Adware, malware, spyware, hijacker discussion and information


All times are UTC - 7 hours


Forum rules


ATTN! Only users pre-approved by TeMerc may offer help and assistance in malware removal. Any and all unauthorized posts will be removed without notice. Please read this thread for proper HijackThis! installation.



This topic is locked; you cannot edit posts or make further replies. [ 15 posts ]
 Post subject: need some advice and some help tnx
PostPosted: Thu Dec 25, 2008 5:31 pm 

Joined: Wed Dec 24, 2008 3:31 pm
Posts: 8
About a week ago Webroot Spy Sweeper blocked something from installing on the PC, so I did a scan with it and it picked up something called Trojan Downloader Ruin, so I put it into quarantine and then deleted it. I also did a boot-time scan with Avast and it picked some other things up. Spy Sweeper wouldn't update, so I got instructions from Webroot to sort that out (other than that they're not very helpful).
Since then the PC went really funny. The first thing that went wrong was defrag stopped working; Windows Update says it's disabled, but when you go into it everything is ticked to auto-update; System Restore has been wiped of any restore points as well. Spy Sweeper keeps picking up something called Virtumonde and Trojan Agent TDSS; to put it bluntly, my PC is knackered and behaving funny. I can't get much info from my son on what he was doing on a 10-week-old £1000 custom-built gaming tower to make it go like this. Hence that's why he's now banned from using it except for games, that's if I can get it to work.
I'm quite happy to use the MS Windows XP Home Edition disc to do a full install.
Do I need to get rid of what's on my PC before I use the MS Windows XP disc to hopefully do a repair install, or do I need to reformat and start from scratch? Any help and info would be gratefully received. These forums came highly recommended from http://www.windowssecrets.com/support-a ... -infection
Postscript: as I finished writing this, Spy Sweeper popped up saying zvfkux dll is trying to install a browser add-on; obviously I clicked block because I don't know what it is.
I've read the 'read before asking for help' thread and a few others, so hopefully I'm following correct procedure; if not, please let me know.



 
 Post subject: Re: need some advice and some help tnx
PostPosted: Thu Dec 25, 2008 5:33 pm 

Joined: Wed Dec 24, 2008 3:31 pm
Posts: 8
Logfile of HijackThis v1.99.1
Scan saved at 00:29:57, on 26/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Logitech\SetPoint II\SetPointII.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 72.5.172.201 products.webroot.com
O1 - Hosts: 64.78.182.203 defs.webroot.com
O1 - Hosts: 72.5.172.202 sales.webroot.com
O1 - Hosts: 64.78.182.203 updates.webroot.com
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] "C:\WINDOWS\KHALMNPR.EXE"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [RTHDCPL] "C:\WINDOWS\RTHDCPL.EXE"
O4 - HKLM\..\Run: [SkyTel] "C:\WINDOWS\SkyTel.EXE"
O4 - HKLM\..\Run: [Alcmtr] "C:\WINDOWS\ALCMTR.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] "C:\WINDOWS\system32\dumprep.exe" 0 -k
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\RunOnce: [ Privacy Eraser Pro] "C:\Program Files\PrivacyEraser Computing\Privacy Eraser Pro\PrivacyEraser.exe" /ErIEIndex
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\RunOnce: [ Privacy Eraser Pro] "C:\Program Files\PrivacyEraser Computing\Privacy Eraser Pro\PrivacyEraser.exe" /ErIEIndex
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab3.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDow ... rtScan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O20 - AppInit_DLLs: \\?\globalroot\systemroot\system32\senekawi.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe



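The one entry that stands out in the HijackThis log above is the O20 AppInit_DLLs line, which loads senekawi.dll from a \\?\globalroot\systemroot\... path (the ComboFix log later in this thread deletes that file and removes the TDSSserv service). As an added example, not part of this post or of HijackThis, here is a small Python triage script that applies the rules a helper applies by eye to such a log: any non-empty AppInit_DLLs value is worth a look, and a \\?\globalroot path makes it high priority; Winlogon Notify packages outside a stock set are flagged, more so when the DLL is reported missing; hosts-file entries that pin a name to a non-loopback address are listed for review. The sample lines are copied from the HJT logs posted in this thread, and the KNOWN_NOTIFY allow-list is an assumption chosen to keep the example self-contained.

```python
"""Rule-based triage of a HijackThis (HJT) log.

Added example, not part of the forum post or of HijackThis. It encodes the
checks a helper applies by eye: AppInit_DLLs entries, Winlogon Notify
packages that are not part of a stock install, and hosts-file redirections.
"""
import re

# One HJT entry line: a section tag (R0, O1, O20, ...), then " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<tag>[RO]\d+)\s+-\s+(?P<body>.*)$")

# Winlogon notification packages expected on a stock Windows XP machine.
# ASSUMPTION for this example only: compare against a known-clean machine
# of the same build before relying on it.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "dimsntfy", "schedule",
    "sclgntfy", "sensl", "termsrv", "wlballoon",
}


def parse_entries(log_text):
    """Yield (tag, body) for each entry line; the process list and headers are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("tag"), m.group("body")


def triage(log_text):
    """Return findings as (severity, tag, reason, detail), in log order."""
    findings = []
    for tag, body in parse_entries(log_text):
        if tag == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            if not value:
                continue
            # AppInit_DLLs are loaded into every process that maps user32.dll.
            # A \\?\globalroot\ prefix is a raw NT namespace path; it is unusual
            # for any legitimate entry and is used to slip past simple path checks.
            hidden = "globalroot" in value.lower() or value.startswith("\\\\?\\")
            findings.append(("HIGH" if hidden else "REVIEW", tag,
                             "AppInit_DLLs injects a DLL into every GUI process", value))
        elif tag == "O20" and body.startswith("Winlogon Notify:"):
            name, _, rest = body[len("Winlogon Notify:"):].strip().partition(" - ")
            if name.lower() in KNOWN_NOTIFY:
                continue
            missing = "(file missing)" in rest
            reason = "unknown Winlogon Notify package"
            if missing:
                reason += " whose DLL is gone (registration left behind by a removed file)"
            findings.append(("HIGH" if missing else "REVIEW", tag, reason, body))
        elif tag == "O1" and body.startswith("Hosts:"):
            ip, _, host = body[len("Hosts:"):].strip().partition(" ")
            if not (ip.startswith("127.") or ip == "::1"):
                findings.append(("INFO", tag, "hosts file pins %s to %s" % (host, ip), body))
    return findings


# Constructed sample: lines copied from the HJT logs posted in this thread,
# plus one benign O4 line so the parser has something to ignore.
SAMPLE_LOG = r"""
O1 - Hosts: 64.78.182.203 defs.webroot.com
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - AppInit_DLLs: \\?\globalroot\systemroot\system32\senekawi.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: iifeEvsQ - iifeEvsQ.dll (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
"""

if __name__ == "__main__":
    for severity, tag, reason, detail in triage(SAMPLE_LOG):
        print("%-6s %-4s %s\n       %s" % (severity, tag, reason, detail))
```

Run against the sample, the script reports the senekawi.dll AppInit entry and the iifeEvsQ Winlogon Notify entry as HIGH, lists the webroot.com hosts pin as INFO, and stays silent on dimsntfy because it is in the allow-list; the O4 and O23 lines are parsed but produce no finding. The allow-list is the weak point of any such script, which is why the helpers in this thread still read the whole log rather than trusting a filter.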
 
 Post subject: Re: need some advice and some help tnx
PostPosted: Thu Dec 25, 2008 5:48 pm 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15966
Location: PHX, AZ
Hello Philip, welcome to the TeMerc Internet Countermeasures Forum, and thanks for joining.

Looks like I see one rogue file, so let's use another malware scanner to see if it finds it. I'm pretty confident it will.

Because some malware can be easily removed, we recommend Malwarebytes Anti-Malware be run. It's an advanced piece of software which should get a lot of what's on this machine. These guys are so on top of the latest infections it's amazing.

It's important to let me know, however, if you experience any trouble getting to the site, downloading it, or opening it to run. Some rootkits target MBAM, and those indicators are the 'tell', if you will. We have another method of double-checking for this rootkit which, if present, will require another special tool.

Download it from here and save it to your desktop. If you're using IE7 you may get prompted to allow the download; please do so.
  • Double-click the mbam-setup.exe icon [screenshot], and when the download dialog box appears, please tick 'Launch Malwarebytes' Anti-Malware when download completes' as displayed: [screenshot]
  • Select your language when this option is displayed.
  • Follow the default installation instructions.
  • Decide if you would like a 'Start Menu' folder created when this option is displayed.
  • Choose your options of preference on the 'Select Additional Tasks' screen.
  • Review your choices at the 'Ready To Install' screen.
  • At the end, be sure a checkmark is placed next to 'Update Malwarebytes' Anti-Malware' and 'Launch Malwarebytes' Anti-Malware' as displayed here: [screenshot]
  • Then click the [screenshot] button.
  • Please read the information box when it appears and click the [screenshot] button.
  • Please allow access via your firewall if an alert is presented to you.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select 'Perform quick scan' as displayed here: [screenshot]
  • Then click the [screenshot] button.
  • When the scan is complete, you will be presented with a message as shown [screenshot]; click the [screenshot] button, then click the [screenshot] button.
  • Be sure that each item has its box ticked as displayed here [screenshot] and click [screenshot].
  • When completed, a log will open in Notepad. Please save it to your desktop for easy access. Copy the contents of the file and paste it back into your thread for review, along with a new HJT log as well. The MBAM log is also saved by default to the following location: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt

 
 Post subject: Re: need some advice and some help tnx
PostPosted: Fri Dec 26, 2008 1:32 pm 

Joined: Wed Dec 24, 2008 3:31 pm
Posts: 8
Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

26/12/2008 20:14:51
mbam-log-2008-12-26 (20-14-51).txt

Scan type: Quick Scan
Objects scanned: 46210
Time elapsed: 1 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\yayAPffE.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56aafcb6-0d18-47d8-aa70-751f6889be1b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{56aafcb6-0d18-47d8-aa70-751f6889be1b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{56aafcb6-0d18-47d8-aa70-751f6889be1b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\yayapffe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\yayapffe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\yayAPffE.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\EffPAyay.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\EffPAyay.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\evktxaum.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\muaxtkve.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ifmbdhcg.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gchdbmfi.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kaflogwx.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xwgolfak.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oupposmk.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kmsoppuo.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSofxh.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSosvd.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\TDSSofxh.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\TDSSpaxt.sys (Rootkit.Agent) -> Quarantined and deleted successfully.



Logfile of HijackThis v1.99.1
Scan saved at 20:29:40, on 26/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 72.5.172.201 products.webroot.com
O1 - Hosts: 64.78.182.203 defs.webroot.com
O1 - Hosts: 72.5.172.202 sales.webroot.com
O1 - Hosts: 64.78.182.203 updates.webroot.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] "C:\WINDOWS\KHALMNPR.EXE"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [RTHDCPL] "C:\WINDOWS\RTHDCPL.EXE"
O4 - HKLM\..\Run: [SkyTel] "C:\WINDOWS\SkyTel.EXE"
O4 - HKLM\..\Run: [Alcmtr] "C:\WINDOWS\ALCMTR.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] "C:\WINDOWS\system32\dumprep.exe" 0 -k
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab3.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDow ... rtScan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O20 - AppInit_DLLs: \\?\globalroot\systemroot\system32\senekawi.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: iifeEvsQ - iifeEvsQ.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe



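Two details in the MBAM log above explain why MBAM had to schedule yayAPffE.dll for deletion at reboot rather than removing it on the spot. Every Vundo DLL it found in system32 has a companion .ini whose name is the DLL's base name spelled backwards (yayAPffE.dll with EffPAyay.ini and EffPAyay.ini2, evktxaum.dll with muaxtkve.ini, and so on), and yayapffe was also registered in the LSA Notification Packages and Authentication Packages values, which LSASS loads at boot; a DLL mapped into LSASS cannot be deleted while Windows is running, hence 'Delete on reboot'. As an added example, not part of the forum post or of Malwarebytes, the following Python script finds such reversed-name DLL/INI pairs in a directory listing and reports which of them are wired into the LSA package values. The listing and the registry values are constructed from the MBAM log in this thread; the set of stock package names (scecli, msv1_0) is an assumption stated in the code.

```python
"""Find Vundo-style reversed-name DLL/INI pairs and check LSA package values.

Added example, not part of the forum post or of Malwarebytes. The file listing
and registry values below are constructed from the MBAM log in this thread.
"""
import ntpath  # Windows path rules regardless of the OS running this script

# Stock contents of the two LSA package values on Windows XP. ASSUMPTION for the
# example: verify against a clean machine of the same build before relying on it.
STOCK_LSA = {
    "Notification Packages": {"scecli"},
    "Authentication Packages": {"msv1_0"},
}


def reversed_pairs(filenames):
    """Map each DLL to the .ini/.ini2 files whose stem is the DLL stem reversed."""
    by_lower = {f.lower(): f for f in filenames}
    pairs = {}
    for f in filenames:
        stem, ext = ntpath.splitext(f)
        if ext.lower() != ".dll":
            continue
        mirror = stem[::-1].lower()
        mates = [by_lower[mirror + e] for e in (".ini", ".ini2") if mirror + e in by_lower]
        if mates:
            pairs[f] = mates
    return pairs


def lsa_extras(lsa_values):
    """Entries in the LSA package values that are not part of the stock set."""
    extras = {}
    for name, entries in lsa_values.items():
        extras[name] = [e for e in entries
                        if ntpath.basename(e).lower() not in STOCK_LSA.get(name, set())]
    return extras


def report(filenames, lsa_values):
    """Combine both checks: which paired DLLs are loaded into LSASS via LSA packages."""
    pairs = reversed_pairs(filenames)
    extras = lsa_extras(lsa_values)
    # LSA package entries name the DLL without its extension, so match on the stem.
    stems = {ntpath.splitext(dll)[0].lower(): dll for dll in pairs}
    wired = set()
    for entries in extras.values():
        for e in entries:
            stem = ntpath.basename(e).lower()
            if stem in stems:
                wired.add(stems[stem])
    return {"pairs": pairs, "lsa_extras": extras, "lsa_wired": sorted(wired)}


# Constructed system32 listing: the files named in the MBAM log plus a few stock
# files so the pairing logic has normal names to ignore.
SYSTEM32_LISTING = [
    "kernel32.dll", "ntdll.dll", "win.ini", "system.ini",
    "yayAPffE.dll", "EffPAyay.ini", "EffPAyay.ini2",
    "evktxaum.dll", "muaxtkve.ini",
    "ifmbdhcg.dll", "gchdbmfi.ini",
    "kaflogwx.dll", "xwgolfak.ini",
    "oupposmk.dll", "kmsoppuo.ini",
    "TDSSofxh.dll", "TDSSosvd.dll", "mcrh.tmp",
]

# Constructed registry data, as reported in the MBAM log (both values are REG_MULTI_SZ).
LSA_VALUES = {
    "Notification Packages": ["scecli", r"c:\windows\system32\yayapffe"],
    "Authentication Packages": ["msv1_0", r"c:\windows\system32\yayapffe"],
}

if __name__ == "__main__":
    result = report(SYSTEM32_LISTING, LSA_VALUES)
    for dll, mates in result["pairs"].items():
        print("pair: %s <-> %s" % (dll, ", ".join(mates)))
    for name, entries in result["lsa_extras"].items():
        print("non-stock %s: %s" % (name, entries or "none"))
    print("DLLs loaded into LSASS via LSA packages:", result["lsa_wired"])
```

On the constructed input the script pairs the five Vundo DLLs with their mirrored .ini files, ignores the stock files and the TDSS DLLs (which use a different naming scheme), and reports yayAPffE.dll as the one wired into both LSA values. The same pairing check is cheap to run over a real system32 listing, and an LSA package entry that is anything other than the stock names deserves attention even when no mirrored .ini is present.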
 
 Post subject: Re: need some advice and some help tnx
PostPosted: Fri Dec 26, 2008 1:37 pm 

Joined: Wed Dec 24, 2008 3:31 pm
Posts: 8
Hi again, thanks for helping.
After the scan it said it needed to restart the PC to remove certain things. Unfortunately my PC froze on start-up, so I had to press the reset button. Hope it hasn't affected the log file.

Phil.



 
 Post subject: Re: need some advice and some help tnx
PostPosted: Fri Dec 26, 2008 2:37 pm 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15966
Location: PHX, AZ
I see a rootkit file in that log; we'll need to break out the big gun.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
  • Double-click on ComboFix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]

Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include C:\ComboFix.txt in your next reply, as well as another fresh HJT log.

 
 Post subject: Re: need some advice and some help tnx
PostPosted: Fri Dec 26, 2008 2:39 pm 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15966
Location: PHX, AZ
Also, one note: I see that in the MBAM log it says database version 1456; the latest version is over 1500, so please update that software via the internal updater after you've run ComboFix, then scan again and post all 3 logs: ComboFix, MBAM and a fresh HJT log.

 
 Post subject: Re: need some advice and some help tnx
PostPosted: Fri Dec 26, 2008 3:35 pm 

Joined: Wed Dec 24, 2008 3:31 pm
Posts: 8
ComboFix 08-12-26.02 - User 2008-12-26 21:59:34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2877 [GMT 0:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 081226-0] *On-access scanning disabled* (Updated)
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\documents and settings\User\Application Data\inst.exe
c:\windows\system32\hdkmduhc.dll
c:\windows\system32\indnft.dll
c:\windows\system32\itjnkh.dll
c:\windows\system32\kksgxr.dll
c:\windows\system32\lypjtmrl.dll
c:\windows\system32\mkjiopwa.dll
c:\windows\system32\qwipqw.dll
c:\windows\system32\seneka.dat
c:\windows\system32\senekadf.dat
c:\windows\system32\senekalight.dll
c:\windows\system32\senekalog.dat
c:\windows\system32\senekawi.dll
c:\windows\system32\uvhjmnbp.dll
c:\windows\system32\yrjnowmj.dll
c:\windows\system32\zvfkux.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-11-26 to 2008-12-26 )))))))))))))))))))))))))))))))
.

2008-12-26 20:10 . 2008-12-26 20:10 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-26 20:10 . 2008-12-26 20:10 <DIR> d-------- c:\documents and settings\User\Application Data\Malwarebytes
2008-12-26 20:10 . 2008-12-26 20:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-26 20:10 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-26 20:10 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-25 22:23 . 2008-12-25 22:23 23,552 --a------ c:\windows\system32\teynncna.exe
2008-12-24 22:19 . 2008-12-24 22:19 23,552 --a------ c:\windows\system32\jdothial.exe
2008-12-23 20:48 . 2008-12-23 20:48 48,640 --------- c:\windows\system32\Oongah9m.exe
2008-12-19 22:23 . 2008-12-19 22:23 <DIR> d-------- c:\windows\nview
2008-12-19 22:23 . 2008-12-19 22:23 <DIR> d-------- c:\windows\A7E07C2B2220441587E3784D5814BC93.TMP
2008-12-19 22:23 . 2008-12-26 22:15 200,819 --a------ c:\windows\system32\nvapps.xml
2008-12-19 22:23 . 2008-10-07 13:33 18,477 --a------ c:\windows\system32\nvdisp.nvu
2008-11-28 21:19 . 2004-11-23 17:35 536,576 --a------ c:\windows\system32\ciaXPTab30.ocx
2008-11-28 21:19 . 2004-11-23 17:01 299,008 --a------ c:\windows\system32\ciaXPCombo30.ocx
2008-11-28 21:19 . 2004-11-23 17:33 221,184 --a------ c:\windows\system32\ciaXPSpin30.ocx
2008-11-28 21:19 . 2004-11-23 17:17 212,992 --a------ c:\windows\system32\ciaXPSelection30.ocx
2008-11-28 21:19 . 2004-11-23 16:59 184,320 --a------ c:\windows\system32\ciaXPButton30.ocx
2008-11-28 21:19 . 2004-11-23 17:36 172,032 --a------ c:\windows\system32\ciaXPText30.ocx
2008-11-28 21:19 . 2004-11-23 17:13 139,264 --a------ c:\windows\system32\ciaXPProgress30.ocx
2008-11-28 21:19 . 2004-11-23 17:03 126,976 --a------ c:\windows\system32\ciaXPFrame30.ocx
2008-11-28 21:19 . 2004-12-24 14:48 87,552 --a------ c:\windows\system32\OneWay.dll
2008-11-28 21:18 . 2004-08-12 15:56 926,904 --a------ c:\windows\system32\TList7.ocx
2008-11-28 21:18 . 2004-07-09 23:47 729,088 --a------ c:\windows\system32\wodSmtp.dll
2008-11-28 21:18 . 2003-12-14 15:47 692,224 --a------ c:\windows\system32\ciaResSvr20.dll
2008-11-28 21:18 . 2005-11-14 10:11 434,176 --a------ c:\windows\system32\SetupBuilderX.ocx
2008-11-28 21:18 . 2005-08-22 13:13 397,312 --a------ c:\windows\system32\fathzip.dll
2008-11-28 21:18 . 2004-11-19 01:45 200,704 --a------ c:\windows\system32\ciaSCls20.dll
2008-11-28 21:18 . 2002-11-02 00:27 143,360 --a------ c:\windows\system32\Media.ocx
2008-11-28 21:18 . 2004-11-08 19:56 76,288 --a------ c:\windows\system32\OneWaySerial.dll
2008-11-28 21:18 . 2003-04-19 22:28 73,728 --a------ c:\windows\system32\vumeter.ax
2008-11-28 21:18 . 2003-12-12 16:41 53,248 --a------ c:\windows\system32\ciaXPRegSvr20.dll
2008-11-26 17:18 . 2008-11-26 17:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\vsosdk
2008-11-26 17:04 . 2008-11-26 17:04 34 --a------ c:\windows\DVDFab.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-26 21:03 --------- d-----w c:\program files\Steam
2008-12-22 19:35 --------- d-----w c:\program files\Diskeeper Corporation
2008-12-20 21:55 --------- d-----w c:\program files\PeerGuardian2
2008-12-20 21:51 --------- d-----w c:\program files\BitTornado
2008-12-20 20:28 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-19 22:23 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-03 16:56 --------- d-----w c:\program files\DVDFab 5
2008-12-03 16:56 --------- d-----w c:\documents and settings\User\Application Data\Vso
2008-12-03 16:45 --------- d-----w c:\program files\Java
2008-11-21 19:47 354,560 ----a-w c:\windows\system32\TuneUpDefragService.exe
2008-11-21 19:47 --------- d-----w c:\program files\TuneUp Utilities 2008
2008-11-21 18:09 --------- d-----w c:\program files\AGEIA Technologies
2008-11-15 21:17 --------- d-----w c:\program files\MWSnap
2008-11-12 14:54 453,152 ----a-w c:\windows\system32\nvudisp.exe
2008-11-12 13:45 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-11-10 05:43 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-11-08 22:08 164 ----a-w C:\install.dat
2008-11-07 23:07 --------- d-----w c:\documents and settings\User\Application Data\SystemRequirementsLab
2008-11-06 16:56 --------- d-----w c:\program files\Windows Desktop Search
2008-11-05 20:01 --------- d-----w c:\program files\UDPixel
2008-11-05 18:19 --------- d-----w c:\program files\Microsoft ActiveSync
2008-11-05 18:18 --------- d-----w c:\program files\Microsoft.NET
2008-11-04 18:21 --------- d-----w c:\program files\vixy.net
2008-11-03 18:17 --------- d-----w c:\program files\SystemRequirementsLab
2008-10-29 16:21 --------- d-----w c:\program files\Common Files\Adobe
2008-10-29 16:21 --------- d-----w c:\documents and settings\User\Application Data\InterTrust
2008-10-27 09:45 --------- d-----w c:\program files\Realtek
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-14 17:34 47,360 ----a-w c:\documents and settings\User\Application Data\pcouffin.sys
2008-10-13 09:56 70,936 ----a-w c:\windows\system32\PhysXLoader.dll
2008-10-07 09:13 58,648 ----a-w c:\windows\system32\AgCPanelTraditionalChinese.dll
2008-10-07 09:13 58,648 ----a-w c:\windows\system32\AgCPanelSwedish.dll
2008-10-07 09:13 58,648 ----a-w c:\windows\system32\AgCPanelSpanish.dll
2008-10-07 09:13 58,648 ----a-w c:\windows\system32\AgCPanelSimplifiedChinese.dll
2008-10-07 09:13 58,648 ----a-w c:\windows\system32\AgCPanelPortugese.dll
2008-10-07 09:13 58,648 ----a-w c:\windows\system32\AgCPanelKorean.dll
2008-10-07 09:13 58,648 ----a-w c:\windows\system32\AgCPanelJapanese.dll
2008-10-07 09:13 58,648 ----a-w c:\windows\system32\AgCPanelGerman.dll
2008-10-07 09:13 58,648 ----a-w c:\windows\system32\AgCPanelFrench.dll
2008-10-07 09:13 288,024 ----a-w c:\windows\system32\PhysXCplUI.exe
2008-10-07 09:13 288,024 ----a-w c:\windows\system32\PhysXCompatCplUI.exe
2008-10-07 09:13 23,320 ----a-w c:\windows\system32\PhysXDevice.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"Kernel and Hardware Abstraction Layer"="c:\windows\KHALMNPR.EXE" [2007-07-17 55824]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 570664]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"RTHDCPL"="c:\windows\RTHDCPL.EXE" [2006-10-30 16269312]
"SkyTel"="c:\windows\SkyTel.EXE" [2006-05-16 2879488]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"nwiz"="c:\windows\system32\nwiz.exe" [2008-10-07 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 221184]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-08-14 5418864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 c:\windows\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\senekalight]
@="service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Alwil Software\\Avast4\\ashAvast.exe"=
"c:\\Program Files\\Steam\\steamapps\\alphamoon@blueyonder.co.uk\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2008-08-09 29808]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-18 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-04-18 20560]
S2 senekalight;senekalight;c:\windows\system32\svchost.exe -k netsvcs [2008-04-14 14336]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l151x86.sys [2008-10-10 36864]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
senekalight
.
- - - - ORPHANS REMOVED - - - -

Notify-iifeEvsQ - iifeEvsQ.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.virginmedia.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\sysreqlab3.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.nvidia.com/content/DriverDow ... eqlab3.cab
c:\windows\Downloaded Program Files\SysReqLab3.osd
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\cyr6jn45.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.virginmedia.com/
FF - component: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\cyr6jn45.default\extensions\{7E7165E2-0767-448c-852F-5FA8714F2C37}\components\PlainOldFavorites.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
FF - user.js: nglayout.initialpaint.delay - 600
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-26 22:16:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-12-26 22:21:22 - machine was rebooted [User]
ComboFix-quarantined-files.txt 2008-12-26 22:21:11

Pre-Run: 477,714,231,296 bytes free
Post-Run: 477,593,309,184 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

232 --- E O F --- 2008-12-18 19:37:59



Malwarebytes' Anti-Malware 1.31
Database version: 1550
Windows 5.1.2600 Service Pack 3

26/12/2008 22:26:54
mbam-log-2008-12-26 (22-26-54).txt

Scan type: Quick Scan
Objects scanned: 47506
Time elapsed: 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\extravideo (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




Logfile of HijackThis v1.99.1
Scan saved at 22:22:16, on 26/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] "C:\WINDOWS\KHALMNPR.EXE"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [RTHDCPL] "C:\WINDOWS\RTHDCPL.EXE"
O4 - HKLM\..\Run: [SkyTel] "C:\WINDOWS\SkyTel.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab3.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDow ... rtScan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe





Hi again, Malwarebytes did pick something up so I followed what was said in the first lot of instructions and clicked on remove. I'll not be able to check this post again till tomorrow late afternoon, once again tnx

phil



 Post subject: Re: need some advice and some help tnx
PostPosted: Fri Dec 26, 2008 4:19 pm 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15966
Location: PHX, AZ
OK, just a few more to snag and we'll be done.

Please open Notepad then copy & paste all the following text located inside the code box.
Code:
File::
c:\windows\system32\teynncna.exe
c:\windows\system32\jdothial.exe
c:\windows\system32\Oongah9m.exe
c:\windows\A7E07C2B2220441587E3784D5814BC93.TMP

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe
Drag the .txt file into combofix.exe as displayed in this .gif image:
Image
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Once CF has done its thing, rescan with HJT and fix the following if present:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157


Reboot, run another scan with HJT and if the lines above are no longer displayed in the resultant scan, then there is no need to post another HJT log.

 Post subject: Re: need some advice and some help tnx
PostPosted: Sat Dec 27, 2008 9:49 am 

Joined: Wed Dec 24, 2008 3:31 pm
Posts: 8
Hello again, I think I've followed your instructions; everything on the PC seems to work now.

Logfile of HijackThis v1.99.1
Scan saved at 16:41:30, on 27/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] "C:\WINDOWS\KHALMNPR.EXE"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [RTHDCPL] "C:\WINDOWS\RTHDCPL.EXE"
O4 - HKLM\..\Run: [SkyTel] "C:\WINDOWS\SkyTel.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab3.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDow ... rtScan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


Hopefully everything is cleared now, I can only think of one word: "wow". You lot are truly amazing.
phil



 Post subject: Re: need some advice and some help tnx
PostPosted: Sat Dec 27, 2008 10:13 am 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15966
Location: PHX, AZ
OK, that log looks good Philip, but I need the latest combofix.txt log as well to assure those files were in fact removed, thanks.

 Post subject: Re: need some advice and some help tnx
PostPosted: Sat Dec 27, 2008 10:22 am 

Joined: Wed Dec 24, 2008 3:31 pm
Posts: 8
ComboFix 08-12-26.02 - User 2008-12-27 16:19:37.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2890 [GMT 0:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 081226-0] *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\A7E07C2B2220441587E3784D5814BC93.TMP
c:\windows\system32\jdothial.exe
c:\windows\system32\Oongah9m.exe
c:\windows\system32\teynncna.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\jdothial.exe
c:\windows\system32\Oongah9m.exe
c:\windows\system32\teynncna.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-27 to 2008-12-27 )))))))))))))))))))))))))))))))
.

2008-12-27 16:05 . 2008-12-27 16:05 <DIR> d--hs---- C:\found.000
2008-12-26 20:10 . 2008-12-26 20:10 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-26 20:10 . 2008-12-26 20:10 <DIR> d-------- c:\documents and settings\User\Application Data\Malwarebytes
2008-12-26 20:10 . 2008-12-26 20:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-26 20:10 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-26 20:10 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-19 22:23 . 2008-12-19 22:23 <DIR> d-------- c:\windows\nview
2008-12-19 22:23 . 2008-12-19 22:23 <DIR> d-------- c:\windows\A7E07C2B2220441587E3784D5814BC93.TMP
2008-12-19 22:23 . 2008-12-27 16:08 200,819 --a------ c:\windows\system32\nvapps.xml
2008-12-19 22:23 . 2008-10-07 13:33 18,477 --a------ c:\windows\system32\nvdisp.nvu
2008-11-28 21:19 . 2004-11-23 17:35 536,576 --a------ c:\windows\system32\ciaXPTab30.ocx
2008-11-28 21:19 . 2004-11-23 17:01 299,008 --a------ c:\windows\system32\ciaXPCombo30.ocx
2008-11-28 21:19 . 2004-11-23 17:33 221,184 --a------ c:\windows\system32\ciaXPSpin30.ocx
2008-11-28 21:19 . 2004-11-23 17:17 212,992 --a------ c:\windows\system32\ciaXPSelection30.ocx
2008-11-28 21:19 . 2004-11-23 16:59 184,320 --a------ c:\windows\system32\ciaXPButton30.ocx
2008-11-28 21:19 . 2004-11-23 17:36 172,032 --a------ c:\windows\system32\ciaXPText30.ocx
2008-11-28 21:19 . 2004-11-23 17:13 139,264 --a------ c:\windows\system32\ciaXPProgress30.ocx
2008-11-28 21:19 . 2004-11-23 17:03 126,976 --a------ c:\windows\system32\ciaXPFrame30.ocx
2008-11-28 21:19 . 2004-12-24 14:48 87,552 --a------ c:\windows\system32\OneWay.dll
2008-11-28 21:18 . 2004-08-12 15:56 926,904 --a------ c:\windows\system32\TList7.ocx
2008-11-28 21:18 . 2004-07-09 23:47 729,088 --a------ c:\windows\system32\wodSmtp.dll
2008-11-28 21:18 . 2003-12-14 15:47 692,224 --a------ c:\windows\system32\ciaResSvr20.dll
2008-11-28 21:18 . 2005-11-14 10:11 434,176 --a------ c:\windows\system32\SetupBuilderX.ocx
2008-11-28 21:18 . 2005-08-22 13:13 397,312 --a------ c:\windows\system32\fathzip.dll
2008-11-28 21:18 . 2004-11-19 01:45 200,704 --a------ c:\windows\system32\ciaSCls20.dll
2008-11-28 21:18 . 2002-11-02 00:27 143,360 --a------ c:\windows\system32\Media.ocx
2008-11-28 21:18 . 2004-11-08 19:56 76,288 --a------ c:\windows\system32\OneWaySerial.dll
2008-11-28 21:18 . 2003-04-19 22:28 73,728 --a------ c:\windows\system32\vumeter.ax
2008-11-28 21:18 . 2003-12-12 16:41 53,248 --a------ c:\windows\system32\ciaXPRegSvr20.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-27 00:12 --------- d-----w c:\program files\Steam
2008-12-26 22:46 --------- d-----w c:\program files\Diskeeper Corporation
2008-12-20 21:55 --------- d-----w c:\program files\PeerGuardian2
2008-12-20 21:51 --------- d-----w c:\program files\BitTornado
2008-12-20 20:28 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-19 22:23 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-03 16:56 --------- d-----w c:\program files\DVDFab 5
2008-12-03 16:56 --------- d-----w c:\documents and settings\User\Application Data\Vso
2008-12-03 16:45 --------- d-----w c:\program files\Java
2008-11-26 17:18 --------- d-----w c:\documents and settings\All Users\Application Data\vsosdk
2008-11-21 19:47 354,560 ----a-w c:\windows\system32\TuneUpDefragService.exe
2008-11-21 19:47 --------- d-----w c:\program files\TuneUp Utilities 2008
2008-11-21 18:09 --------- d-----w c:\program files\AGEIA Technologies
2008-11-15 21:17 --------- d-----w c:\program files\MWSnap
2008-11-12 14:54 453,152 ----a-w c:\windows\system32\nvudisp.exe
2008-11-12 13:45 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-11-10 05:43 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-11-08 22:08 164 ----a-w C:\install.dat
2008-11-07 23:07 --------- d-----w c:\documents and settings\User\Application Data\SystemRequirementsLab
2008-11-06 16:56 --------- d-----w c:\program files\Windows Desktop Search
2008-11-05 20:01 --------- d-----w c:\program files\UDPixel
2008-11-05 18:19 --------- d-----w c:\program files\Microsoft ActiveSync
2008-11-05 18:18 --------- d-----w c:\program files\Microsoft.NET
2008-11-04 18:21 --------- d-----w c:\program files\vixy.net
2008-11-03 18:17 --------- d-----w c:\program files\SystemRequirementsLab
2008-10-29 16:21 --------- d-----w c:\program files\Common Files\Adobe
2008-10-29 16:21 --------- d-----w c:\documents and settings\User\Application Data\InterTrust
2008-10-27 09:45 --------- d-----w c:\program files\Realtek
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-14 17:34 47,360 ----a-w c:\documents and settings\User\Application Data\pcouffin.sys
2008-10-13 09:56 70,936 ----a-w c:\windows\system32\PhysXLoader.dll
2008-10-07 09:13 58,648 ----a-w c:\windows\system32\AgCPanelTraditionalChinese.dll
2008-10-07 09:13 58,648 ----a-w c:\windows\system32\AgCPanelSwedish.dll
2008-10-07 09:13 58,648 ----a-w c:\windows\system32\AgCPanelSpanish.dll
2008-10-07 09:13 58,648 ----a-w c:\windows\system32\AgCPanelSimplifiedChinese.dll
2008-10-07 09:13 58,648 ----a-w c:\windows\system32\AgCPanelPortugese.dll
2008-10-07 09:13 58,648 ----a-w c:\windows\system32\AgCPanelKorean.dll
2008-10-07 09:13 58,648 ----a-w c:\windows\system32\AgCPanelJapanese.dll
2008-10-07 09:13 58,648 ----a-w c:\windows\system32\AgCPanelGerman.dll
2008-10-07 09:13 58,648 ----a-w c:\windows\system32\AgCPanelFrench.dll
2008-10-07 09:13 288,024 ----a-w c:\windows\system32\PhysXCplUI.exe
2008-10-07 09:13 288,024 ----a-w c:\windows\system32\PhysXCompatCplUI.exe
2008-10-07 09:13 23,320 ----a-w c:\windows\system32\PhysXDevice.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-26_22.18.02.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-27 16:08:23 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_340.dat
+ 2008-12-27 16:08:08 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_584.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"Kernel and Hardware Abstraction Layer"="c:\windows\KHALMNPR.EXE" [2007-07-17 55824]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 570664]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"RTHDCPL"="c:\windows\RTHDCPL.EXE" [2006-10-30 16269312]
"SkyTel"="c:\windows\SkyTel.EXE" [2006-05-16 2879488]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"nwiz"="c:\windows\system32\nwiz.exe" [2008-10-07 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-08-14 5418864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 c:\windows\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\senekalight]
@="service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Alwil Software\\Avast4\\ashAvast.exe"=
"c:\\Program Files\\Steam\\steamapps\\alphamoon@blueyonder.co.uk\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2008-08-09 29808]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-18 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-04-18 20560]
S2 senekalight;senekalight;c:\windows\system32\svchost.exe -k netsvcs [2008-04-14 14336]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l151x86.sys [2008-10-10 36864]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
senekalight
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.virginmedia.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\sysreqlab3.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.nvidia.com/content/DriverDow ... eqlab3.cab
c:\windows\Downloaded Program Files\SysReqLab3.osd
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\cyr6jn45.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.virginmedia.com/
FF - component: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\cyr6jn45.default\extensions\{7E7165E2-0767-448c-852F-5FA8714F2C37}\components\PlainOldFavorites.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
FF - user.js: nglayout.initialpaint.delay - 600
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-27 16:29:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-27 16:34:51
ComboFix-quarantined-files.txt 2008-12-27 16:34:42
ComboFix2.txt 2008-12-26 22:21:31

Pre-Run: 477,545,521,152 bytes free
Post-Run: 477,528,584,192 bytes free

196 --- E O F --- 2008-12-18 19:37:59
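The "Reg Loading Points" part of a ComboFix log like the one above (Run keys, SafeBoot\Minimal keys, R/S service lines and the NetSvcs group) is easier to review once it is in structured form. The following Python is an added example written for this page; it is not ComboFix's own code or anything posted in this thread. The sample text embedded in it is a short excerpt copied from the log above, and the field layout it assumes is the one visible in those lines. Besides parsing, it cross-checks which names appear in the NetSvcs list, as a service line of their own and as a SafeBoot\Minimal key, and lists services whose image path is svchost.exe, since for those the actual code lives in a ServiceDll that a log line like this does not show.

```python
import re
from typing import Dict, List

# Short excerpt copied from the ComboFix log posted above, used here as sample input.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-08-14 5418864]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\senekalight]
@="service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2008-08-09 29808]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-18 111184]
S2 senekalight;senekalight;c:\windows\system32\svchost.exe -k netsvcs [2008-04-14 14336]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l151x86.sys [2008-10-10 36864]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
senekalight
.
"""

# "Name"="path" [YYYY-MM-DD size]   (Run / RunOnce values)
RUN_ENTRY = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)" \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$'
)
# R0 name;display name;image path [YYYY-MM-DD size]   (driver/service lines)
SERVICE_LINE = re.compile(
    r'^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) '
    r'\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$'
)
REG_KEY = re.compile(r'^\[(?P<key>HK[^\]]+)\]$')
SAFEBOOT_KEY = re.compile(
    r'^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\(?P<name>.+)$'
)
NETSVCS_HEADER = "Svchost - NetSvcs"


def parse_loading_points(text: str) -> Dict[str, list]:
    """Turn the 'Reg Loading Points' lines into four lists: run, services, safeboot, netsvcs."""
    result: Dict[str, list] = {"run": [], "services": [], "safeboot": [], "netsvcs": []}
    current_key = None
    in_netsvcs = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_netsvcs:  # group members follow the header one per line until "." or a blank
            if line in ("", "."):
                in_netsvcs = False
            else:
                result["netsvcs"].append(line)
            continue
        if line.endswith(NETSVCS_HEADER):
            in_netsvcs = True
            continue
        key = REG_KEY.match(line)
        if key:
            current_key = key.group("key")
            safeboot = SAFEBOOT_KEY.match(current_key)
            if safeboot:  # a SafeBoot\Minimal subkey names something allowed to load in Safe Mode
                result["safeboot"].append(safeboot.group("name"))
            continue
        run = RUN_ENTRY.match(line)
        if run and current_key:
            entry = run.groupdict()
            entry["key"] = current_key
            entry["size"] = int(entry["size"])
            result["run"].append(entry)
            continue
        service = SERVICE_LINE.match(line)
        if service:
            entry = service.groupdict()
            entry["size"] = int(entry["size"])
            result["services"].append(entry)
    return result


def names_in_all_three(parsed: Dict[str, list]) -> List[str]:
    """Names that are a NetSvcs member, have their own service line and a SafeBoot\\Minimal key."""
    service_names = {s["name"] for s in parsed["services"]}
    safeboot = set(parsed["safeboot"])
    return sorted(n for n in parsed["netsvcs"] if n in service_names and n in safeboot)


def svchost_hosted(parsed: Dict[str, list]) -> List[str]:
    """Services whose image is svchost.exe; their code is a ServiceDll not shown on the log line."""
    return [s["name"] for s in parsed["services"] if "svchost.exe -k" in s["path"].lower()]


if __name__ == "__main__":
    parsed = parse_loading_points(SAMPLE_LOG)
    for section, items in parsed.items():
        print(f"{section}: {len(items)} entries")
    print("in NetSvcs + service line + SafeBoot key:", names_in_all_three(parsed))
    print("hosted in svchost.exe:", svchost_hosted(parsed))
```

Lines the parser does not recognise (the `@="service"` defaults, RunOnce values whose bracket holds a path instead of a size) are simply skipped, so the script can be pointed at a whole log without further preparation.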



 Post subject: Re: need some advice and some help tnx
PostPosted: Sat Dec 27, 2008 1:20 pm 
Offline
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15966
Location: PHX, AZ
Ok, Philip, looks like that log is clear, how's the machine performing now? Let me know of any more issues we need to tackle.

 Post subject: Re: need some advice and some help tnx
PostPosted: Sat Dec 27, 2008 2:17 pm 
Offline

Joined: Wed Dec 24, 2008 3:31 pm
Posts: 8
Hello again, everything seems to be working fine as far as I can tell; it seems to be working like when I first had it built, i.e. not behaving in a peculiar or funny way. Once again thanks, I'll not hesitate to recommend this site in certain DOD Source forums I sometimes frequent or to any friends that are having trouble with their machines. I'll also keep coming back here every week or two to keep myself informed of any latest threats etc. 1wnnr



phil



 Post subject: Re: need some advice and some help tnx
PostPosted: Sat Dec 27, 2008 3:04 pm 
Offline
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15966
Location: PHX, AZ
philip wrote:
Hello again, everything seems to be working fine as far as I can tell; it seems to be working like when I first had it built, i.e. not behaving in a peculiar or funny way. Once again thanks, I'll not hesitate to recommend this site in certain DOD Source forums I sometimes frequent or to any friends that are having trouble with their machines. I'll also keep coming back here every week or two to keep myself informed of any latest threats etc. 1wnnr
phil
Glad we could be of assistance.

Guess it's time we cleaned up some of the tools we used and then our recommendations to remain malware free.

Time to uninstall ComboFix; it is not a tool for everyday use, and it should never be used without specific instructions from a trained analyst.
Go to Start > Run and copy and paste the next command into the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Be sure your Java is up to date, many infections use exploits of unpatched systems.
  • Go to Start > Control Panel double-click on the Software icon > add/remove programs.
  • Search in the list for all previously installed versions of Java. (J2SE Runtime Environment.... )
  • Select it and click Remove.
  • Then Download and install the newest version from here
Now that you have regained control of your machine, let's keep it clean. The apps listed below are the ones we recommend. They will help prevent further infections and can be trusted to work well on all systems.
SpywareBlaster will prevent known ActiveX installs, by setting killbits into the registry.
With SpywareBlaster, just DL, check for updates, enable all protection and you're done.

And either of the two following hosts file databases will keep an even stronger layer of defense. The latter contains more sites as they tend to include domains\IPs which are involved in even the slightest way with malware distribution or sites involved in any other sort of salacious activities. Basically, lie with dogs, get fleas type of thing.

To manage your hosts file we recommend using HostsXpert. With this tool, you can download the latest updates, merge them with another hosts file, edit entries and much more. It's freeware and works very well on all systems.

And to prevent unknown applications from being installed on your machine install WinPatrol 2008 v15. WinPatrol is also great at controlling which applications start with Windows. It's even got a nifty 'delay' feature.

Another thing I would suggest is to install SiteAdvisor or SiteHound. Each provides similar protection, though SiteAdvisor also rates sites on business practices and spam. SiteHound will offer some content advice as well as security alerts on known rogue sites.

Confused about which apps are good or not? Read about anti-spyware apps pretending to be just that, but which are in fact apps that will infect you. For the latest software rated as such, check out this page.

And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
Calendar of Updates

Happy surfing!!
Tom :D

As your infection removal here in this forum has been completed, we hope you take the time to look around and get involved in some of the other forums. The forums grow and become even more helpful with input from all of our members. We can all help everyone together as a community.

And if we've helped you out and you'd like to contribute to the costs of maintaining the site, please use the PayPal button as displayed at the top of the page.

This is 100% optional, as all our help to you has always been free and will continue to be free forever.

****This topic has been successfully resolved and is now locked. If the original user needs to have this thread re-opened please PM me

Any other users with similar problems please use the 'New Topic' button to begin a new thread.****

Tom\TeMerc
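On the hosts-file advice in the post above: merging a downloaded block list into an existing hosts file comes down to parsing both files, de-duplicating hostnames, and making sure every entry actually blocks (maps the name to 127.0.0.1 or 0.0.0.0) rather than redirects it somewhere else, which is the one kind of hosts entry that should never be accepted from a list. The Python below is an added example written for this page; it is not HostsXpert or any tool mentioned in the thread. The two embedded hosts files, their .test hostnames and the 203.0.113.9 address (a documentation range) are constructed sample data.

```python
import ipaddress
from typing import Dict, List, Tuple

# Addresses a block list is expected to use: each one sends the lookup nowhere.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample files. The .test hostnames and 203.0.113.9 are placeholders,
# not entries from any real list.
EXISTING_HOSTS = """# current hosts file: Windows default plus two block-list entries
127.0.0.1 localhost
127.0.0.1 ads.example-blocked.test    # from list A
0.0.0.0   tracker.example-blocked.test
"""

UPDATE_HOSTS = """# freshly downloaded list to merge in
127.0.0.1 ads.example-blocked.test
127.0.0.1 malware.example-blocked.test
0.0.0.0   another.example-blocked.test
203.0.113.9 www.example-av-vendor.test   # a redirect, not a block
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs; comments and malformed lines are skipped."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        address, *names = line.split()
        try:
            ipaddress.ip_address(address)  # reject lines whose first field is not an IP
        except ValueError:
            continue
        for name in names:  # one line may list several hostnames for the same address
            entries.append((address, name.lower()))
    return entries


def merge_hosts(existing: str, update: str) -> Tuple[Dict[str, str], List[str]]:
    """Merge two hosts files by hostname.

    The existing file wins on duplicates. An entry that maps a hostname to any
    address other than a sinkhole is a redirect, not a block, so it is dropped
    and reported instead of being written into the system's hosts file.
    """
    merged: Dict[str, str] = {}
    warnings: List[str] = []
    for address, name in parse_hosts(existing) + parse_hosts(update):
        if address not in SINKHOLE_ADDRESSES:
            warnings.append(f"{name} -> {address}: redirect, not a block; dropped")
            continue
        merged.setdefault(name, address)  # first definition wins
    return merged, warnings


def render_hosts(merged: Dict[str, str]) -> str:
    """Write the merged map back out in hosts-file syntax, localhost first."""
    lines = ["# merged hosts file (example output)"]
    for name in sorted(merged, key=lambda n: (n != "localhost", n)):
        lines.append(f"{merged[name]} {name}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    result, problems = merge_hosts(EXISTING_HOSTS, UPDATE_HOSTS)
    print(render_hosts(result))
    for problem in problems:
        print("WARNING:", problem)
```

Letting the existing file win on duplicates keeps any deliberate local entries intact, and the warnings list is what an operator would review before replacing the live file.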
