk = C:\Program Files\Sharp\Personal MFP series Utility\Button Manager\btnman.exe O4 - Global Startup: IDW Logging Tool.lnk = C:\WINDOWS\system32\idwlog.exe O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdspl ay.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.arcadetown.com/dinerdash2...2.1.0.0.48.cab O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://www.arcadetown.com/swf/delici...ylomplayer.cab O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.arcadetown.com/swf/feedin...utLauncher.cab O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe -- End of file - 10391 bytes
|
|
#7
December 20th, 2007, 08:40 AM
|
||||
|
||||
|
Are you being helped elsewhere melmoraleja? Your first set of logs showed a number of malware startups and processes however some of these have disappeared from from the second set of logs for no apparent reason. ComboFix didnt remove them either.
|
|
#8
December 20th, 2007, 09:47 AM
|
|||
|
|||
|
my sister told me that she scanned our pc using avgfree. that must've deleted the problems, why? is it clean already?? thanks a lot!
|
|
#9
December 20th, 2007, 09:53 PM
|
||||
|
||||
|
Code:
why? Quote:
Open Notepad and copy and paste the below text in it: Code:
@echo off %systemdrive% cd C:\WINDOWS\Tasks attrib -r -s -h At1.job del At1.job Make sure that your Flash drive and any external drives are plugged in and open notepad and copy and paste the text in the codebox below into it: Code:
File::
E:\SSCVIHOST.exe
E:\krag.exe
C:\WINDOWS\system32\exiplorer.exe
C:\WINDOWS\krag.exe
C:\New Document.exe
Registry::
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AD0ACA58-656F-61DA-9DFE-5D20F4F611BA}"=-
[-HKEY_CLASSES_ROOT\CLSID\{AD0ACA58-656F-61DA-9DFE-5D20F4F611BA}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{001e07a1-bed1-11db-ac25-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ca72c02-3454-11da-a69b-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30df6bcd-7a7a-11dc-ad86-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3affa837-5f0a-11da-a7c5-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{996a7c62-8b02-11dc-ad9e-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef6f6c03-8a40-11dc-ad9d-806d6172696f}]
 ComboFix will run again. When the fix completes it will create a C:\ComboFix.txt log. Please post that log in your next reply.
|
|
#10
December 23rd, 2007, 02:14 AM
|
|||
|
|||
|
here are the new logs! thanks!
ComboFix 07-12-20.1 - moraleja 2007-12-23 10:15:32.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.396 [GMT -8:00] Running from: C:\Documents and Settings\moraleja\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\moraleja\Desktop\CFScript.txt * Created a new restore point FILE C:\New Document.exe C:\WINDOWS\krag.exe C:\WINDOWS\system32\exiplorer.exe E:\krag.exe E:\SSCVIHOST.exe . ((((((((((((((((((((((((( Files Created from 2007-11-23 to 2007-12-23 ))))))))))))))))))))))))))))))) . 2007-12-23 08:11 . 2007-12-23 10:14 <DIR> d-------- C:\mommy files 2007-12-21 10:22 . 2007-12-21 10:22 <DIR> d-------- C:\Documents and Settings\moraleja\logs 2007-12-09 14:02 . 2007-12-04 05:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe 2007-12-09 14:02 . 2004-01-09 02:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx 2007-12-09 14:02 . 2007-12-04 04:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr 2007-12-09 14:02 . 2007-12-04 06:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys 2007-12-09 14:02 . 2007-12-04 06:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys 2007-12-09 14:02 . 2007-12-04 06:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys 2007-12-09 14:02 . 2007-12-04 06:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys 2007-12-09 14:02 . 2007-12-04 06:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys 2007-12-08 13:11 . 2007-12-08 13:11 <DIR> d-------- C:\Program Files\FashionFits_at 2007-12-08 13:11 . 