Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

popus, Trojans, Winantiviruspro ect ... [CLOSED]


  • This topic is locked This topic is locked

#1
boz_worth

boz_worth

    New Member

  • Member
  • Pip
  • 8 posts
It's bad enough I can only get dial-up where I live, now I have a spyware/virus mess. Can someone guide me through cleaning this up. I've tried and tried with no luck. I have downloaded the "tools" ...

AVG
Stinger
Ad-Aware
Spybot
cwshredder
ewido
hjt
combofix

next steps please.

Thanks so much.
  • 0

Advertisements


#2
Jag11

Jag11

    Visiting Staff

  • Member
  • PipPipPipPipPip
  • 2,210 posts
Can you a Hijackthis log?
  • 0

#3
boz_worth

boz_worth

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Logfile of HijackThis v1.99.1
Scan saved at 09:26, on 10/2/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\PV92Tray.exe
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\System32\VTtrayp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\svchosts.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Boucher\Desktop\foo.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B87EF34F-FDE4-4276-86B3-4A36A309182F} - C:\WINDOWS\System32\jkhhf.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SVC Hosts] svchosts.exe
O4 - HKLM\..\RunServices: [SVC Hosts] svchosts.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SVC Hosts] svchosts.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{81777235-5DD4-46A9-81CE-CB2F933C1642}: NameServer = 209.244.0.3 209.244.0.4
O20 - Winlogon Notify: jkhhf - C:\WINDOWS\System32\jkhhf.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
  • 0

#4
Jag11

Jag11

    Visiting Staff

  • Member
  • PipPipPipPipPip
  • 2,210 posts
Sorry I meant post a new Hijackthis log in my previous post.

Well, looks like you got Vundo/Winantivirus there, let's fix it.

Please open HijackThis, click Do a system scan only, and then place a checkmark beside each of these entries:

O4 - HKLM\..\Run: [SVC Hosts] svchosts.exe
O4 - HKLM\..\RunServices: [SVC Hosts] svchosts.exe
O4 - HKCU\..\Run: [SVC Hosts] svchosts.exe

After placing all the checkmarks, close all windows (except HJT), and then hit Fix Checked. When it finishes, exit HJT.

=====================================


Show Hidden Files and Folders

Click Start » My Computer » Tools » Folder Options. Select the View tab.
  • Check - Show hidden files and folders
  • Uncheck - Hide file extensions for known types
  • Uncheck - Hide protected operating system files
Click Yes to confirm, then OK to exit.

=====================================

Reboot into Safe Mode
  • Restart your computer.
  • Before the Windows logo appear, tap F8 repeatedly.
  • A menu should appear, select Safe Mode from the menu using your arrow keys and then hit Enter on your keyboard.
  • This will take a while than usual, so just wait.
=====================================

Locate and delete the following file(s), if present : C:\WINDOWS\System32\svchosts.exe
=====================================


Restart your computer.


Please download VundoFix.exe to your Desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • It will make a log in C:\vundofix.txt, please include that in your next reply along with a new Hijackthis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
  • 0

#5
boz_worth

boz_worth

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Vundofix.txt


VundoFix V6.1.5

Checking Java version...

Sun Java not detected
Scan started at 10:36:48 AM 9/16/2006

Listing files found while scanning....

C:\WINDOWS\system32\ddayv.dll
C:\WINDOWS\system32\vyadd.ini
C:\WINDOWS\system32\vyadd.bak2
C:\WINDOWS\system32\tuvuvvs.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddayv.dll
C:\WINDOWS\system32\ddayv.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\vyadd.ini
C:\WINDOWS\system32\vyadd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\vyadd.bak2
C:\WINDOWS\system32\vyadd.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\tuvuvvs.dll
C:\WINDOWS\system32\tuvuvvs.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.5

Checking Java version...

Sun Java not detected
Scan started at 10:42:45 AM 9/16/2006

Listing files found while scanning....

C:\WINDOWS\system32\ddayv.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddayv.dll
C:\WINDOWS\system32\ddayv.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.5

Checking Java version...

Sun Java not detected
Scan started at 4:50:35 PM 9/20/2006

Listing files found while scanning....

C:\WINDOWS\system32\hggecba.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\hggecba.dll
C:\WINDOWS\system32\hggecba.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.1.5

Checking Java version...

