Win32:Agent-ASH [Trj]


This topic is locked

#1 skiddyness (New Member, 6 posts)
Hello,

I have been infected by this trojan "Win32:Agent-ASH [Trj]".
It is infecting here: "C:\WINDOWS\comdlg64.dll"

Avast says it's removing it, but it reappears in the same place after each boot.
I have removed everything that is detected by avast, Spybot and Ad-Aware.
My ZoneLabs firewall is blocking everything except what I know to be safe.

This trojan is very stubborn, as I can't find where the file that is recreating it is located. It's not in memory, as I have already removed it from there on start-up and it isn't detected there when I scan it.
Sooo, I'm guessing it's being created on start-up with these root hooks????

I was getting LOADS of suspicious mail warnings from avast before my last reboot, but thank god it's stopped (for now).

I was just typing this letter out, and just as I finished my computer rebooted with no warning.
I don't think anyone has access with this trojan, as I keep checking for established connections on netstat and I'm happy with what I see.

I'm pretty sure these messages my comp is sending haven't got out, as I have stopped them all with avast, but I can't keep working with these bloody pop-up warnings from avast.

Do you think the problem could be solved with HijackThis, or is there anything else I should try first???
I'm pretty good with comps, so anything complicated is OK with me.
Do you think I will be OK deleting the entries in HijackThis if I research the entries that I'm not familiar with???
Having a quick browse through it, I can spot the programs that I have allowed to auto-boot on startup.

OK, thanks for any replies.

Oh yeah, little confession: I have modified the system.sys folder with a program to allow more connections for downloading. I changed it from the default 10 to 50.
I haven't got the program now and think I should change it back, as it was defaulted to 10 by Microsoft to prevent viruses spreading too quickly.
Anyone know a proggy??? Or if anyone knows where instructions are to change it back using the command line, it would be appreciated.

P.S. If you don't know what I'm on about with the system.sys thing, don't worry, I will sort it myself with a little research. (Just being lazy and seeing if anyone here knew.)

Edited by skiddyness, 21 November 2006 - 12:18 PM.


#2 skiddyness (Topic Starter, New Member, 6 posts)
OK, I wanted to see if there was an alternate fix before I posted the log, but I'm desperate to get rid of the avast pop-up "suspicious message" warnings....

-----------------------------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 18:37:45, on 21/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\aseoseyw.exe
C:\WINDOWS\system32\sysvx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
E:\hijackthis\HijackThis.exe

O2 - BHO: ASP.NET Helper - {42031715-09B2-3B51-A93F-56C308E48F38} - C:\WINDOWS\system\ctlvxd32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\system32\ipv6mons.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SCDEmuApp.exe] C:\Program Files\PowerISO\SCDEmuApp.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [aseoseyw] C:\WINDOWS\system32\aseoseyw.exe
O4 - HKLM\..\Run: [sysvx.exe] C:\WINDOWS\system32\sysvx.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [aseoseyw] C:\WINDOWS\system32\aseoseyw.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe



------------------------------------------------------------------------------------------------------------------------------
These are the only two I don't recognize.....
O4 - HKLM\..\Run: [aseoseyw] C:\WINDOWS\system32\aseoseyw.exe
O4 - HKLM\..\Run: [sysvx.exe] C:\WINDOWS\system32\sysvx.exe

Like I said, my biggest prob is the spam trying to be sent from my comp, if that's any help.
But there is that trojan warning every time I start up.
I don't know if these two problems are the same thing or separate issues.

Edited by skiddyness, 21 November 2006 - 12:48 PM.


#3 MFDnSC (Banned, 1,137 posts)
That is not a complete log

Open the log in notepad

EDIT - SELECT ALL
EDIT - COPY

Then come to this message, and in the quick reply box click in the white space and then EDIT - PASTE

==============================
Download AVG Anti-Spyware from http://www.ewido.net/en/download/ and save that file to your desktop. Note: This is NOT the Anti Virus from AVG.

When the trial period expires it becomes feature-limited freeware but is still worth keeping as a good on-demand scanner.
1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double click it to launch the set up program.
2. Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
3. On the main screen select the icon "Update" then select the "Update now" link.
o Next select the "Start Update" button. The update will start and a progress bar will show the updates being installed.
4. Once the update has completed, select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
6. Under "Reports"
o Select "Automatically generate report after every scan"
o Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do Not run a scan just yet, we will run it in safe mode.
1. Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning as it may interfere with the scanning process:
2. Launch AVG Anti-Spyware by double clicking the icon on your desktop.
3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
4. AVG will now begin the scanning process. Please be patient as this may take a little time.
Once the scan is complete, do the following:
5. If you have any infections you will be prompted. Then select "Apply all actions."
6. Next select the "Reports" icon at the top.
7. Select the "Save report as" button in the lower left-hand corner of the screen and save it to a text file on your system (make sure to remember where you saved that file. This is important).
8. Close AVG Anti-Spyware and reboot your system back into Normal Mode.
Post the log from AVG and a new HiJack log

#4 skiddyness (Topic Starter, New Member, 6 posts)
OK, 2 hours of scanning later and here's the results....

The message pop-ups from avast have stopped (alllleyyyluuuuyaaaaaaaa).
The trojan alert at startup has stopped.

The AVG program found 2 infections and here's the log.....

--------------------------------------------------------------------------------------------
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:00:14 PM 11/21/2006

+ Scan result:



C:\WINDOWS\system32\jysoaaaa.exe -> Logger.BZub.fz : Cleaned with backup (quarantined).
C:\WINDOWS\system32\sysvx.exe -> Worm.Locksky.aq : Cleaned with backup (quarantined).


::Report end

----------------------------------------------------------------------------------------------

And here's the HijackThis log....................


------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 22:34:00, on 21/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\aseoseyw.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\downloaded programs\registry hook analizer\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....ink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....ink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....ink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....ink/?LinkId=69157
O2 - BHO: ASP.NET Helper - {42031715-09B2-3B51-A93F-56C308E48F38} - C:\WINDOWS\system\ctlvxd32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\system32\ipv6mons.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SCDEmuApp.exe] C:\Program Files\PowerISO\SCDEmuApp.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [aseoseyw] C:\WINDOWS\system32\aseoseyw.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [aseoseyw] C:\WINDOWS\system32\aseoseyw.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

-------------------------------------------------------------------------------------------------------------------------------

I can't find anything that relates to the 2 executables that AVG found, but I don't specialize in this, so what's your opinion?????


By the way, I'd like to say a big thanks for the FREE help; it is well appreciated.
Makes u a v. good person for helping people for nothing. A very rare type to find these days, I'm sad to say.

P.S. The resident protection isn't enabled in the trial version, so I was wondering if it's OK to keep avast running at the same time without worrying about program conflicts and whatnot.
Is there any more "preferably free coz I'm broke" programs that would be useful to have in case of emergencies???

P.P.S. I'm guessing I can delete the crap out of the 2 infections (and crack a beer open to see them off).

P.P.P.S. I will also help a few people in the forums with what I can (links to all the software I'm using at the mo and links to info on how to use them), just so everyone knows that I have contributed a little in return.

Edited by skiddyness, 21 November 2006 - 04:45 PM.


#5 MFDnSC (Banned, 1,137 posts)
I can't possibly read that log. Run HiJack again and then go to FORMAT in Notepad and click on Word Wrap.

#6 skiddyness (Topic Starter, New Member, 6 posts)
Errrrm, I don't know why it pasted like that; I already turned word wrap on over 6 months ago.
I'll paste it again and sort it manually if it does it again.
Soz.

Here's the log . . . .

-------------------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 22:34:00, on 21/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\aseoseyw.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\downloaded programs\registry hook analizer\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: ASP.NET Helper - {42031715-09B2-3B51-A93F-56C308E48F38} - C:\WINDOWS\system\ctlvxd32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\system32\ipv6mons.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SCDEmuApp.exe] C:\Program Files\PowerISO\SCDEmuApp.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [aseoseyw] C:\WINDOWS\system32\aseoseyw.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [aseoseyw] C:\WINDOWS\system32\aseoseyw.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

------------------------------------------------------------------------------------------------------------

There it is - - - looking over other people's probs + logs, should I delete the no-name ones??
I mean, is that something to look out for???

Please don't forget to answer my question in my last post about the avast v AVG conflict possibility.
Thnks

Also, my web browsing is still a little sluggish.

#7 MFDnSC (Banned, 1,137 posts)
Do not go on the file missing - there is a bug in HJT


Avast is an AV - AVG a spyware pgm - no conflict

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HiJackThis – mark them, close IE, click fix checked

O2 - BHO: ASP.NET Helper - {42031715-09B2-3B51-A93F-56C308E48F38} - C:\WINDOWS\system\ctlvxd32.dll

O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\system32\ipv6mons.dll

O4 - HKLM\..\Run: [aseoseyw] C:\WINDOWS\system32\aseoseyw.exe

O4 - HKCU\..\Run: [aseoseyw] C:\WINDOWS\system32\aseoseyw.exe

Download http://www.downloads...org/KillBox.zip or
http://www.thespykil...les/killbox.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\system\ctlvxd32.dll
C:\WINDOWS\system32\ipv6mons.dll
C:\WINDOWS\system32\aseoseyw.exe

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
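The judgement behind the fix list in the post above (flag the BHO and Run entries that load from the Windows directory but are not Windows components, leave the Spybot, Java, avast and ATI entries alone) can be made mechanical. The script below is an added example for this thread; it is not part of the thread, of HijackThis or of any tool named here. It parses the O2 (BHO) and O4 (Run key) lines from the first log in post #2, treats `C:\WINDOWS\...` as the directory of interest, and flags any image there that is not on a known-good list. The `KNOWN_WINDOWS_BINARIES` allowlist and the one `ctfmon.exe` Run line are constructed for the example (labelled so in the code); every other sample line is copied from the thread's log. Run on that input it flags exactly the four files MFDnSC told the poster to fix plus `sysvx.exe`, which AVG had already quarantined, and it notes that `aseoseyw.exe` is persisted under both HKLM and HKCU, the pattern seen in the log.

```python
"""Triage HijackThis O2 (BHO) and O4 (Run key) lines: flag autostart entries
that load from the Windows directory without being a known Windows binary."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Sample input, constructed for this example from the O2/O4 lines of the
# thread's first log (post #2). The final ctfmon.exe line is constructed and
# not from the thread; it shows a Windows-directory entry the allowlist accepts.
SAMPLE_LOG = r"""
O2 - BHO: ASP.NET Helper - {42031715-09B2-3B51-A93F-56C308E48F38} - C:\WINDOWS\system\ctlvxd32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\system32\ipv6mons.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [aseoseyw] C:\WINDOWS\system32\aseoseyw.exe
O4 - HKLM\..\Run: [sysvx.exe] C:\WINDOWS\system32\sysvx.exe
O4 - HKCU\..\Run: [aseoseyw] C:\WINDOWS\system32\aseoseyw.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Deliberately short allowlist of Windows binaries that legitimately autostart
# from %SystemRoot% on XP (an assumption for this example; a real triage list
# is far longer and should come from a vetted source).
KNOWN_WINDOWS_BINARIES = {"ctfmon.exe", "wpdshserviceobj.dll", "xpnetdiag.exe"}

WINDOWS_ROOT = "c:\\windows\\"
LEGACY_SYSTEM_DIR = "c:\\windows\\system"   # 16-bit era directory, rarely a BHO home

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Leading drive-letter path ending in .exe/.dll, with or without a quote before it.
IMAGE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll))', re.IGNORECASE)


@dataclass
class Entry:
    kind: str    # "O2" or "O4"
    scope: str   # registry hive for O4, CLSID for O2
    label: str   # Run value name or BHO display name
    path: str    # image path as written in the log


@dataclass
class Finding:
    entry: Entry
    reasons: list = field(default_factory=list)


def parse_entries(log_text):
    """Extract O2 and O4 entries; every other line type is ignored."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            entries.append(Entry("O2", m["clsid"], m["name"], m["path"].strip()))
            continue
        m = O4_RE.match(line)
        if m:
            img = IMAGE_RE.match(m["cmd"])   # drop quotes and trailing arguments
            if img:
                entries.append(Entry("O4", m["hive"], m["name"], img["path"]))
    return entries


def triage(log_text):
    """Return a Finding for each entry that autostarts from the Windows directory
    and is not on the allowlist, with the reasons it was flagged."""
    entries = parse_entries(log_text)
    hives_by_path = defaultdict(set)
    for e in entries:
        if e.kind == "O4":
            hives_by_path[e.path.lower()].add(e.scope)

    findings = []
    for e in entries:
        low = e.path.lower()
        directory, _, basename = low.rpartition("\\")
        if not low.startswith(WINDOWS_ROOT) or basename in KNOWN_WINDOWS_BINARIES:
            continue   # Program Files entries and allowlisted Windows binaries pass
        reasons = ["autostarts from the Windows directory but is not a known Windows binary"]
        if e.kind == "O2" and e.label == "(no name)":
            reasons.append("BHO registered without a display name")
        if directory == LEGACY_SYSTEM_DIR:
            reasons.append("loads from the legacy C:\\WINDOWS\\system directory")
        if hives_by_path[low] >= {"HKLM", "HKCU"}:
            reasons.append("same image persisted in both HKLM and HKCU Run keys")
        findings.append(Finding(e, reasons))
    return findings


def flagged_paths(log_text):
    """Sorted, de-duplicated lowercase image paths that triage() flags."""
    return sorted({f.entry.path.lower() for f in triage(log_text)})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry.kind} [{f.entry.label}] {f.entry.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

The allowlist approach is the same one a human helper applies by eye: a Windows-directory autostart is only trusted if the file is a known component. Entries under Program Files pass here without any check, so this is a first-pass filter for a log reader, not a verdict; a file's name and location say nothing about what it does, which is why the thread still relies on a scanner to identify `sysvx.exe` and quarantine it.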

#8 skiddyness (Topic Starter, New Member, 6 posts)
OK, I have done what you said and here is my report...

I deleted or repaired the 4 hooks you told me to. There were no errors doing this.

I deleted the 3 files you told me to with the Killbox program, with 1 error/comment.
The second file appeared to not exist, but the first and third deleted with no probs.

Here's a question for you.
I'm not sure what this is: O4 - HKLM\..\Run: [aseoseyw] C:\WINDOWS\system32\aseoseyw.exe
I did delete the hook with HijackThis, but something popped into my head after I did so.
I play Call of Duty 2 on multiplayer. Someone on the game suggested to me that I could find a lot more variety of servers to play on if I installed a program called "The All Seeing Eye". This program will list hundreds more servers that are cracked and therefore not listed on the server list provided by Activision.
The first three letters in the hook above match "all seeing eye".
Is this just a coincidence, or do you think this program is the culprit???
A lot of people have this program and there ain't no complaints that I can find, and my scanners don't pick up any infection in the downloaded file or program files.

Just give me the word and it's gone.

I will list the HijackThis log below, but before I do I will tell you that my browsing speed has increased to normal. I have now noticed that the computer is taking a [bleep] of a long time to shut down or restart, even though I have chosen the option to speed up shutdown time in the AVG program.
I know a lot of people complain about this; I was wondering if it is the infection starting to spread at shutdown.

OK, here is the log, and thank you very much for your time on this problem. I appreciate it very much.

----------------------------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 01:11:34, on 22/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\downloaded programs\registry hook analizer\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SCDEmuApp.exe] C:\Program Files\PowerISO\SCDEmuApp.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

-------------------------------------------------------------------------------------------------------------------

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

Is this suspicious to you, as it is similar to the others I deleted?

Oh yeah, I typed in the name of the virus I had and I found a site that told me step by step what the virus did.
It supposedly creates a file to list IP addresses in.
When I scanned my partitions looking for this file by name, it was not to be found.
I also followed the step-by-step procedure to manually delete the registry keys that it creates.
These have also gone.
Does this mean that AVG has done its job and done this for me????

There is one more thing I think you might like to know.
The key logger that was also detected in my system seems a little strange to me.
Whereas the virus was recorded all over the internet with ways to get rid of it etc., the key logger brought me only one result back on multiple search engines. This site was in a language I can't read, so I don't know nothing about it.
Just wondered if it was new or rare????
Guess not if AVG destroyed it.

Thnks again

#9 MFDnSC (Banned, 1,137 posts)
You are why we say do not fix anything without instruction

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll = is the totally legit Java application from Sun

Google on aseoseyw.exe and you get nothing - an invalid file

You want to fix it yourself then you will cripple the system

The log looks ok now

Turn off restore points, boot, turn them back on – here’s how

http://service1.syma...src=sec_doc_nam

#10 skiddyness (Topic Starter, New Member, 6 posts)
Ahhhh, thanks for everything again; I think I'm clean as a whistle now.


MFDnSC,

What you said wasn't nice to hear, and I also think it to be untrue.

You are why we say do not fix anything without instruction



If you notice in my post, I did ask if it looked suspicious, coz it looked similar.
If you also notice, I didn't start my post with these words.....

heeeellllllllpppppp
I have just deleted a root hook on my own decision thinking it was a problem, and now I have crippled my system and need your help to fix it.

See?? You shouldn't stereotype me like that, because I have just spent 6 - 7 hours carefully researching and following your instructions to fix this problem. I could have just done what I thought best, but I didn't.
I also could have formatted my computer, which would have solved the problem in 30 mins.
But I chose to learn what the problem was and not take the easy route.

Anyhow, I think you guys are stars on this forum, helping people out for free.
Also, while I was waiting for replies to my problems, I was reading quite a few other people's problems.
I think a lot of the posters don't appreciate how much time you guys spend helping out, as most posts just list a log and the problem and get on with it.

Also, it pisses me off reading posts where people give a problem, get an answer and then don't bother to write back to say whether it worked or not, or even to say a quick thank you.

My regards
Mark

#11 MFDnSC (Banned, 1,137 posts)
You are on your own!

carefully researching - and you questioned Java

Grow up!