2007-12-08 13:11 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Fugazo 2007-12-02 09:41 . 2007-12-02 09:41 <DIR> d-------- C:\Documents and Settings\moraleja\Application Data\Raptisoft 2007-12-01 19:36 . 2007-12-01 19:36 <DIR> d-------- C:\Documents and Settings\moraleja\Application Data\Catena Software 2007-12-01 19:35 . 2007-12-01 19:35 <DIR> d-------- C:\Program Files\SIMetrixIntro53 2007-12-01 13:04 . 2007-12-01 13:04 <DIR> d-------- C:\Program Files\Luxor_at 2007-12-01 13:04 . 2005-04-12 16:29 802,816 --a------ C:\WINDOWS\FeedingFrenzy.scr 2007-12-01 11:56 . 2007-12-01 11:56 <DIR> d-------- C:\Program Files\SallysSalon_at 2007-12-01 11:42 . 2007-12-01 11:42 <DIR> d-------- C:\EASy68K 2007-11-30 17:21 . 2007-11-30 18:22 <DIR> d-------- C:\Program Files\ParadisePetSalon_at . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )) . 2007-12-23 07:56 --------- d-----w C:\Documents and Settings\moraleja\Application Data\uTorrent 2007-12-16 18:21 --------- d-----w C:\Program Files\Incomplete 2007-12-16 18:20 --------- d-----w C:\Program Files\LimeWire 2007-12-16 16:00 --------- d-----w C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\AVG7 2007-12-15 01:08 --------- d-----w C:\Documents and Settings\moraleja\Application Data\LimeWire 2007-12-09 23:48 --------- d-----w C:\Documents and Settings\moraleja\Application Data\AVG7 2007-12-09 01:55 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP 2007-12-02 17:50 --------- d-----w C:\Program Files\GoldMinerVegas_at 2007-12-02 03:35 --------- d--h--w C:\Program Files\InstallShield Installation Information 2007-12-01 21:01 --------- d-----w C:\Program Files\JanesHotel_at 2007-12-01 03:47 --------- d-----w C:\Program Files\BellesBeautyBoutique_at 2007-11-25 23:27 --------- d-----w C:\Program Files\Common Files\Adobe 2007-11-19 04:57 --------- d-----w C:\Documents and Settings\moraleja\Application Data\Jane s Hotel 2007-11-17 22:44 --------- d-----w C:\Program Files\iTunes 2007-11-17 22:44 --------- d-----w C:\Program Files\iPod 2007-11-17 22:42 --------- d-----w C:\Program Files\QuickTime 2007-11-16 18:00 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7 2007-11-08 19:00 --------- d-----w C:\Program Files\Hamsterball_at 2007-10-24 23:53 --------- d-----w C:\Program Files\Winamp 2007-10-24 23:50 --------- d-----w C:\Program Files\Multimedia Card Reader 2007-10-24 23:41 --------- d-----w C:\Program Files\Google 2006-02-26 17:08 359,112 ----a-w C:\Program Files\LimeWireWin.exe 2006-02-05 06:43 9,659,807 ----a-w C:\Program Files\fcrsetup.exe 2005-09-12 22:21 67,328 -c--a-w C:\Documents and Settings\xp professional\Application Data\GDIPFONTCACHEV1.DAT . ((((((((((((((((((((((((((((( snapshot@2007-12-20_13.07.41.74 ))))))))))))))))))))))))))))))))))))))))) . - 2007-12-20 21:03:07 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\NtUser.da t + 2007-12-23 18:15:26 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\NtUser.da t . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser] "{015407A9-D183-4379-8452-DFD7C2297902}"= C:\Program Files\Cole2k Media Toolbar\v2.0.0.2\Cole2k_Media_Toolbar.dll [ ] [HKEY_CLASSES_ROOT\clsid\{015407a9-d183-4379-8452-dfd7c2297902}] [HKEY_CLASSES_ROOT\ToolBar.ToolBarObj.1] [HKEY_CLASSES_ROOT\TypeLib\{B3A98058-DE1F-413f-9921-FF3EEA6B716F}] [HKEY_CLASSES_ROOT\ToolBar.ToolBarObj] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-02-18 18:16] "SharpTray"="C:\Program Files\Sharp\Sharpdesk\SharpTray.exe" [2002-10-24 19:46] "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-05-02 15:51] "Chikka"="C:\Program Files\Chikka Messenger\Chikka v.4\\ChikkaLauncher.exe" [2007-06-01 14:59] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run] "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-02-18 10:02 C:\WINDOWS\system32\bthprops.cpl] "BigDogPath"="C:\WINDOWS\VM_STI.exe" [2004-06-09 