Sun Java not detected
Scan started at 4:54:19 PM 9/20/2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.1.5

Checking Java version...

Sun Java not detected
Scan started at 5:18:31 PM 9/20/2006

Listing files found while scanning....

C:\WINDOWS\system32\efcabca.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\efcabca.dll
C:\WINDOWS\system32\efcabca.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.1.5

Checking Java version...

Sun Java not detected
Scan started at 5:32:42 PM 9/20/2006

Listing files found while scanning....

C:\WINDOWS\system32\opnnnom.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\opnnnom.dll
C:\WINDOWS\system32\opnnnom.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.1.5

Checking Java version...

Sun Java not detected
Scan started at 6:38:54 PM 9/20/2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.1.5

Checking Java version...

Sun Java not detected
Scan started at 9:58:53 AM 9/21/2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.1.5

Checking Java version...

Sun Java not detected
Scan started at 5:14:53 AM 10/1/2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.1.5

Checking Java version...

Sun Java not detected
Scan started at 06:54:17 10/1/2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.1.5

Checking Java version...

Sun Java not detected
Scan started at 07:27:09 10/2/2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.1.5

Checking Java version...

Sun Java not detected
Scan started at 15:36:06 10/2/2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.1.5

Checking Java version...

Sun Java not detected
Scan started at 14:20:53 10/3/2006

Listing files found while scanning....

No infected files were found.
  • 0

#6
boz_worth

boz_worth

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
HJT log ...

Logfile of HijackThis v1.99.1
Scan saved at 14:39, on 10/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\PV92Tray.exe
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\System32\VTtrayp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Boucher\Desktop\foo.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{81777235-5DD4-46A9-81CE-CB2F933C1642}: NameServer = 209.244.0.3 209.244.0.4
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
  • 0

#7
boz_worth

boz_worth

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
combofix.txt ...
Boucher - 06-10-03 14:41:05.85 Service Pack 1
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Boucher\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-03 to 2006-10-03 ))))))))))))))))))))))))))))))))))


2006-09-13 22:07 776,096 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-09-13 22:07 4,992 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-09-13 22:07 4,288 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-09-13 22:07 27,776 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-09-13 22:07 23,424 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys
2006-09-13 22:05 17,008,160 --a------ C:\avg71free_394a752.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-03 01:56 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-03 01:56 -------- d-------- C:\Documents and Settings\Boucher\Application Data\Mozilla
2006-09-26 19:13 -------- d-------- C:\Program Files\ewido anti-malware
2006-09-22 16:09 -------- d-------- C:\Documents and Settings\Boucher\Application Data\AdobeUM
2006-09-20 19:02 -------- d--h----- C:\Program Files\WindowsUpdate
2006-09-20 19:02 -------- d-------- C:\Program Files\Common Files
2006-09-16 11:22 -------- d-------- C:\Documents and Settings\Boucher\Application Data\Adobe
2006-09-16 11:16 -------- d-------- C:\Program Files\Common Files\Adobe
2006-09-16 11:16 -------- d-------- C:\Program Files\Adobe
2006-09-13 22:07 -------- d-------- C:\Program Files\Grisoft
2006-09-13 22:07 -------- d-------- C:\Documents and Settings\Boucher\Application Data\AVG7
2006-09-12 14:51 -------- d-------- C:\Program Files\PTC
2006-09-11 21:30 -------- d-------- C:\Documents and Settings\Boucher\Application Data\U3
2006-09-09 12:38 -------- d-------- C:\Program Files\Messenger
2006-09-05 22:52 -------- d-------- C:\Program Files\Windows Media Player
2006-09-05 15:16 -------- d-------- C:\Program Files\iTunes
2006-09-03 22:24 -------- d-------- C:\Documents and Settings\Boucher\Application Data\Lavasoft
2006-08-28 21:05 -------- d-------- C:\Documents and Settings\Boucher\Application Data\Macromedia
2006-08-26 12:11 -------- d-------- C:\Program Files\TaxCut05
2006-08-22 11:06 -------- d---s---- C:\Documents and Settings\Boucher\Application Data\Microsoft
2006-08-12 20:46 -------- d-------- C:\Documents and Settings\Boucher\Application Data\MSN6
2006-07-04 11:56 0 -rahs---- C:\MSDOS.SYS
2006-07-04 11:56 0 -rahs---- C:\IO.SYS
2006-07-04 11:56 0 --a------ C:\CONFIG.SYS
2006-07-04 11:56 0 --a------ C:\AUTOEXEC.BAT
2006-07-04 06:35 62 --ahs---- C:\Documents and Settings\Boucher\Application Data\desktop.ini