15:37] "Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2004-09-03 16:16] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11] "Sony"="C:\Program Files\SONY ERICSSON W810i DESKMATE\SONY ERICSSON W810i DESKMATE.exe" [] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc. exe" [2007-12-09 15:47] "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-11-21 09:38] "SiSPower"="Rundll32.exe" [2004-02-18 10:02 C:\WINDOWS\system32\rundll32.exe] "RTHDCPL"="RTHDCPL.EXE" [2007-02-25 23:03 C:\WINDOWS\RTHDCPL.exe] "SkyTel"="SkyTel.EXE" [2006-05-16 02:04 C:\WINDOWS\SkyTel.exe] "StormCodec_Helper"="C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" [2006-11-26 10:30] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-14 23:43] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51] "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp. exe" [2007-12-04 05:00] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run] "AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw. exe" [2007-12-09 15:47] C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\ Button Manager.lnk - C:\Program Files\Sharp\Personal MFP series Utility\Button Manager\btnman.exe [2007-09-02 13:29:59] IDW Logging Tool.lnk - C:\WINDOWS\system32\idwlog.exe [2004-02-18 10:02:44] Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2007-09-01 14:01:25] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^moraleja^Start Menu^Programs^Startup^Registration Prince of Persia Warrior Within.LNK] path=C:\Documents and Settings\moraleja\Start Menu\Programs\Startup\Registration Prince of Persia Warrior Within.LNK backup=C:\WINDOWS\pss\Registration Prince of Persia Warrior Within.LNKStartup R2 SC0CLPT;SC0CLPT;C:\WINDOWS\system32\SC0CLPT.SYS [2002-05-26 16:43] R3 ZSMC302;VIMICRO USB PC Camera;C:\WINDOWS\system32\Drivers\usbVM31b.sys [2004-08-17 11:44] S2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys [] S2 nvTUNEP;nVidia WDM TVTuner;C:\WINDOWS\system32\DRIVERS\nvtunep.sys [] S2 nvtvSND;nVidia WDM TVAudio Crossbar;C:\WINDOWS\system32\DRIVERS\nvtvsnd.sys [] S2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys [] S3 PIXMCV;JVC Communication PIX-MCV Driver;C:\WINDOWS\system32\Drivers\pixmcvc.sys [2003-12-05 05:39] S3 PIXMCVA;JVC PIX-MCV Audio Capture;C:\WINDOWS\system32\Drivers\pixmcva.sys [2003-12-05 05:39] S3 PIXMCVV;JVC PIX-MCV Video Capture;C:\WINDOWS\system32\Drivers\pixmcvv.sys [2003-12-05 05:39] S3 SunkFilt6;Alcor Micro Corp - 6360;C:\WINDOWS\System32\Drivers\sunkfilt6.sys [] S3 SunkFilt62;Alcor Micro Corp - 6362;C:\WINDOWS\System32\Drivers\sunkfilt62.sys [2004-07-23 13:55] . Contents of the 'Scheduled Tasks' folder "2007-12-22 22:05:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe . ************************************************** ************************ catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-23 10:19:28 Windows 5.1.2600 Service Pack 2, v.2082 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************** ************************ . Completion time: 2007-12-23 10:20:35 C:\ComboFix2.txt ... 2007-12-20 13:08
|
|
#11
December 23rd, 2007, 06:40 AM
|
||||
|
||||
|
I gather you created the below folder?
C:\mommy files Go here and download ATF cleaner (do not download the Recommended Download on the mirror site). Use it to remove all Temp Files, Cookies and Temp Internet Files, Java Cache and any others that you would like to remove. If you also use Opera or Firefox, also click on the cleaning options for each browser. Next, disable your antivirus program and go here and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and grab a coffee. When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit > Select All then copy the log and paste it back here. Run Hijack This again and post a new log please. Also tell me if you still have any problems.
|
|
#12
December 23rd, 2007, 10:24 AM
|
|||
|
|||
|
here's the bitdefender scan! thanks!
BitDefender Online Scanner Scan report generated at: Sun, Dec 23, 2007 - 18:28:58 Scan path: C:\;D:\;E:\; Statistics Time 01:15:36 Files 377638 Folders 8588 Boot Sectors 4 Archives 2540 Packed Files 12300 Results Identified Viruses 3 Infected Files 8 Suspect Files 0 Warnings 0 Disinfected 0 Deleted Files 8 Engines Info Virus Definitions 883977 Engine build AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36) Scan plugins 14 Archive plugins 38 Unpack plugins 7 E-mail plugins 6 System plugins 1 Scan Settings First Action Disinfect Second Action Delete Heuristics Yes Enable Warnings Yes Scanned Extensions *; Exclude Extensions Scan Emails Yes Scan Archives Yes Scan Packed Yes Scan Files Yes Scan Boot Yes Scanned File Status C:\$VAULT$.AVG\07292255.FIL Infected with: Trojan.Peed.IOB C:\$VAULT$.AVG\07292255.FIL Disinfection failed C:\$VAULT$.AVG\07292255.FIL Deleted C:\$VAULT$.AVG\08482777.FIL Infected with: Trojan.Peed.IOB C:\$VAULT$.AVG\08482777.FIL Disinfection failed C:\$VAULT$.AVG\08482777.FIL Deleted C:\Documents and Settings\xp professional\Desktop\Abegail\shielas usb\More Games\GUNSHOT.EXE Infected with: Joke.Winshoot.A C:\Documents and Settings\xp professional\Desktop\Abegail\shielas usb\More Games\GUNSHOT.EXE Disinfection failed C:\Documents and Settings\xp professional\Desktop\Abegail\shielas usb\More Games\GUNSHOT.EXE Deleted C:\Documents and Settings\xp professional\Desktop\Abegail\shielas usb\More Games\POSTAL.EXE Infected with: Joke.Winshoot.A C:\Documents and Settings\xp professional\Desktop\Abegail\shielas usb\More Games\POSTAL.EXE Disinfection failed C:\Documents and Settings\xp professional\Desktop\Abegail\shielas usb\More Games\POSTAL.EXE Deleted C:\Program Files\Ringz Studio\Storm Codec\stormupd.dll Infected with: Trojan.Downloader.Agent.ASG C:\Program Files\Ringz Studio\Storm Codec\stormupd.dll Disinfection failed C:\Program Files\Ringz Studio\Storm Codec\stormupd.dll Deleted C:\System Volume Information\_restore{7B82AE59-513A-4981-A704-4BE471F4C809}\RP299\A0159076.EXE Infected with: Joke.Winshoot.A C:\System Volume Information\_restore{7B82AE59-513A-4981-A704-4BE471F4C809}\RP299\A0159076.EXE Disinfection failed C:\System Volume Information\_restore{7B82AE59-513A-4981-A704-4BE471F4C809}\RP299\A0159076.EXE Deleted C:\System Volume Information\_restore{7B82AE59-513A-4981-A704-4BE471F4C809}\RP299\A0159077.EXE Infected with: Joke.Winshoot.A C:\System Volume Information\_restore{7B82AE59-513A-4981-A704-4BE471F4C809}\RP299\A0159077.EXE Disinfection failed C:\System Volume Information\_restore{7B82AE59-513A-4981-A704-4BE471F4C809}\RP299\A0159077.EXE Deleted C:\System Volume Information\_restore{7B82AE59-513A-4981-A704-4BE471F4C809}\RP299\A0159078.dll Infected with: Trojan.Downloader.Agent.ASG C:\System Volume Information\_restore{7B82AE59-513A-4981-A704-4BE471F4C809}\RP299\A0159078.dll Disinfection failed C:\System Volume Information\_restore{7B82AE59-513A-4981-A704-4BE471F4C809}\RP299\A0159078.dll Deleted
|
|
#13
December 23rd, 2007, 10:26 AM
|
|||
|
|||
|
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:34:10 PM, on 12/23/2007 Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\VM_STI.EXE C:\Program Files\Multimedia Card Reader\shwicon2k.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\Program Files\Winamp\winampa.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\QuickTime\QTTask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Sharp\Sharpdesk\SharpTray.exe C:\Program Files\Chikka Messenger\Chikka v.4\ChikkaLauncher.exe C:\Program Files\Sharp\Personal MFP series Utility\Button Manager\btnman.exe C:\WINDOWS\system32\sistray.exe C:\Program Files\Microsoft Encarta\Encarta Premium Suite 2005\EDICT.EXE C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE C:\WINDOWS\explorer.exe C:\Program Files\LimeWire\LimeWire.exe C:\Program Files\Internet Explorer\iexplore.exe C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YTBSDK.ex e C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe C:\Documents and Settings\moraleja\Desktop\hijackthis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/...arch.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/yco...//uk.yahoo.com R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\sw g.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [Sony] "C:\Program Files\SONY ERICSSON W810i DESKMATE\SONY ERICSSON W810i DESKMATE.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe" O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [Chikka] C:\Program Files\Chikka Messenger\Chikka v.4\\ChikkaLauncher.exe O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user') O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Button Manager.lnk = C:\Program Files\Sharp\Personal MFP series Utility\Button Manager\btnman.exe O4 - Global Startup: IDW Logging Tool.lnk = C:\WINDOWS\system32\idwlog.exe O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdspl ay.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.arcadetown.com/dinerdash2...2.1.0.0.48.cab O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://www.arcadetown.com/swf/delici...ylomplayer.cab O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.arcadetown.com/swf/feedin...utLauncher.cab O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe -- End of file - 10702 bytes
|
|
#15
December 24th, 2007, 05:31 AM
|
|||
|
|||
|
yup, my mom created that folder. there's no more problem now. thanks a lot!!!!!
|
 |
| Bookmarks |
«
Previous Topic
|
Next Topic
»
| Topic Tools | |
|
|
All times are GMT +1. The time now is 01:54 PM.