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"PCTVOICE"="pctspk.exe"
"PV92TRAY"="PV92Tray.exe"
"VTTimer"="VTTimer.exe"
"VTTrayp"="VTtrayp.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IRC Client"="updated.exe"
"SVC Hosts"="svchosts.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IRC Client"="updated.exe"
"SVC Hosts"="svchosts.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dfndrff_e"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Microsoft Windows Logon Process]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winlogon"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Microsoft Windows Session Manager Subsystem]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="smss"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\smss.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\newname]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwnmff_18"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SVC Hosts]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="svchosts"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\WinSysModule]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dsrss"
"hkey"="HKLM"
"command"="dsrss.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"NetDDEsrv"=dword:00000002
"Windows Languages Service"=dword:00000003
"Windows Language Service"=dword:00000003
"Windows Spooler Service"=dword:00000003
"AVGEMS"=dword:00000003
"msidll"=dword:00000002
"WINLOGON"=dword:00000002


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\NetDDEsrv

Completion time: Tue 10/03/2006 14:41:22.17
ComboFix.txt
ComboFix2.txt
ComboFix3.txt
  • 0

#8
boz_worth

boz_worth

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Jag11,

I did the tasks you asked ...

I added the combofix.txt for kicks. One thing that concerns me are the entries in the HKEY_LOCAL_MACHINE\SOFTWARE area ... Should these be in there?

It seems when I boot up the systems pauses, cursor blinks in the upper left hand corner for a second or two, after the hardwre is detected. (when I would press F8 for safe mode). I didn't use to do that.

Thanks for all of your help.

Next steps??

Later,

Boz
  • 0

#9
Jag11

Jag11

    Visiting Staff

  • Member
  • PipPipPipPipPip
  • 2,210 posts

One thing that concerns me are the entries in the HKEY_LOCAL_MACHINE\SOFTWARE area ... Should these be in there?

Yes, they're part of your registry.

It seems when I boot up the systems pauses, cursor blinks in the upper left hand corner for a second or two, after the hardwre is detected. (when I would press F8 for safe mode). I didn't use to do that.

What do you mean? There's no cursor when booting up (I mean the black screen at boot).

Question:
Do you know this software/program (or are you the one who installed it)?

C:\Program Files\WindowsUpdate

Open the folder and see if you recognize the files.

==

Ok next:


1. Download combofix.exe from one of these locations -

http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. Click Start » Run - then copy/paste this into the run box & click OK :

"%userprofile%\desktop\combofix.exe" /v hggecba efcabca opnnnom

3. When finished, it shall produce a log for you. Post that log in your next reply.

NOTE : Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  • 0

#10
boz_worth

boz_worth

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

Yes, they're part of your registry.


I know they are part of my registry, but wondering about what to being called/loaded (in the item or command entries). I could be talking out of my arse, let me know.

I also get files dropped on by c:\windows\System32 folder ...

Filename is: i
Filesize is : 1kb
Type: File

Filename is: Setup_60623.exe (i think the digits change)
filesize: 64kb
type: Application

Filename is: TFTP1040.exe (i think the digits change)
filesize: 14kb
type: Application


Filename is: .exe
filesize: ??
type: Application



what a mess - below is per your request....

Thanks,

Boz_worh



Boucher - Wed 10/04/2006 11:00:56.01 Service Pack 1
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Boucher\desktop"
Command switches used :: /v hggecba efcabca opnnnom

((((((((((((((((((((((((((((((( Files Created from 2010-03-06 to 2010/04/2006 ))))))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2012/18/2004 08:32 PM 38229 --------- C:\WINDOWS\system32\drivers\StMp3Rec.sys
2012/12/2002 12:14 AM 7424 --a------ C:\WINDOWS\system32\drivers\mskssrv.sys
2012/12/2002 12:14 AM 5504 --a------ C:\WINDOWS\system32\drivers\mstee.sys
2012/12/2002 12:14 AM 5248 --a------ C:\WINDOWS\system32\drivers\mspclock.sys
2012/12/2002 12:14 AM 4096 --a------ C:\WINDOWS\system32\drivers\swenum.sys
2012/12/2002 12:14 AM 130304 --a------ C:\WINDOWS\system32\drivers\ks.sys
2011/19/2004 08:40 AM 10368 --------- C:\WINDOWS\system32\drivers\pfc.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"PV92TRAY"="PV92Tray.exe"
"VTTimer"="VTTimer.exe"
"VTTrayp"="VTtrayp.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IRC Client"="updated.exe"
"SVC Hosts"="svchosts.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IRC Client"="updated.exe"
"SVC Hosts"="svchosts.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dfndrff_e"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Microsoft Windows Logon Process]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winlogon"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Microsoft Windows Session Manager Subsystem]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="smss"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\smss.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\newname]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwnmff_18"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SVC Hosts]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="svchosts"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\WinSysModule]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dsrss"
"hkey"="HKLM"
"command"="dsrss.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"NetDDEsrv"=dword:00000002
"Windows Languages Service"=dword:00000003
"Windows Language Service"=dword:00000003
"Windows Spooler Service"=dword:00000003
"AVGEMS"=dword:00000003
"msidll"=dword:00000002
"WINLOGON"=dword:00000002


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\NetDDEsrv

Completion time: Wed 10/04/2006 11:01:12.01
ComboFix.txt
ComboFix2.txt
ComboFix3.txt
  • 0

#11
Jag11

Jag11

    Visiting Staff

  • Member
  • PipPipPipPipPip
  • 2,210 posts

I also get files dropped on by c:\windows\System32 folder ...

Delete those, I can't find any info about them, so probably they're bad.

I know they are part of my registry, but wondering about what to being called/loaded (in the item or command entries). I could be talking out of my arse, let me know.

Yeah, looks like you have some nasties there.. Have you disabled them with MSCONFIG? If yes, please enable them all (startups) and then post a new Hijackthis log please.
  • 0

#12
boz_worth

boz_worth

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
I boot to safe mode. Clean want I know is wrong. Use all the "utilities" . And crap always comes back.
AVG finds backdoor trojans 2 - 3 times a day.

Thanks




combofix ...

Boucher - 06-10-08 23:03:52.20 Service Pack 1
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Boucher\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-08 to 2006-10-08 ))))))))))))))))))))))))))))))))))


2006-09-13 22:07 776,096 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-09-13 22:07 4,992 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-09-13 22:07 4,288 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-09-13 22:07 27,776 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-09-13 22:07 23,424 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys
2006-09-13 22:05 17,008,160 --a------ C:\avg71free_394a752.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-08 22:57 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-03 01:56 -------- d-------- C:\Documents and Settings\Boucher\Application Data\Mozilla
2006-09-26 19:13 -------- d-------- C:\Program Files\ewido anti-malware
2006-09-22 16:09 -------- d-------- C:\Documents and Settings\Boucher\Application Data\AdobeUM
2006-09-20 19:02 -------- d-------- C:\Program Files\Common Files
2006-09-16 11:22 -------- d-------- C:\Documents and Settings\Boucher\Application Data\Adobe
2006-09-16 11:16 -------- d-------- C:\Program Files\Common Files\Adobe
2006-09-16 11:16 -------- d-------- C:\Program Files\Adobe
2006-09-13 22:07 -------- d-------- C:\Program Files\Grisoft
2006-09-13 22:07 -------- d-------- C:\Documents and Settings\Boucher\Application Data\AVG7
2006-09-12 14:51 -------- d-------- C:\Program Files\PTC
2006-09-11 21:30 -------- d-------- C:\Documents and Settings\Boucher\Application Data\U3
2006-09-09 12:38 -------- d-------- C:\Program Files\Messenger
2006-09-05 22:52 -------- d-------- C:\Program Files\Windows Media Player
2006-09-05 15:16 -------- d-------- C:\Program Files\iTunes
2006-09-03 22:24 -------- d-------- C:\Documents and Settings\Boucher\Application Data\Lavasoft
2006-08-28 21:05 -------- d-------- C:\Documents and Settings\Boucher\Application Data\Macromedia
2006-08-26 12:11 -------- d-------- C:\Program Files\TaxCut05
2006-08-22 11:06 -------- d---s---- C:\Documents and Settings\Boucher\Application Data\Microsoft
2006-08-12 20:46 -------- d-------- C:\Documents and Settings\Boucher\Application Data\MSN6
2006-07-04 06:35 62 --ahs---- C:\Documents and Settings\Boucher\Application Data\desktop.ini


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"PV92TRAY"="PV92Tray.exe"
"VTTimer"="VTTimer.exe"
"VTTrayp"="VTtrayp.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IRC Client"="updated.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IRC Client"="updated.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dfndrff_e"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Microsoft Windows Logon Process]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winlogon"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Microsoft Windows Session Manager Subsystem]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="smss"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\smss.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\newname]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwnmff_18"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SVC Hosts]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="svchosts"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\WinSysModule]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dsrss"
"hkey"="HKLM"
"command"="dsrss.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"NetDDEsrv"=dword:00000002
"Windows Languages Service"=dword:00000003
"Windows Language Service"=dword:00000003
"Windows Spooler Service"=dword:00000003
"AVGEMS"=dword:00000003
"msidll"=dword:00000002
"WINLOGON"=dword:00000002


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\NetDDEsrv

Completion time: Sun 10/08/2006 23:04:10.00
ComboFix.txt
ComboFix2.txt
ComboFix3.txt




HTJ ...

Logfile of HijackThis v1.99.1
Scan saved at 11:03:38 PM, on 10/8/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\PV92Tray.exe
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\System32\VTtrayp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Boucher\Desktop\foo.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
  • 0

#13
Jag11

Jag11

    Visiting Staff

  • Member
  • PipPipPipPipPip
  • 2,210 posts
Sorry for the delay..

Let's continue:


  • Click Start » Run » type: Notepad » OK
  • Copy (Ctrl+C) and paste (Ctrl+V) the following text below (inside the box) to Notepad.

    REGEDIT4
    
    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IRC Client"=-
    
    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IRC Client"=-
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\defender]
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Microsoft Windows Logon Process]
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Microsoft Windows Session Manager Subsystem]
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\newname]
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SVC Hosts]
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\WinSysModule]
    
    
  • Make sure there are no black spaces before REGEDIT4 and there should be one blank line at the end.
  • Click File at the top and then choose Save As.
  • Change Save As Type to All Files.
  • Name it FixME.reg and save it on your desktop.
  • Its icon should look like this : Posted Image
  • Double click FixME.reg. It will ask you if you want to merge it to the registry, click Yes.
=====================================

Delete this file:

C:\WINDOWS\smss.exe


Download ATF Cleaner
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Download Ewido Anti-Spyware
  • Install Ewido by double clicking the installer.
  • Follow the prompts. Make sure that Launch Ewido is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update succesfull message.
  • Click on the Settings tab.
    • Under How to act? click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan? all boxes should be selected.
    • Under Possibly unwanted software: all boxes should be checked.
    • Under Reports: click on Automatically generate report after every scan.
    • Under What to scan? select Scan every file.
  • Click on Scanner
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When scan has finished, at bottom of the screen click Apply all Actions.
  • Click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
  • Post back with the Ewido report and a new Hijackthis log.

I also want you to do this online scan and then include its report as well:

Run an online scan at Kaspersky
  • Please go here to run Kaspersky Online Virus Scanner.
  • You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  • Extended
  • Scan Options:
  • Scan Archives
  • Scan Mail Bases
[*]Click OK
[*]Now under select a target to scan, select My Computer.
[*]This will scan your system.
[*]The scan will take a while so be patient and let it run.
[*]Once the scan is complete it will display if your system has been infected.
[*]Now click on the Save as Text button, and save it to your Desktop.
[*]Copy and paste that information in your next post along with a new Hijackthis log.
[/list]===

So I should have:

1. New Hijackthis log
2. Ewido log
3. Kaspersky log
  • 0

#14
Jag11

Jag11

    Visiting Staff

  • Member
  • PipPipPipPipPip
  • 2,210 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP